During the 17 days of competition at this past February's Olympic Winter Games in Turin, Italy, IT services firm Atos Origin S.A. logged 3.1 million suspicious "events" daily. And not one threatened the games' IT infrastructure.
That's because the France-based company, which for years has managed IT networks at major sporting events worldwide, took a somewhat radical approach to identity management and access control. It dropped users or devices that tried to access an application or network outside the norm.
Atos Origin recently released a recap of its Olympic security effort, revealing that it thwarted 158 potentially major disruptions, including 10 deemed critical because of how close the unauthorized access occurred to an event.
"The way we treat security is that we have several alerts generated by the systems we've put in place, and we don't know initially if these events are problems or a potential threat," explained Patrick Adiba, Atos Origin's executive vice president of the Olympics and other major events. "So we capture all the information and filter it to make it relevant. The richer the information, the easier it is to identify real threats that could impact the integrity of the system."
But when dealing with an event involving 90,000 accreditations for 2,500 technologists, 10,000 media reps and 2,500 athletes and their supporters, the policy typically meant disable first and ask questions later. Otherwise, weird activity could mean someone was trying to alter results or even wreak havoc during a live event.
"It's very important when we measure an event to recognize its impact on time," Adiba said. "For example, an event eight hours before a competition may not be major, but if it happens 10 minutes [before] or during a competition, it's critical we do something."
An example of such an event might be someone trying to connect an unauthorized device. "It could be a genuine connectivity issue, or it could be someone trying to inject a virus," Adiba said. Other flagged activities: users who enter incorrect passwords on critical equipment, or who log in from onsite in the middle of the night.
Without knowing the users' intention, Atos took no chances. The company simply disabled any suspicious line or checked out where the activity was coming from during off hours by calling in physical security to help.
But in the real world, how would Atos Origin's tough-love, anomaly-based approach fly in most enterprises?
"The basic principles and tools we used work for any company," Adiba claimed, though most organizations wouldn't need to take such drastic precautions. "For example, we disabled immediately any suspicious applications or systems. We probably would not do that in a normal situation and instead would try to understand and to analyze the code before disabling the system."
But the basic principles of differentiating behaviors through traffic analysis and systems alerts -- and, importantly, having a plan of action for handling anomalies -- are within every security practitioner's reach, he added.
Atos Origin also managed the IT networks used in the Athens and Salt Lake City games, and from those experiences learned how to better understand network behavior during that type of event. That, in turn, enabled the company to better protect data this time around.
One way it did so was by using a finely tuned identity and access management system, which profiled every user and then matched those profiles against 'normal' behavior on a system. If someone tried to access an area where they weren't authorized, for instance, the account was immediately flagged. "Of course," Adiba said, "this type of system generates a lot more general 'events' but it also allows us to take smarter measures to block access to certain computers or networks based on what we see."
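The profile matching and time-based severity described above can be sketched as follows. This is an added example, not Atos Origin's system: the class and field names, the 10-minute window (borrowed from Adiba's remark), the failed-password threshold and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

CRITICAL_WINDOW = timedelta(minutes=10)  # assumption, from the "10 minutes" remark
MAX_FAILED = 3                           # assumption: failed-password threshold

@dataclass(frozen=True)
class Profile:                 # hypothetical per-user baseline
    areas: frozenset           # areas the accreditation covers
    devices: frozenset         # registered device ids
    start: time                # usual working hours
    end: time

@dataclass(frozen=True)
class Event:
    when: datetime
    area: str
    device: str
    failed_logins: int = 0
    critical_equipment: bool = False

def anomalies(ev, p):
    """List the ways an event departs from the user's profile."""
    checks = [
        ("unauthorized-area", ev.area not in p.areas),
        ("unauthorized-device", ev.device not in p.devices),
        ("off-hours", not (p.start <= ev.when.time() <= p.end)),
        ("bad-passwords", ev.critical_equipment and ev.failed_logins >= MAX_FAILED),
    ]
    return [name for name, hit in checks if hit]

def triage(ev, p, competitions):
    """Return (severity, actions, reasons); competitions is [(start, end), ...]."""
    reasons = anomalies(ev, p)
    if not reasons:
        return "normal", [], reasons
    # The same anomaly matters more just before or during a competition.
    live = any(s - CRITICAL_WINDOW <= ev.when <= e for s, e in competitions)
    actions = ["disable"]      # disable first, ask questions later
    if "off-hours" in reasons:
        actions.append("send-physical-security")
    return ("critical" if live else "flagged"), actions, reasons

# Constructed sample data, not taken from the Games.
PROFILE = Profile(frozenset({"timing"}), frozenset({"lt-01"}), time(7), time(22))
RACE = [(datetime(2006, 2, 12, 12, 0), datetime(2006, 2, 12, 14, 0))]
EARLY = Event(datetime(2006, 2, 12, 4, 0), "timing", "lt-99")    # 8 h before
LATE = Event(datetime(2006, 2, 12, 11, 55), "results", "lt-01")  # 5 min before
```

Calling `triage(EARLY, PROFILE, RACE)` and `triage(LATE, PROFILE, RACE)` shows the same disable-first response with different severities, depending only on how close the event falls to the competition.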
He added that companies can also benefit from such introspection by periodically reviewing how their systems are being used and what outside traffic tries to access, so they can better configure their networks.
The other major takeaway for enterprises is testing. Atos Origin devoted 100,000 hours to testing its 385 Intel-based servers and Unix boxes tied to 5,000 computers and 700 printers. That's in addition to the 950 commentator information systems and 770 intranet-only terminals spread throughout 28 venues within Italy.
"All of the situations we encountered, we'd anticipated because of all the testing and rehearsals we did," Adiba said. "We were never taken by surprise."
He recommends all companies, regardless of the scale of projects, test first to see how a network, its users and a security team react. During Atos Origin's testing process, a shadow team creates problems to see how the network and people react.
"Don't rely only on designing a system and hoping it's going to work," Adiba added. "Test it, and test it with real problems."