In-Depth

Case Study: Outsourced Network Security Uses Behavioral Modeling

The Yankee Group predicts that by 2010, 90 percent of all security will be outsourced. Here's how one company made its decision to choose a pro-active security solution.

• By Mathew Schwartz
• 12/08/2004

What’s the best way to improve network security? For Larry Burwell, CIO of a large, Dallas-based financial institution (which for security reasons prefers to remain anonymous), tackling network security meant outsourcing. “Being a financial institution, we were looking for a way to secure our network facilities, and we also wanted to do it in a way that wasn’t too cumbersome—where we didn’t have to hire some high-end technical expertise that would only be used for one small portion of the business,” he says.

Drivers for the credit union to improve its security were twofold: create peace of mind for customers, and meet National Credit Union Association (NCUA) guidelines for credit union compliance. When it comes to NCUA, “You don’t have to do what they say, but you don’t have to stay in business either,” Burwell notes.

The credit union’s information technology department is small, and Burwell wanted to keep it that way. “We run very efficiently, and we don’t like to have a lot of staff on hand.” Thus he began investigating outsourcing.

Many organizations, given the increasing complexity of attacks, and the potential cost savings from not maintaining a round-the-clock information security staff, are opting for outsourcing. In fact by 2010, the Yankee Group predicts 90 percent of all security will be outsourced.

When Burwell began evaluating outsourced security possibilities, he took the long view, especially when it came to intrusion detection and prevention systems (IDS and IPS). “People are looking for a magic bullet, like an IPS, for example. We do IDS; we have one, but that’s not the magic. The magic is being able to look at all these things over a long period of time—that’s the magic.” In other words, he wanted a service able to track his network’s security trends over a long period of time. Instead of reacting to every IDS alarm, he wanted a company able to zero in on actual threats.

The credit union examined a range of security-outsourcing options—the IT management team wanted a bake-off between finalists—then, about two years ago, settled upon Dallas-based Global DataGuard. The company “was the most comprehensive service in terms of having behavioral modeling for an institution,” he says.

By behavioral modeling, Burwell means Global DataGuard baselines network activity, then flags problematic variations. “If network traffic, or system responses or processes get out of their standard behavior, we get notified,” he says. In addition, behavioral tracking uncovers actual Internet traffic in use, which the credit union can then explicitly allow or disallow as necessary. Ultimately, he says, that view “makes us proactive—guarding ourselves against vulnerabilities or intrusion attempts made from internal and external sources.”

“Our system is not an IDS system. It’s a behavior analysis and correlation system, and one of the data inputs is a network intrusion detection sensor,” says Scott Paly, CEO of DataGuard. The overall system, for example, includes an intelligent packet logger—“to pull out suspicious packets”—as well as a vulnerability scanner for analyzing all collected data. “We keep track of hundreds of ways a machine can act odd, and anything that happens, we pull the packet.” Paly says he hopes to release an appliance with this technology in 2005.

When Global DataGuard notices odd trends, it warns customers. For example, Paly says, his company caught Code Red 20 hours before it was announced, the SQL Server worm five months in advance, and Slammer three months in advance. “We don’t know what they’re called, but if we’re starting to see a bunch of activity across our customer base,” he says, then Global DataGuard recommends appropriate patch and corrective actions to protect against them.

Seeing Both Sides of the Equation

At first, the credit union instituted external monitoring, then a year ago added internal monitoring to get a better view of all network activity. “We’ve added host sensors which monitor individual servers which we feel are critical or sensitive in nature. We’ve also added an internal network sensor so we can see both sides of the network situation,” says Burwell. Now the credit union sees not only the packets entering the network, but how internal machines respond. “We can see both sides so we can see if one of our systems is responding inappropriately to traffic that we deem unfit.”

Global DataGuard also verifies packet origins to watch, for example, for someone on an engineering system attempting to access a human resources server. Such an approach is “a lot more efficient and cheaper than putting in host IDS’s on every single server,” says Paly.

Monitoring also takes the long view, since the typical attack only happens after innumerable probes. “When people hack things and try to get in, they’re not usually successful the first try, they have to figure out how to do it first,” says Paly. As a result, clients often get detailed recommendations about what to block and why, based on emerging incidents, and detailed by IP address. For example, says Paly, “it’s time to block this whole subnet because we’ve been seeing him for a few weeks, and I doubt any of your financial institution members are in Croatia.” Clients can make the appropriate changes in their firewalls to block such traffic outright.

As with all outsourcers, Paly notes Global DataGuard watches not only individual clients, but correlates attacks against all clients to help detect and stop attacks more quickly.

Having this view of network activity helps on a number of fronts, says Burwell. "It helps us with our branches’ Web communications, where our branches are coming in through private VPNs from the Internet." In addition, it monitors what’s going out to the Internet from internal systems. Most of all, however, “it helps our members’ response time when using our Internet banking network because they share the pipe.” So if employees aren’t “pulling down inappropriate traffic, we’re not using our bandwidth for garbage.” Quarterly vulnerability scans of his network from Global DataGuard further help, he notes.

One thing Burwell likes is technology upgrades as they become available. “If any turnkey solutions make what we have obsolete, then Global DataGuard will replace it for us.”

For the future, Burwell would “continued improvements in reporting” to help make his institution “better managers of that network traffic.”

Related Articles

Yankee Group Says Security Outsourcing Set to Explode
http://esj.com/enterprise/article.aspx?EditorialsID=1112

Q&A: Top Tips for Outsourcing Security
http://www.esj.com/security/article.aspx?EditorialsID=1008