XanGo, a Lehi, Utah, maker of health beverage products, is another company that has boosted its network security with an NBA implementation. About 18 months ago, the privately owned company began using Sourcefire's 3D enterprise threat management suite. Components of the suite include intrusion prevention, vulnerability management, network access control and NBA.
Sourcefire's intrusion protection software provides vulnerability-based intrusion prevention built on Snort, a standard intrusion protection tool. It uses a rules-based language--a combination of signature, protocol and anomaly-based inspection methods--to examine packets for attacks such as worms, Trojans, port scans, buffer overflow attacks, spyware, denial-of-service attacks and zero-day attacks.
Another component, real network awareness, provides NBA, network access control and vulnerability assessment capabilities. Real network awareness delivers a continuous, real-time view of what's happening on a network and identifies potential vulnerabilities on network devices. It monitors communications behavior among endpoints on a network, baselining traffic, watching for deviances from typical traffic levels or connection patterns and alerting administrators to these changes, according to Sourcefire.
One of the primary drivers for adopting the security technologies was to meet the requirements of the Payment Card Industry Data Security Standard, or PCI DSS, because many XanGo customers purchase products over the Internet using credit cards. (PCI DSS is a set of standards created by the PCI Security Standards Council to provide guidelines that help companies prevent credit card fraud and identity theft.)
Aside from helping with standards compliance, managers at XanGo thought NBA could enhance overall security at the company. "We also wanted to adopt good business practices and do what we could to protect company information and the personal information of our consumers," says Brandon Greenwood, manager of network operations and security.
XanGo has deployed NBA sensors at its main office in Lehi and two remote offices, and it plans to install more sensors later this year. Greenwood says NBA gives the company more insight into network activity than it had before. "We have seen instances where a user might be infected with a botnet" that could trigger a denial-of-service attack, Greenwood says. "NBA will allow us to see certain activities that say there's obviously something going on with the network." As a result, XanGo has been able to prevent security breaches on its network.
Regulatory compliance and a desire to improve network security drove another organization, the Weill Cornell Medical College in New York, to adopt NBA technology. The center, which is a health-care and teaching facility, deployed an NBA system called Peakflow X from Arbor Networks in 2006.
Weill Cornell wanted to improve its network visibility, boost security and ensure compliance with regulations such as the Health Insurance Portability and Accountability Act. "NBA gives us a peek into the network that we never had before," says Benjamin Nathan, associate director of security and identity management.
The network is accessed by some 20,000 users, including medical students and health-care professionals. It provides access to the Internet, e-mail, voice over IP telephony, video and other applications.
Peakflow X leverages IP flow technology embedded in routers and switches to provide visibility into the network on a real-time, historical basis. Using IP flow data, the system conducts network analyses to determine normal behavior and automatically alerts managers to any abnormalities. The system provides a granular view into what hosts are doing on the network.
Prior to using NBA, Weill Cornell managers had extremely limited visibility into network activity and were reactive in dealing with network vulnerabilities. Weill Cornell used packet analyzers in multiple locations, but they didn't provide adequate views of network behavior. Not only was it difficult to provide robust security against the latest vulnerabilities, but there was no reliable way to perform historical analyses of network activity or plan network capacity.
With greater visibility into network behavior, Weill Cornell reduced network problem resolution times from days to minutes. The medical college also reduced bandwidth upgrade costs by eliminating noncritical traffic on wide area network circuits.
Using NBA let Weill Cornell detect three times the number of unauthorized network intrusions and attempted intrusions than it was able to detect prior to the implementation. Now, when Weill Cornell security managers detect suspicious network behavior, they can block it quickly. "We investigate everything that could potentially be malicious," Nathan says.
One big advantage of the NBA system is that it can be updated to track the latest security threats. Arbor Networks added a new packet inspection feature to Peakflow X after the initial implementation, which gave Weill Cornell the more granular view of network usage that it wanted.
The biggest challenge of using the NBA system was tweaking the rules to reduce the number of false positives. "That's a manual process and it's time-consuming," Nathan says. But the effort was worthwhile, as it resulted in essential security improvements.
Ask your IT director:
How many network users are there in all locations in the organization, including remote offices?
Ask your CSO:
Can we gather data to show the ROI of NBA systems