Intrusion Detection Keeps A Watchful Eye On Pru's Network

Forty years ago, mischievous adolescents got their kicks by calling people on the phone and asking them, "Do you have Prince Albert in a can?" Today, they concoct computer viruses and worms designed to knock out the networks of global corporations.

In its 2003 survey of 530 computer security practitioners, the Computer Security Institute (CSI) found that 56% of respondents reported unauthorized use of their computer systems within the previous 12 months. The total annual losses reported for these breaches amounted to $202 million.

As in prior years, theft of proprietary information caused the greatest financial loss ($70 million), and denial of service ranked second ($66 million). Virus incidents (82%) and insider abuse of network access (80%) were the most cited forms of attack or abuse, according to CSI, San Francisco.

Not surprisingly, U.S. companies, including insurers, are investing in technologies that can help to protect their networks--as well as the proprietary corporate and customer data that resides in their systems. In the CSI study, 98% of respondents had installed firewalls, 99% had deployed anti-virus software, and 92% had implemented access control.

The buzzword this year

But the "buzzword" this year was intrusion detection system (IDS), according to CSI, with 73% of survey respondents reporting they now use the technology, up from 60% in 2002 (see "Intrusion Detection Deployment Grows").

Prudential Financial is one insurer that has installed a leading-edge intrusion detection and prevention system this year. In January, the Newark, N.J.-based financial services giant began deploying approximately 30 intrusion detection and prevention devices, covering 10 locations across the globe.

Prudential selected technology from IntruVert Networks Inc., a San Jose, Calif.-based startup, which was acquired in May by Network Associates Inc., Santa Clara, Calif. "We're covering all our external connections, as well as the majority of the core switches in our network," says Peter Kuzmiskas, security director at Prudential Financial.

Over the past couple of years, Prudential--like other companies--has seen an increase in viruses and worms, says Kuzmiskas. "We're trying to mitigate any risk and take more proactive measures rather than reactive measures. We see viruses internally from time to time, and we're just trying to stop the spread of them. Being a global corporation, we don't want part of our environment to affect another."

Intrusion detection systems inspect inbound and outbound network traffic for patterns that may indicate an attack. Because traffic passes through the IntruShield appliances Prudential uses "in-line" (the sensor sits in the forwarding path rather than watching a copy of the traffic), they can be configured to drop packets, or messages, judged malicious rather than merely report them.

"For instance, using the Nachi worm as an example, the worm sends an initial 'ping' to find other hosts on the network," Kuzmiskas explains. The ping is specifically crafted: it carries a recognizable byte pattern, what's called a "signature." Prudential's IDS is programmed to match known signatures, dropping matching packets while allowing valid traffic to pass.

Prudential's IDS also can be set up in what's called passive mode, which produces alerts rather than automatically dropping 'bad' packets. When the company receives newly released malicious signatures, it begins looking for them in passive mode, says Kuzmiskas. "We want to validate the accuracy of (the signature detection) before we drop the packets. Then we can go into blocking mode."
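As an added illustration, and not code from the article, Prudential or IntruVert, the Python sketch below shows the mechanism the last three paragraphs describe: an in-line sensor parses IPv4/ICMP packets, matches a content signature, runs in passive mode first so its hit rate can be checked against labelled traffic, and is promoted to blocking mode only when that dry run produces no false positives. The packets, the 0xAA-filled echo-request payload used as the worm signature, and the second, over-broad signature are all constructed for the example; the exact worm bytes are an assumption, not a vendor signature.

```python
"""Added example: a toy in-line ICMP signature sensor with passive and
blocking modes. Packets and signatures below are constructed for the demo."""
import struct
from dataclasses import dataclass, field


@dataclass
class Signature:
    name: str
    icmp_type: int   # ICMP type the rule applies to (8 = echo request)
    content: bytes   # byte pattern that must appear in the ICMP payload
    depth: int       # search only the first `depth` payload bytes


@dataclass
class Sensor:
    signatures: list
    mode: str = "passive"                 # "passive": alert only; "blocking": drop
    alerts: list = field(default_factory=list)

    def inspect(self, packet: bytes) -> str:
        """Return 'pass', 'alert' (passive-mode hit) or 'drop' (blocking-mode hit)."""
        sig = self._match(packet)
        if sig is None:
            return "pass"
        self.alerts.append(sig.name)
        return "drop" if self.mode == "blocking" else "alert"

    def _match(self, packet: bytes):
        # Minimal IPv4 parse: version/IHL byte, protocol byte, then the ICMP header.
        if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
            return None                   # not IPv4 or not ICMP: nothing to match
        ihl = (packet[0] & 0x0F) * 4
        icmp = packet[ihl:]
        if len(icmp) < 8:
            return None
        itype, payload = icmp[0], icmp[8:]
        for sig in self.signatures:
            if sig.icmp_type == itype and sig.content in payload[:sig.depth]:
                return sig
        return None


def icmp_packet(src: str, dst: str, payload: bytes, itype: int = 8) -> bytes:
    """Build a bare IPv4 + ICMP packet (checksums left zero; fine for a demo)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    icmp = struct.pack("!BBHHH", itype, 0, 0, 1, 1)   # type, code, csum, id, seq
    return ip + icmp + payload


# Constructed sample traffic. Index 2 is the worm-style probe.
SAMPLE_TRAFFIC = [
    icmp_packet("10.0.0.5", "10.0.0.9", b"\x00" * 8 + bytes(range(0x10, 0x38))),  # Linux-style ping
    icmp_packet("10.0.0.6", "10.0.0.9", b"abcdefghijklmnopqrstuvwabcdefghi"),   # Windows-style ping
    icmp_packet("10.0.0.77", "10.0.1.1", b"\xaa" * 64),                          # worm-style probe
    icmp_packet("10.0.1.1", "10.0.0.77", b"\xaa" * 64, itype=0),                # echo reply, same payload
    b"\x45\x00\x00\x28" + b"\x00" * 5 + b"\x06" + b"\x00" * 30,                 # a TCP packet, untouched
]
KNOWN_BAD = {2}

# Assumed pattern for a Nachi/Welchia-style probe: a run of 0xAA bytes in an
# echo request. The exact bytes are an example, not a vendor signature.
WORM_SIG = Signature("ICMP echo request, 0xAA-filled payload", 8, b"\xaa" * 16, 16)
# An over-broad rule written on a fragment that ordinary pings also carry.
BROAD_SIG = Signature("ICMP echo request containing 'abcd'", 8, b"abcd", 16)


def validate(sensor: Sensor, traffic, known_bad) -> dict:
    """Passive-mode dry run over labelled traffic: count true and false hits."""
    sensor.mode = "passive"
    hits = {"true_positives": 0, "false_positives": 0}
    for idx, pkt in enumerate(traffic):
        if sensor.inspect(pkt) == "alert":
            key = "true_positives" if idx in known_bad else "false_positives"
            hits[key] += 1
    return hits


def promote_if_clean(sensor: Sensor, traffic, known_bad) -> str:
    """Switch to blocking only when the passive run produced no false positives."""
    if validate(sensor, traffic, known_bad)["false_positives"] == 0:
        sensor.mode = "blocking"
    return sensor.mode


if __name__ == "__main__":
    good = Sensor([WORM_SIG])
    print(promote_if_clean(good, SAMPLE_TRAFFIC, KNOWN_BAD))      # blocking
    print([good.inspect(p) for p in SAMPLE_TRAFFIC])               # worm probe dropped
    broad = Sensor([BROAD_SIG])
    print(promote_if_clean(broad, SAMPLE_TRAFFIC, KNOWN_BAD))     # stays passive
```

The echo reply carrying the same payload is deliberately left alone: the rule is keyed to echo requests, so a reply from a scanned host does not trip it. The over-broad rule matches a normal Windows ping and therefore never leaves passive mode, which is the point of the dry run.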

False positives

Indeed, "false positives"--or identifying normal messages as potentially bad ones--is the No. 1 problem with many intrusion detection systems, says Raj Dhingra, vice president of product marketing and management at Network Associates.

"If you don't have accurate intrusion detection technology, companies are going to be reluctant to use it," he says. They don't want to waste resources investigating false positives, and they don't want to block legitimate network traffic.

To make its system accurate, IntruVert developed an appliance specifically built to detect and prevent malicious traffic. It identifies known, unknown and denial of service attacks, using signature, anomaly, and denial-of-service detection capabilities integrated into one device.

Known threats are those developed by hackers that can then be downloaded and run by anybody, Dhingra says. Signature-based detection is the most accurate way to identify these attacks. But for "unknown" attacks, which occur as soon as a vulnerability is publicized, signature-based detection is initially ineffective.

In these cases, anomaly-based detection can distinguish between good traffic and bad traffic on a network, he says. Finally, denial of service attacks, which are on the increase, according to Dhingra, require their own detection techniques.

Breaking ground

"IntruVert is breaking ground in this space," says Mike Rasmussen, director, Forrester Research Inc., a Cambridge, Mass.-based research and advisory firm.

"There are other players that can claim pieces of (intrusion detection and prevention), but IntruVert is unique because it has built customized hardware, and it's very fast."

In fact, the IntruVert IDS is capable of handling up to 2 gigabits per second of network traffic, which was a selling point for Prudential. "Regarding reliability and stability, the system was able to handle our high bandwidth requirements without dropping packets or freezing up," Kuzmiskas says.

In addition, because the system is appliance-based rather than software-based, it is easy to manage and has reduced Prudential's overall cost of administrative maintenance.

With a software-based intrusion detection system, on the other hand, Prudential would have had to patch the IDS along with the underlying operating system, Kuzmiskas explains. Using IntruVert, "Prudential doesn't have to be concerned about managing an underlying operating system, such as Windows or Unix. Patches are released by Network Associates for their own devices, and there's no need to go to any other vendor."

Cost savings

The IntruShield multi-port sensors can monitor multiple network segments, which also reduces costs.

Instead of having one generic security policy for all types of Web servers, the IntruVert system enables users to create intrusion policies specific to each type of Web server and each operating system--but runs them on the same sensor. This significantly reduces the number of sensors that a company, including Prudential, has to maintain and manage.

In a study commissioned by IntruVert last year, Giga Information Group, a wholly owned subsidiary of Forrester Research Inc., found that IntruVert's intrusion detection and prevention system could reduce capital and operating costs by up to 66%.

Four IntruVert customers, including Prudential Financial, were interviewed for Giga's total economic impact analysis, which showed that the IntruVert system produced a return on investment of up to 145% over three years.

Prudential's Kuzmiskas says the new IDS also has enabled his team to learn more about the company's network since it has been installed. "Anomaly detection learns what normal traffic is on a network," he explains. "And it tells you when your traffic exceeds thresholds that you set."

As a result, Kuzmiskas' team has discovered that some of the company's applications were demanding more bandwidth than they really needed.

"We've been able to fix those applications, or if they were purchased, we've been able to go back to the vendors to fix them. We learn more about our network every time we add new sensors to the environment," he says.
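As an added example, not code from the article, Prudential or the IntruShield product, the Python below shows the threshold-style anomaly detection Kuzmiskas describes (and the anomaly-based detection Dhingra mentions earlier): a baseline of bytes per interval is learned per application from flow summaries, a threshold is derived from it, operators can override that threshold, and later intervals that exceed it, or that come from an application never seen during learning, are reported. All flow records and application names are constructed for the demo.

```python
"""Added example: learn per-application traffic baselines, derive thresholds,
and flag intervals that exceed them. All flow summaries are constructed."""
import statistics
from collections import defaultdict

# Constructed flow summaries: (interval, application, bytes observed).
TRAINING = [
    ("t1", "payroll", 48_000), ("t2", "payroll", 50_000), ("t3", "payroll", 52_000),
    ("t4", "payroll", 49_000), ("t5", "payroll", 51_000),
    ("t1", "ldap", 4_000), ("t2", "ldap", 5_000), ("t3", "ldap", 6_000),
    ("t4", "ldap", 5_000), ("t5", "ldap", 5_000),
]
OBSERVED = [
    ("t6", "payroll", 53_000),   # within its learned band
    ("t6", "ldap", 40_000),      # eight times its baseline: worth a look
    ("t6", "scanner", 7_000),    # never seen during learning
]


def learn_baseline(records):
    """Per-application mean and population std-dev of bytes per interval."""
    per_app = defaultdict(list)
    for _, app, nbytes in records:
        per_app[app].append(nbytes)
    return {app: (statistics.mean(v), statistics.pstdev(v)) for app, v in per_app.items()}


def thresholds(baseline, k: float = 3.0, margin: float = 0.05, overrides=None):
    """Threshold = mean + k*sd, but never below mean*(1+margin), so a perfectly
    steady application is not flagged by a tiny wobble. Operator overrides win."""
    thr = {app: max(mean + k * sd, mean * (1 + margin))
           for app, (mean, sd) in baseline.items()}
    thr.update(overrides or {})
    return thr


def evaluate(records, thr):
    """Return (interval, app, bytes, reason) for every record that needs attention."""
    alerts = []
    for interval, app, nbytes in records:
        limit = thr.get(app)
        if limit is None:
            alerts.append((interval, app, nbytes, "no baseline: not seen during learning"))
        elif nbytes > limit:
            alerts.append((interval, app, nbytes, f"exceeds threshold {limit:.0f}"))
    return alerts


if __name__ == "__main__":
    thr = thresholds(learn_baseline(TRAINING))
    for row in evaluate(OBSERVED, thr):
        print(row)
    # An operator who knows ldap legitimately bursts can raise its limit by hand.
    print(evaluate(OBSERVED, thresholds(learn_baseline(TRAINING), overrides={"ldap": 100_000})))
```

The "not seen during learning" case matters in practice: a sensor that only compares against learned baselines says nothing about an application that appeared after the learning window, so unknown applications are reported separately rather than silently passed.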

Because the threat of network attack is only getting worse, most companies feel a responsibility to perform network monitoring, says Network Associates' Dhingra.

Pressuring them further, however, are the security and privacy regulations requiring health insurers and financial services institutions to protect customer and financial information. Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley are all catalysts for insurers to look into better network security, sources say.

Dhingra explains: "When the auditors come in, they want to see: What are your access control policies? What traffic do you allow? What traffic don't you allow? Has there been any misuse or malicious traffic that got in? Were you able to identify where it came from? Were you able to identify what systems or applications it targeted? Do you know if any information was compromised? And, if so, did you take steps to make sure the integrity of your information is still intact?

"These are just some of the requirements insurers face in securing their infrastructure to maintain privacy, confidentiality, integrity and availability," he says.

MORE FROM DIGITAL INSURANCE