June 12, 2007

Historically, electronic attackers were lone rangers whose exploits primarily netted them boasting rights for disrupting corporate systems or snarling Internet traffic. More recently, however, a lucrative malware black market has formed, and organized crime is now fueling the fire.

"With the entry of organized crime, we’re seeing more-sophisticated attacks designed for purposes beyond stealing credit card numbers," says Rob Ayoub, senior analyst and industry manager for network security at Frost & Sullivan. "Targeted malware espionage is here. Any company, in any vertical, that ignores this reality is putting their enterprise at significant risk. And in regulated industries, the auditors know it."

Indeed, T. Rowe Price discovered as much. "We were preparing for our first Sarbanes-Oxley audit in 2004," explains Scott Davis, the investment management firm’s network security manager. "Coincidentally, we were beginning to evaluate the emerging security category of intrusion prevention. When our SOX consultants learned about this effort, they specifically suggested we accelerate the project to improve our audit position. Not surprisingly, senior management quickly provided additional resources."

Initially, Davis’ team researched intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). While both technologies are deployed at the gateway to a network, IDS devices reside alongside the data stream and issue alarms whenever suspicious activity is detected, Davis explains. By comparison, IPSs reside in the data stream so all traffic passes through them. As a result, IPS is more aggressive because it physically blocks malicious behaviors based on user-defined criteria.

"Although IPS was in its infancy, it was the direction of the future and we decided to pursue it," says Davis. Using various sources -- including Gartner’s Magic Quadrant research, which examines the vendor landscape -- Davis’ team focused on three prospective vendors: Atlanta-based ISS (since purchased by Armonk, N.Y.-based IBM); Juniper Networks (Sunnyvale, Calif.); and TippingPoint (Austin, Texas), a division of 3Com (Marlborough, Mass).

Spyware Phones Home
Based on a 30-day in-house trial, T. Rowe ultimately chose TippingPoint for accuracy, throughput speed, high availability, ease of use and minimal maintenance overhead, according to Davis. Upon installation in November 2004, the IPS immediately began blocking external threats as expected. But it also revealed an astonishing volume of network-resident malware.

"To our surprise, over 130,000 spyware connections were phoning home to their mother ships," says Davis. "Apparently, the spyware had crept in over time as employees performed legitimate Web research to fulfill their job duties. Needless to say, our pre-IPS exposure was significant."

As T. Rowe scrubbed out the malware, it gained unexpected efficiencies. "In IT alone we reclaimed half an FTE [full-time equivalent] per week," Davis says. "It turned out that the network-resident spyware was responsible for a mysterious phenomenon that had plagued us -- certain desktops had crashed chronically, requiring IT to clean and rebuild them over and over again."

Protecting its network at the border also has improved T. Rowe’s IT systems administration, Davis adds. "Previously, we put a great deal of effort into analyzing how to deploy critical patches and upgrades in our data centers. Long meetings were required to hammer out deployment schedules based on the criticality of the server and the patch or upgrade," he explains. "With IPS we have a protection umbrella. ... So we’ve eliminated the lengthy meetings because system administrators now patch and upgrade systems using a systematic, methodical approach."

And the SOX audit? "We sailed through," Davis reports. "The audit report specifically praised our IPS implementation as making us a leader in the industry."

Vulnerability Mercenaries
To perform their magic, intrusion prevention systems typically are backed by vendors’ highly skilled research departments. Hacker activities are monitored and researchers dissect popular software to locate latent vulnerabilities.

In August 2005 TippingPoint upped the research ante -- it offered a financial compensation program, called the Zero Day Initiative (ZDI), to obtain the exclusive rights to unknown, or undisclosed, high-severity vulnerabilities. Once rights are obtained, TippingPoint notifies the affected vendor and keeps the vulnerability confidential until the vendor is ready to disclose it. In the meantime, a protection filter is released immediately to TippingPoint’s IPS customers. To date, ZDI has uncovered 125 significant vulnerabilities and has created a global network of more than 500 independent security researchers, according to the vendor.