To combat viruses and spyware, Westinghouse Electric has rolled out desktop software that watches for suspicious code activity and blocks it based on behavior.
The software proved effective in stopping the recent Zotob worm in its tracks, in advance of anti-virus vendors identifying the threat and producing signatures to detect it, says Tom Moser, Westinghouse's manager of IT services.
But he points out that while behavior-based security protection does detect threats early, the downside is it can generate a lot of false alerts that distract both end users and help-desk staff.
"It's causing [end users] to make a decision about whether their machine is being attacked," says Moser, whose staff spent the first half of this year deploying Cisco Security Agent (CSA) software for use by almost all its 7,500 employees.
Westinghouse, which began piloting the software last year with a group of 150 users for two months, found CSA was trigger-happy in its alerting when placed in monitoring mode. Other desktop applications that Westinghouse was running, including McAfee anti-virus and software debugging tools, induced CSA to wrongly tell the user in an on-screen message that the machine faced an unknown security threat.
"One thing we ran into early on was it generated 30,000 alerts per day for McAfee anti-virus," Moser says. With Cisco consultants called in to help, Westinghouse reduced that number to 50.
Helping thousands of employees adapt to the concept of behavior-based software was a challenge, requiring considerable training to help them interact with CSA.
In its alerting, CSA gives the user the chance to override any blocking of a suspected threat. But in training its employees, Westinghouse has encouraged them to always let CSA block the code activity it detects, just to be on the safe side. Users are instructed to check with the help desk if CSA seems to be blocking something legitimate.
Westinghouse isn't abandoning use of anti-virus products, but says its $50,000 behavior-based software project is paying off. When the Zotob worm appeared last month, the number of alerts - which had previously averaged 1,000 per day - jumped to more than 8,000, and Westinghouse was spared damage (CSA includes a central management console that generates alert-tracking reports, among other things).
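The two operational lessons in this story, tuning out known-noisy applications so that the alert stream is usable and then watching daily alert volume for the kind of jump that announced Zotob, can be illustrated with a small alert-tracking script. The code below is an added example, not Westinghouse's or Cisco's; the record layout, process names and rule names are constructed for the example and do not reflect real CSA console output.

```python
from collections import Counter
from statistics import mean

# Constructed sample alert records: (day, host, process, rule). The layout is
# invented for this example and is not a real host-IPS console export.
SAMPLE_ALERTS = (
    # Baseline days 1-5: one genuine alert per day buried under a flood of
    # noise from the anti-virus scanner (the kind of noise the article
    # describes, in miniature).
    [(day, f"pc{i:02d}", "av_scan.exe", "file-write-to-system-dir")
     for day in range(1, 6) for i in range(30)]
    + [(day, "pc01", "winword.exe", "unexpected-process-spawn")
       for day in range(1, 6)]
    # Day 6: a worm-like burst, many hosts tripping the same rules.
    + [(6, f"pc{i:02d}", "rundll32.exe", "network-listener-opened")
       for i in range(40)]
    + [(6, f"pc{i:02d}", "cmd.exe", "unexpected-process-spawn")
       for i in range(35)]
)

# Applications the pilot phase identified as legitimate noise sources.
# Hypothetical name; in practice this list comes from reviewing alerts
# with the vendor, as the article describes.
KNOWN_NOISY_PROCESSES = {"av_scan.exe"}


def filter_known_noise(alerts, exceptions=KNOWN_NOISY_PROCESSES):
    """Drop alerts raised by processes already reviewed and accepted."""
    return [a for a in alerts if a[2] not in exceptions]


def daily_counts(alerts):
    """Alerts per day, the figure the article tracks (1,000/day -> 8,000)."""
    return Counter(a[0] for a in alerts)


def spike_days(counts, baseline_days, factor=3.0):
    """Days outside the baseline whose count exceeds factor x baseline mean."""
    baseline = mean(counts.get(d, 0) for d in baseline_days)
    return sorted(d for d, n in counts.items()
                  if d not in baseline_days and n > factor * baseline)


def top_rules(alerts, day, n=3):
    """Most frequent (process, rule) pairs on a day, for the help desk."""
    return Counter((a[2], a[3]) for a in alerts if a[0] == day).most_common(n)


def hosts_affected(alerts, day):
    """Distinct hosts alerting on a day: the spread of a worm-like event."""
    return len({a[1] for a in alerts if a[0] == day})


if __name__ == "__main__":
    raw = daily_counts(SAMPLE_ALERTS)
    clean_alerts = filter_known_noise(SAMPLE_ALERTS)
    clean = daily_counts(clean_alerts)
    print("raw counts:", dict(raw), "spikes:", spike_days(raw, range(1, 6)))
    print("tuned counts:", dict(clean), "spikes:", spike_days(clean, range(1, 6)))
    for day in spike_days(clean, range(1, 6)):
        print(f"day {day}: {hosts_affected(clean_alerts, day)} hosts,",
              top_rules(clean_alerts, day))
```

Run against the raw stream, the scanner noise inflates the baseline so far that the day-6 burst is not flagged at all; once the accepted noise source is excluded, the same burst stands out at many times the baseline, and the per-rule and per-host summaries give the help desk something concrete to act on. That is the practical reason the tuning effort in the pilot was worth the trouble.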
"There is a period when you're totally vulnerable," Moser says, noting that anti-virus vendors take two or three hours to release a signature for a new threat. Nor is it realistic to expect vulnerable software to be patched in minutes, because patching requires careful testing and a scheduled window in which the patch can be applied.
One reason Westinghouse was willing to persevere through the sometimes difficult deployment of behavior-based software was the experience it had with the MyDoom.F worm a year and a half ago. MyDoom.F, which can delete files, is the most dangerous variant of the mass-mailer MyDoom worm.
"It was diabolical and self-propagating. It infected 100 PCs, 42 servers and deleted 9.3 million files," Moser says. The day it hit, "people were saying, 'Where's the file? It's gone. I went to lunch, and it's gone.'"