Security All-Stars

Security: More All-Stars

Credit Suisse

Mapping application dependencies.

Credit Suisse's 14 global points of presence are the hub of its mission-critical activities, handling all of the firm's file transfer, e-mail, Web browsing and e-commerce functions. In October 2004, Colin Constable, director of network engineering at the New York bank, brought in start-up Skybox Security's Skybox Secure application to take daily snapshots of the POPs' security status and the numerous servers and applications within those infrastructures.

Skybox Secure identifies every network device and its application dependencies across the POPs, providing an accurate risk profile and letting the security team see and mitigate threats quickly and efficiently. Because Skybox Secure is automated, the bank was able to turn a semiannual, relatively ineffective and resource-intensive chore into a repeatable, scalable and timely process that delivers quality output to provide a daily risk-based view of the infrastructure and its many assets.

Having spent $700,000 to deploy Skybox Secure, Credit Suisse realized a full ROI in a little more than a year, with three-year ROI totaling $2.1 million.

Harvard Business School

An educational lockdown.

In July 2003, the Harvard Business School was walking a fine line between security and the need to provide an open, collaborative educational network environment. To cut vulnerabilities, it used Packeteer's PacketShaper to analyze the applications being used at Layer 7 and map the appropriate services to its firewall ports.

It then closed every unused port. Overnight, the school went from supporting a wide-open network environment to one that is 99.9% locked down at the border - and no one noticed, says John Arsneault, director of network operations at the Boston school.

That and use of McAfee's ePolicy Orchestrator let the school eradicate denial-of-service attacks, virus infections and systems vulnerabilities, while reducing virtually all illegal peer-to-peer traffic on the ISP connection. In three years, the school has freed up staff and stabilized ISP costs, resulting in savings of $220,000 a year.

"One unexpected bonus was our obtaining a better understanding of . . . the applications [and tools] different departments . . . depend on. This knowledge helps our relationships . . . and allows us to better serve users in times of need."

- John Arsneault, director of network operations, Harvard Business School

New York-Presbyterian Hospital

Diagnosing true network threats.

While New York-Presbyterian Hospital deployed strong perimeter security to protect its network from outside attacks, it still had a large number of attacks occurring from inside the network. These threatened not only the network's integrity but the New York hospital's confidential digital assets and patient information - a scenario that threatened its Health Insurance Portability and Accountability Act compliance initiatives.

In November 2005, the hospital deployed CounterStorm's CounterStorm-1 intrusion-prevention system appliances throughout its three-campus network to identify true threats immediately and quarantine offending net devices in real time. The result was not only a stronger network but a more efficient network staff, as the devices significantly reduced the hours needed to deal with attacks, viruses and unauthorized access to the network.

Pruning inside security threats.

Faced with dramatic growth and multiple acquisitions, including such big-name brands as The WineTasting Network, The Popcorn Factory and Plow & Hearth, needed an active way to secure not only its known network, but also its newly acquired, and sometimes unknown, network assets.

Instead of relying on the traditional firewalls and intrusion-detection systems, CIO Enzo Micali in early 2006 implemented Securify monitoring appliances on the internal networks. Securify provides real-time visibility into network Layers 3 to 4 and 7, and enforces policy-driven controls on network behavior.

By enabling, in Carle Place, N.Y., to understand what each user group was doing in real time on the network, Securify paid for itself in the first year and helped the company prevent insider misuse and targeted attacks, letting it protect its assets and its reputation among its customers.

"We wanted to know who had access to what on the network and what exactly were they doing."

- Enzo Micali, CIO,

Appalachian State University

A studied approach to mitigating risk.

Like many universities, this Boone, N.C., school faced security challenges inherent in providing an open network while mitigating security risks.

A $3.5 million network upgrade to implement policy-driven switching, using Enterasys Networks' Distributed Forwarding Engine Switching architecture, NetSight Console and Policy Manager software, has let the school quickly pinpoint and alleviate malicious network attacks.

Using this policy-driven approach, the new network let the school this year register its more than 6,000 students in three days, without the usual hassles of worms and viruses. Plus, the project has saved countless hours troubleshooting and stabilizing the network, says David Hayler, network specialist with the university.

"If we see a problem with malicious traffic, we just write a policy and push it to the edge, and even if it is just an individual or two, we can quarantine them with just a few clicks of a mouse," he says.

Ochsner Health System

Faced with securing and auditing its distributed databases across its varied locations, New Orleans-based Ochsner Health System needed a technology that was not only bulletproof but automated, says Mark Maher, information security administrator for the hospital. The healthcare group became one of the earliest adopters of Application Security's AppDetective vulnerability assessment scanner, investing $10,000 in the software and reaping immediate benefits.

It not only provided unprecedented capabilities in performing penetration testing and identifying weak passwords in Ochsner's databases, but also discovered and secured databases that the group didn't know existed. Database audits that previously took weeks were whittled down to an hour, without compromising network or database availability or performance. The hospital gained the added benefit of increased protection of sensitive patient information, ensuring compliance with Health Insurance Portability and Accountability Act regulations and saving at least $17,000 in audit costs.

“Our Oracle databases obviously contain important information of a private nature. . . . We needed a tool to actively assess our Oracle environment and secure it where necessary.”

— Mark Maher, information security administrator, Ochsner Health System

Prudential Financial

Investing in data-loss prevention

This Newark, N.J., financial services firm needed a way to make sure its employees, who often handle such sensitive information as customer names, Social Security numbers and addresses, were operating within the firm's strict security policies.

In January 2005, Prudential deployed Vontu's Discover, Monitor and Protect data-loss prevention tools across its 14 business units. Vontu lets the firm gain immediate visibility into the types of information traversing and leaving the corporate network, letting IT pinpoint and stop data loss events, says Pete Kuzmiskas, senior systems specialist at Prudential.

Before Vontu, incident identification and remediation relied solely on employees' active participation in policy adherence. With the Vontu automated monitoring tools in place, users and management can identify oversights in handling data, even when users do not realize they are acting outside company procedure. As a result, Prudential has cut the number of data-loss incidents by 90%, saving millions of dollars in remediation, litigation and corporate reputation.

Southwest Washington Medical Center (SWMC)

Single Sign-On - a medical center's orders

This Vancouver, Wash., medical center's highly mobile acute-care staff increasingly needed access to a variety of secure applications from shared workstations. Strict adherence to the Health Insurance Portability and Accountability Act (HIPAA) and other compliance regulations, however, stipulated long, complicated passwords each time a user logged on to a new workstation, resulting in harried staff and impacted patient care.

Last January, Chris Paidhrin, SWMC's CSO, invested $100,000 to deploy Imprivata's OneSign ESSO appliance to alleviate the problem. OneSign ESSO creates a consistent user interface, as well as secure policy management and a single authentication store for HIPAA and other user ID and access control needs.

As part of the plan, SWMC added biometric readers on machines in the emergency department, letting staffers use their fingerprints to authenticate to the network and access applications and information. Paidhrin says in one year the project will have paid for itself. Not only has the single sign-on initiative saved time, but it has increased staffer satisfaction and the overall quality of patient care, he says.

"The staff loves single sign-on — and now wants it on all of their other (noncore) applications."

- Chris Paidhrin, CSO, Southwest Washington Medical Center

The University at Buffalo Health Sciences

An agent-based prescription for network health

This Buffalo, N.Y., university was in a unique position: It had to ensure security and Health Insurance Portability and Accountability Act compliance for its users and data scattered across 50 independent clinical sites and five hospital systems - without interfering with the overall networks, which were run by the clinics and hospitals, not the school.

Last January, it implemented Elemental Security's agent-based Elemental Security Platform (ESP) 2.0 across its user base and quickly reaped benefits, says Brian Murphy, director of health science IT at the school. ESP lets the school inventory its assets and control their behavior based on predefined security policies.

Plus, the tool's dynamic grouping lets IT automate a systemwide network quarantine to remove threats and, in some cases, remedy problems on the desktop. With an initial investment of $250,000 in the tool, the school expects to reap a $20,000 ROI in the first year, Murphy says.
