www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
15 October 2007  

Peer-to-Peer

Proactively secure

Changing threat patterns and an urge to secure the organization led MphasiS to deploy McAfee’s IntruShield IPS solution. By Varun Aggarwal

Next generation blended threats have already surpassed the capabilities of Intrusion Detection Systems (IDS). Merely monitoring the network will not help you secure your organization. More proactive measures are required to tackle the daunting security threats, which are becoming more advanced by the day.

The evolution of hybrid attacks that use multiple vectors to breach security infrastructure has highlighted the need for enterprises to defend themselves against constantly shifting threats. Traditional firewall and anti-virus solutions are necessary to prevent the transfer of malicious code, but they are not sufficient to address the new generation of threats and targeted attacks. What is needed are security solutions that proactively protect vital information assets in near real time.

MphasiS, an EDS company and a leading application, remote infrastructure, BPO and KPO service provider, had been using IDS for quite some time when it decided to take its IT security to the next level. Because of the dynamic nature of network intrusions and threats, it was imperative to deploy a combination of network and host IPS technologies to provide the greatest level of protection for critical data and applications.

The company implemented a comprehensive information security system based on international standards. The implemented security architecture is aligned with the processes of its clients and factors in the regulations that its clients must adhere to.


MphasiS embarked on a Protection-in-Depth Strategy to block and prevent attacks before they reached the internal network, rather than passively detecting network attacks as they sped past the perimeter. This meant real-time risk management and remediation with the ability to stop, block, and clean attacks. MphasiS worked with SecureSynergy to procure, deploy and optimize intrusion prevention technology for its internal network.

Network IPS solutions are deployed inline at the network perimeter, core, or remote office. They are designed to protect critical infrastructure by blocking internal and external attacks on the wire and are considered to be the first line of defense. Host IPS solutions are deployed on servers, desktops, and laptops. They are designed to protect critical systems and applications by blocking attacks at the host level and are considered to be the last line of defense.

“We were looking for a technology from a sound security partner that would bolster our compliance and allow us to adopt a proactive security posture,” said Surajit Sarkhel, Senior Manager–Information Security, MphasiS.

From IDS to IPS

Confidentiality and resource integrity are of paramount importance to service organizations. Stringent laws, compliance mandates, and customer needs require that the data centers of companies holding sensitive information be protected effectively.

“We found IPS to be more accurate over a wide variety of attack vectors than other network security technologies. By tying in policies to the appliance, we were able to actively enforce security policies,” adds Sarkhel.

The deployment started in February 2005, and the solution has been deployed across the country, including two sites in the US. McAfee’s IntruShield technologies as well as SecureSynergy’s security platform skills have created a sound security model over the last three years at MphasiS. The IntruShield management console centralizes security management, showing what attacks are coming in, what is being blocked, and where the attack is coming from. IntruShield’s flexible security policy features helped SecureSynergy customize the appliance to fit specific needs of MphasiS.

McAfee continuously updates security policies to reflect emerging security threats, and IntruShield is continually gaining knowledge about the network that it protects. This lets the appliance adapt to changing circumstances and threats.

“The combination of NIPS and HIPS delivers the scalability, flexibility, and depth required by complex, mission-critical corporate infrastructures. It prevents network downtime and system failure by proactively delivering protection against today’s constantly evolving threats, including spyware, zero-day, encrypted, and DoS attacks,” said Sarkhel.

Types of Intrusion Prevention Systems
HIPS (Host IPS) is an agent that resides on individual systems such as servers, workstations, and notebooks. This kind of IPS inspects traffic flowing into or out of a particular system, and monitors the behavior of applications and the operating system on that system for signs of an attack.

When an attack is detected, the HIPS agent blocks it and prevents the attempt to compromise the system. Acting as a network’s last line of defense, HIPS technology protects systems from attacks that have bypassed all other security tools—including firewalls, anti-virus, desktop firewalls, and NIPS.

NIPS (Network IPS) is deployed in-line with the protected network segment. All data that flow between the protected segment and the rest of the network must pass through the NIPS device. As the traffic passes through the device, it is inspected for the presence of an attack. If one is detected, it is blocked in real time, providing proactive protection against zero-day, encrypted and DoS attacks.

By working at the network level, NIPS provides a broader view of the threat environment, and allows security managers to protect operating systems and network devices not protected by HIPS agents.

Stages of deployment

The deployment took place in a phased manner with the SecureSynergy team working closely with MphasiS’ IT team.

  • Understanding the customer’s business process: In this stage SecureSynergy focused on understanding MphasiS’ information infrastructure. This included the flow of information from one network point to another. It allowed the SecureSynergy consultant to understand what kind of information was to be protected by the IPS and what the impact of blocking an information flow when a policy was applied would be. Moreover, it gave the consultants an idea about which policies were to be applied when the IPS was placed on the production network. The framework used for the entire process was SSRCM (SecureSynergy Risk Counter Measure Methodology).
  • Identifying the number of network segments to be monitored: McAfee IntruShield comes in various models with different port densities. Based on the model, SecureSynergy, along with MphasiS, identified the number of network links to be protected. During this stage, the consultant configured the IntruShield appliance for a specific number of segments using IntruShield Manager. Sensors were then deployed in the production network and placed in fail-open mode so that downtime was minimized and normal network traffic continued to flow.
  • Observation on learning mode for understanding network traffic patterns: In this stage, SecureSynergy applied a policy auditing all network traffic for any intrusion or malicious activity or DoS attack. However, this exercise was purely to monitor and not to block any attacks.
  • Actual deployment and monitoring, along with the setting of policies: Policies were switched to blocking mode once stage three was completed and the client’s security policy had been understood. Thresholds were set that would trigger alert notifications and inform administrators of any malicious activity. Reports were customized and signatures were configured for automatic download and installation. Backup policies were also set.
  • Managing all appliances through a centralized console: All appliances were added and managed by IntruShield Manager. These could be in high availability or in-port clustering mode. Role-based access was created for people identified and defined by the security policy. This included points mentioned in stage four.
  • Periodic review audits (an ongoing process): In this stage, policies were fine-tuned, the physical health of the appliance checked and backup policies fine-tuned. Any updates or upgrades that were required were applied. Monitoring is an ongoing activity done by MphasiS’ IT team.
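The HIPS/NIPS description above and the phased rollout (fail-open sensors, an audit-only learning stage, then blocking mode with alert thresholds) can be modelled in a few dozen lines. The following is an added illustration, not code from MphasiS, SecureSynergy or McAfee IntruShield: the `InlineIPS` class, rule names, signatures and traffic are all constructed for this example. It shows the three properties a defender cares about in an inline device: audit mode never drops traffic, block mode drops only what a rule matches, and an inspection-engine failure falls back to forwarding when fail-open is configured.

```python
"""Constructed example: a minimal inline IPS policy engine modelling the
audit-then-block rollout and fail-open behaviour described in the article.
Rule names, signatures and traffic below are made up for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    name: str
    matcher: Callable[[Packet], bool]  # True when the packet matches the rule


def substring_rule(name: str, needle: bytes, dport: Optional[int] = None) -> Rule:
    """Signature-style rule: payload contains `needle`, optionally on one port."""
    def match(pkt: Packet) -> bool:
        return (dport is None or pkt.dport == dport) and needle in pkt.payload
    return Rule(name, match)


class InlineIPS:
    """Sits on the wire: every packet receives a verdict, 'forward' or 'drop'."""

    def __init__(self, rules, mode: str = "audit", alert_threshold: int = 3,
                 fail_open: bool = True):
        self.rules = list(rules)
        self.mode = None
        self.set_mode(mode)
        self.alert_threshold = alert_threshold  # hits per source before alerting
        self.fail_open = fail_open              # forward if inspection itself fails
        self.hits = defaultdict(int)            # per-source match counter
        self.events: List[Tuple] = []           # audit/block log entries
        self.alerts: List[Tuple] = []           # threshold notifications

    def set_mode(self, mode: str) -> None:
        if mode not in ("audit", "block"):
            raise ValueError("mode must be 'audit' or 'block'")
        self.mode = mode

    def inspect(self, pkt: Packet) -> Optional[Rule]:
        for rule in self.rules:
            if rule.matcher(pkt):
                return rule
        return None

    def process(self, pkt: Packet) -> str:
        try:
            rule = self.inspect(pkt)
        except Exception as exc:  # engine fault: fail-open keeps the segment up
            self.events.append(("engine-error", repr(exc), pkt.src))
            return "forward" if self.fail_open else "drop"
        if rule is None:
            return "forward"
        self.hits[pkt.src] += 1
        self.events.append((self.mode, rule.name, pkt.src))
        if self.hits[pkt.src] == self.alert_threshold:
            self.alerts.append((pkt.src, rule.name, self.hits[pkt.src]))
        return "drop" if self.mode == "block" else "forward"


# Hypothetical signatures (constructed, not IntruShield policy content).
RULES = [
    substring_rule("http-traversal", b"../..", dport=80),
    substring_rule("smb-probe", b"\xffSMB", dport=445),
]


def broken_rule(_pkt: Packet) -> bool:
    raise RuntimeError("signature decoder crashed")


# Constructed traffic sample: one clean request, three traversal attempts
# from the same source, one SMB probe from another.
TRAFFIC = [
    Packet("10.0.0.5", "10.0.1.10", 80, b"GET /index.html"),
    Packet("10.0.0.5", "10.0.1.10", 80, b"GET /../../etc/passwd"),
    Packet("10.0.0.5", "10.0.1.10", 80, b"GET /../../boot.ini"),
    Packet("10.0.0.7", "10.0.1.20", 445, b"\x00\x00\x00\x85\xffSMBr"),
    Packet("10.0.0.5", "10.0.1.10", 80, b"GET /../../win.ini"),
]


def run_rollout():
    """Stage 3 (audit) then stage 4 (block) over the same constructed traffic."""
    ips = InlineIPS(RULES, mode="audit", alert_threshold=3)
    audit = [ips.process(p) for p in TRAFFIC]
    alerts_after_audit = list(ips.alerts)
    ips.set_mode("block")
    ips.hits.clear()  # fresh counters for the blocking run
    block = [ips.process(p) for p in TRAFFIC]
    return audit, block, alerts_after_audit, list(ips.alerts)


def fail_open_verdict(fail_open: bool) -> str:
    """Verdict on a clean packet when the only rule's matcher raises."""
    ips = InlineIPS([Rule("broken", broken_rule)], mode="block", fail_open=fail_open)
    return ips.process(TRAFFIC[0])


if __name__ == "__main__":
    audit, block, early_alerts, all_alerts = run_rollout()
    print("audit verdicts:", audit)
    print("block verdicts:", block)
    print("alerts raised in audit mode:", early_alerts)
    print("fail-open verdict on engine fault:", fail_open_verdict(True))
```

Running the audit pass first is what lets the threshold alert fire (the third traversal hit from 10.0.0.5) without any packet being dropped, which is exactly the information an operator needs before switching the same policy to block mode.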

Benefits achieved

MphasiS benefited from the deployment, both from a technological standpoint and from a business perspective. With the newly deployed solution, the company has been able to achieve higher network availability, reduce the cost of responding to incidents, lower the cost of recovery and ensure compliance with international regulations.

Because HIPS and NIPS technologies are situated in different locations of a network, they offer specific and distinct benefits. However, when combined, HIPS and NIPS work together to provide complementary layers of protection. Their built-in anomaly and behavioral rules offer zero-day protection, thereby reducing the urgency of patch deployment, and providing critical protection during windows of vulnerability.

Today the company is able to prevent system intrusion in a proactive manner.

A number of known and unknown attacks can also be prevented using IPS. As opposed to IDS, IPS is not prone to false positives, making it easier to manage.

varun.aggarwal@expressindia.com

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.