Stanford Medical School's Rx: Anomaly Detection
Appliance helps minimize bot, malware infections
The new sheriff who came to bring order to the Wild West town is an apt way to describe Todd Ferris’s job: As associate CIO for IT services at Stanford University's School of Medicine, Ferris was charged with putting policies, products, and procedures in place for a network that was proud of its open, unrestricted culture.
Stanford’s School of Medicine has been gradually ratcheting up its security checks over the past five years under Ferris's direction. Early last year, the med school upgraded its Lancope StealthWatch NC G1 anomaly detection appliance for more horsepower and expanded the appliance’s reach, and as part of a university-wide initiative, also installed Juniper Network’s Netscreen Unified Threat Management system.
The results have been dramatic: Rather than an open network constantly under siege and plagued with zombie machines, the medical school now wards off only about 10 significant intrusion attempts each month.
Stanford has a main campus network that serves its undergraduates as well as the university’s core business functions, but each of its separate schools, such as business and law, has its own network and IT department. The School of Medicine, the biggest school on campus, supports about 6,000 employees, students, and faculty, who connect about 12,000 devices to the network. Since medical information is exchanged, security checks that comply with HIPAA regulations need to be in place.
When Ferris arrived in early 2003, it was all one big open IP network with no restrictions, not even firewalls -- and all of its machines were sitting open on the Internet, inviting attack. The university started to monitor its network traffic with open source tools such as Snort. “We quickly discovered that we were reacting too slowly to protect ourselves: By the time we became aware of a threat, such as viruses like Blaster, it had already infected a number of our machines,” Ferris recalls.
To bring some order to the chaos, the university went out in search of an anomaly detection product. Ferris says the school chose Lancope’s StealthWatch because it was easy to use. “We have a small IT department and could not dedicate significant resources to running the software,” Ferris says. “With StealthWatch, we could quickly export data, pull it into Excel, play with it, and figure out what was happening on our network.”
The university installed the appliance, which cost about $20,000, in August 2003 as part of the selection testing and never took it out. “We were quickly able to get [bot-infected] machines off the network that had been sitting there and scanning for months,” Ferris says.
Today, in addition to monitoring information flowing over the enterprise network, StealthWatch controls information moving among devices in the data center as well.
While the Stanford School of Medicine has made progress, Ferris recognizes that attacks evolve and change, so his team will need improved security tools to keep the network safe. Being able to manipulate more historical data from StealthWatch would be helpful, he says: The product stores only 30 days’ worth of security information.
More sophisticated monitoring is also needed, he says. “Recently, the threat from hackers has changed dramatically. They have moved away from widespread attacks to directed attacks, ones that are quite precise, accurate, and have low noise ratios.” Previously, attackers would install malware on users’ systems and then start scanning continuously. Now they do their dirty work more intermittently, so it is becoming more difficult to separate infected machines from clean ones. Ferris is working with Lancope to develop capabilities to better detect problems, such as botnets.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Juniper Networks Inc. (Nasdaq: JNPR)
About the Author
You May Also Like