The evolution of hybrid attacks, utilising multiple vectors to breach security infrastructure, has highlighted the need for enterprises to defend themselves against constantly shifting threats. Traditional firewall and anti-virus solutions are necessary to prevent the transfer of malicious code, but are not sufficient to address the new generation of threats and targeted attacks. Security solutions that proactively protect vital information assets in near real time are needed.
MphasiS, an EDS company, a leading application, remote infrastructure, BPO and KPO service provider, had been using IDS for quite some time when it decided to take its IT security to the next level. Due to the dynamic nature of network intrusions and threats, it was imperative to deploy a combination of network and host intrusion prevention system (IPS) technologies to provide the greatest level of protection for critical data and applications.
MphasiS implemented a comprehensive information security system based on international standards. The implemented security architecture is synchronous with the processes of its client and factors in regulations that its clients must adhere to. The company embarked on a protection-in-depth strategy to block and prevent attacks before they reached the internal network, rather than passively detecting network attacks as they sped past the perimeter. This meant real-time risk management and remediation with the ability to stop, block, and clean attacks.
MphasiS worked with SecureSynergy to procure, deploy and optimise intrusion prevention technology for its internal network. Network IPS solutions are deployed to protect critical infrastructure by blocking internal and external attacks on the wire and are considered to be the first line of defence. Host IPS solutions are deployed on servers, desktops, and laptops. They are designed to protect critical systems and applications by blocking attacks at the host level and are considered to be the last line of defence.
Says Surajit Sarkhel, senior manager (information security), MphasiS, We were looking for a technology from a sound security partner that would bolster our compliance and allow us to adopt a proactive security posture.
Confidentiality and resource integrity are of paramount importance to service organisations. Stringent laws, compliance mandates, and customer needs require that data centres of companies that hold sensitive information need to be protected effectively. We found IPS to be more accurate over a wide variety of attack vectors than other network security technologies. By tying in policies to the appliance, we were able to actively enforce security policies, adds Sarkhel.
The deployment started in February 2005, and the solution has been deployed across the country, including two sites in the US. McAfees IntruShield technologies as well as SecureSynergys security platform skills have created a sound security model over the last three years at MphasiS. The IntruShield management console centralises security management, showing what attacks are coming in, what is being blocked, and where the attack is coming from.
McAfee continuously updates security policies to reflect emerging security threats, and IntruShield is continually gaining knowledge about the network that it protects. This lets the appliance adapt to changing circumstances and threats. It prevents network downtime and system failure by proactively delivering protection against todays constantly evolving threats, including spyware, zero-day, encrypted, and DOS attacks, says Sarkhel.
The deployment took place in a phased manner with the SecureSynergy team working closely with MphasiS IT team.
Understanding the customers business process: In this stage, SecureSynergy focused on understanding MphasiS information infrastructure.
This included the flow of information from one network point to another. It allowed the SecureSynergy consultant to understand what kind of information was to be protected by the IPS and what would be the impact of blocking an information flow when a policy was applied.
Moreover, it gave the consultants an idea about which policies were to be applied when the IPS was placed on the production network. The framework used for the entire process was SSRCM (SecureSynergy Risk Counter Measure Methodology).
Identifying network segments to be monitored: McAfee IntruShield comes in various models with different port densities. Based on the model, SecureSynergy along with MphasiS, identified the number of network links to be protected. During this stage, the consultant configured the IntruShield Appliance for a specific number of segments using IntruShield Manager. Then sensors were deployed in the production network and placed in fail-open mode so that downtime was minimised and network traffic became normal.
Understanding network traffic patterns: In this stage, SecureSynergy applied a policy auditing all network traffic for any intrusion or malicious. However, this exercise was purely to monitor and not to block any attacks.
Actual deployment and monitoring: Policies were configured into blocking mode once stage three was completed and the clients security policy had been understood. Thresholds were set that would trigger alert notifications and update administrators of any malicious activity. Reports were customised and signatures were configured for automatic download and installation. Backup polices were also set.
Managing appliances through a centralised console: All appliances were added and managed by IntruShield Manager. These could be in high availability or in-port clustering mode. Role-based access was created for people identified and defined by the security policy.
MphasiS benefited from the deployment, both from a technological standpoint and from a business perspective.
With the newly deployed solution, it has been able to achieve higher network availability, reduce the cost of responding to incidents, lower the cost of recovery and ensure compliance with international regulations.
Because host intrusion prevention system (HIPS) and network intrusion prevention system (NIPS) technologies are situated in different locations of a network, they offer specific and distinct benefits. However, when combined, HIPS and NIPS work together to provide complementary layers of protection. Their built-in anomaly and behavioural rules offer zero-day protection, thereby reducing the urgency of patch deployment, and providing critical protection during windows of vulnerability.
Today, the company is able to prevent system intrusion in a proactive manner. A number of known and unknown attacks can also be prevented using IPS. As opposed to IDS, IPS is not prone to false positives making it easier to manage.
In arrangement with Express Computer