[ISN] Security elite form SWAT teams to attack viruses

From: mea culpa (jerichoat_private)
Date: Sat Jan 23 1999 - 15:16:25 PST

    Security elite form SWAT teams to attack viruses
    by Matthew Nelson from InfoWorld
    
    (IDG) -- As malicious network viruses increasingly resemble terrorist
    attacks, the security industry is developing its own version of SWAT teams
    that aim to swiftly defuse crises and get hostages out of a jam. 
    
    Recently, security vendor Network Associates Inc. (NAI) was faced with a
    difficult virus to eradicate when its customer MCI WorldCom contracted the
    Remote Explorer virus, which affects Windows NT machines and encrypted
    data. 
    
    To combat the virus, NAI called on its anti-virus researchers in the
    United States, Japan, and England to fix the damage. The company even
    recalled a team manager from vacation in Mexico. 
    
    "That is the job. The guy carries a beeper. The customer has a problem,
    and the customer wants it fixed now," says Peter Watkins, general manager
    of the Net Tools Secure division at Network Associates, in Santa Clara,
    Calif. "The guy we had to pull back from Mexico was the manager of the
    lab. This is the guy that has to determine the priorities. We just pull
    them in. You have to." 
    
    No longer is it enough to purchase anti-virus or intrusion-detection
    software and install it on a network. Users must now evaluate security
    vendors' capability to address a new virus or attack and quickly respond
    with a fix to the problem. 
    
    "As the networks become ever more intertwined and the code becomes more
    self-replicating and vicious, the amount of damage is growing
    exponentially," says Jim Balderston, an industry analyst at Zona Research,
    in Redwood City, Calif. "The key, now and into the future, is shrinking
    response times so the damage can be limited or minimized." 
    
    As customers evaluate possible security solutions, most SWAT teams point
    to several key points of differentiation to be aware of. 
    
      * What is the size and availability of the team?
      * What kind of turnaround time does the group usually have on
        viruses?
      * What is the ease of attaining updates for products?
      * Do they provide the services you need to keep up and running?
      * Which platforms do they support?
      * What is their virus-detection track record?
        
    "I love my job," says Vincent Gullotto, manager of Anti-Virus Emergency
    Response Team at Network Associates, in Beaverton, Ore.  "It's definitely
    what we live for. Most of these people are hard-core anti-virus people. A
    lot of them eat, sleep, and breathe these sort of things." 
    
    "I love my job a lot," says Carey Nachenberg, chief researcher on the
    Symantec Anti-virus Research Team, or SARC, at Symantec, in Santa Monica,
    Calif. "I look forward to every day. It's actually quite challenging." 
    
    Users dealing with security issues, however, expect this level of
    commitment when it comes to getting networks back online after a virus
    attack. 
    
    "Any kind of company that deals with the ongoing threat of viruses would
    have some system in place where if we came to them with a virus they would
    come to us with a fix," says a virus security administrator at a large
    software publication company in California, who wished to remain
    anonymous. "You don't hear a lot of stories about viruses, but our company
    has been passing a lot of viruses lately. Thankfully none that have been
    very malicious." 
    
    The simple fact is, however, if a major virus hits, the first thing most
    administrators will do is remove their systems from a network. 
    
    That leaves users without network access and unable to conduct business as
    usual, and a company at a standstill is a company not making money. 
    
    "Basically if you don't have to wait and your users don't have to wait,
    that's important. Turnaround time is going to be critical in this field,"
    says SARC's Nachenberg. "Every minute that an IS manager is waiting, they
    have people who are waiting to get their systems back." 
    
    SARC has an average response time of 19 hours. In an effort to cut
    response times to virus alerts, SARC is working with IBM to create and
    perfect a digital immune system that will use computers to scan, identify,
    and fix viruses without the need for human intervention. 
    
    "Rather than humans doing the analysis, we're going to have computers do
    it," Nachenberg says. "That way we won't have to come back from our
    vacations." 
    
    NAI has set the bar high for itself and is taking a slightly different
    approach, according to Watkins. 
    
    "I'd like to get that cycle time to less than six hours," Watkins says.
    "Over the next year, I'd like to have some of our electronic analysis
    tools onsite on the server. 
    
    "What I'm doing here is having more points of analysis near the customers,
    because the key here is quick containment," Watkins adds. 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:17:09 PDT