It took the ancient Greeks 10 years to penetrate the gate defending the city of Troy, located in what is now northwestern Turkey, overlooking the Dardanelles.
If you recall your Virgil, the Greek army spent three days constructing a mammoth wooden horse (the emblem of the city) in which 32 warriors hid, and then duped the gatekeepers of Troy to wheel the supposed victory trophy past the barrier and into the city. In the dead of night, the Greek elite force exited their “Trojan Horse,” opened the gates from the inside to allow their comrades to enter, and subsequently vanquished the city.
Fast forward a few thousand years and we arrive at a modern equivalent. This time, the trojan horse attempting to enter the city of Richmond, Va. is of a digital variety, but the battle is the same: How to keep the enemy from entering the premises?
But, preventing trojans and other malware from penetrating its network was not the only challenge the city faced. It also needed to trace access to systems on the government network in a Microsoft Windows environment. This included access to databases and file-shares. Log data in the source systems is maintained for only a limited amount of time and is time-consuming to review and search for specific events, according to Daniel McRae (right), the city's IT manager, DIT infrastructure services. Once an event is found, he says, it is difficult to tie back to a specific user.
And, of course, this is important because his IT department is charged with safeguarding data from inappropriate or unnecessary access. His IT team also performs investigations as requested.
So, when providing usable data to his customers in order to meet these needs proved difficult with the native logging capabilities in the source and target systems, he and his 80-member IT team ramped up their search for a solution. Specifically, the task came down to McRae along with his Windows Server support team.
They began their enquiries looking at several options from various vendors, but most were cost prohibitive and did not provide the information needed. Then they took a look at a solution from PacketSentry.
“Our hardened appliance connects into the monitor port of a networking switch, and our virtual appliance monitors VMware virtual switches,” says Jonathan Gohstand (left), VP of product management and strategy at PacketSentry, based in Sunnyvale, Calif. “Through these connections, we're able to capture, decode and analyze traffic moving through the infrastructure, and we can also enforce user and group-based policies in real-time by injecting connection resets.”
Its unique architecture allows the tool to monitor and enforce all user activity with no agents or in-line appliances, says Gohstand. “Unlike other solutions, our product addresses a wide range of issues, such as compliance, IT admin controls, insider threat and network segmentation in a manner which is operationally efficient.” Updates are pushed out via a secure support connection, he says.
And, it was an easy install, adds McRae. “PacketSentry was running and providing usable data in half a day.”
Further, Gohstand points out that there were no noteworthy challenges installing the offering on a government system when compared to corporate customers.
“Operational efficiency is the major emphasis and advantage with our product,” he says. “Not only is our solution easy to deploy (less than two hours), but it requires little maintenance and automatically syncs with Active Directory. Also, since the solution is completely out of band, there is little to no risk for deployment, as it can't impact critical systems or cause network outages and no systems need re-addressing.”
The end result is a platform which provides greater cap-ex savings and substantially reduced operational costs, Gohstand says. “Frost & Sullivan found our solution to be 70 percent less expensive per year than internal firewalls, which provide a fraction of the functionality and compensating controls of PacketSentry.”
McRae says he and his team are pleased with the deployment, citing the PacketMotion engineer who came in to help with the implementation for his help in getting the tool up and running on Richmond's systems.
“PacketSentry is very easy to manage and operate,” he adds. “Searches that could have easily taken hours in the past now take minutes. It is doing a great job of meeting expectations.”
As far as meeting compliance requirements, McRae says his team does not currently have any compliance regulations that they are audited against. However, he says they try to adhere to the best practices set by the Center for Internet Security, a nonprofit whose mission is to enhance the cybersecurity readiness and response of public and private sector entities and to encourage collaboration.
At this point, Richmond is using PacketSentry to monitor and control access to assets within its primary data center only. And, McRae says there are no plans to expand the implementation.
But, threats to the network have not slowed down. “In the past, we primarily focused on keeping threats out of the city,” says McRae. “However, more recently we are working to shore up our internal security to combat threats, such as trojans, which make it into the city and cause problems from within.”
Furthermore, he and his team are seeing an increased desire to use personal devices to connect to the city's network. “We are also using contractors for major initiatives. Ensuring security while providing people increased capabilities can be challenging.”