Case study: City of Miami Beach

In 2004, the city of Miami Beach decided to change the way it delivered IT services. “The goal was to align IT with overall executive management,” said Nelson Martinez Jr., the city's systems support manager.
The trouble was that Miami Beach had a centralized IT department supporting a decentralized and heterogeneous user base. With the staff and budget of a small city, Martinez had to support the entire city: its fire and police departments, libraries, public works and parking, and code enforcement. Add it all up and it totaled nearly 2,000 users with an equal number of endpoint devices, ranging from desktops in offices to laptops in police cruisers.
As Martinez saw it, the first thing he had to address was security. With so many users running so many disparate applications in so many varied locations, a small security hole could easily become a big problem.
“We had plenty of security layers in place already, but we needed more. What we wanted was a security profile that would lend itself to business continuity,” he said.
After Hurricanes Katrina and Rita, and going back earlier to the events of 9/11, business continuity has steadily crept higher on IT's to-do list. Most of the focus is on backup and remote disaster recovery, but what about those day-to-day interruptions?
Sasser, ILOVEYOU and Code Red were mini disasters for those hit by them. “Everyone's going to get hit with something,” Martinez said. “It's only a matter of time. We haven't suffered through anything major yet, but you never know what will happen tomorrow.”
As Martinez saw it, any interruption in computing services undermines the city's goals. “If you quantify the time spent recovering from malware, it's considerable. Lost productivity alone is significant. And then there's the lost resource of IT. We can't support users when we're recovering from an attack.”
Was there a way, he wondered, to plan for zero-day attacks just as you would for an unforeseen natural calamity?
As Martinez assessed the city's existing security and their options for upgrades, he concluded that traditional security vendors didn't measure up in terms of containment, mitigation, and continuity. They do a good job of identifying known threats and removing them once they are studied and understood, but the heuristics- and signature-based approach favored by large, traditional security companies fails to plan for the unknown.
The Selection Criteria: Prevent Zero-Day Attacks and Enforce Policies

“As we evaluated products, our first criterion was to find something that dealt with zero-day attacks,” Martinez said. “When something new hits, it typically takes the heuristics companies a couple of days to derive a response. If you're unlucky enough to be in the first wave of infections, the downtime and lost productivity add up quickly.
“Next, I wanted a product that recognizes that end users are the weakest link in the security chain,” Martinez added. “You can have the best security policies in the world, but if end users don't follow them or if they can get around them, you're in trouble.”
Finally, Martinez wanted a product that was, for lack of a better phrase, a realistic security solution. Despite vendor claims, we all know that nothing will stop everything. How should a security product respond to something new and dangerous?

For the city of Miami Beach, the ideal solution would have the ability to quickly identify problems, to generate immediate notifications and to quarantine infected machines if malware tries to spread.
Running through the companies the city of Miami Beach evaluated, Martinez mentioned that several, such as Sygate and Senforce, were ruled out for lack of zero-day protection. Others, including McAfee and Symantec, relied on a heuristics and signature approach to threats. Martinez doesn't dismiss this approach, but the heuristics companies couldn't offer complementary zero-day solutions to bolster their existing portfolios.
The Answer: eEye's Integrated Threat Management Solution

Martinez and the city of Miami Beach eventually turned to eEye. The eEye solution represents a new class of security product: integrated threat management. eEye detects vulnerabilities and threats, prevents intrusions, and protects all of an organization's key computing resources, from endpoints to network assets, while providing a centralized point of security management and network visibility.
eEye's research team is consistently the first to identify new threats in the wild, and its products leverage that research to deliver on the goal of making network security as easy to use and reliable as networking itself.
Deploying Zero-day Protection and Tailoring it to the City's Unique Needs

“What sold us on eEye were two things: zero-day protection and policy enforcement,” Martinez said. In terms of zero-day protection, Martinez mentioned that eEye doesn't just look at layer six or seven, the presentation and application layers. “eEye digs down to layer two where the bits and the bytes are.”
The deployment of eEye was a smooth one, although there were a couple of hitches along the way. For instance, some of the notebooks used in the field, Panasonic Toughbooks, had driver compatibility issues that the eEye team had to address.
“Any software product will have an occasional problem,” Martinez said. “What's important is how the company responds to those problems.”
According to Martinez, the eEye customer support team quickly got developers involved to come up with fixes. “We also had some challenges unique to our organization. We had to set up policies for certain types of communications, keeping ports open and allowing services to talk to each other. The professional services team helped us handle those things to tailor the eEye box to our specific needs.”
Once eEye's REM, Blink and Retina solutions were up and running, the city of Miami Beach saw its security profile improve immediately. With zero-day attacks, eEye quarantines machines when anything unusual and potentially damaging pops up.
“If you can quarantine quickly at the workstation level, which is the biggest vulnerability by far for an organization like ours, that's half the battle. Damage is mitigated,” he added. “eEye prevents the epidemic nature of how viruses spread – whether it's a clear or clandestine payload.”
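The detect, notify and quarantine loop Martinez describes above can be illustrated with a small host-level spread detector. The code below is an added example written for this article; it is not eEye's software and not the city's configuration. It assumes a constructed connection-log format (timestamp, src, dst, dport) and hypothetical thresholds (20 distinct destinations within 10 seconds) chosen only for the demonstration. A workstation that fans out to many distinct internal hosts in a few seconds, the signature of worm-style spreading rather than normal use, is quarantined on the spot, a notification is recorded, and its further connections are dropped, which is the "half the battle" of stopping the epidemic at the first infected machine.

```python
"""Detect-notify-quarantine example for worm-like fan-out (constructed, not eEye code)."""
import datetime as dt
from collections import defaultdict, deque


def parse_line(line):
    """Parse one constructed log line: '<iso-timestamp> src=<ip> dst=<ip> dport=<port>'."""
    ts_str, *kvs = line.split()
    ev = {"ts": dt.datetime.fromisoformat(ts_str)}
    for kv in kvs:
        key, value = kv.split("=", 1)
        ev[key] = value
    ev["dport"] = int(ev["dport"])
    return ev


class SpreadDetector:
    """Quarantine a source host once it reaches too many distinct destinations in a short window.

    Thresholds are hypothetical tuning values, not vendor defaults.
    """

    def __init__(self, fanout_threshold=20, window_seconds=10):
        self.threshold = fanout_threshold
        self.window = dt.timedelta(seconds=window_seconds)
        self._recent = defaultdict(deque)   # src -> deque of (timestamp, dst) inside the window
        self.quarantined = set()            # hosts whose traffic is now dropped
        self.notifications = []             # alert text generated for IT staff
        self.blocked = 0                    # connections dropped from quarantined hosts

    def observe(self, ev):
        """Return 'blocked', 'quarantined' or 'allowed' for one connection event."""
        src = ev["src"]
        if src in self.quarantined:
            self.blocked += 1               # quarantine holds: the host cannot spread further
            return "blocked"
        recent = self._recent[src]
        recent.append((ev["ts"], ev["dst"]))
        cutoff = ev["ts"] - self.window
        while recent and recent[0][0] < cutoff:
            recent.popleft()                # forget connections older than the window
        distinct = {dst for _, dst in recent}
        if len(distinct) >= self.threshold:
            self._quarantine(src, len(distinct), ev["ts"])
            return "quarantined"
        return "allowed"

    def _quarantine(self, src, fanout, ts):
        self.quarantined.add(src)
        self.notifications.append(
            f"{ts.isoformat()} QUARANTINE {src}: {fanout} distinct destinations "
            f"within {self.window.seconds}s"
        )


def build_sample_log():
    """Constructed sample: one normal workstation and one host sweeping the subnet."""
    base = dt.datetime(2006, 3, 1, 10, 0, 0)
    lines = []
    # Normal host: five different servers over a full minute.
    for i in range(5):
        t = base + dt.timedelta(seconds=12 * i)
        lines.append(f"{t.isoformat()} src=10.1.2.10 dst=10.1.5.{i + 1} dport=445")
    # Spreading host: forty distinct neighbours in four seconds.
    for i in range(40):
        t = base + dt.timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} src=10.1.2.44 dst=10.1.6.{i + 1} dport=445")
    lines.sort(key=lambda l: dt.datetime.fromisoformat(l.split()[0]))
    return lines


def run(lines):
    """Feed log lines through the detector; return the detector and per-event verdicts."""
    det = SpreadDetector()
    verdicts = [det.observe(parse_line(line)) for line in lines]
    return det, verdicts


if __name__ == "__main__":
    detector, results = run(build_sample_log())
    for note in detector.notifications:
        print(note)
    print("quarantined:", sorted(detector.quarantined), "blocked:", detector.blocked)
```

The window is sliding, so a host that talks to many servers over a normal working day is never quarantined; only a burst of distinct destinations trips it. A real deployment would wire `_quarantine` to the endpoint firewall or switch port and `notifications` to the on-call channel, and would tune the thresholds per network segment.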
Turning to policy enforcement, Martinez voiced a common IT complaint: being forced to act as a traffic cop. Users are always trying to do something they shouldn't, whether it's clicking on a potentially dangerous link in an email message, visiting a compromised website, or accessing inappropriate content.
“I didn't want to be put in the position of always policing end users,” Martinez said. “I have no problem enforcing policies, but why not find a way to force the end user to comply with IT policy whether they think they're complying or not?”
Martinez found that eEye's fine-grained configuration capabilities enabled him to do just that. “eEye lets me create a policy footprint. IT determines what users shouldn't be able to do, what websites they can't visit, what programs they can't download, and eEye enforces that.
“Even if a user has administrator rights, the policy will still be enforced. Users won't get around policy through rights – which has historically been a problem with Windows. I don't allow anyone outside of IT to have administrator rights anyway, but what I'm saying is that in organizations that don't have those controls in place, eEye will still enforce policy, regardless.”
The end result was that the city of Miami Beach addressed gaps in its security profile, eased the burden on IT and integrated security into its overall plans for business continuity.

Victor Cruz is an independent media consultant based in Providence, R.I.
