Cover Story
Worms, Slowdowns and Viruses, Oh My!
Josh Erosky, director of network services for real estate investment trust UDR, faced network security issues head on.

When leading multifamily real estate investment trust (REIT) UDR relaunched under its new name in early 2007, its marketing strategy included an interactive Web site. With the arrival of the New Year, however, came a worm that was reported to UDR in error: the software in place detected it as a known worm that could be resolved, but, in reality, it was unknown, with no available fix. As a result, the worm had a New Year's Eve party of its own and propagated itself throughout the company's network, infecting every machine.
Instead of champagne toasts at the stroke of midnight, the UDR network team of seven administrators frantically tried to put an end to this worm that so quickly took down the network, which supports approximately 2,500 employees. At the time, the team spoke to its antivirus provider and was informed that an updated virus definition file would take 36 hours to arrive to remedy the situation.
"It was a nightmare," says Josh Erosky, director of network services for UDR. "Our antivirus server blew up and this unknown worm proceeded to propagate itself, filling up all of our routers with sessions. Our routers can handle 150,000 sessions at one time and it was blowing them out of the water. This attack opened up everyone's eyes and made us realize that we needed additional help."
With a performance history of successfully managing, buying, selling, developing and redeveloping real estate properties in targeted U.S. markets, UDR owned 65,867 apartment homes at the end of 2007, had 6,386 homes under development and another 738 homes under contract for development in its pre-sale program. UDR is the fourth-largest apartment REIT in the nation, with rental income reaching nearly $500 million last year.
With the New Year's attack behind them, Erosky and his team set out to assess the situation to determine what went wrong and what changes were required to avoid any future attacks. Although they had assumed they had all the right technologies in place (firewall, antivirus and an intrusion-detection system), this attack demonstrated they needed additional alerts and, especially, centralized reporting in their network security capabilities. Thus began the search for a data collector that could pull together all the data and present it within one central console.
"For our size, the only way we can survive is to use technology to our full advantage," Erosky says. "We don't have two separate teams to manage both network and security; we have one team that does it all."
THREE-PHASE PROCESS
The evaluation process consisted of three major phases: initial solution due diligence, selection of a short list of vendor solution options and a final side-by-side evaluation of selected solutions.
During the initial due diligence, the UDR team looked at many vendors offering centralized event- and log-management solutions, closely analyzing options to select vendors that would provide the best fit for UDR. At first, narrowing the field of vendor options was difficult because of complex "marketing hype," says Erosky, and because the technology terms and acronyms presented in marketing materials often lacked consistency from one vendor to the next. Complicating things further was vendors' use of terminology that is not in wide use.
Upon further inspection, UDR identified several event- and log-management features that were central to its selection process. Erosky wanted a solution that would deliver log management, security information management (SIM), security event management (SEM) and security information and event management (SIEM).
He also sought a method to collect and retain network and security events and logs from devices deployed on the UDR network. A few key considerations in this area were the breadth of supported devices, the flexibility to collect from non-supported devices, the ability to retain and present both normalized and raw event formats, and the efficiency of event and log retention for an extended period.
UDR learned through its research that some of its network switches and routers provide a source of flow data, which is valuable for assessing network and application use. During the process, UDR determined that some vendors do not have the ability to collect this information, while others have the ability to collect flow data but provide limited features for processing it. Only one vendor that was reviewed, Q1 Labs, processed this information to detect complex threats and policy violations.
Throughout the evaluation, Erosky learned there are varying degrees of event normalization and categorization across vendors. "An important consideration is how well a vendor shields the user from the complexity of events to simplify the user's experience across the entire solution," he explains.
Initially, behavior analysis was not a consideration in UDR's evaluation criteria; however, Erosky determined that integration between log management and behavior analysis would play an important role in the ability to manage the company's security position.
Erosky also found that some solutions missed the mark in their event search abilities, because they only presented filtered events in a tabular form, without any useful aggregation. In addition, some solutions were only capable of searching real-time or historical events, but not both. For him, a key consideration in event search is the ability to compile results in such a way that is useful for delivering actionable information about security incidents.
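As an added example (not code from the article, UDR or Q1 Labs), the script below ties together the collection criteria above (normalized and raw formats retained side by side, flow data from routers) and the event-search criterion (aggregation rather than a filtered table): it normalizes two constructed record formats into one schema, keeps the raw text, and rolls the result up per source host so a bandwidth hog or a host probing the network stands out. The log formats, hostnames and addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not from UDR or Q1 Labs): two firewall syslog
# lines and three flow records in a made-up "flow src= dst= bytes=" form.
RAW_RECORDS = [
    "Jan  1 00:02:11 fw01 kernel: DROP IN=eth0 SRC=10.1.4.77 DST=10.1.1.5 PROTO=TCP DPT=445",
    "Jan  1 00:02:12 fw01 kernel: DROP IN=eth0 SRC=10.1.4.77 DST=10.1.1.6 PROTO=TCP DPT=445",
    "flow src=10.1.4.77 dst=10.1.9.9 bytes=58000000",
    "flow src=10.1.2.20 dst=10.1.9.9 bytes=120000",
    "flow src=10.1.3.30 dst=10.1.9.9 bytes=80000",
]

FW_RE = re.compile(r"(?P<action>DROP|ACCEPT) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                   r"PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)")
FLOW_RE = re.compile(r"flow src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)")

def normalize(raw):
    """Map one raw record onto a common schema; the raw text is kept alongside
    so an analyst can always drop back to the original event."""
    m = FW_RE.search(raw)
    if m:
        return {"category": "firewall." + m["action"].lower(), "src": m["src"],
                "dst": m["dst"], "bytes": 0, "raw": raw}
    m = FLOW_RE.match(raw)
    if m:
        return {"category": "flow", "src": m["src"], "dst": m["dst"],
                "bytes": int(m["bytes"]), "raw": raw}
    # Unsupported device or format: retain it raw rather than dropping it.
    return {"category": "unknown", "src": None, "dst": None, "bytes": 0, "raw": raw}

def aggregate_by_source(events):
    """Collapse normalized events into per-source event counts, bytes and drops."""
    summary = defaultdict(lambda: {"events": 0, "bytes": 0, "drops": 0})
    for e in events:
        if e["src"] is None:
            continue
        s = summary[e["src"]]
        s["events"] += 1
        s["bytes"] += e["bytes"]
        if e["category"] == "firewall.drop":
            s["drops"] += 1
    return dict(summary)

def top_talker(summary):
    """Source host responsible for the most bytes, i.e. the one to look at first."""
    return max(summary, key=lambda host: summary[host]["bytes"])
```

Calling `top_talker(aggregate_by_source(normalize(r) for r in RAW_RECORDS))` names the single host that both sent the bulk of the traffic and triggered the firewall drops, which is the kind of actionable answer the tabular-only products could not give.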
FINDING INSIDER THREATS
After a two-month evaluation process and feature comparison, UDR chose to purchase QRadar from Q1 Labs. A key function of QRadar is its ability to identify and locate the source of any insider threat, infection and bot, and immediately remedy the situation. What once would take UDR's team hours to track down and resolve (if they knew about it at all), Erosky says, now takes minutes, or even seconds.
The solution also delivers security management features that meet the requirements defined during the initial due diligence. These include collection and retention of events and logs across the entire UDR network, the ability to integrate network flow data and behavior analysis with log management, correlation and analysis of network and security information, and reporting capabilities that require little to no advanced expertise.
"The Q1 Labs support team came in and let us test the product to see just what it could do for us," explains Erosky. "We realized it offered much more than what just a data-collection product would have offered.
"We almost chose another vendor since they were going to give us a great deal, but once we saw QRadar in action and got a taste for what it could do and realized its potential, we had to go with Q1 Labs. QRadar's drill-down features were unbelievable, especially for the price. We were able to get 10 times more features than what the other vendor was offering."
In just a matter of hours, UDR had QRadar operational, and, according to Erosky, "It did everything they promised and then some."
Erosky says he is confident UDR now is prepared for any potential security incident that comes its way. In fact, QRadar has already managed to save Erosky's team many hours trying to locate network problems that would have gone either undetected or misdiagnosed with its previous architecture.
When the UDR team experienced a problem with bandwidth, and knowing that many people in the company listen to Internet radio during work hours, it decided streaming media was the cause. They shut down everything: AOL Radio, YouTube and anything else that could drain bandwidth.
UDR lacked the ability to positively identify the root of the bandwidth crunch, but at the suggestion of Q1 Labs, Erosky brought in a QFlow Collector, which could provide visibility into the different applications running across their pipes. With QFlow installed, Erosky found that the problem was not with the shut-down applications, but was actually a configuration issue with one of its routers.
Another thwarted incident occurred when a UDR security engineer noticed huge spikes in network activity while watching real-time traffic profiles. With QRadar, he immediately identified the source of the spikes: one machine that was draining bandwidth. The machine's user was unaware of any issues with the computer. A simple shutdown and restart of the offending computer resolved the problem.
While Erosky says attaching a dollar figure that accurately reflects the cost savings realized by UDR from using QRadar is difficult, he does say that the political benefits of being able to quickly identify the location of security and network problems are important and that time savings alone are significant.
"When my CEO or CIO approaches me and asks about network issues, I can quickly describe the problem and provide accurate traffic updates," he offers. "I look smart, my team looks smart, and everyone benefits. Our investment was actually a bargain when compared to all other solutions evaluated. Moreover, we have only just scratched the surface of what it can do. I am confident that it will easily pay for itself in a year's time."
About Q1 Labs
Shaun McConnon is the CEO of Q1 Labs, a network security management company based in Waltham, Mass. The company has more than 90 employees located in the United States and Canada, and was founded in New Brunswick, Canada, in 2001. Q1 Labs' installed base of customers encompasses a wide range of vertical industries, including global enterprises, the U.S. federal, state and local government agencies, academic and financial institutions, energy firms, service providers and healthcare providers.
McConnon previously was CEO of Okena, a next-generation network security company, and CEO of Raptor Systems, a firewall security company. Prior to joining Raptor, McConnon held various executive positions with Sun Microsystems, most recently as managing director of Australian and New Zealand operations. He holds a bachelor of science degree in biology from Roanoke College.