SPECIAL EDITION
Proventia™: Security's Silver Bullet? (February 2003)
Protection for the Multinational Enterprise
Also: Seamless Assurance; Security Inside the xDSL Cloud
August 2003
Industrial Strength Security: Protection Strategies for Specialized Markets
Feature: Security and Privacy in Healthcare
Emergency Response Services: Real-world Incident Response Experience
Contents, August 2003

Features
Page 12: Industrial Strength Security: Protection Strategies for Specialized Markets. Internet Security Systems delivers industry-leading security solutions that provide best security practices for specialized markets.
Page 18: Security and Privacy in Healthcare. HIPAA security directives enforce the importance of best security practices for healthcare organizations to protect the confidentiality, integrity, and availability of patient information.
Page 24: The Proventia™ A Series Threat Protection Appliance. The Proventia™ A Series combines protection and prevention technologies to deliver revolutionary, cost-effective security to customers.

Departments
2 Forward Thinking
3 Off and Running
6 Q&A
8 Case In Point
10 Behind the Scenes
28 How-To
30 Calendar
32 Point of View

Cover: Internet Security Systems provides industrial strength security for specialized markets.
Global Headquarters: 6303 Barfield Road, Atlanta, GA 30328, (404) 236-2600, www.iss.net, email: connect_magazine@iss.net
Regional Headquarters: Australasia, Level 6, 15 Astor Terrace, Spring Hill, Queensland 4000, Australia, +61 (0) 7 3838 1555; Asia Pacific, JR Tokyu Meguro Bldg. 15F/16F/17F, 3-1-1 Kami-Osaki, Shinagawa-ku, Tokyo 141-0021, Japan, +81 (3) 5740-4050; Europe, Middle East and Africa, Ringlaan 39 bus 5, 1853 Strombeek-Bever, Belgium, +32 (2) 479 67 97; Latin America, 6303 Barfield Rd., Atlanta, GA, USA, 30328
Internet Security Systems is the premier provider of online information protection solutions for business.
President and Chief Executive Officer: Thomas E. Noonan. Vice President of Marketing: Tim McCormick. Editor-in-Chief: Joel Deitch. Managing Editor: Leslie Kittredge. Design and Production: The Leader Publishing Group, Inc., 3379 Peachtree Road, Suite 300, Atlanta, GA 30326, (404) 888-0555
© 2003 Internet Security Systems, Inc. All rights reserved worldwide. Reproduction in whole or in part of any text, photograph or illustration without written permission of the publisher is prohibited. Internet Security Systems and The Leader Publishing Group are not responsible for any errors or omissions. Copyright © 2003, Internet Security Systems, Inc. All rights reserved worldwide. Internet Security Systems, the Internet Security Systems logo, Proventia, System Scanner, Wireless Scanner, SiteProtector, AlertCon, X-Force and X-Press Update are trademarks, and Secure Steps, RealSecure, Internet Scanner, Database Scanner and Online Scanner registered trademarks and service marks, of Internet Security Systems, Inc. Network ICE is a trademark, and BlackICE a licensed trademark, of Network ICE Corporation, a wholly owned subsidiary of Internet Security Systems, Inc. Other marks and trade names mentioned are the property of their owners, as indicated. All marks are the property of their respective owners and used in an editorial context without intent of infringement. Specifications and content are subject to change without notice.
Forward Thinking

One Size Does NOT Fit All

Online protection is no longer a straightforward IT challenge. The underlying hardware and software may be the same, but a protection solution that works for a healthcare provider doesn’t necessarily work for a public utility or an automotive manufacturer. This business reality certainly sounds obvious — which makes it all the more surprising when one realizes many organizations overlook this simple fact. Over the past six months, I have jointly led a series of eight CIO Roundtables in cities around the country, including Los Angeles, San Francisco, Chicago, Washington, D.C., Columbus, Ohio and Atlanta. These roundtables offered participants an opportunity to voice concerns, frustrations, challenges and successes in dealing with the day-to-day responsibilities of running large enterprise IT organizations. Some of the feedback has been surprising. For example, while most CEOs typically want to avoid additional regulation of their business or industry, many CIOs and CISOs have indicated that more regulation is a sure way to increase awareness of a problem that, to date, has received less attention from senior management than it deserves. The roundtable participants have also consistently expressed frustration within the areas of measurement and security patch management. Participants lack a standard set of metrics through which they can provide evidence of a change in an organization’s security posture. Many organizations are months behind in patching for even the most serious and common vulnerabilities. While in many cases this is due to lack of adequate staff and resources, many participants chafe at this responsibility, as it prevents them from deploying resources towards new business or strategic initiatives. In fact, most believe that they will never have the staff or resources to effectively maintain patch parity and are calling for new methods to manage ever-present and ever-changing vulnerabilities.

At Internet Security Systems, we are committed to developing solutions that help our customers overcome these challenges. In fact, in this issue, we explore Proventia™ threat protection appliances, the X-Force™ Catastrophic Risk Index (CRI) and industry best security practices for specialized markets. In the next series of CIO Roundtables, we will re-engage with these IT security leaders to better understand ways in which companies are dealing with these problems. Internet Security Systems will also suggest approaches to these problems that will be culled from the enormous security and industry expertise that ISS uniquely possesses. We bring solutions that will be thought-provoking, cutting-edge and actionable, and will look to join our customers in solving these key problems. As always, I will continue to provide input to the President’s Critical Infrastructure Protection Board based on our customers’ feedback, and will personally remain passionately engaged in this endeavor.
Tom Noonan, President and CEO
Off and Running

Proactive Risk Management via the X-Force™ Catastrophic Risk Index

Online business operations require that networks, hosts and applications be protected against attack and misuse. However, recognition of this basic business necessity is not the same as understanding how best to allocate limited protection resources. In risk management terms, organizations need an easily-understood, easily-deployed guide that helps them defend against the most severe threats that represent the greatest risk to confidentiality, integrity and availability of critical business systems. Internet Security Systems’ X-Force™ Catastrophic Risk Index (CRI) delivers guidance for network and security administrators concerned about the most significant threats to networks, hosts and applications. Based on market-leading X-Force™ security research and product development, the CRI provides immediate information for prioritizing protection tasks and securing online business operations.

Internet Security Systems’ (ISS) unified Dynamic Threat Protection™ platform uses the X-Force CRI to quickly identify and protect against severe security exposures. The Internet Scanner® and System Scanner™ vulnerability detection applications apply CRI information to locate high-risk situations and suggest appropriate remediation. Customers use the X-Force CRI to implement quick, effective protection against both known and unknown active threats through ISS’ RealSecure® intrusion detection software and Proventia™ protection appliances. The X-Force Catastrophic Risk Index is an always up-to-date list of the most serious, high-risk vulnerabilities and attacks that enables cost-effective and proactive protection for critical systems. Internet Scanner uses an X-Force CRI-based scanning policy to automatically identify the most serious, high-risk vulnerabilities and provide prioritization and guidance for effective risk reduction. In addition, this same information allows RealSecure and Proventia protection agents to quickly be configured to provide maximum protection against these same vulnerabilities. This deep cooperation between vulnerability detection and threat prevention provides a Dynamic Threat Protection framework that offers full security without requiring physical patches to production systems. The X-Force CRI ensures maximum protection with minimal complexity and exceedingly rapid deployment.

The X-Force’s deep security knowledge and close working relationships with hardware and software vendors, other security research teams and governmental agencies ensure that the X-Force CRI always provides a first-to-know and a first-to-protect advantage against the most critical vulnerabilities plaguing corporate networks. X-Force CRI vulnerabilities have been analyzed and selected by Internet Security Systems’ X-Force, the most respected security intelligence and product development organization in the industry.

All X-Force CRI entries must meet the following general criteria:
• Pervasive to most organizations, across all industries
• Serious threat to confidentiality, integrity and availability of critical data
• Potential cause of catastrophic business system/application failure
• Easily exploitable
• Highly susceptible to virus and worm creation

The X-Force CRI includes approximately 30 high security risks. The index will be updated quarterly. The most recent version will be available on the Internet Security Systems Web site at http://xforce.iss.net/xforce/riskindex. Quarterly adjustments to the X-Force CRI are also available as part of the X-Force™ Internet Risk Impact Summary (IRIS), located at https://gtoc.iss.net/documents/summary report.pdf. The X-Force CRI policy in Internet Scanner may be updated more frequently to reflect interim index updates.
[Figure: Proactive Risk Management. Development of the X-Force Catastrophic Risk Index: 200+ new vulnerabilities and attacks added monthly, plotted by Frequency Risk against Severity Risk; "Start here with CRI: High Frequency and High Severity." Catastrophic risks must be: pervasive to most organizations, across all industries; a serious threat to confidentiality, integrity and availability of critical data; a potential cause of catastrophic business system/application failure; easily exploitable; highly susceptible to virus and worm creation.]
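The article describes the index as a filter (all five criteria must hold) followed by a ranking on the frequency/severity chart, and then a rollout that protects mission-critical assets first and works down through critical, primary and general assets. The following is an added example of that selection-and-scheduling logic written for this page; it is not ISS code and does not reflect how the real CRI is scored. The vulnerability records, the 1-to-5 frequency and severity scales, the criteria flags and the asset inventory are all constructed for illustration.

```python
"""Toy model of CRI-style selection and a phased, asset-tier rollout.
Added example for this article, not ISS code. All data below is constructed."""
from dataclasses import dataclass

# The five general criteria from the article; an entry needs all of them.
CRI_CRITERIA = ("pervasive", "serious_cia_threat", "catastrophic_failure",
                "easily_exploitable", "worm_prone")


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    description: str
    frequency: int        # constructed 1-5 scale: how often it is seen
    severity: int         # constructed 1-5 scale: impact on C/I/A
    criteria: frozenset   # subset of CRI_CRITERIA that the entry satisfies

    def risk_score(self) -> int:
        # Frequency x severity: the "start here" corner of the chart scores highest.
        return self.frequency * self.severity


def meets_cri_criteria(v: Vulnerability) -> bool:
    """True only when every one of the five general criteria holds."""
    return set(CRI_CRITERIA) <= set(v.criteria)


def build_cri(vulns, max_entries=30):
    """Filter on the criteria, then rank by risk score (ties broken by id).
    max_entries mirrors the roughly 30 entries the article mentions."""
    qualifying = [v for v in vulns if meets_cri_criteria(v)]
    qualifying.sort(key=lambda v: (-v.risk_score(), v.vuln_id))
    return qualifying[:max_entries]


# Phase 1 locks down mission-critical assets, later phases widen the scope.
PHASES = {1: ("mission-critical",), 2: ("critical",), 3: ("primary",), 4: ("general",)}


def phase_schedule(assets, cri):
    """assets: {name: {"tier": tier, "exposed_to": set of vuln ids}}.
    Returns {phase: {asset: [index entries the asset is exposed to]}},
    in index order, listing only assets that actually need work."""
    cri_ids = [v.vuln_id for v in cri]
    schedule = {}
    for phase, tiers in PHASES.items():
        for name, info in sorted(assets.items()):
            if info["tier"] not in tiers:
                continue
            todo = [vid for vid in cri_ids if vid in info["exposed_to"]]
            if todo:
                schedule.setdefault(phase, {})[name] = todo
    return schedule


# Constructed sample data (hypothetical ids, not real index entries).
ALL = frozenset(CRI_CRITERIA)
SAMPLE_VULNS = [
    Vulnerability("V-1", "remotely reachable service flaw", 5, 5, ALL),
    Vulnerability("V-2", "web application input flaw", 4, 4, ALL),
    Vulnerability("V-3", "local-only privilege issue", 2, 4, ALL - {"worm_prone", "pervasive"}),
    Vulnerability("V-4", "mail relay misconfiguration", 3, 2, ALL - {"catastrophic_failure"}),
    Vulnerability("V-5", "database default credential", 3, 5, ALL),
]
SAMPLE_ASSETS = {
    "tax-web-01": {"tier": "mission-critical", "exposed_to": {"V-1", "V-2"}},
    "hr-db-01": {"tier": "critical", "exposed_to": {"V-5", "V-3"}},
    "intranet-wiki": {"tier": "primary", "exposed_to": {"V-2"}},
    "lab-pc-07": {"tier": "general", "exposed_to": {"V-1", "V-4"}},
}

if __name__ == "__main__":
    cri = build_cri(SAMPLE_VULNS)
    for v in cri:
        print(f"{v.vuln_id}: score {v.risk_score():2d}  {v.description}")
    for phase, work in sorted(phase_schedule(SAMPLE_ASSETS, cri).items()):
        print(f"Phase {phase}: {work}")
```

V-3 and V-4 drop out because each misses at least one criterion, however severe; the remaining entries rank V-1, V-2, V-5, and the schedule protects the mission-critical web host in Phase 1 before anything is done for the lab PC in Phase 4, which is the ordering the article argues for.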
The X-Force CRI and Dynamic Threat Protection

For many organizations, protection from online threats consists of firewalls and other static infrastructure defenses. Unfortunately, these essential tools only do so much. Since they function by allowing or disallowing traffic through specific ports and network services based on broad criteria, they cannot analyze the content within that traffic to identify malicious content. More importantly, static infrastructure only protects network gateways, whereas sophisticated threats often utilize remote systems and fixed, mobile and wireless desktops to first penetrate a vulnerable target. The items contained within the X-Force CRI specifically address threats and vulnerabilities that cannot be protected by firewalls and static infrastructure. The X-Force CRI, therefore, provides a crucial link for organizations seeking to move from disparate point solutions and static infrastructure into a Dynamic Threat Protection platform. The following section details how this process works.

The first step is to understand the risk. Identify which online assets are mission-critical, which might include hosts containing confidential customer information, applications supporting critical operations, networks linking the organization to the Internet or clusters of remote executive laptops holding classified financial information. Regardless of business model, Dynamic Threat Protection begins with identifying what online assets are most at risk.

The next step is to mitigate that risk. Once an organization understands what must be protected most, the focus then shifts to reducing threats to these assets as quickly and cost-effectively as possible. This is achieved through mapping and deploying Dynamic Threat Protection platform components to each mission-critical asset. In other words, this step determines what type of protection agent should be deployed where in order to secure mission-critical online resources.

The third step is to quickly and decisively deploy the protection solution so that the key online assets are secured against attack or misuse as rapidly as possible. It is at this stage that the X-Force CRI comes into play. ISS’ X-Force organization documents new vulnerabilities and threats appearing at the rate of approximately 200-300 per month. The sheer volume of new threats makes it all but impossible to manually identify and patch at-risk systems. The direct inclusion of X-Force CRI information within Internet Security Systems’ Dynamic Threat Protection platform makes the proactive, automated approach a much faster, much more cost-efficient strategy, both in terms of breadth and depth of the protection solutions and efficient use of administrators’ time. In short, the X-Force CRI enables organizations to protect against the most dangerous threats immediately upon deployment of the Dynamic Threat Protection solution — thus maximizing the initial security investment and providing an extremely rapid return on investment. More important, other online assets can then be organized into critical, primary, and general assets, and X-Force CRI protection extended to them over time in a planned, orderly fashion. What might have been an overwhelming, manual task instead becomes a planned process based on generally accepted best practices for online protection. For example, in Phase 1, administrators lock down mission-critical assets against the Catastrophic Risk Index. In Phase 2, the process extends to critical assets. In Phase 3, the focus extends to primary assets. By Phase 4, all assets receive some level of protection. The cycle then begins again, with additional layers of protection being applied that may extend well beyond the starting point indicated by the X-Force CRI.

The X-Force CRI in Action

The X-Force CRI interacts directly with key Dynamic Threat Protection products to provide immediate security against extremely high-risk threats. Here’s how it works on a product-by-product level: Internet Scanner includes a special assessment policy based on the X-Force CRI. This policy allows these vulnerability detection applications to quickly identify potential catastrophic security exposures based on the index. The results of these scans provide rapid remediation feedback on how to configure RealSecure and Proventia protection agents to detect, block and protect against these risks. This tight unification between Internet Scanner, System Scanner, RealSecure and Proventia creates a Virtual Patch™ capability that defends against threats listed on the X-Force CRI — even in advance of manual patches or updates to affected systems. Production systems do not need to be taken offline to be protected. In effect, physical patching then becomes part of a regularly scheduled upgrade and maintenance cycle. This approach also helps remove the risk of applying a patch under duress, which may cause additional, unforeseen problems due to inadequate time allocated for testing.

Internet Security Systems’ X-Force Catastrophic Risk Index and Dynamic Threat Protection products and services are the fastest, most authoritative means for organizations to rapidly protect online business operations. This powerful combination delivers immediate protection, frees administrator and other resources for other network and security tasks, and serves as a solid foundation for a phased expansion of protection strategy to encompass ever-wider ranges of networks, devices and potential threats. Use of the X-Force CRI with Internet Security Systems’ Dynamic Threat Protection products converts a time-consuming, labor-intensive manual patch process into a proactive, automated protection solution that frees up resources for other network and security tasks. This critical base then becomes the foundation for a broader security strategy in which phased implementations extend protection to broader numbers of networks, hosts and applications, and automated identification and response covers less severe but still important threats.
Managed Protection Services Provides Security Guarantee

MPS offers the most reliable level of enterprise protection available.

What’s better than Internet Security Systems’ Managed Security Services? ISS’ new Managed Protection Services – the only solution of its kind that allows organizations to transfer the risk of protecting their networking environment to the solution provider by offering a $1 Million Protection Warranty and Guaranteed Performance-Based Service Level Agreements (SLAs) at a fixed monthly cost. Internet Security Systems Managed Protection Services set a new standard by providing organizations with the most reliable level of enterprise protection available. The solution goes beyond simple event monitoring and device management to include guaranteed protection of business assets and operations. This in-depth security expertise provides the foundation for Internet Security Systems’ ability to deliver superior protection and guarantee the results.

$1 Million Protection Warranty

ISS’ Managed Protection Services offers the industry’s most comprehensive and reliable level of enterprise protection by providing a warranty service payment up to $1,000,000 in the event a security breach is missed and damage occurs. Backed by AIG and Marsh, the worldwide leaders in cyber-security insurance, this one-of-a-kind risk-free guarantee applies specific warranties to Internet Security Systems service level agreements (SLAs), giving customers unparalleled peace of mind.
A Smart Business Decision

Managed Protection Services provides organizations with around-the-clock, guaranteed protection, giving organizations the ability to improve their security posture while allowing them to focus on their core business operations. Benefits include:
• $1 Million Protection Warranty in the event a security breach is missed
• 24/7 guaranteed protection of mission-critical assets
• Early warning security intelligence
• Improved system patching
• Meet or surpass industry-specific certification and regulatory compliance guidelines
• Low Total Cost-of-Ownership (TCO) with an improved security posture

ISS’ Managed Protection Services leverages best-in-class protection technologies to deliver a wide range of enterprise prevention and protection solutions for organizations of all sizes and markets. By unifying market-leading security technologies — vulnerability assessment, intrusion prevention and response, policy enforcement, event management and correlation — into a single protection platform, Managed Protection Services provides comprehensive protection across the entire enterprise. The Security Command System is the heart of each Managed Protection Services offering. The Security Command System consists of:
• Managed Service Customer Portal — Provides secure, real-time access for all client/SOC communications, trouble ticket entry, event handling, incident response, data presentation, report generation and trends analyses. This highly user-friendly interface integrates X-Force™ security intelligence and early warning threat services into one high-impact user interface organizing and enhancing the visibility of critical security information.
• Virtual Patch™ Protection — Provides a more efficient and cost-effective process for deploying security patches across an extended enterprise by proactively identifying the most serious vulnerabilities and delivering security intelligence and the ability to automatically update and apply protection policies to vulnerable systems before an attack ever takes place - without physically applying a security patch. Virtual Patch combines vulnerability detection with best-in-class protection technologies to solve this problem and makes patching a cost-effective, proactive process that occurs on the company’s time, not on the hacker’s time.
• Advanced Correlation and Event Prioritization — Allows for the real-time, automated analysis and correlation of events, preventing the misidentification of attacks, eliminating false positives and providing for the accurate identification of malicious behavior prior to those behaviors causing damage. This benefit allows ISS security professionals to provide a higher quality of guaranteed protection than that associated with “manual” execution of tasks.
• X-Force™ Global Security Intelligence — X-Force is the most respected security intelligence and research group in the industry, having researched and identified security issues in products from Cisco®, Microsoft®, IBM®, Sun®, Hewlett-Packard®, Oracle®, Peoplesoft®, BMC®, Polycom®, Apache® and many more. This cutting-edge research team actively turns security research into product and service improvements by researching security issues, tracking the evolution of threats through its Global Threat Operations Center and quickly delivering protection against the very latest threats and vulnerabilities.
• X-Force™ Threat Analysis Service — Allows Internet Security Systems security professionals to provide proactive security management through the evaluation of global online threat conditions and detailed analyses tailored for specific environments. This unique blend of threat information collected from Internet Security Systems’ international network of Security Operations Centers and X-Force research and development organization clearly denotes the nature and severity of external Internet threats and provides the recommended course of action.
• X-Force™ Emergency Response Services — Provides instant access to industry experts who assist in the development of incident response procedures to control security breaches and mitigate the risk of further damage. Our expert team excels in all facets of incident response including planning, forensic analysis, preservation of evidence and data recovery, as well as assisting in the preparation for future attacks and efficiently handling the immediate and post-attack investigation.
MPS Customer Portal v2.0: Powerful, Interactive Reporting and Analysis

The Managed Protection Services Customer Portal provides Internet Security Systems’ managed services customers with a powerful, interactive reporting and analysis tool for maintaining effective security practices. The MPS Customer Portal offers secure real-time access to reports, charts and utilities, enabling staff to quickly review logs, submit policy changes and enter trouble tickets. One of the key advantages of Internet Security Systems’ managed services offerings has been ISS’ powerful, easy to use customer portal. The just-released Version 2.0 of the Customer Portal features a number of enhancements, all designed to bring maximum protection with minimal complexity for managed services customers. This unique design provides a consistent interface between the customer and Internet Security Systems’ Security Operations Centers, organizing and enhancing the visibility of critical network security information. MPS customers maintain high levels of security awareness and control, while Internet Security Systems protection experts perform day-to-day security management tasks.

At its core, the MPS Customer Portal places critical protection information at customers’ fingertips. All information relating to the managed solution is easily and openly presented. This transparency is quite intentional. ISS does not believe in sealed, "black box" security, and invites customers to be as involved in the security monitoring process as their comfort level allows. The MPS Customer Portal’s design dramatically simplifies the security management process. As a result, customers have rapid access to the information they need most. This in turn allows quick, fully informed decisions about the deployment of the protection solution, plus how best to allocate internal resources and staff.

The home page for this Web-based interface includes a wide range of security intelligence, including current client status, open tickets and summaries of worldwide security news that is relevant to the customers’ online business operations. Portal access now includes SecurID as well as password authentication. Detail pages, all easily reached from the home page, include:
• 30 day attack metrics
• Threat drill down detail
• Event & incident summary
• X-Force current threat assessment
• Security policy reports
• Ticket submission
• Remote scanning scheduling, targets and reports
• IDS summary & details
• Feedback & contacts

The MSS Customer Portal is available at no extra charge to all Internet Security Systems’ Managed Protection Services customers.
Q & A

Total Security Management from Top IT&T Firm

PCCW's Ken Ho fields questions about the company's joint Managed Security Services solution.

Q: As the leading telecommunications corporation in Hong Kong and greater China, tell us why PCCW decided to partner with Internet Security Systems?
Ho: Internet Security Systems met PCCW's requirements for success — the 3Ps. The first P is People: strong and experienced security team. Internet Security Systems has the X-Force. X-Force is a team with great professionalism. The second P is Process. BS-7799 (ISO17799) is a proven escalation and incident response procedure that is very important to meet these services. The last P is Place. ISS has more than a $100 million investment in five Security Operation Centers (SOCs) and global recognized tools. In terms of the 3Ps, we believe ISS & PCCW are a great match.
Q: What network security does PCCW’s corporate client base require in Hong Kong and greater China?
Ho: Security is a growing concern in Hong Kong and greater China. So, what our corporate client base wants now is not only a network, but also a secure network. PCCW has the synergy to provide security and network service together for our customers.
Q: What advantages do your clients gain from PCCW’s Managed Security Services?
Ho: The customers’ advantages are:
• Integration — by integrating Internet Security Systems’ service to PCCW managed network service, we can provide more information to the customer, including incidents and events that can be handled accurately and with rapid response.

Ken Ho
Ken Ho is PCCW’s General Manager of CPE Product Marketing. PCCW, the Hong Kong-listed flagship of the Pacific Century Group, is one of Asia’s premier integrated communications companies.
From its market-leading position in Hong Kong, PCCW is focused on building shareholder value by leveraging synergies between its core businesses and partners, and by delivering customer-led total solutions throughout Asia. PCCW provides key services in the areas of integrated telecommunications, broadband solutions, connectivity, narrowband and interactive broadband (Internet services), business e-solutions, data centers and related infrastructure.
• Local support — PCCW knows the business culture of Greater China & Hong Kong as well as the individual customer needs, it is all about enhancing our customer’s satisfaction.
• Highest quality — PCCW provides the highest quality in the industry. PCCW is the leading IT&T (Information Technology and Telecommunication) company in Hong Kong, and Internet Security Systems is the leading security solution provider worldwide. We believe that this combination can deliver the best of the breed to the customer.
Q: How has PCCW’s partnership with Internet Security Systems enhanced PCCW’s service menu?
Ho: PCCW’s services are recognized as the most premium in the industry. And we believe this partnership with Internet Security Systems can enrich the services available to our customers. We already offered Managed Network Services in this country and in this area of the world. But because Internet Security Systems is the No. 1 security provider in the market, our partnership with ISS enriches our offerings in the total management services. Leveraging the expertise and experience of Internet Security Systems, PCCW’s Secure Network Center can deliver a totally integrated management service to our customers. Also, our Secure Network Center was the first integrated center that can deliver network and security management services in Hong Kong and greater China.
Q: How does the PCCW service menu save the customer time and money?
Ho: As the leading IT&T company, PCCW provides a lot of value-added services — including the Managed Security Services and Managed Network Services — via our Secure Network Center. This combination allows the customer to choose the most suitable services for their needs without having to search for multiple vendors, ultimately saving the customer time and money.
Q: What competitive edge does PCCW have when offering Managed Security Services and Managed Network Services together?
Ho: In greater China, particularly in Hong Kong, we were the first to provide this kind of service. We also saw that nowadays the customer needs a secured networking solution, not just security or networking. We are the first to deliver this to the customer. With our Managed Security Services and Managed Network Services together, we provide what the customer needs.
Q: How would you characterize the working relationship between PCCW and Internet Security Systems?
Ho: Both Internet Security Systems and PCCW have a commitment to success and to explore the potential of the market. We are the first Secure Network Center to offer these services to our customers and Internet Security Systems is our best end support that allows us to deliver a quality service.
Q: What is the key characteristic that clients seek in a security provider?
Ho: Trust. We understand that the client is looking for a trusted, secure networking partner. PCCW is a trusted name brand that people know and recognize in Asia.
Q: How would you rate Internet Security Systems’ service?
Ho: Very good. During the launch process, Internet Security Systems showed both their professionalism and customer oriented approach and how they bring these values to PCCW and its customers.
Q: What value has Internet Security Systems added to PCCW?
Ho: The value from Internet Security Systems is that they have enhanced PCCW’s services. We are an IT&T company and Internet Security Systems is the leading security solution provider worldwide, so I think the companies combined — PCCW and ISS — deliver the total solution our customers need.
Case in Point

Brazil’s Solid Security for Online Tax Returns

Internet Security Systems delivers uncompromising protection for its partner Serpro, Brazil’s federal agency for online individual income tax returns.

Proven innovations are the hallmark of any successful information technology institution. Serpro, Brazil’s largest government company in the field of information technology services, is proof positive of such truths. Serpro — Serviço Federal de Processamento de Dados, or the Federal Data Processing Service — is the Brazilian government agency charged with housing and ensuring the security of ReceitaNet, the Brazilian Federal Tax Department Web site established for individual income tax returns. In 1999, Serpro created GRA, which in English translates to the Attacker Response Group — one of the first teams in Brazil created to respond to information security breaches. In its first year, GRA battled thousands of hacking attempts into the online individual tax return network. To further the GRA’s fight against attack and misuse, and to solidify protection of the ReceitaNet Web site, Serpro sought the expertise of the worldwide leader in security solutions — Internet Security Systems. In April, Serpro and the GRA entered into a technical cooperation agreement in which Serpro’s partnership with Internet Security Systems proved a key part of the arrangement. Serpro’s reasoning for choosing ISS was simple, according to Paulo César Brantes, manager of Serpro’s Network Security Department. Internet Security Systems’ expertise can ensure the security and integrity of Brazil’s online individual income tax returns for the 2003 fiscal year and beyond. Approximately 16.5 million individual income tax returns were filed via the Internet this year, a record in Brazil, representing 95 percent of Brazilian taxpayers. The feat has made the country an international benchmark in the process of delivering income tax returns online.
In Brazil, individual income tax returns started in 1922. As of 1997, Federal Revenue started to offer delivery of tax returns via the Internet. As with most federal, state, provincial and local governments around the globe, online transactions move government services closer to citizens and decrease the costs associated with those services. Brazil has aggressively adopted this approach. The increase in federal Web offerings, and thus online assets, has resulted in a need for increased security measures. The rate of attempted hacks in 2003 compared to last year has increased proportionally to the increase in the number of individual income tax returns filed via the Internet — 370 percent higher in 2003 than in 2002. As a major user of information security technologies in Brazil, Serpro first turned to Internet Security Systems in 1999 for solid security solutions. Since then, Serpro has invested in and tested numerous security technologies. “These four years of experience and partnership have proved that in addition to providing the best intrusion detection system (IDS) and vulnerability analysis (VA) sensors, Internet Security Systems has the best security platform, by far,” says Brantes. Over three years ago, GRA adopted Internet Security Systems’ intrusion detection platform. According to Brantes, “these tools were of crucial importance in the development of monitoring, detection and blocking security incidents, allowing the GRA security team to act proactively in security monitoring processes.” For processing activities in 2003, Serpro crafted its solution for GRA around the Internet Scanner® and System Scanner™ applications for vulnerability detection, and RealSecure® Network and RealSecure® Desktop Protector for intrusion detection and response. Centralized management is conducted via SiteProtector™ and correlated by the SiteProtector™ SecurityFusion™ module.
Rogério Morais, commercial executive for Serpro, explains that this combination proactively expands the intrusion detection technology to prevent potential threats from becoming serious security incidents. “The result is a more effective solution, reducing the number of false alarms and giving it the resources required to investigate an incident,” says Morais. The objective of the technical cooperation agreement, endorsed by Brazil’s General Coordination of Technology and Information Security of the Federal Revenue Agency, is to increase the security levels utilized by ReceitaNet. A team of ISS security experts managed the delivery of the income tax returns to ensure protection efficacy and information security to ReceitaNet, expedite methodologies and processes of detection and to guarantee the blockage of security threats. During the 15 days prior to the deadline for the delivery of the income tax returns, the ISS security team thoroughly monitored the system 24 hours per day, 7 days per week.
Paulo César Brantes, Manager of Network Security Department, Serpro
“Internet Security Systems’ solution adopted by GRA combines tools for detection, hacking blockade, vulnerability analyses, advanced event correlation, and a system for management, analysis and investigation of events,” adds Morais. “The innovations of ISS’ solution, include the capability of reporting to the manager if attackers were successful or not. Now, with the centralized management of all sensors, a single and integrated technology, and higher capability of event analysis — thanks to SecurityFusion’s advanced correlation — Serpro is able to work with a solution that offers a clear view of security incidents that really have to be addressed.” The expectation is that in 2004, the number of Brazilians that will use the Internet to file their income tax returns will be near 100 percent. In order to ensure superior security and a zero rate of successful attacks to the ReceitaNet Web site, Serpro will continue to count on Internet Security Systems’ security expertise.
behind the scenes
People Make the Difference
Congratulations to several Internet Security Systems employees who have been recognized recently with numerous awards, nominations and appointments.
Coffsky Appointed to American Israel Chamber of Commerce Board
Adam Coffsky, Manager of Consulting and Integration of Alliances, was recently appointed to the Board of Directors for the American Israel Chamber of Commerce (AICC). The AICC is the largest regional Israel economic support organization in the United States, and includes dedicated business leaders who succeed in educating, networking, matchmaking and mentoring its members. Adam also received an award in the “Outstanding Contribution” class for the Juvenile Diabetes Research Foundation Walk-a-Thon in 2002.
Adam Coffsky (center row holding child) pictured with friends after the Juvenile Diabetes Research Foundation Walk-a-Thon in 2002.
Adam Coffsky, manager of Consulting and Integration of Alliances.
Lill Accepted into Empire Who’s Who Registry of Executives and Professionals
Mike Lill, Corporate Applications manager.
Michael Lill, Corporate Applications Manager for Internet Security Systems, has been honored with a nomination, as well as an acceptance, into the Empire Who’s Who Registry of Executives and Professionals. Empire Who’s Who provides a forum for executives and professionals, as well as a searchable electronic registry of business leaders and professionals across multiple industries and specialties.
Frech Elected Chairman of OIS
Andre Frech, Research Engineer for Internet Security Systems’ X-Force™ organization, was recently elected chairman of the Organization for Internet Security (OIS). Frech, a pioneer in Internet security, is one of the leaders who helped develop the Common Vulnerabilities & Exposures (CVE) standard run by The MITRE Group. The chairmanship of OIS is a great honor for both Andre and Internet Security Systems. “With our leadership in ISACs, NIAC and now OIS, ISS is clearly positioned as a leader in security policy, standards and information sharing practice across the board,” says Frech.
ISS Receives Awards in 2002 Society for Technical Communication Competition
Congratulations to the following ISSers for winning special recognition awards in the 2002 Society for Technical Communications’ (STC) annual documentation competition. STC is a professional association that advances the arts and sciences of technical communication. The Wireless Scanner™ Quick Installation Card received an Award of Merit for excellent writing, editing, layout design and superiority in its class. The Wireless Scanner Help System received an Award of Excellence, which indicates that it is superior to the majority in its class, and that it demonstrates excellent writing, editing, layout, and design. Both Wireless Scanner entries were edited by Cindy Schneider. The Network Sensor and Gigabit Network Sensor Installation Guide also received an Award of Excellence. This book was written by Lori Brown and edited by Cindy Schneider. The BlackICE™ Protection System Installation and User Guide received a Distinguished Award for outstanding writing, editing, layout and design. It is the highest award that the American STC confers. This honor is awarded to entries that are near ideal technical communication and stand out as a positive example of what professional communicators should strive toward. The guide was written by Karen Docherty and Emma Ryland, and edited by Cindy Schneider. Entries that received a Distinguished Award will continue to compete internationally.
Internet Security Systems received several awards in the 2002 Society for Technical Communications' competition thanks to efforts from Cindy Schneider, Karen Docherty, Lori Brown and Emma Ryland (not pictured).
Industrial Strength Security
Internet Security Systems delivers industry-leading security solutions that provide superior best security practices for specialized markets.
The objective of information security is to protect the confidentiality and integrity of information while ensuring it is available to those who need it. However, governmental regulation and market pressures have forced best security practices to evolve from a one-size-fits-all proposition into an increasingly specialized discipline. The particular security concerns of a government agency or bank, for example, are very different from those of a hospital or electric utility. “Regardless of what sector you’re working in, there are sector-unique skills and knowledge sets you simply have to have,” says Jim Kane, CEO of Federal Sources Inc., a market research firm for IT companies that do business with the government. “What’s happening in the federal space, in particular, is that it’s not only a solution sale, but it’s ‘Let us help you demonstrate that the government will get a good return on investment; our solution will give you productivity benefits.’ You have to make the business case.” A security solution provider must thoroughly appreciate how individual industries and organizations work in order to mitigate network security risks. That’s where ISS sets itself apart. The message that individual industry expertise is imperative to being an effective network protection provider permeates ISS. Larry Costanza, senior vice president of Americas sales, preaches the mantra that “We need to listen.” “You need to know who the people are, their expectations, objectives, what their company stands for. This is a way of life for us,” says Costanza. “If you go in cold and just ramble about the latest, greatest software we have to sell, it is a total debacle. We need to listen and understand the challenges of the customer.” There are fleets of IT companies that bundle data and network security with other products and services.
Internet Security Systems, on the other hand, focuses exclusively on network and information asset security, and serves customers with professionals steeped in the demands and needs of the industries they serve. Internet Security Systems addresses these customer needs using a five-step process that covers the complete security management lifecycle, including phases for Assessment, Design, Deployment, Management and Education (ADDME™). This proven process identifies and analyzes gaps in your current security state, then designs and implements solutions to close those gaps and ensure ongoing conformity. Internet Security Systems’ strategy provides each customer with business solutions, not strictly technical answers. To that end, Internet Security Systems brings clients a thorough understanding of
fundamental risk management principles. ISS combines this basic business approach with an appreciation of the marketplace and regulatory forces that shape information asset protection needs within specific markets. It sounds obvious — different industries have different regulatory requirements and marketplace realities that dictate where to concentrate security resources. And yet, many vendors still pursue a one-size-fits-all approach. ISS understands that an effective information asset protection solution must be grounded in an understanding of the customer’s business, and of the particular security needs and potential threats that are unique to each organization. After all, government agencies, banks, manufacturers, hospitals and utility companies have invested years and copious amounts of money not in cultivating network security expertise, but in amassing knowledge about how to run their businesses. To secure business and execute effectively, ISS must present online protection within a business case, designed for both technical staff and non-technical management. The company can do so because of people like Howard Glavin. A senior X-Force™ professional services consultant, Glavin brings 30 years of law enforcement and corporate experience to his clients. That background separates him from many security professionals who tend to be grounded in technology, but lack an appreciation for the larger business imperatives that drive customers’ security needs. “They can write code all day,” Glavin says. “But they panic on the business case.” A former chief information security officer for a railroad company, Glavin talks dollars and cents, not just bits and bytes. He can, therefore, communicate with businesspeople, and he exemplifies Internet Security Systems’ philosophy of approaching information security in the context of larger business realities. Especially in today’s unforgiving economy, the central reality for most clients is stretching their dollars.
“Approach security as a ROI (return on investment) issue,” Glavin says. “Always increase protection of the information assets and reduce cost.” Without a firm grasp of the customer’s business, this is impossible. It is generally not prudent, for instance, to spend $10 to protect an asset worth $9.
ISS Understands E-government
Glavin and his ISS colleagues work in teams that specialize in particular industries, including the government sector. Kimberly Baker joined Internet Security Systems last October as the company’s first vice president of Federal Operations. She oversees ISS’ federal government market strategy and operations.
Through her experience dealing with the federal government, Baker understands that, while overall spending on IT in general and information security in particular is rising, each government agency is being required to make a clear business case to justify its expenditures. “Internet Security Systems has put together a very strong team of seasoned professionals that understand the government market,” says Kane, “and we find that is critically important for companies to be successful in this space.” Internet Security Systems has consistently demonstrated in-depth knowledge of public sector data and network security. The company serves all major federal agencies and departments, plus a substantial number of state and local governments. This proven understanding of the public sector market, coupled with ISS’ technological leadership, has led to Tom Noonan, ISS’ president and CEO, being appointed to the National Infrastructure Advisory Council (NIAC), a committee created by President George W. Bush to advise him on issues surrounding the security of information systems that support the nation’s critical infrastructure as part of homeland defense.
Like the healthcare industry, local, state and federal governments have moved more and more data and services online in the past few years. On the federal level, the Internal Revenue Service has made it far easier to file income tax forms electronically. The Department of the Interior has set up online systems allowing people to make reservations for accommodations at national parks. Plus, Baker adds, government agencies are increasingly doing business with other governments — local to federal, for instance — electronically. This broad move toward “e-government” has generated substantial demand from government agencies for network and data security services and products. Another important driver of government network and data security investment is, of course, homeland security. Indeed, largely because of homeland security measures, Baker says that information security is expected to account for about 8 percent of the federal IT budget in the 2004 fiscal year, up from 5 percent or 6 percent in recent years. Yet despite increased demand, Baker and her staff have to negotiate various challenges in conducting business with the federal government. One of those challenges is funding. Baker explains that a mandate from the federal Office of Management and Budget requires government agencies to provide a business case to justify funding every new program. Cyber security must be addressed in the business case.
“Finding money to fund cyber security, even though it’s mandated has been a real challenge,” Baker says. “Agencies must often decide where to find the money. That’s when our experience really helps make a difference.”
Manufacturing Security
In the manufacturing sector, Internet Security Systems understands that data security challenges stem primarily from intense competition that has led manufacturers to embrace online technology to create complex webs across partners, suppliers, vendors and customers, all of which require trusted networks in order to work efficiently. Consequently, any online interruption wreaks costly disruptions to precisely scheduled inventory and assembly line operations. Manufacturers need a network security partner that can deliver both rapid and superior protection, timely research and product updates, plus a variety of unified and compatible delivery vehicles for an equally wide variety of needs. The solution must scale to encompass global operations. And it must be centrally managed, no matter how large it grows. As a security specialist, Internet Security Systems delivers its portfolio of expertise and products via an international presence that ensures comprehensive protection. ISS deploys industry-compliant solutions with low acquisition costs and market-leading protection across networks, servers and desktops across the entire online supply chain. These are hallmarks of Internet Security Systems service, and bring the same peace of mind to utilities and financial institutions as manufacturers, government agencies and healthcare organizations. In order to tailor a plan and tool set for each customer, Internet Security Systems professionals must know the myriad moving parts of companies and the industries in which they compete. Business and security challenges vary greatly from industry to industry. A single organization’s security issues depend on, among other factors, regulatory structures, information volume, the nature of information in which companies traffic and whether a company’s business is part of what is viewed as the nation’s critical infrastructure.
Healthcare Security
Healthcare is an industry feeling dramatic effects from a new regulation known as HIPAA, The Health Insurance Portability and Accountability Act. HIPAA mandates numerous information security and privacy measures for hospitals and other healthcare organizations. The act requires that records be shared online among insurers and healthcare organizations. However, sharing of electronic records must be done securely and privately.
In addition to regulatory changes, healthcare institutions are also expanding their use of information technology to improve efficiency, often because of financial constraints. Doctors, for example, are increasingly using wireless hand-held devices in place of paper charts to improve their access to patient medical histories and other records. “As healthcare organizations move to put records online, they need help to determine what their protection strategy will be,” says Shirley Wyatt, Director of Policy and Education Services with ISS’ X-Force™ Professional Security Services. “This is a new requirement for them. They’re in the business of providing patient care. They’re not in the business of knowing security best practices and how to translate those into cost effective every day operations.” That’s where Internet Security Systems comes in. The company’s expertise is vital to clients because, ultimately, the actual hardware or software that a big manufacturer or hospital chain purchases from ISS might not differ greatly from the ISS software that a major financial services concern uses. But, the businesses of health and wealth are different animals, and it is the implementation that makes all the difference. With a proven history in healthcare protection, ISS has learned that it must approach those clients in their own language, in their own particular ecosystem.
The process is working. ISS serves more than 11,000 corporate customers, including all of the Fortune 50, the 10 largest U.S. securities firms, 10 of the world’s largest telecommunications companies and major agencies and departments within U.S. local, state and federal governments. It’s part of what Costanza describes as an ongoing commitment to know the customer’s world. In every vertical “world,” legislation, regulation and other forces unique to that vertical shape information security demands. So it simply makes sense for Internet Security Systems to shape its offerings in the same manner. Internet Security Systems has been protecting vertical information infrastructure since the corporation’s inception in 1994. The company helped early adopters in the financial services industry design, build and maintain some of the earliest network protection infrastructure. Other industries, such as utilities, healthcare and government, have with ISS’ help followed the lead of financial services firms by putting more and more sensitive data online. The experience of successfully implementing and refining protection has allowed ISS to post nearly a decade of consistent excellence in service and thus profitable growth. “We are a business’ trusted advisor,” Costanza says. “Internet Security Systems’ expertise is focused on specific industries and customized to meet those precise business needs. This is what distinguishes us from a generalist who may promise security in a broader solution sale. That is our great value proposition. Industry-specific security is our core expertise.”
A Trusted Advisor
Internet Security Systems systematically keeps its vertically-targeted security intelligence fresh in numerous ways. Three times a year, the company assembles chief information officers from similar verticals to discuss issues of the day, such as the Sarbanes-Oxley Act, which requires that corporate officers personally certify their financial statements and mandates audits of internal controls and processes. In June, the company brought together a dozen chief information officers from large companies in various industries. “Each CIO spoke in their vernacular relative to what their challenges are,” says Costanza, who attended the conference. “And they perked up when they heard another company in the room that shared their same background.” Internet Security Systems conducts regular in-house training for salespeople and consultants. And ISS personnel consistently talk to customers, and customers of customers. The object is to understand customer issues such as confidentiality, data accuracy and availability to authorized users.
HIPAA Security Mandates: A Call for Best Security Practices for Data Integrity and Privacy
HIPAA security directives enforce the importance of best security practices for healthcare organizations to protect the confidentiality, integrity, and availability of patient information.
Protecting the confidentiality, integrity, and availability of patient information is no longer simply a best practice for healthcare organizations. It is a legal requirement. The Health Insurance Portability and Accountability Act (HIPAA) mandates that all healthcare organizations comply with strict federal directives to meet administrative, technical and physical safeguards to maintain data integrity for the organization’s employees, customers and shareholders.
Illustration by David Ramares
Under HIPAA, all healthcare organizations, from pharmacies and doctors to hospitals and insurance carriers, must have detailed and documented security processes, procedures and plans for implementation. The specific security requirements must be completed by 2005 to meet administrative, technical and physical safeguards (see sidebar, “HIPAA Facts,” below). The first goal of HIPAA is to make health insurance portable, so that businesses can change providers easily, and so that employees can maintain their coverage when they change jobs or lose a job. Another goal of HIPAA is to reduce the costs of healthcare by making possible standardized, electronic transmission of many healthcare transactions. The administrative section of HIPAA contains over 70 percent of the regulations, and calls for documented processes, plans for implementation, emergency response procedures, as well as organization-wide education. The technical and physical sections of HIPAA call for the implementation of the products and services to complete compliance. Ultimately, complying with HIPAA provides security best practices. The administrative safeguards determine the gap analysis between current state and HIPAA requirements, as well as the plan to close those gaps. The technical and physical safeguards provide the products and services to close those gaps and to ensure that they continue to remain closed. “The healthcare industry has to follow a stringent, rigid set of regulations, under HIPAA,” says Olivia Rose, Regulatory Compliance Programs Manager for Internet Security Systems. “But to meet those and to, subsequently, achieve security best practices, you really do face a set of tough challenges along the way.”
HIPAA Facts
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress and signed into law in 1996.
• The first goal of HIPAA is to make health insurance portable, so that businesses can change providers easily, and so that employees can maintain their coverage when they change jobs or lose a job.
• Another goal of HIPAA is to reduce the costs of healthcare by making possible standardized, electronic transmission of many healthcare transactions.
• HIPAA defines a number of requirements for protecting the privacy of patient information throughout the healthcare supply channel.
• HIPAA’s requirements have been phased in slowly since 1997, so the idea of HIPAA compliance is not new. Reporting and privacy requirements should already have been met.
• The security regulations for HIPAA were not published in their final form until February 2003.
• Smaller facilities have until February 2005 to meet these requirements.
• While HIPAA is a federal statute, it is enforced by state health departments, not the federal government.
You can learn more about HIPAA through the Centers for Medicare and Medicaid Web site at http://cms.hhs.gov/hipaa/hipaa1/default.asp. The site includes information for consumers and many different healthcare professionals.
The business challenges associated with achieving this level of security and HIPAA compliance are abundant, including:
• Lack of dedicated security budget
• Absence of necessary security expertise
• Inability to easily deploy and manage required security technology solutions
• Lack of employee education on security best practices
• Tight deadline in which to achieve compliance
• Lack of additional IT or other department employees to assist with compliance
“Healthcare organizations are feeling the intense pressure to comply with HIPAA security mandates and there is uncertainty of how to effectively meet them,” says Rose. “How much documentation of processes and procedures to show due diligence really needs to be done? What technology do I need? How do I educate my employees on security best practices and HIPAA so that security is not breached? And, how are we supposed to comply with HIPAA security mandates without hiring additional headcount and not knowing how much to budget for compliance?” Yet every link in the healthcare chain — doctors, hospitals, clinics, pharmacists, medical insurance providers, and drug companies — must comply with the new rules. The final rules on security were issued in February 2003 and compliance must be complete by February 2005 for all healthcare organizations, except for small offices that have an extra year for compliance. And there are criminal penalties for failing to comply.
The ISS Approach for HIPAA Compliance — ADDME™
Meeting HIPAA security requirements often results in healthcare organizations requiring outside professional guidance to overcome business challenges. In order to take the burden of HIPAA compliance off of healthcare organizations and to effectively and efficiently meet the administrative, technical and physical safeguards, Internet Security Systems has developed the five-step phased ADDME™ approach. “This unique approach is comprised of a highly defined process covering the complete security management lifecycle, including phases for Assessment, Design, Deployment, Management and Education,” says Rose. “The ADDME process identifies and analyzes gaps between current state and HIPAA requirements, designs and implements solutions to close those gaps and ensures that the gaps remain closed.”
Shirley Wyatt, Director, Policy and Education Services for Internet Security Systems X-Force Professional Security Services, works closely with hospitals and other health care professionals. Wyatt spent many years in government service before joining the company, and has a firm grasp of government processes and what companies must do in order to meet government requirements in a cost effective manner. “Most government regulations require a standard approach to information protection,” says Wyatt. “Compliance is a phased process which involves identification of risks, determination of a protection strategy, communication of that strategy, and implementation of strategy, which must be conducted by a team of professionals who possess the necessary expertise and experience in the health care industry. The team will not only include ISS and the organization’s employees, but also the health care information management vendors and transaction clearinghouses that organizations already know and trust. Internet Security Systems’ knowledge of the health care vertical, its capability to provide strategy and solutions and its relationship with health care vendors differentiates it from other security solution providers.” The ADDME phased approach is unique to the security industry as it provides a comprehensive solution from one provider to meet administrative, technical and physical safeguards, which, in turn, ensure security best practices for healthcare organizations for now and in the future.
August 2003
21
The ISS Approach to HIPAA Compliance
In order to streamline security and help meet the administrative, technical, and physical safeguards of HIPAA compliance, ISS has developed a five-step process covering the complete security management lifecycle, including phases for Assessment, Design, Deployment, Management and Education (ADDME™). The ADDME process identifies and analyzes gaps between current state and HIPAA requirements, designs and implements solutions to close those gaps and ensures that the gaps remain closed.
Phase One: Assessing the current level of information security.
Phase Two: Designing and documenting policies, processes and solutions to ensure protection.
Phase Three: Deploying protection technology and services.
Phase Four: Managing the security program to serve business goals.
Phase Five: Educating the organization on security best practices and best-of-breed technology.
The ADDME Approach
Phase One: Assessment
The first step in the ADDME process is to assess the current level of security and conduct a gap analysis between current state and HIPAA requirements. “The best place to start is with a risk assessment,” says Wyatt. “Where is electronic protected health information (EPHI) located? Where does the data travel across the network? Who needs access to what type of data, both inside the organization and outside? How quickly do they need it? What are the vulnerabilities associated with systems and applications containing EPHI?” Doctors may need information right away, while clerks may be able to wait unless they are in the process of helping deliver emergency care.
“Some of the biggest risks we’re seeing are that the health care organizations may not understand their entire network structure, the EPHI data flow, systems that the data resides on and where it travels along the network,” says Wyatt. “We see common problems of older operating systems and systems not being patched, active accounts for terminated employees, and a lack of understanding of remote or mobile access needs. We often see a lack of policies, meaning a strategy for protection has not been defined in the past.”
Internet Security Systems helps organizations determine their risks through vulnerability assessments, penetration tests and HIPAA gap assessments. “A HIPAA Quick Start Program is utilized by Internet Security Systems to train health care organizations on HIPAA security standards, and a facilitated workshop format is used to help our clients develop their security implementation plan,” Wyatt says. Phase One in the ADDME process is managed by X-Force™ Professional Security Services — an elite team of experienced industry professionals that utilize market-leading intellectual capital, best-of-breed technology and standards-based methodology to help healthcare organizations meet compliance.
“Only when an organization fully understands its risks,” adds Wyatt, “can it begin to create a strategy to deal with those risks. Internet Security Systems’ experts then move into Phase Two of the ADDME process.”
Phase Two: Design
The second step in the ADDME process is to define the strategy and complete a gap closure plan between current security state and HIPAA requirements.
“Only when an organization understands its risks,” adds Wyatt, “can it begin to create a plan to deal with those risks. Internet Security Systems’ experts not only provide that knowledge, they also provide the strategy and, more importantly, the solution to implement a cost-effective strategy.”
Information accessibility and data privacy are key to this gap closure plan. HIPAA requires that each worker in the healthcare system is restricted to accessing only the information they need to deliver patient care. In a doctor’s office, for example, HIPAA requires that an organization describe precisely what data a nurse will be able to access, as opposed to the data the office manager will be able to access. A nurse must be able to know the precise condition and case history of the patient, while the office manager may only access a payment history. Levels of information accessibility and privacy must be documented and processes implemented to assure the appropriate level of access for each individual. Emergency response procedures must also be cemented in case of a breach in data privacy. The Design Phase is also managed by X-Force™ Professional Security Services. The policies and procedures establish the framework for installing technology and changing business practices. Internet Security Systems’ experts then move into Phase Three of the ADDME process: Deployment.
Phase Three: Deploy
The third step in the ADDME process is to deploy best-of-breed technology to proactively protect desktops, servers and networks, resulting in the closure of the gap between current security levels and HIPAA requirements. “That’s where ISS’ products and services come into play. ISS products and services help organizations with HIPAA compliance by helping assure against unauthorized access to systems,” says Wyatt.
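The role-based access levels described in the Design phase (a nurse reads condition and case history, the office manager only payment history) can be enforced in code as a default-deny, field-level projection with an audit trail. The following Python module is an added example, not ISS code; its roles, record fields, sample record and access matrix are constructed for illustration.

```python
"""Minimum-necessary access to electronic protected health information (EPHI).

Added example, not ISS code: the access levels documented in the Design phase
are enforced as a default-deny projection of each patient record, and every
access decision is written to an audit trail.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Sequence

# Fields an EPHI record may contain (constructed schema for this example).
EPHI_FIELDS: FrozenSet[str] = frozenset(
    {"name", "condition", "case_history", "medications", "payment_history"}
)

# Documented access levels for a doctor's office (constructed for this example).
# A role may read only the fields listed for it; an unlisted role or an
# unlisted field is denied. This is the "minimum necessary" matrix an
# organization writes down during the Design phase.
ACCESS_MATRIX: Dict[str, FrozenSet[str]] = {
    "physician": frozenset({"name", "condition", "case_history", "medications"}),
    "nurse": frozenset({"name", "condition", "case_history"}),
    "office_manager": frozenset({"name", "payment_history"}),
}

# A constructed patient record standing in for a row from the practice's EHR.
SAMPLE_RECORD: Dict[str, object] = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "condition": "Type 2 diabetes",
    "case_history": ["2003-01-12 initial visit", "2003-04-03 follow-up"],
    "medications": ["metformin"],
    "payment_history": ["2003-01-12 paid $40", "2003-04-03 paid $40"],
}


def validate_matrix(matrix: Dict[str, FrozenSet[str]]) -> List[str]:
    """Return problems in a documented access matrix (empty list means clean).

    Catches a role granted a field that does not exist (a typo that silently
    hides a real grant) and a role granted nothing at all.
    """
    problems = []
    for role, fields in matrix.items():
        unknown = fields - EPHI_FIELDS
        if unknown:
            problems.append(f"{role}: unknown field(s) {sorted(unknown)}")
        if not fields:
            problems.append(f"{role}: no fields granted")
    return problems


@dataclass
class AuditEntry:
    """One access decision, kept so a reviewer can reconstruct who saw what."""
    when: datetime
    user: str
    role: str
    patient_id: str
    requested: tuple
    released: tuple
    outcome: str  # "allowed" (all requested fields released) or "denied"


class EphiGateway:
    """Projects patient records down to the fields a role is permitted to see."""

    def __init__(self, matrix: Dict[str, FrozenSet[str]]) -> None:
        problems = validate_matrix(matrix)
        if problems:
            raise ValueError("access matrix rejected: " + "; ".join(problems))
        self.matrix = matrix
        self.audit_log: List[AuditEntry] = []

    def read(self, user: str, role: str, record: Dict[str, object],
             fields: Optional[Sequence[str]] = None) -> Dict[str, object]:
        """Return the permitted view of `record` for `role`, logging the decision.

        With `fields` omitted the caller gets every field the role may see; with
        `fields` given, one field outside the grant denies the whole request so
        over-broad queries show in the audit log instead of being masked.
        """
        permitted = self.matrix.get(role, frozenset())  # unknown role: nothing
        requested = tuple(fields) if fields is not None else tuple(sorted(permitted))
        blocked = tuple(f for f in requested if f not in permitted)
        outcome = "denied" if blocked or not requested else "allowed"
        released = () if outcome == "denied" else requested
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc), user, role, str(record["patient_id"]),
            requested, released, outcome))
        if outcome == "denied":
            raise PermissionError(
                f"{role} may not read {list(blocked) or 'anything'} "
                f"for patient {record['patient_id']}")
        view: Dict[str, object] = {"patient_id": record["patient_id"]}
        view.update({f: record[f] for f in released if f in record})
        return view
```

Each denied request, including one from a role the matrix does not know, still produces an audit entry, which is what a reviewer needs when reconstructing who attempted to see what.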
“Healthcare organizations need vulnerability detection and intrusion prevention in place and they need help in managing security.” This technology is the Dynamic Threat Protection™ Platform — ISS’ world-class technology approach that is specifically designed to help healthcare organizations rapidly achieve compliance by offering proactive protection against known and unknown attacks across networks, hosts and applications.
“The Dynamic Threat Protection Platform provides centrally managed protection and is backed by the X-Force research and development, which creates a comprehensive solution that is easily managed by the customer,” says Phil Hillhouse, vice president of the Americas, X-Force Protection Services.
Phase Four: Manage and Support
The fourth step in the ADDME process is to manage and support the new security program to ensure that the gaps between current security levels and HIPAA requirements remain closed. An ongoing solution needs immediate responses to incidents and remediation of vulnerabilities, without resulting in the need for additional headcount. “With a centrally managed solution, a healthcare organization does not need to increase its staff, which enables the organization’s employees to concentrate on their core business — healthcare — not HIPAA security mandates,” says Hillhouse. This step in the ADDME process is managed by Managed Security Services (MSS). Utilizing five state-of-the-art Security Operation Centers located across three continents, the X-Force supports healthcare customers by remotely monitoring and protecting their networks. MPS features 24/7 monitoring and support, a secure Web interface for instant interaction with the security experts managing the network, and unparalleled customer service (see “Managed Protection Services Provides Security Guarantee,” page 5). “MSS provides cost-effective, scalable security solutions for healthcare organizations that do not want to incur the overhead of an in-house solution,” adds Hillhouse.
Phase Five: Educate
This final step in the ADDME process is to educate the organization’s staff with hands-on, product-specific training, seminars and webinars. Because the goal is to reinforce security best practices, this reduces the likelihood of security breaches.
This step in the ADDME process is managed by X-Force Security Intelligence — ISS’ leading group of security experts, dedicated to proactive counter-intelligence, research and development and public education against online threats. The X-Force researches security issues, tracks the evolution of threats through our Global Threat Operations Center and ensures that new threat management solutions get to market quickly.
Internet Security Systems offers healthcare organizations a single source for guidance, expertise and technology that addresses HIPAA security requirements. While the requirements of HIPAA are stringent and detailed, the benefits associated with compliance to HIPAA security requirements are real, and will be realized with each patient’s visit to the doctor, hospital, clinic, pharmacy or medical insurance provider. More information on the ISS approach to HIPAA compliance can be found on the new HIPAA website on www.iss.net at http://www.iss.net/products_services/market_solutions/healthcare.php
The Proventia™ A Series: Instant Threat Reduction
The Proventia™ A Series combines protection and prevention technologies to deliver revolutionary, cost-effective security to customers.
In the world of viruses, worms and other malicious code developed by hackers, there is one constant rule — threats to networks never fade away. The sophistication of software and the growing capabilities of even mediocre attackers create a constant challenge for IT professionals and network administrators. Even more troublesome is the speed at which an attack can cripple thousands of networks, all in just minutes. Given the swiftness of newly emerging threats, a dynamic system of protection is a must for any IT professional to ensure the protection of their data from hackers and thieves.
To resolve this problem of implementing cost-effective security products that protect against both known and future threats, even in advance of a physical patch or hot fix, Internet Security Systems launched in April of this year a new line of groundbreaking products, called Proventia™ threat protection appliances. The Proventia threat protection line features appliances that combine hardware and software to create a system that both prevents and protects against destructive activity for networks, hosts and applications. These new devices also offer an opportunity to drastically reduce purchasing costs while remaining compatible with existing Internet Security Systems services. Time is money, and Proventia is designed to deliver to an IT department a functioning device that is compatible and usable “out of the box” without extra network, hardware and software requirements.
“Most businesses can expect to wait months before implementing new security components for their networks,” says Peter Tosto, ISS product management director. “This would include reviewing, planning, testing and implementation, a true headache for any business with systems that are exacerbated by new, emerging threats that use different software or exploit different vulnerabilities.”
The first Proventia line, the Proventia™ A Series, addresses the perpetually-changing nature of threats to computer-based networks by alerting system administrators to intrusions via its advanced protection capabilities. The appliance can be taken out of the box, installed in any network and be up and running in as little as 15 minutes. “The appliance does not need to be integrated into any other part of the network or configured to work with servers and desktops. Therefore, IT departments are saved from having to endure lengthy impact projections and testing procedures to ensure compatibility with off-the-shelf and proprietary software run by the customer,” says Tosto. The A Series also boasts the convenience of installing directly at the level of any network segment, again saving time and money when deploying in a network.
The Proventia A Series works to complement the traditional firewall, because firewalls can’t stop all threats. The A Series not only can detect intruders, but it also can stop traffic to open ports elsewhere in the system, a big advantage over traditional firewalls. “Another advantage over the traditional firewall is that there is nothing to identify the A Series to an intruder,” says Tosto. “Typical firewalls include identification that hackers and malcontents attempt to discover and develop an attack that exploits a weakness with that particular firewall. The A Series prevents this by becoming invisible to attackers while also blocking suspicious behaviour from proceeding any further in the network. For a security administrator, blocking and logging suspicious events helps to identify what attacks are occurring, providing critical information to bolster against current and future threats.”
“The Proventia line of products is perhaps the first step toward achieving an easier means to achieve enterprise network protection,” says Greg Adams, ISS vice president of Product Management. “This has become the ultimate achievement for the security industry: a simplified, inexpensive security solution that is easy to install and manage and will stand against future threats. Attempting to be all things to all people is very difficult but the Proventia line promises to get closer to that goal.”
The Proventia line reinforces Internet Security Systems’ practice of defense-in-depth by proactively preventing rather than reacting to threats. The Proventia A Series appliance’s ability to log events as they occur and its capability to receive updates from ISS liberate administrators from the routine and time-consuming tasks of updating software, so that they can be deployed to other mission-critical positions. The A Series also has an incredible advantage for administrators because it is linked to Internet Security Systems’ very powerful and crucial X-Force™ security research and development organization. The X-Force discovers vulnerabilities and threats and gives ISS’ customers the information and product updates that are critical to keeping key computer infrastructure up to date and protected. X-Force lives by and delivers its motto — first to know, first to protect — earning ISS a key distinction among all security solution providers. The X-Force conducts tests for vulnerabilities before they are discovered by competitors, software manufacturers, attackers and malcontents. Once these threats and vulnerabilities are discovered, the X-Force team can notify and update the customer automatically.
ISS has long provided a proactive process for customers to defend against potential threats. However, ISS’ Proventia line takes this service one step further, by allowing the customer to choose how they will implement these services. The A Series centralized management capacity also lets administrators customize the level of protection they need according to the mission of the network and the level of security required by the customer. These settings are based upon a wide variety of protection technologies, from packet examination to protocol analysis, offering the administrator a complete arsenal of defenses against intrusion. The Proventia appliance is attached at the segment level. As a result, these varying security settings offer better protection for the more complex and diverse network structures companies face in an expanding, global environment. Using the SiteProtector™ management application, the administrator can view and assess the types of activity and manage what are tagged as threats. The administrator can have the appliance automatically block identified events or log them for further attention.
Proventia and its later progeny are designed to incorporate many of today’s security hardware and software products into an easily deployed, easily operated appliance family without the worries associated with compatibility, obsolescence, and increasing costs to match the growing threats. The Proventia line seeks to resolve the main problem with firewalls, which is that good security is not just about keeping out identified threats but also about preventing malicious activity that comes in through legitimate avenues. The next in the Proventia line, the Proventia™ G Series, promises to complement the A Series by dynamically examining and blocking targeted types of traffic across a network segment rather than just monitoring and detecting attacks after they occur. To keep out viruses, worms and other activity, good security infrastructure needs to look at what the activity is rather than just where it comes from. The G Series will fill this need by becoming an inline filter to a network that examines and blocks malicious packets and activity on the fly.
The Internet Security Systems team is working on yet another line of the Proventia threat protection appliances that will incorporate the best technologies of legacy security solutions such as firewall, gateway antivirus, VPN (virtual private network), and managed threat protection in one combined threat prevention unit. This new series, the Proventia™ M Series, will feature a centrally organized unit that will take advantage of ISS’ threat protection services, while also performing a wide variety of security functions and procedures. The “holy grail” for the security industry is to create one multifaceted product that integrates security tasks in an easily managed device. Stay tuned for more on the Proventia family to be featured in a special edition of Connect in the next issue.
how-to
Real-World Incident Response Experience
Emergency Response Services provides vital and effective solutions for customers when it matters most.
How a person handles an emergency situation is often a character-defining moment. The same rings true for business. Internet Security Systems Emergency Response Services (ERS) delivers time-critical security solutions to customers in crises, when it matters most. “ERS is a key differentiator in the security industry. It delivers advanced incident response and preparedness supported by highly experienced security management professionals that save overtaxed IT departments precious time and money,” says Patrick Gray, director of ISS’ X-Force™ National Emergency Response and Penetration Testing Services. As a branch of ISS’ X-Force™ Professional Security Services, ERS experts combine leading security research with real-world incident response experience to help organizations not only respond to information security breaches, but also prepare for unforeseen breaches — all backed by ISS’ elite X-Force™ research and development team. The ERS team performs after-the-fact forensic investigations and helps organizations develop and improve their incident response capabilities.
“From a cost standpoint it makes sense to have ISS on site, because when companies dedicate their own staff and they have to work on an incident for a week, their normal duties also drop back a week or more,” says Gray. “The company’s staff has to make up that time, which leads to overtime. With ISS on board companies don’t have to dedicate as many full-time employees to an incident. That’s our job.”
ERS offers customers two solution sets: subscription-based and incident-based services designed to meet the demands of organizations of any size, in any market. As a subscription-based client — either basic or comprehensive — the advantage is that ISS has first-hand knowledge of the client’s business and its infrastructure. “The benefit is we know their environment. We’ve toured their data centers,” explains Gray. “And they know us. They know who we are because we conduct quarterly checkups, deliver monthly status reports and share information with them about the latest threats.”
X-Force emergency response research always pays for itself when reinvested in the customer. For example, the CFO of a client discovered that his e-mail mailbox was deleted from the company network. The client organization surmised that the event occurred between Thursday evening and Friday morning. “An IT person in their company decided he was going to figure out what was going on and that’s when he determined that the account was deleted off the network. They started messing around with the computer system. They recreated an account so the CFO could get the information back onto his system so that he could continue to work,” says Gray. The client’s IT staff created a honey pot, a well of information unprotected on the network used to entice suspects who may be combing the network for additional information, such as passwords. The problem with this client’s attempt to defuse the situation is that it tainted the crime scene, says Gray. “Because they had already been in the system, adding, deleting and tweaking, they had to understand that when we came on board, we might not have been able to obtain the evidence we’d like to obtain in order to catch the culprit. Our terminology is that they’ve stepped all over it.”
Cautious not to blow the whistle on their own company, the client also didn’t call ISS until Tuesday afternoon. “In a perfect scenario, we would have received the call Friday morning and given them direction on what not to do,” says Gray. The delay cost the client precious data, because the crime scene had aged. Once notified by the client, the ERS team thoroughly investigated the plight to explore who was involved, the moves made, what systems were affected, log activity, when the situation occurred, how it was discovered, how the customer reacted and a list of suspects. “We interview the client to gather initial information to start piecing the puzzle
together,” says Gray. “In this situation, we helped them secure their network and we helped them develop a plan to protect their network from future incidents. In that regard, we’re leveraged in two different ways. Not only do we pull the investigation together, conduct the analysis of the system and help catch the persons performing illegal activity, but we also help the client by running a scan across their network or database and point out vulnerabilities that need to be protected as soon as possible to prevent future incidents. The added value with ISS is that we don’t just work through individual incidents. We conduct thorough investigations and then provide thorough solutions. We are a solution-based company with the client’s best interest at heart.”
Case in point: Via the ERS 1-800 number, which features on-call, 24/7 security incident response expertise, ERS professionals received a call at 3 a.m. from a client who reported “serious” activity on a network not scheduled for a penetration test. “They didn’t know what was happening,” says Gray, “but they knew someone was trying to get into their system.” In situations like this, speed is of the essence. An ERS team can be on site within hours. A team of ERS penetration test experts was called in to assist. “The client was so happy to see the response. And they deserve it. When they have a situation that’s a little fire that you may be able to stomp on and put out, it doesn’t mean that you feel the firefighter shouldn’t come in and see if you’re okay,” says Gray. “We go out no matter what size the fire is. And depending on how big the fire is, we pull more firefighters in.”
Following any incident response, ISS compiles a report that details the incident, its effects and ERS’ recommendations for preventative measures. Access to the X-Force’s wealth of knowledge is a key advantage in an emergency situation. Real-world knowledge of threats and vulnerabilities enables ERS experts to know exactly what to look for on a client’s network. Recognizing the threat and rapidly addressing an emergency situation properly minimizes the damage the incident might cause to the organization, especially for incident-based customers who may be contacting ERS for the first time. Organizations who take advantage of ERS offerings not only maximize their staff time by allowing employees to concentrate on meeting business demands rather than those of security, but also provide peace of mind to their customers and vendors. Further investigation and after-the-fact forensic analysis conducted by an ERS team ensures that an organization is prepared to take the best course of action to identify and prosecute attackers, as well as prevent future attacks.
As multitalented specialists — part security, part IT and part detective — ERS professionals approach each case holistically. ERS’ priorities are No. 1, to secure the breach to ensure the continuation of business and No. 2, to collect forensic data that may be used to prosecute a suspect. “This is not just an IT problem. It’s a business survivability issue as well,” says Gray. As trusted advisors, ERS experts work with clients through judicial proceedings and take a tailored approach to develop incident response procedures for the organization, test those procedures and match industry best practice standards to an organization’s specific business requirements. “Be it subscription-based or incident-based, we build a relationship with our ERS customers,” says Gray. “We provide the customer the solutions they need, and they know they can depend on us when it’s most vital.” To learn more about X-Force Emergency Response Services, call 404-236-3971, e-mail consulting@iss.net, or visit www.iss.net.
Incident Response Methodology
Internet Security Systems’ thorough incident response methodology enables an organization to properly respond to an information security breach and continue to meet the demands of business.
Analysis: ISS analyzes the incident data to determine the source, cause and potential effects.
Containment: ISS assists with preventing the effects of the incident from spreading to other networks and systems within the organization.
Eradication: ISS assists with stopping the incident at the source and protecting the organization’s networks and systems from the effects of the incident.
Recovery: ISS assists with restoration of the affected networks and systems to normal operations.
Prevention: ISS assists with ensuring that the organization’s networks and systems are protected from future occurrences.
calendar
For a complete Calendar of Events, access Internet Security Systems’ Web site at www.iss.net.
S = Speaking; E = Event (U.S.); E = Event (International). Event dates are subject to change without notice.
Featured Shows: Show info TK
September
E “Are You Vulnerable?” Seminar Series: February 5, Boca Raton, FL; February 6, Port of Spain, Trinidad; February 11, Albuquerque, NM; February 12, San Antonio, TX; February 19, Harrisburg, PA; February 20, Oklahoma City, OK; February 26, Monterrey, Mexico; February 27, Guatemala City, Guatemala
E “X-Force™ Education Series” Web Casts: Managed Security and Partnering for Success, February 13; Benefits of Automated Correlation, February 20; Security Best Practices for Critical Servers, February 27
E NETWORK AND
E Information Security: February 18, Munich, Germany, www.trustday.de
S InfraGard Meetings: February 20, San Francisco, CA
E High Tech Day at the Georgia State Capitol: February 26, Atlanta, GA
E Armed Forces Communications & Electronics Association Tradeshow (AFCEA): February 26, Washington, D.C.
E Federal Communications Weekly Dinner: February 26, Washington, D.C.
E Homeland Security: IT on the Frontline (AFCEA): February 26-27, Ronald Reagan International Trade Center, Washington, D.C., www.afcea.org/homeland03/default.asp
E Stuttgarter IT-Sicherheitstag: February 6, Stuttgart, Germany, www.trustday.de
April
E Interstate ISAC Webinar: February 12
March
E “Are You Vulnerable?” March Seminar Series: March 4, Reno, NV; March 6, Calgary, Alberta, Canada; March 11, Omaha, NE; March 12, Des Moines, IA
S ISSA Meeting: February 18, San Antonio, TX
E “Dynamic Threat Protection™ for the Enterprise” Seminar Series: March 4,
klaus’ corner
Maximum Protection with Minimal Complexity & Cost
“Manual vulnerability detection and patching must be replaced by a highly automated, proactive process that frees staff and resources for the most urgent security tasks.”
Chris Klaus, founder and CTO
Patching has become an enormous burden for CIOs, CTOs and security administrators. There’s little standardization for identifying vulnerable systems or tracking which updates have been applied. Hosts often must be rebooted for patches to take effect. Patches and hotfixes themselves introduce new bugs and unpredictable behaviors, many of which are not apparent until the host has been put back into service — and many of these modifications can’t be reversed. Legacy systems and custom applications often have no repair option. And because patches are designed for system-by-system application, the repair process rarely scales across enterprise infrastructure. For example, an organization with 1000 servers typically needs 500 man-hours to apply a single patch across every server. During that period of time, other patches might be released, which only adds to the burden.
Finally, the change management process often introduces conflicts of interest between security and network administration staff. Security staff must order systems taken down to address significant security exposures. But network administrators are paid to keep resources online and available for as long as possible, causing friction between the two groups.
The cost is easy to measure in dollar terms. It takes a typical patch four hours to be applied to a server, at $80/hour for the technician’s time. Multiply that by a conservative five patches a month and the total cost for patching 1000 servers against a total of 60 vulnerabilities within 12 months quickly balloons to almost $20 million per year. It’s no surprise that businesses around the world are struggling with this problem. It’s also no surprise that Internet Security Systems has the answer.
This issue of Connect introduces a powerful new addition to Internet Security Systems’ Dynamic Threat Protection™ platform. The X-Force™ Catastrophic Risk Index (CRI) (see page 3) is a regularly updated list of the most devastating vulnerabilities and threats affecting networks, hosts and applications. The X-Force CRI helps network and security administrators prioritize protection around the organization’s most mission-critical online operations. The X-Force CRI reflects the continued evolution of Internet Security Systems’ Virtual Patch™ capabilities, in which vulnerability detection and intrusion prevention are unified through centralized command and control to mitigate risk before business operations are even threatened. Our Internet Scanner™, RealSecure™ and Proventia™ offerings all use the X-Force CRI to quickly recognize imminent critical threats and provide immediate protection — even in advance of physical patching. Manual vulnerability detection and patching must be replaced by a highly automated, proactive process that frees staff and resources for the most urgent security tasks — and allows physical patching to take place within a predictable, scheduled change management environment. This powerful capability provides highly effective coverage for both known and unknown threats, and it’s available now in our Virtual Patch. As important as these developments are, there is much more to come over the next few months.
There is a common theme in all of these technological innovations — maximum protection with minimal complexity and cost. These developments are important steps to that end, but they are only parts of a larger and much more exciting whole. Keep your eye on us over the next few months. The best is yet to come.