
Stanford Medical School's Rx: Anomaly Detection

Appliance helps minimize bot, malware infections

The new sheriff who came to bring order to the Wild West town is an apt way to describe Todd Ferris’s job: As associate CIO for IT services at Stanford University's School of Medicine, Ferris was charged with putting policies, products, and procedures in place for a network that was proud of its open, unrestricted culture.

Stanford’s School of Medicine has been gradually ratcheting up its security checks over the past five years under Ferris's direction. Early last year, the med school upgraded its Lancope StealthWatch NC G1 anomaly detection appliance for more horsepower and expanded the appliance’s reach. As part of a university-wide initiative, it also installed Juniper Networks’ NetScreen Unified Threat Management system.

The results have been dramatic: Rather than an open network constantly under siege and plagued with zombie machines, the medical school now wards off only about 10 significant intrusion attempts each month.

Stanford has a main campus network that serves its undergraduates as well as the university’s core business functions, but each of its separate schools, such as business and law, has its own network and IT department. The School of Medicine, the biggest school on campus, supports about 6,000 employees, students, and faculty, who connect about 12,000 devices to the network. Since medical information is exchanged, security checks that comply with HIPAA regulations need to be in place.

When Ferris arrived in early 2003, it was all one big open IP network with no restrictions, not even firewalls -- and all of its machines were sitting open on the Internet, inviting attack. The university started to monitor its network traffic with open source tools such as Snort. “We quickly discovered that we were reacting too slowly to protect ourselves: By the time we became aware of a threat, such as viruses like Blaster, it had already infected a number of our machines,” Ferris recalls.

To bring some order to the chaos, the university went out in search of an anomaly detection product. Ferris says the school chose Lancope’s StealthWatch because it was easy to use. “We have a small IT department and could not dedicate significant resources to running the software,” Ferris says. “With StealthWatch, we could quickly export data, pull it into Excel, play with it, and figure out what was happening on our network.”

The university installed the appliance, which cost about $20,000, in August 2003 as part of the selection testing and never took it out. “We were quickly able to get [bot-infected] machines off the network that had been sitting there and scanning for months,” Ferris says.

Today, in addition to monitoring information flowing over the enterprise network, StealthWatch controls information moving among devices in the data center as well.

While the Stanford School of Medicine has made progress, Ferris recognizes that attacks evolve and change, so his team will need improved security tools to keep the network safe. Being able to manipulate more historical data from StealthWatch would be helpful, he says: The product stores only 30 days’ worth of security information.

More sophisticated monitoring is also needed, he says. “Recently, the threat from hackers has changed dramatically. They have moved away from widespread attacks to directed attacks, ones that are quite precise, accurate, and have low noise ratios.” Previously, attackers would install malware on users’ systems and then start scanning continuously. Now they do their dirty work more intermittently, so it is becoming more difficult to separate infected machines from clean ones. Ferris is working with Lancope to develop capabilities to better detect problems, such as botnets.
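
The shift Ferris describes, from continuous scanning to intermittent activity, can be shown with a simple fan-out check over flow records. The following is an added example, not code from the article and not Lancope's detection method; the flow records, addresses, window sizes, and threshold are all constructed assumptions.

```python
from collections import defaultdict

def make_flows():
    """Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    flows = []
    # Noisy infected host: 200 distinct targets on port 445 inside one minute.
    for i in range(200):
        flows.append((i * 0.3, "10.0.0.5", f"10.1.0.{i + 1}", 445))
    # Intermittent infected host: one new target every 10 minutes for 24 hours.
    for i in range(144):
        flows.append((i * 600, "10.0.0.9", f"10.2.0.{i + 1}", 445))
    # Clean workstation: the same three servers, contacted all day.
    for i in range(500):
        flows.append((i * 170, "10.0.0.20", f"10.3.0.{i % 3 + 1}", 443))
    return flows

def fanout_alerts(flows, window_s, threshold):
    """Return sources that contact more than `threshold` distinct
    (dst, port) pairs inside any aligned window of `window_s` seconds."""
    peers = defaultdict(set)  # (src, window index) -> {(dst, port)}
    for ts, src, dst, port in flows:
        peers[(src, int(ts // window_s))].add((dst, port))
    return sorted({src for (src, _), p in peers.items() if len(p) > threshold})

if __name__ == "__main__":
    flows = make_flows()
    # Short windows catch only the continuous scanner; the intermittent
    # host needs a full day of history before its fan-out stands out.
    for label, window in (("1 minute", 60), ("1 hour", 3600), ("24 hours", 86400)):
        print(f"{label:>8}: {fanout_alerts(flows, window, threshold=50)}")
```

The intermittent host stays below the threshold in every one-minute and one-hour window and only surfaces once a full day of flows is aggregated, which is why the amount of retained history matters for this kind of detection.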
