Dark Reading is part of the Informa Tech Division of Informa PLC


Stanford Medical School's Rx: Anomaly Detection

Appliance helps minimize bot, malware infections

The new sheriff who came to bring order to the Wild West town is an apt way to describe Todd Ferris’s job: As associate CIO for IT services at Stanford University's School of Medicine, Ferris was charged with putting policies, products, and procedures in place for a network that was proud of its open, unrestricted culture.

Stanford’s School of Medicine has been gradually ratcheting up its security checks over the past five years under Ferris's direction. Early last year, the med school upgraded its Lancope StealthWatch NC G1 anomaly detection appliance for more horsepower and expanded the appliance’s reach. As part of a university-wide initiative, it also installed Juniper Networks’ NetScreen Unified Threat Management system.

The results have been dramatic: Rather than an open network constantly under siege and plagued with zombie machines, the medical school now wards off only about 10 significant intrusion attempts each month.

Stanford has a main campus network that serves its undergraduates as well as the university’s core business functions, but each of its separate schools, such as business and law, has its own network and IT department. The School of Medicine, the biggest school on campus, supports about 6,000 employees, students, and faculty, who connect about 12,000 devices to the network. Since medical information is exchanged, security checks that comply with HIPAA regulations need to be in place.

When Ferris arrived in early 2003, it was all one big open IP network with no restrictions, not even firewalls -- and all of its machines were sitting open on the Internet, inviting attack. The university started to monitor its network traffic with open source tools such as Snort. “We quickly discovered that we were reacting too slowly to protect ourselves: By the time we became aware of a threat, such as viruses like Blaster, it had already infected a number of our machines,” Ferris recalls.

To bring some order to the chaos, the university went out in search of an anomaly detection product. Ferris says the school chose Lancope’s StealthWatch because it was easy to use. “We have a small IT department and could not dedicate significant resources to running the software,” Ferris says. “With StealthWatch, we could quickly export data, pull it into Excel, play with it, and figure out what was happening on our network.”

The university installed the appliance, which cost about $20,000, in August 2003 as part of the selection testing and never took it out. “We were quickly able to get [bot-infected] machines off the network that had been sitting there and scanning for months,” Ferris says.

Today, in addition to monitoring information flowing over the enterprise network, StealthWatch controls information moving among devices in the data center as well.

While the Stanford School of Medicine has made progress, Ferris recognizes that attacks evolve and change, so his team will need improved security tools to keep the network safe. Being able to manipulate more historical data from StealthWatch would be helpful, he says: The product stores only 30 days’ worth of security information.

More sophisticated monitoring is also needed, he says. “Recently, the threat from hackers has changed dramatically. They have moved away from widespread attacks to directed attacks, ones that are quite precise, accurate, and have low noise ratios.” Previously, attackers would install malware on users’ systems and then start scanning continuously. Now they do their dirty work more intermittently, so it is becoming more difficult to separate infected machines from clean ones. Ferris is working with Lancope to develop capabilities to better detect problems, such as botnets.
