Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Aurora Reaches for Security Rx

Monitoring tool collects data normally left to intrusion detection or intrusion prevention systems

When your business is diagnosing and treating disease, you understand the importance of seeing a problem down to the most granular level. But up until recently, the IT security team at Aurora Health Care -- Wisconsin's largest integrated health services provider -- couldn't fully assess the systems in some of its clinics and smaller offices.

Aurora, which supports some 30,000 users and nearly 1,000 applications, needed a way to look for security vulnerabilities in clients, remote networks, and other downstream devices in its geographically-dispersed, statewide hub-and-spoke network. Without that visibility, the Aurora security team was blind to flaws and risky behavior that were occurring in the farthest reaches of the network.

"We had no vision down to the clinic level, unless the end station was making a call out to the Internet," says Dan Lukas, lead security architect at Aurora. "We couldn't see things happening on the local subnet."

Lukas and his staff looked into available intrusion detection systems (IDS) and intrusion prevention systems (IPS), but the cost and complexity of instrumenting those systems was prohibitive. "Most of those systems require you to deploy sensors locally to all of the devices you want to manage," he observes. "If I had made a proposal to buy 500 sensors or more, my management would have laughed me right out of the room."

After investigating some lower-cost products, Aurora discovered StealthWatch, a network monitoring appliance from Lancope Inc. that harvests data from Cisco Systems Inc.'s NetFlow IP traffic analysis tool and analyzes it to help identify security vulnerabilities. Like many enterprises, Aurora is an all-Cisco shop, so deploying StealthWatch was a relatively simple matter of installing the software and configuring key routers to collect data from downstream devices and share it with the Lancope application.

"It's one of the few products I've seen that just works," Lukas says. "You have to turn on NetFlow and set it up in the routers, but that's a whole lot simpler and cheaper than deploying sensors."

With StealthWatch in place, Aurora began to discover security hazards around the network that needed to be remedied. "We found worms, Trojans, and viruses on the end station," he recalls. "We nailed some users that were doing streaming media, which not only helped with security but it freed up some bandwidth. We analyzed traffic to find places where we suspected security flaws. We even found viruses on some of our physical security devices -- the DVR systems that we use for surveillance."

StealthWatch does have some limitations. It collects data about anomalies, but it doesn't analyze them in detail. "We're looking at buying vulnerability scanning tools so that we can take the events that come to the top in StealthWatch and run more detailed scans," Lukas says. "Otherwise you can't identify all the potential problems."

In addition, StealthWatch can only support 128 hosts per appliance, so it doesn't scale well to every device in a large enterprise network. "We just put it on our hub routers, the ones that handle the most traffic," Lukas says. "Otherwise it can get pretty expensive and you start running up against that maximum."

There is an entry-level StealthWatch product starting at $9,995, but most large enterprises will need the more scaleable StealthWatch Xe appliance, which starts at $29,995. The pricing goes up based on the number of routers used.

"It's not free, but compared to the alternatives, it's a pretty good solution," Lukas says.

— Tim Wilson, Site Editor, Dark Reading

Organizations mentioned in this article:

  • Aurora Health Care
  • Cisco Systems Inc. (Nasdaq: CSCO)
  • Lancope Inc.

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
    Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
    Palo Alto Networks to Buy CloudGenix for $420M
    Dark Reading Staff 3/31/2020
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 4/3/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    State of Cybersecurity Incident Response
    State of Cybersecurity Incident Response
    Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-11580
    PUBLISHED: 2020-04-06
    An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, accepts an arbitrary SSL certificate.
    CVE-2020-11581
    PUBLISHED: 2020-04-06
    An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, allows a man-in-the-middle attacker to perform OS command injection attacks (against a client) via shel...
    CVE-2020-11582
    PUBLISHED: 2020-04-06
    An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, launches a TCP server that accepts local connections on a random port. This can be reached by local HTT...
    CVE-2020-11585
    PUBLISHED: 2020-04-06
    There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a messag...
    CVE-2020-5832
    PUBLISHED: 2020-04-06
    Symantec Data Center Security Manager Component, prior to 6.8.2 (aka 6.8 MP2), may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected ...