Building an Endpoint Security Arsenal

 These threats are very real, and the recent spate of data thefts and security breaches has created the potential for a huge amount of personal and sensitive data to become compromised.

 For example, McDonalds Japan was forced to recall more than 10,000 promotional MP3 players after discovering that the devices carried a spyware Trojan. Apple unknowingly shipped video iPods that were loaded with a Windows virus capable of compromising a computer. Tom– Tom revealed that many of the GPS units it shipped in the fourth quarter of 2006 were infected with a virus that could infect a computer if the Tom–Tom unit was connected to the machine. Empire Blue Cross and Blue Shield of New York lost an unencrypted compact disc that contained personal information on 75,000 people.

 These recent instances of data loss and malware infiltrations pushed my staff to look long and hard at the potentially large number of holes in our existing security nets. Many studies reveal that the most significant security breaches come from insiders—both from malicious and seemingly benign activities. As part of our ongoing efforts to protect against all potential threats, we decided we needed to proactively seek a solution to enforce our policies regarding the use of removable storage media on company PCs, laptops and servers.

Caught Between a Device and a Hard Place  

 At John C. Lincoln Health Network (JCL), we consider ourselves to be at the forefront of computer security in the healthcare environment. JCL is a not–for–profit organization based in Phoenix that includes two hospitals, thirteen physician practices and a number of outreach programs. We employ more than 3,000 staff and 1,400 physicians, all of whom are dedicated to providing the highest–quality patient care possible. As the CIO, my role in ensuring quality care also includes maintaining a secure environment for patient data. Yet, in early 2005, we struggled with ways to enforce our IT security policies.

 While JCL had extensive documentation on proper security usage in regards to removable storage media, my IT staff was unable to effectively enforce these policies. One policy stated that users are not allowed to save anything to a hard drive, but some employee activity stood in direct violation. In one instance, an employee inserted a floppy disk and inadvertently exposed JCL to the Slammer virus—the pandemic worm that used a known buffer overflow in Microsoft’s SQL Server database to generate massive amounts of network packets, overloading servers and routers and slowing down network traffic. While the organization recovered from this incident, portable media continued to cause problems.

 We were continually performing reactive maintenance. This, combined with frequent news reports of compromised data, forced us to look for methods that would put some weight behind the written word. One of our prime concerns included allowing people to continue to do their jobs in an effective manner while providing the proper security balance. For many years, capital investments at JCL were directed toward ways to improve overall computer operational efficiency and security. Several technologies, including Computrace, e–mail encryption, PC blade computing, Darknet, e–mail filtering and others were already in use at JCL. However, we still lacked a way to control the physical desktop where PC blade technology was not in use.  

 This manifested itself in the problems we were experiencing with people downloading or uploading from thumb drives, CD–ROMs, burners and floppy disks. Employees were also adding peripheral devices, such as modems, without our knowledge. The modems were bypassing our firewalls and connecting to programs like AOL. We were not sure what was being uploaded or downloaded. We had people loading games, bringing in term papers and using our machines for other non–work related activities.  

 One of the most serious risks we considered was data leakage. Employees can easily lift data from a company’s database by using an iPod or a Blackberry. Once the data is on the device, it’s vulnerable to data leakage if lost or stolen. However, data leakage is not the only risk. The idea of “mobile malware”—inadvertently introducing viruses, spyware, Trojans or other forms of malware from a device that spends most of its time hooked up to a far less secure home PC.  

 These concerns made us realize that building a truly effective endpoint security arsenal starts by understanding that the “endpoint” has shifted from the PC to removable storage media. The number of ways users can access sensitive corporate data is continuously increasing, especially with the proliferation of handheld devices. We had to establish defenses accordingly.  

 One of my greatest challenges was not being able to individually inspect the 2,000 machines across our 15 locations. I could not simply ignore unknown threats to the network that could potentially put the organization at risk of noncompliance with HIPAA privacy laws, which mandate the protection of confidentiality and security of health data through setting and enforcing standards. I began a search for an effective, yet flexible device management solution to prevent unauthorized user activity.

 We wanted a process that would allow us to take better control of our peripherals without making it impossible for the people who needed devices to do their jobs since there are some instances in which some devices are appropriate and add business value. In the same vein, we also wanted to take control of our hard drives.  

Creating Sanctuary for Mobile Device Use

 JCL considered several options in our investigation of endpoint security methods. The easiest and cheapest solution would have been to disable peripheral and USB access at the BIOS level. This was a clean, straight–forward approach, but it would not have achieved our goal of allowing authorized users to accomplish their job. At JCL, as in most facilities, a large number of users may access numerous machines throughout a standard work day. By forcing all machines into the same strict configuration, we would be severely limiting the ability for staff to effectively do their jobs. In addition, it is not practical to perform a large amount of moves and general repairs while trying to keep a specific set of systems open. What we needed was an automated system that could be configured based on an individual’s role, not location, and had a manageable administrator interface to allow easy changes, adds and deletes.

After looking at several products, we chose Sanctuary, SecureWave’s endpoint security solution, to simplify the device management process and proactively secure our organization from data leakage, malware and other threats posed by the use of removable storage media. We chose Sanctuary for many different reasons. The ability to manage users in a role–based scenario was one of our core requirements, and this product was one of few that allowed that function. By rolling out Sanctuary to all of our desktops, we were able to set policies based on either a user’s role or identity. For example, a user could have full thumb drive access, just keyboard access or access to read from a thumb drive or CD–ROM, but not the ability to save anything to the machine from the peripheral.

 Another key benefit of the SecureWave software is the ability to quickly and easily change a user’s configuration and peripheral levels on the fl y. With continued growth at our facilities, we were hiring numerous new staff throughout the organization, as well as redefining some existing roles. Sanctuary allows us to use lightweight directory access protocol (LDAP) as a method to quickly and efficiently add or remove permissions to a unique user, without having to make a technician available to go out and physically touch a machine. In an environment where construction changes were making us move or add users and workstations with very little notice, this was a key success factor in our ability to continue to protect our security levels while maintaining a high level of customer service.

 Sanctuary also allows us to control the use of approved devices. We require all JCL employees to fill out a “device approval” form if they want to plug any device into their work machines. If anyone tries to use media that has not been sanctioned by the IT staff, the device will be automatically blocked by Sanctuary.

 If employees can justify a need to use an application or connect a device such as a USB stick to the IT network, I can easily use Sanctuary to grant access rights. Sanctuary allows us to enable access rights at a high level or all the way down to device class, specific device or application to users, user groups, a particular computer and many more granular parameters. Sanctuary provides us with the control we need while giving users the flexibility to access applications and devices that are required to effectively do their job. Permission settings include read/write, scheduled access, temporary access, online/offline, specific busses, HDD/non–HDD devices and more.

 Equally important is Sanctuary’s encryption functionality, which encrypts removable media so that it can be safely used and transported to ensure that sensitive data is not inadvertently exposed to those without authorized access. It seems like every day we hear about another stolen hard drive or laptop or PC that contained sensitive patient data. With Sanctuary, we can enforce policies so that if an authorized piece of removable media with sensitive information is lost or stolen, the data is encrypted.

 In addition to putting an enforcement technology behind our written policies, the Sanctuary implementation also gave us a much needed ease of rollout. Though we looked at many products that claimed to offer plug–and–play capabilities, in most instances it was more often plug–and–pray. Numerous registry issues with demo installs and poor technical support in the pre–purchase decision phase made us leery of many of the other players in this market.

 We tested Sanctuary on workstations and laptops with Windows 2000 and XP Professional, as well as on cube thin clients, with no issues and completed a 2,000–seat deployment without a single hitch. We found an immediate fix to the glaring problem of unauthorized device use, as the entire sales and deployment process wrapped up within two weeks from the first on–site meeting and demonstration. Only one staff member was required to install and deploy Sanctuary, which installed the first time, and the support was and is to this day top–notch. The install of the client was easily delivered by our software delivery program, and worked with a wide range of O/S and patch levels on our varied systems throughout our network.

Whitelisting: Security’s White Knight

 Sanctuary operates on a default/deny or “whitelisting” concept. This involves setting a predefined list of devices that are allowed to work on corporate machines while blocking all others by default. The whitelisting concept shelters administrators from the laborious task of maintaining blacklists of all the devices which are to be banned on corporate PCs, laptops and servers.

 The beauty of the whitelisting approach is that it places control of corporate policy squarely in the hands of the IT administration staff. Only devices authorized as having a viable business use will work on corporate endpoints. This supports company policy, because it gives the IT staff the means to enforce its written list of allowed devices. For example, if a policy excluded iPods from use on company computers, the IT administrator would simply exclude iPods from the whitelist and they would not work on corporate endpoints.

 There is also minimal administrative overhead associated with Sanctuary and whitelisting. We spent minimal time creating the list of authorized devices and even less time updating it. Sanctuary provides a pre–populated whitelist that identifies every type of removable media, so there is not much custom definition that needs to be done. In turn, I have the guarantee that virus–laden iPods or other devices will not impair the organization because they will never succeed in connecting to the network if plugged in to any of our 2,000 workstations. On average, we save about 10 hours each week due to a substantial decrease in the number of work orders for trouble shooting related to device dilemmas.

 Because the whitelisting approach is so effective for enforcing device–use policy, we elected to purchase additional components. Sanctuary Application Control allows us to add a layer of protection that would prevent people from installing software without IT involvement. This reduces the risk of software conflicts and assists with software license compliance. Additionally, Sanctuary is an exceptional first line of defense to battle viruses, Trojans, spyware and all other forms of malware. It allows us to create a whitelist of allowed executables, and all others are denied by default—including all unauthorized programs, unwanted software and all forms of malicious code.

 Whitelisting applications is far more efficient than the traditional blacklisting approach used by anti–virus, antispyware and similar solutions. These types of technologies require the constant updating of a blacklist of known threats that should remain barricaded outside the network. Many companies take the same approach to device use, denying access to unauthorized devices. However, the problem is that malicious code today is so complex and targeted that maintaining an accurate blacklist is next to impossible.

 Sanctuary’s unified console allows JCL to centrally manage and monitor both device and application control across the organization. Sanctuary provides a single, seamless view of everything accessing or attempting to access the network through corporate endpoints from a device and application perspective, providing a new level of visibility into the network than was previously possible.

A Layered Approach to IT Security

 In order to complement Sanctuary, JCL also has undergone many initiatives to increase our overall security stance. One of the larger deployments involved replacing traditional workstations, primarily in clinical areas, with PC blade technology. This architecture enabled JCL’s IT staff to allow the user to experience the same level of GUI, while reducing the possibility of confidential data inadvertently being stored on a hard drive that was accessible to anyone with access to the PC. By having a thin client device connecting back via remote desktop protocol (RDP) to a secure PC blade located in JCL’s server room, not only are we able to reduce the threat of data being stored locally, we dramatically reduce overall downtime for our 24/7 clinical areas. By removing elements such as heating, cooling and power spikes, users are no longer forced to wait for repair when their PCs crash. Now, with a simple mouse click, we can redirect any end user to a new blade so they can continue working with minimal downtime.

 We also installed several Darknet systems to increase the physical and electronic security of the JCL’s systems. With the number of phishing attacks that occur on a daily basis increasing, our three Darknet systems not only protect us from outside incursions, but also have the added ability of tracking an infected PC back to the desktop location. They have proven invaluable in black–holing numerous bogus sites, including financial institutions that have sent messages to our end user population asking for verification of one confidential detail or another. Again, though policies exist and education is conducted on these types of corrupt sites, the ability to add automation to a written policy has saved our network from numerous attempts at malicious penetration.

The Winning Combination:
User Education and Policy Enforcement

 The systems and guidelines for JCL are always changing in an effort to stay one step ahead of the bad guys. With an ever–increasing drive to establish electronic systems for everything from A to Z, the reliance on these systems to provide accurate, safe and secure information grows exponentially.

 With ever increasing pressure to make exceptions to the rule for one person or program, it becomes harder and harder to protect our electronic boundaries and information. A CIO must always balance good security procedures with the needs of a particular organization. However, as more data is forced into the electronic age, at what point does convenience have to be overshadowed by security? As such, we strive to make IT as invisible to our employees as possible.

 This dilemma revealed itself when we rolled out the SecureWave software. We were surprised at just how many devices were out there. We found devices we did not even know about. Organizations often have hundreds of IT policies and many times employees unintentionally violate them, so we need Sanctuary to audit the network and evaluate all device activity. Sanctuary’s I/O bi–directional shadowing tracks information as it is read from or written to a floppy, CD/DVD or removable device, and provides a comprehensive audit log of every event, whether allowed or attempted—including those by unauthorized code—and all writes to removable media and specific ports. Optionally, a full copy of the data written to or from a device can be captured and retained as well.

 As incidents of mobile malware and device theft make headlines in growing numbers, JCL will continue to utilize Sanctuary to proactively enforce its device usage policies. We will also regulate application use with Sanctuary and thus proactively avoid problems of malware, spyware, keyloggers, Trojans, rootkits, worms and viruses. Not only is the audit log invaluable in measuring and enforcing policy compliance, it also bundles the information we need as proof of HIPAA compliance.

 Any organization without policy enforcement in place is treading on thin ice. If you assume policies and procedures are enough, there are going to be a lot of “I told you so” moments. Policies are important, but if you have a choice between a policy and a technology such as Sanctuary, that enforces a policy, the safe bet is to go with the technology because people are human and will make mistakes. With Sanctuary, we do not have to worry about patient data being exposed. As long as end users know what the IT department is doing and why, they are usually more than willing to help out.

 While it should be the duty of every user to protect the company’s assets, the CIO and their IT departments ultimately will be held responsible for any breach of confidentiality or data. By proactively taking steps to address device and application control, organizations can ensure that they are protected from data leakage while still enabling employees to use the gadgets and programs they need to perform their regular job functions. The most effective approaches to addressing these challenges involve multiple steps that help companies thoroughly understand what applications and removable storage media are needed and by whom.