Watching the gatekeepers

In 2001, the Federal Computer Incident Response Center was notified of 6,683 attacks, ranging from defacing Web sites to break-ins of an agency's central "root" servers. In 2000, the agency that monitors malicious attacks on federal systems was notified of only 586; in 1999, that number was 580.

These numbers have many industry and government officials worried about whether agencies have enough manpower to keep up with the increasing number of attacks on their computer systems.

Although the federal government has increased spending on information security (from $1 billion in 2001 to $2.7 billion in 2002, according to market research firm Input Inc. of Chantilly, Va.), the amount of information passing through government systems and the ever more complex nature of security threats guarantee that even these additional dollars will be spread thin.

Addressing this problem are software companies that have produced solutions that attempt to foresee threats sooner and simplify the workload for administrators.

"Traditionally, many of the technologies are reactive in nature. We have more of a proactive solution," said Dave Hammond, director of marketing at Okena Inc., a Waltham, Mass., firm that sells about 50 percent of its security software to government agencies.

Industry observers are seeing pressure on systems administrators from two areas: increasing network capacities and more complex threats, both of which strain traditional security components.

"Government agencies are requiring one gigabit networks, whereas 100 megabits were adequate two years ago," said Randy Richmond, group manager within the federal network systems unit of Verizon Communications Inc., New York, which provides managed network services.

As network throughput grows, Richmond said, firewalls and intrusion detection systems struggle with an increasing number of data packets.

Add to this the changing nature of the threat.
According to David von Vistauxx, managing director of a Silver Spring, Md.-based security practices coalition called the Organization for Infrastructure Security, agencies may be more "prepared to fight the last attack, not the current one."

For example, a June 10 General Accounting Office report criticized the Army Corps of Engineers for not adequately securing its financial management system, even though the corps had addressed many problems called to its attention by an earlier GAO audit. Among the new problems identified was the corps' failure to correct "continuing and newly identified vulnerabilities," the report said.

Increasingly, security software providers are gearing their solutions toward anticipating future threats, ones whose methods of attack may be new, rather than just guarding against the kinds of attacks that have already occurred.

Okena, for instance, sells software called StormWatch that monitors computer applications to ensure they don't perform any activities outside their boundaries.

"We're defining policies for appropriate application behavior," Hammond said.

Network Associates Inc., Santa Clara, Calif., also has developed a proactive approach through the release of its McAfee ThreatScan software.
Ryan McGee, group product marketing manager for Network Associates, said this product is "designed to help a security administrator find vulnerabilities in the network that might be attacked by viruses or other malicious code."

"It is specifically targeted at the vulnerabilities that get exploited by viruses," McGee said, in contrast to virus protection software that checks for the presence of malicious programs themselves.

In May, NFR Security Inc., Rockville, Md., released a version of its intrusion management system that includes a forensic analysis tool that mines security data for pertinent characteristics that could be used to guard against future attacks.

"Security must be considered a process rather than a single technology," said Jack Reis, chief executive officer of NFR Security.

Advanced detection systems such as these can be valuable tools, but agencies need knowledgeable systems administrators who know how to use them, said Ira Winkler, chief security strategist for Hewlett-Packard Consulting, a unit of Hewlett-Packard Co., Palo Alto, Calif., during a June 6 Washington Technology conference on information assurance. Otherwise, the data about possible break-ins will just go unused.

And this is where administrators need the most help, officials said.

"There's a ton of data out there. You look at those logs from intrusion detection systems and firewalls that are millions of lines long. No one has time to look through all of them," said Albert Turner Jr., a senior vice president for SilentRunner Inc., a subsidiary of Raytheon Co., Lexington, Mass.

Raytheon spun off this business unit to address the growing customer base for more visually oriented tools to help system administrators track threatening behavior.
In May, the company released a new version of its analysis tools.

"SilentRunner's customers have the power to [expedite] network security decision-making efforts," said Jeff Waxman, chief executive officer of the company.

Also looking to lighten the administrator's load is Symantec Corp., Cupertino, Calif. In April, the company signed an agreement with the Defense Information Systems Agency, which oversees the Defense Department's cyberinfrastructure, to supply personnel onsite to help install and manage Symantec's Internet security solutions.
Staff Writer Joab Jackson can be reached at jjackson@postnewsweektech.com.