Ensure Executive FAQ
What is a Network Security Service? How does it work?
What causes my computer network to be vulnerable in the first place?
We use firewalls and antivirus software. Why do we need a network security service?
What could happen if I don’t implement some form of network security monitoring?
What is included in BearHill’s Ensure Network Security Service?
Will using Ensure guarantee that we won’t have an incident?
Will Ensure make us 100% compliant with all state, federal and industry regulations?
What regulations require the network security capabilities that are offered via BearHill’s Ensure?
Can we get third party validation of our information security efforts to provide partners and clients when subscribing to the Ensure service?
How can I get more information about BearHill’s Ensure Network Security Service?
What is a Network Security Service? How does it work?
The best analogy is “an alarm company” for your computer network. The goal of a physical security system is to protect your physical office space and physical assets from intruders. The goal of a Network Security Service provider is to protect your computer network and its information assets from intruders.
A physical security company will set up everything from motion sensors to contact sensors to detect entry through doors and windows. These detection tools are tied together through a central management station that in turn is connected to a monitoring center. The management station keeps a log that can tell you what time openings and closings occurred, by whom, and alert you to other anomalous events. The key to a physical security system is the 24 x 7 real-time monitoring of your office. When an event such as a fire or intrusion takes place, a signal is sent to a live operator who validates the event and contacts the customer and/or the proper authorities.
While the technology required to protect your network and information assets is significantly more complex than that of a traditional alarm system, the principles remain the same. As a network security service provider BearHill provides our clients with an appliance, the BearTrap, which monitors your network for anomalous behavior such as intrusion attempts or computer virus/worm outbreaks. The BearTrap communicates with sophisticated systems in our secure operations center (SOC) that streamline event correlation and threat detection. BearHill has security experts on staff 24 x 7 x 365 to monitor your network, validate alerts, and contact you with suggestions on how to eliminate the threat. Management is simplified via a web-based portal that provides an intuitive graphical representation of your security posture. Weekly, monthly, and quarterly reports document compliance and enable effective governance of networked systems.
What causes my computer network to be vulnerable in the first place?
Computer information systems are inherently insecure. Imagine guarding a bank that has no alarm system, no locks on the doors or windows, and a vault that won’t close. It seems ridiculous, but the state of network security can be likened to this scenario. Computer networking equipment, servers, operating systems, and software applications have largely been designed without security in mind. Information systems are being exploited through the hundreds of vulnerabilities discovered each month, the equivalent of leaving the front door open. More alarming is the fact that only 40% - 50% of these vulnerabilities are being addressed in the first 30 days after they become known. It is virtually impossible for any one administrator to keep abreast of the endless stream of patches needed to secure your systems in real time.
We use firewalls and antivirus software. Why do we need a network security service?
One of the great myths in information security is that by installing a firewall and/or anti-virus software you will be impervious to attack. While both of these defenses provide a measure of security, a recent CSI/FBI Computer Crime Survey found that 96% of organizations that reported a compromise had firewalls and 97% had anti-virus solutions in place.1 Indeed, in an overview of attack trends, Carnegie Mellon’s CERT Coordination Center listed the “increasing permeability of firewalls” 2 as one of six important technological trends. As technologies designed to bypass firewalls are becoming more prevalent, continuously monitoring your network for attempts to circumvent security measures has become essential.
As an example, consider the physical security of your office space. Locks on the doors and windows can be likened to the use of firewalls and anti-virus in that they provide a measure of protection. However, no one would assume that the standard locks on the doors and windows at your office make it impervious to a break-in. It is generally understood that, either through brute force or cunning skill, a burglar can bypass these common security measures. This is why most organizations employ a physical alarm system to protect against intrusions that bypass standard security measures. If your computers are going to be interconnected in a local network and with the Internet, no single technology can provide you with 100% protection. Since no security technology is foolproof, the only way of knowing your defenses aren’t being circumvented is to continuously monitor your systems. The most effective and affordable means to monitor your network is via a network security service.
What could happen if I don’t implement some form of network security monitoring?
What you don’t know can hurt you. But how? Despite the sensationalism propagated by security technology vendors and the media, you are less likely to be the target of shady ex-Eastern Bloc, organized-crime-backed hacker rings than you are to have your computer network rendered unusable by a teenager fumbling with an automated attack tool he found on the Internet. Some examples of risks business leaders must consider:
- Loss of network or system availability
- Unauthorized access leading to disclosure of confidential information
- Civil or criminal liability stemming from a network breach
- Violation of State security breach disclosure laws
- Non-compliance with Federal regulations
- Non-compliance with industry standards leading to a loss of ability to accept credit cards as a form of payment
- Negative publicity resulting from a computer security incident
An example of how this risk can turn into a material loss can be tied to the recent flurry of state security breach disclosure laws. More than half the states in the US have laws that require consumers be notified if “personal information was, or reasonably believed to have been, acquired by an unauthorized person.” 3 The laws have national implications, in that they are designed to protect a state’s citizens regardless of a business’s geographical location. As a result, companies and state agencies are compelled to report a security breach even if evidence of data removal is inconclusive. “The cost of disclosure, notification and the offer of credit monitoring services to affected users or customers after a breach can really add up. The general rule is $15 per customer. If it's a financial firm and credit cards are involved, that's an additional $35 for credit card replacement.” 4
What is included in BearHill’s Ensure Network Security Service?
Ensure is not just a product or a service but a complete solution. Everything you need to implement a network intrusion monitoring and prevention system, from the BearTrap sensor to trained specialists, is included with Ensure. Ensure incorporates:
- BearTrap Intrusion Sensor
- Design review to determine intrusion detection & prevention sensor placement
- Sensor implementation
- Baseline security policy
- Policy tuning
- 24 x 7 uptime monitoring
- 24 x 7 Event monitoring and reporting
- Baseline policy updates and maintenance
- Software upgrades and patch maintenance
- Phone-based incident response support from GIAC certified intrusion analysts
Will using Ensure guarantee that we won’t have an incident?
No. No solution is foolproof, which is why Ensure exists. While Ensure can block many types of attacks that circumvent traditional defenses such as firewalls and antivirus, the true value of the Ensure service is that it provides you with the ability to determine whether your standard network defenses are being compromised. Ensure monitors your network for intrusions and intrusion attempts and provides reports that enable your team to document “how you know” that your network hasn’t been compromised.
Will Ensure make us 100% compliant with all state, federal and industry regulations?
No. No single solution or service can make your organization 100% compliant. In fact, a disturbing trend among security technology vendors is the claim that their solution will somehow allow organizations to achieve ‘compliance’. Complying with various regulations requires multiple initiatives from instituting appropriate policies to implementing physical and technical security measures. The Ensure network security service is an important piece of the puzzle and is a fundamental component of many data security regulations.
Interestingly, more than 30 states in the US have adopted data security breach laws, and some require businesses to contact affected parties any time that “personal information was, or reasonably believed to have been, acquired by an unauthorized person.” 5 In the event a client claims your organization disclosed their personal financial information in violation of state law, your team may be forced to “prove a negative.” As a result, it is essential that organizations monitor and document the efficacy of their network defenses. Ensure enables you to answer the question “How do you know your network hasn’t been compromised?” effectively and affordably.
Lastly, if your organization needs help with completing the regulatory puzzle, ask your account representative about BearHill’s regulatory compliance gap analysis consulting services.
What regulations require the network security capabilities that are offered via BearHill’s Ensure?
As mentioned earlier in this FAQ, while no solution is the end-all be-all to regulatory compliance, Ensure is an important piece of the regulatory puzzle. Ensure acts as a computer network alarm system that can both alert on and prevent network intrusions. Ensure enables your organization to effectively manage and secure your computer network and provides documentation that answers the question “How do you know your systems haven’t been compromised?”
FFIEC Regulations
Banks, credit unions and other financial institutions that fall under the oversight of the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Federal Reserve, the National Credit Union Administration (NCUA), or the Office of Thrift Supervision (OTS) must comply with FFIEC 6 regulations. FFIEC regulations require financial institutions to monitor for network security breaches by stipulating that “Financial institutions should have the capability to detect and respond to an information system intrusion commensurate with risk.” 7 Failure to comply with FFIEC regulations can lead to enforcement actions that range from fines to termination of deposit insurance.
Sarbanes-Oxley
High-profile accounting scandals have led to legislation focused on the integrity of financial controls in public corporations, which requires executives to certify the efficacy of the processes and computer systems that generate financial results. Ensuring that the information systems used for accounting are secured and free of intrusions is fundamental to the governance process.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLB) is a federal law which stipulates that financial institutions must implement security programs to protect ‘non-public personal information’ (NPI). Specifically, the law prescribes that covered organizations must establish safeguards “to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.” 8 An important note is that the definition of what constitutes a ‘financial institution’ is far broader than most people are aware. While it is generally understood that banks, credit unions and brokerages must comply with GLB, just about any organization that provides consumers with financial products or services must comply with GLB. Some examples from the FTC include:
- Tax preparation firms
- Insurance Companies
- Mortgage brokers
- Collection agencies and credit counselors
- Investment advisors
FERPA
The Family Educational Rights and Privacy Act (FERPA) is a Federal law designed to protect the privacy of student educational records. All educational institutions and agencies that receive funds under any program administered by the US Secretary of Education are required to protect against the unauthorized disclosure of student information.
Payment Card Industry Data Security Standard (PCI DSS)
In late 2004 MasterCard, Visa, American Express, and Discover jointly developed a ‘security guideline’ dubbed the Payment Card Industry (PCI) Data Security Standard. “The PCI Data Security requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data. Additionally, these security requirements apply to all ‘system components’ which is defined as any network component, server, or application included in, or connected to, the cardholder data environment.” 9 The standard comprises 12 requirements and specifically requires organizations to “Use network intrusion detection systems, host based intrusion systems, and/or intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up to date.” 10 The deadline for compliance with the new standard was June 30th, 2005, and merchants that are not in compliance with the industry standard can be subject to fines (up to $500,000) or lose the right to accept/process credit card payments. 11
Can we get third party validation of our information security efforts to provide partners and clients when subscribing to the Ensure service?
Yes. Demonstrating sound network security governance is an important criterion in selecting partners or vendors. Beyond the documentation provided through the Ensure reports, BearHill can provide you, your partners and/or your clients with third-party validation of your ongoing security efforts.
How can I get more information about BearHill’s Ensure Network Security Service?
You can contact a BearHill representative by calling (800) 618-4487.
1 2005 CSI/FBI Computer Crime and Security Survey, Security Technologies Used, pg. 16
2 Overview of Attack Trends, CERT/CC
3 California Senate Bill 1386 Section 2(a), subsequently enacted and added to section 1798 of the California Civil Code
4 Ed Parry, “Be afraid of the catastrophic data breach,” SearchSecurity.com: Dec 1, 2005
5 California Senate Bill 1386 Section 2(a), subsequently enacted and added to section 1798 of the California Civil Code
6 The FFIEC, or Federal Financial Institutions Examination Council, is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions.
7 FFIEC Information Security IT Examination Handbook, Security Controls Implementation: Intrusion Detection and Response, pg. 68
8 Gramm-Leach-Bliley Act, 15 USC, Subchapter I, Sec. 6801(b)(3), Protection of nonpublic personal information: Financial institutions safeguards
9 Payment Card Industry Data Security Standard, MasterCard International Inc., Jan. 2005, pg. 1
10 Payment Card Industry Data Security Standard, MasterCard International Inc., Jan. 2005, pg. 17
11 Steve Marlin, “Visa, Amex to Drop CardSystems,” Information Week: July 25, 2005
