The IT security team at Wayne State University in Detroit wanted to get better visibility into the traffic crossing the urban institution's main and satellite locations. With some 33,000 students and 10,000 faculty, staff and employees using the network - which includes 10,000 internal and 50,000 external hosts - the team turned to network behaviour analysis (NBA) software from Q1 Labs.
NBA tools monitor and analyse network traffic, looking for abnormalities and patterns that could indicate a zero-day attack, such as a server sending far more queries than usual or one that starts connecting to the Internet in the middle of the night. NBA products add another layer of security: besides identifying the top talkers on the network, the technology can help network and security teams detect undocumented vulnerabilities and the symptoms of unknown threats before the environment is impacted.
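The two behaviours named above (a host issuing far more queries than its own baseline, and a server reaching out to the Internet in a quiet window when it never did before) can be expressed as simple rules over flow records. The following is an added example written for this page, not code from Wayne State University or Q1 Labs; the flow format, the campus address range, the off-hours window, the spike factor and the sample records are all constructed assumptions.

```python
"""Toy network behaviour analysis over constructed NetFlow-style records.

Added example for this page; not Wayne State's or Q1 Labs' code.
Record format (assumed): "<ISO timestamp> <src ip> <dst ip> <dst port>".
"""
from collections import Counter, defaultdict
from datetime import date, datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed campus range; only traffic leaving it is scored
OFF_HOURS = range(0, 5)               # assumed quiet window, 00:00-04:59
QUERY_SPIKE_FACTOR = 5                # assumed: alert at 5x a host's own hourly DNS baseline
MIN_BASELINE = 5                      # hosts below this hourly baseline are too quiet to judge


def parse(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def hourly_counts(flows, dport=None):
    """Outbound flow count per (src, date, hour), optionally for one destination port."""
    counts = Counter()
    for ts, src, dst, port in flows:
        if ip_address(dst) in INTERNAL:
            continue                      # campus-internal traffic is ignored here
        if dport is not None and port != dport:
            continue
        counts[(src, ts.date(), ts.hour)] += 1
    return counts


def detect(lines, baseline_days, watch_day):
    """Return (host, reason) alerts for watch_day, using baseline_days as 'normal'."""
    baseline = {date.fromisoformat(d) for d in baseline_days}
    watch = date.fromisoformat(watch_day)
    flows = [parse(l) for l in lines]
    alerts = []

    # Rule 1: DNS query volume far above the host's own baseline.
    dns = hourly_counts(flows, dport=53)
    history = defaultdict(list)
    for (src, day, _hour), n in dns.items():
        if day in baseline:
            history[src].append(n)
    for (src, day, hour), n in sorted(dns.items()):
        if day != watch or src not in history:
            continue
        mean = sum(history[src]) / len(history[src])   # mean over the host's active hours only
        if mean >= MIN_BASELINE and n > QUERY_SPIKE_FACTOR * mean:
            alerts.append((src, f"{n} DNS queries at {hour:02d}:00 vs ~{mean:.0f}/h baseline"))

    # Rule 2: off-hours outbound connection from a host with no off-hours history.
    out = hourly_counts(flows)
    seen_off_hours = {src for (src, day, hour) in out if day in baseline and hour in OFF_HOURS}
    for (src, day, hour) in sorted(out):
        if day == watch and hour in OFF_HOURS and src not in seen_off_hours:
            alerts.append((src, f"outbound connection at {hour:02d}:00 with no off-hours history"))
    return alerts


def _mk(day, hour, minute, src, dst, dport):
    return f"{day}T{hour:02d}:{minute:02d}:00 {src} {dst} {dport}"


def build_sample_log():
    """Constructed sample: three campus hosts over three days (not real data)."""
    lines = []
    for day in ("2007-07-09", "2007-07-10", "2007-07-11"):
        # 10.1.1.5: workstation doing ~10 DNS lookups/hour in office hours, 80 on the last morning
        for hour in (9, 10, 11):
            n = 80 if (day == "2007-07-11" and hour == 9) else 10
            for i in range(n):
                lines.append(_mk(day, hour, i % 60, "10.1.1.5", "198.51.100.53", 53))
        # 10.1.1.8: backup server that legitimately ships data out at 02:00 every night
        lines.append(_mk(day, 2, 0, "10.1.1.8", "203.0.113.20", 443))
    # 10.1.1.7: file server that suddenly calls out at 03:00 on the last day
    lines.append(_mk("2007-07-11", 3, 15, "10.1.1.7", "203.0.113.9", 443))
    # internal-only traffic at the same time is not scored by either rule
    lines.append(_mk("2007-07-11", 3, 20, "10.1.1.7", "10.2.2.2", 445))
    return lines


if __name__ == "__main__":
    for host, reason in detect(build_sample_log(), ["2007-07-09", "2007-07-10"], "2007-07-11"):
        print(f"{host}: {reason}")
```

Running the sample flags 10.1.1.5 for the DNS spike and 10.1.1.7 for the unexpected off-hours connection, while the backup server, which does the same thing every night, stays quiet. The point of keying both rules to a host's own history rather than a fixed threshold is exactly the one the article makes: "abnormal" is relative to what that host normally does, which is what a flat rule cannot express.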
"We have so many sources for network traffic and we needed better insight into the network," says Morris Reynolds, director of information security and access management at Wayne State. "We had a funding opportunity that enabled us to purchase the technology that would help us see what vulnerabilities were coming across our network and how we were at risk."
The university implemented Q1 Labs QRadar technology, which is packaged as an appliance, in July 2007, and upon installation it detected between 10 and 15 bot-controlled computers on the network. The university's security policy cuts such computers off from the outside world and gives systems administrators four days to remediate the problems. Finding these compromised hosts helps the security team spot systems that are at risk and keep watch on the sources of suspect traffic.
"Right off the bat, QRadar gave us a general idea of what was going on in our network. It broke down the traffic by applications - I think it can handle more than 1000 types of network traffic - and we were able to see which of our networks were most vulnerable and which had the most problems," says Graydon Huffman, Wayne State's senior systems security specialist responsible for QRadar.
Reynolds adds that the information QRadar serves up from more than 50 devices (at a rate of 600 events per second) helps the security team protect the integrity of the entire network. It also gives the team concrete evidence of potential exposure to back up its remediation requests to other IT staff. Wayne State University is currently planning a move to a distributed deployment model to monitor university-wide inter-hub traffic, and plans to expand the use of QRadar to its medical campus in 2009.
"We want to give our systems administrators the best insight into their environments, so they can prevent issues before they happen," Reynolds says.