Monday and Tuesday found me working on an eval install of the NitroSecurity NitroView SIEM product at a local educational institution in the medical center (I did a quick write up on them a few days ago - my opinion has remained pretty much the same now that I have seen the product warts and all). My last job as an information security manager was at an institution with an educational background, so I am somewhat aware of how these places work when it comes to their freedoms, but I frankly never get used to the openness of these places when it comes to the Internet and security.
Basically, these guys don’t have any private network at all. All boxes have public IPs on them. That doesn’t mean that all devices are directly accessible via the Internet, but it seems so foreign when you see it. But the real problem is that they really cannot control any access to the Internet and have to fight an almost purely defensive / reactive battle for security. I wrote at Computerworld about us catching an attack while we were installing the SIEM product, and that was pretty neat to see. But it was really not even a drop in the bucket for these guys. They pretty much spend all day watching these exploits happen and then cleaning them up.
One of the analysts there tracks bad networks as best as he can and sets up IDS rules that alert him when traffic is seen from these IPs. Anyone who has been in security for a month knows that is a losing battle. It is just crazy what they have to do.
Of course, it is kind of exciting as well since these guys get to really play and see the latest stuff. Makes me think that these guys need to be getting paid a stipend from 3com, McAfee, et al so they can let them know about some of these trojans they see before the major players know about it. Pure and simple, this is an untapped resource. The same analyst regularly sees malware that the major AV vendors don’t know about (and quite a few of the more nimble minor ones as well).
Of course, that analyst probably can’t work with those vendors due to employment, but there are ways around that, like submitting problems anonymously.
Vet