During her talk at the 13th Virus Bulletin international conference in Toronto late last month, Janette Jarvis, a security systems product manager with Boeing Corp. in Seattle, spoke about how the company runs its incident management program. Jarvis said the Boeing environment is a good test bed for antivirus incident management, since it is a “convoluted environment” running everything from state-of-the-art to legacy systems, with offices and partners all over the world.
In order to even react to a virus threat, a company needs to have a clear vision of the entire enterprise so employees can discern where and when damage is occurring, she said.
Ian Hameroff, security strategist with Computer Associates in Islandia, N.Y., agreed this is necessary, but increasingly difficult as companies are becoming more restrained in the way they buy technology. “The day of the big-site licence is going away,” he said. This means companies have to make more of an effort to find out exactly where a given technology is in a company and how it is being used. No longer can a company push out a patch to all machines assuming they are all running a given application.
Regardless, the overall key to successful incident management is concise and controlled communication so only the affected parties are aware of the situation, Jarvis said. At Boeing, this is often done via pagers. There is also a corporate desire to keep a lid on virus outbreaks, less due to media relations than corporate survival.
“We don’t like to let our entire enterprise know of our vulnerability,” Jarvis explained, though she admitted it is not an easy task with today’s pervasive levels of communication.
In order to rate and track a given incident, Boeing has built a tool that takes data from intrusion detection systems, antivirus software and firewalls and correlates the information, so that a single host showing up in more than one sensor’s output is treated as one incident rather than three unrelated alerts.
“It is really critical in helping us identify incidents,” she said.
Ironically, the simplest problem for many companies is often one related to language, not technology. When there is a new outbreak, virus taxonomy itself can get in the way. Are you infected by W32/Welchia (Symantec), W32/Nachi (McAfee), WORM_MSBLAST.D (Trend Micro) or Lovsan.D (F-Secure)? All four names refer to the same worm, and an incident team pulling alerts from several vendors’ products has to recognise that before it can count infected machines.
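As an added example, written for this page and not Boeing’s tool or any vendor’s code, the script below shows the two ideas from the preceding paragraphs in working form: correlating firewall, IDS and antivirus events by host inside a time window, and collapsing the four vendor names for the same worm into one label before counting infected hosts. The event records, the 15-minute window, the canonical name “Welchia” and the severity scale are all assumptions made for the example; the alias table uses only the names quoted in the article.

```python
"""Cross-source incident correlation over constructed sample events.

Added example (not Boeing's tool). It groups firewall, IDS and antivirus
events by host within a time window, normalises vendor-specific malware
names to one label, and rates each incident by how many independent
sensors corroborate it.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Vendor names for one worm, as listed in the article. The canonical label
# "Welchia" is an assumption chosen for this example.
ALIASES = {
    "W32/Welchia": "Welchia",     # Symantec
    "W32/Nachi": "Welchia",       # McAfee
    "WORM_MSBLAST.D": "Welchia",  # Trend Micro
    "Lovsan.D": "Welchia",        # F-Secure
}

# Constructed sample events (not real logs): (timestamp, sensor, host, detail).
EVENTS = [
    ("2003-10-02 09:00:01", "firewall", "10.1.4.22", "deny tcp 10.1.4.22 -> 10.1.7.9:135"),
    ("2003-10-02 09:00:02", "firewall", "10.1.4.22", "deny tcp 10.1.4.22 -> 10.1.7.10:135"),
    ("2003-10-02 09:00:02", "firewall", "10.1.4.22", "deny tcp 10.1.4.22 -> 10.1.7.11:135"),
    ("2003-10-02 09:00:40", "ids", "10.1.4.22", "RPC DCOM exploit attempt"),
    ("2003-10-02 09:03:15", "antivirus", "10.1.4.22", "W32/Nachi"),
    ("2003-10-02 09:10:00", "antivirus", "10.1.9.3", "Lovsan.D"),
    ("2003-10-02 09:12:00", "antivirus", "10.1.9.4", "WORM_MSBLAST.D"),
    ("2003-10-02 11:45:00", "firewall", "10.1.4.22", "deny tcp 10.1.4.22 -> 10.1.7.12:135"),
]


def canonical_name(vendor_name: str) -> str:
    """Map a vendor's detection name to the shared label; unknown names pass through."""
    return ALIASES.get(vendor_name, vendor_name)


@dataclass
class Incident:
    host: str
    first: datetime
    last: datetime
    sources: set = field(default_factory=set)   # distinct sensors that reported the host
    malware: set = field(default_factory=set)   # canonical malware names seen by antivirus
    events: int = 0

    @property
    def score(self) -> int:
        # One point per corroborating sensor, one more if antivirus named the malware.
        return len(self.sources) + (1 if self.malware else 0)

    @property
    def severity(self) -> str:
        # Assumed scale for the example: 3+ points high, 2 medium, otherwise low.
        if self.score >= 3:
            return "high"
        if self.score == 2:
            return "medium"
        return "low"


def parse_events(raw):
    """Turn the raw tuples into dicts with real timestamps, oldest first."""
    parsed = [
        {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
         "source": src, "host": host, "detail": detail}
        for ts, src, host, detail in raw
    ]
    return sorted(parsed, key=lambda e: e["ts"])


def correlate(raw, window=timedelta(minutes=15)):
    """Join events on host; a gap longer than `window` on a host opens a new incident."""
    latest_for_host = {}   # host -> the incident still open for that host
    incidents = []         # in order of first event, since input is time-sorted
    for e in parse_events(raw):
        inc = latest_for_host.get(e["host"])
        if inc is None or e["ts"] - inc.last > window:
            inc = Incident(host=e["host"], first=e["ts"], last=e["ts"])
            incidents.append(inc)
            latest_for_host[e["host"]] = inc
        inc.last = e["ts"]
        inc.sources.add(e["source"])
        inc.events += 1
        if e["source"] == "antivirus":
            inc.malware.add(canonical_name(e["detail"]))
    return incidents


def hosts_by_malware(incidents):
    """Count infected hosts per worm regardless of which vendor named it."""
    out = defaultdict(set)
    for inc in incidents:
        for name in inc.malware:
            out[name].add(inc.host)
    return dict(out)


if __name__ == "__main__":
    incs = correlate(EVENTS)
    for inc in incs:
        print(f"{inc.host} {inc.first:%H:%M:%S}-{inc.last:%H:%M:%S} "
              f"events={inc.events} sensors={sorted(inc.sources)} "
              f"malware={sorted(inc.malware)} severity={inc.severity}")
    print(hosts_by_malware(incs))
```

Run as-is, the script rates the host seen by all three sensors as a single high-severity incident, keeps its much later firewall hit as a separate low-severity one because it falls outside the window, and reports three Welchia-infected hosts even though the three antivirus alerts each used a different vendor’s name. The window length and scoring are the knobs a real deployment would tune against its own alert volume.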
“There is a need to have a common ground,” said David Perry, global director of education for Trend Micro in Cupertino, Calif. “Our taxonomy is disparate.”
But Perry left his harshest words for the vendors, and their relationship with end users. “The assumption (in the early 1990s) was that end users were all morons,” he said. Today, this is finally changing as vendors are “working very hard to understand what the customers need.”
Years ago, security technology vendors dealt mostly with the most sophisticated IT staff within a corporation – which was fine until the technology proliferated. “(Now) a lot of the people we want to talk to are the non-experts,” he said, especially at the executive level.
Educating end users is an ongoing challenge for most companies, Perry said, though even he admitted “it is an unanswerable question” as to how to get end users to understand the seriousness and importance of being vigilant when using computers.
“The problem is that the computer looks too much like a television,” he said, adding that users still view their interaction with a computer as passive rather than active.