Case studies in IT security and disaster recovery

Here are examples of three IT managers who have taken creative approaches to dealing with issues such as recovering from laptop crashes and monitoring all of those security sensors.

Organization: Womble Carlyle Sandridge & Rice PLLC, Winston-Salem, N.C.

Mission: With approximately 450 lawyers, Womble Carlyle is one of the largest law firms in the mid-Atlantic and the Southeast, as well as one of the most technologically advanced. Founded in 1876, the firm celebrated its 125th anniversary last year.

Challenge: As hundreds of laptop-toting attorneys travel across the globe, they expect to get the same level of reliability as with desktop systems. When something goes wrong with a laptop, the IT staff needs to be able to restore the laptop's functionality -- fast.

In the past, the IT department responded to a laptop crash by talking travelers through the restoration process by phone, which often took hours, or by sending a CD or new hard drive overnight. But the firm wanted something faster to reduce the productivity loss for its lawyers.

Technology: The IT department considered several options, including homegrown backup procedures and backup products from Veritas Software Corp. in Mountain View, Calif. But it ultimately decided to use a PC/laptop backup technology called Connected TLM from Connected Corp. in Framingham, Mass.

Compared with simple backup/restore programs, Connected was able to do a more comprehensive backup of all files, including "registry files, data files, browser favorites and all of the little details that make that laptop theirs," says Sean Scott, CIO at Womble Carlyle. "And it did it in the background so that end users didn't even know it was happening."

After a pilot test with "power users," the Connected system was deployed on 400 laptops and 50 desktops.

Payoff: Laptop restorations that used to take four to six hours can now be done in 45 to 60 minutes, Scott says. For example, with Connected, it only takes eight minutes to restore Microsoft Word to its original state, he says.

Scott says Connected's backup is more storage-efficient than anticipated, because after backing up the operating system and standard applications once, it only backs up the files that are different on each machine. For example, if you need to back up 20 laptops, the first laptop may take three hours, the next one will take less time and each one after that will take a lot less time. Scott says the Connected backups have used only one-third of the disk space and one-half of the archival tapes that he expected.
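The storage saving Scott describes comes from single-instance (content-addressed) storage: a file that is byte-identical on many machines is stored once and referenced from each machine's manifest, and a restore rebuilds the machine from that manifest. The example below is added here to show that mechanism; it is not Connected TLM's code or format, and the file set, the per-machine "fleet", and the SHA-256 addressing are constructed assumptions for the illustration.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample data: a common OS/application image plus the per-user
# files that make each laptop "theirs". Real backups would walk the disk;
# here the "files" are in-memory byte strings (assumption for the example).
BASE_IMAGE = {
    "C:/Windows/System32/kernel32.dll": b"kernel32-v5.1",
    "C:/Windows/System32/ntdll.dll": b"ntdll-v5.1",
    "C:/Program Files/Office/winword.exe": b"winword-2002",
}

LAPTOPS = {
    "laptop-01": {**BASE_IMAGE,
                  "C:/Users/alice/brief.doc": b"alice brief v1",
                  "C:/Users/alice/favorites.url": b"http://intranet"},
    "laptop-02": {**BASE_IMAGE,
                  "C:/Users/bob/contract.doc": b"bob contract v3"},
    "laptop-03": {**BASE_IMAGE,
                  # same content as alice's file, different path: stored once
                  "C:/Users/carol/brief.doc": b"alice brief v1",
                  # hotfixed system file: differs from the base image, stored again
                  "C:/Windows/System32/ntdll.dll": b"ntdll-v5.1-hotfix"},
}


class DedupStore:
    """Content-addressed blob store: each distinct file body is kept once,
    keyed by its SHA-256 digest; each machine has a manifest path -> digest."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}
        self.manifests: Dict[str, Dict[str, str]] = {}
        self.bytes_uploaded = 0  # bytes actually transferred from clients

    def backup(self, machine: str, files: Dict[str, bytes]) -> Tuple[int, int]:
        """Back up one machine; return (blobs_uploaded, blobs_already_present)."""
        manifest: Dict[str, str] = {}
        new = skipped = 0
        for path, content in files.items():
            digest = hashlib.sha256(content).hexdigest()
            if digest not in self.blobs:
                self.blobs[digest] = content
                self.bytes_uploaded += len(content)
                new += 1
            else:
                skipped += 1          # identical body already stored: send nothing
            manifest[path] = digest
        self.manifests[machine] = manifest
        return new, skipped

    def restore(self, machine: str) -> Dict[str, bytes]:
        """Rebuild a machine's complete file set from its manifest, verifying
        every blob against its digest so a corrupted store is caught at
        restore time instead of silently reinstalled."""
        out: Dict[str, bytes] = {}
        for path, digest in self.manifests[machine].items():
            blob = self.blobs[digest]
            if hashlib.sha256(blob).hexdigest() != digest:
                raise ValueError(f"blob {digest} is corrupt; refusing to restore {path}")
            out[path] = blob
        return out

    def stored_bytes(self) -> int:
        return sum(len(b) for b in self.blobs.values())


def naive_bytes(fleet: Dict[str, Dict[str, bytes]]) -> int:
    """What per-machine full backups would consume with no deduplication."""
    return sum(len(c) for files in fleet.values() for c in files.values())


def run_fleet_backup(fleet=LAPTOPS):
    """Back up every machine in order; later machines upload only what is new."""
    store = DedupStore()
    per_machine = {name: store.backup(name, files) for name, files in fleet.items()}
    return store, per_machine


if __name__ == "__main__":
    store, stats = run_fleet_backup()
    for name, (new, skipped) in stats.items():
        print(f"{name}: uploaded {new} blobs, skipped {skipped}")
    print(f"dedup store: {store.stored_bytes()} bytes vs {naive_bytes(LAPTOPS)} naive")
```

The first laptop uploads everything; each later one uploads only the bodies not yet seen, which is exactly why the second and later machines in Scott's account take far less time and space. The digest check in `restore` is the practitioner's addition: a deduplicated store is a single point of failure for every machine that references a blob, so integrity must be verified before a blob is written back to a laptop.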

Organization: Corio Inc., San Carlos, Calif.

Mission: Corio is an application service provider that delivers enterprise software over a secure global network for a fixed fee. Customers include Fortune 500 companies, midsize businesses, universities and government agencies.

Challenge: Corio manages mission-critical data for its customers, so those customers want real-time security event monitoring on a per-customer basis.

Technology: Corio uses Counterpane Internet Security Inc. in Cupertino, Calif., as its managed security provider. "Counterpane has been phenomenal, but in the last six months, security-conscious customers have asked for a real-time event monitor that's specific to their environment and to have some level of control," says Mark Milatovich, director of security at Corio. So he brought in software from Sunnyvale, Calif.-based ArcSight Inc., which monitors and correlates a wide range of security devices, such as firewalls and intrusion-detection systems, and provides reports.

Payoff: ArcSight provides "a window into our environment" at a central console while also providing customer-specific views. "Each customer's traffic has a signature, a pulse, and ArcSight allows us to look for anomalies," Milatovich says. But it takes several months to tune the software for each customer "to eliminate the noise and get the signal," he says.

Milatovich also likes the potential for labor savings from ArcSight's collecting of data from numerous security devices. "I'd have to have an army of people [to monitor] all of the logs from sensors," he says.

And customers like the ability to get high-level executive reports on security activity or to examine technical details, he adds.
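What Milatovich describes is the core loop of a security event manager: normalize events from several device types, attribute each one to a tenant, correlate related events into one incident, and apply per-customer tuning so known noise does not surface as an alert. The example below is added here to show that loop on sample data; it is not ArcSight's code, and the log formats, the customer-to-subnet mapping, the ten-second correlation window and the suppression list are constructed assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample log lines (invented formats, not real device output).
FIREWALL_LOGS = """\
2002-03-04T10:00:01 fw1 DENY src=203.0.113.7 dst=10.1.0.5 dport=1433
2002-03-04T10:00:02 fw1 DENY src=203.0.113.7 dst=10.1.0.5 dport=445
2002-03-04T10:00:05 fw1 DENY src=198.51.100.9 dst=10.2.0.8 dport=80
2002-03-04T10:00:30 fw1 DENY src=192.0.2.44 dst=10.2.0.8 dport=139
2002-03-04T10:05:00 fw1 DENY src=203.0.113.7 dst=10.2.0.8 dport=22
"""

IDS_LOGS = """\
2002-03-04T10:00:03 ids1 ALERT sig="MS-SQL probe" src=203.0.113.7 dst=10.1.0.5
2002-03-04T10:00:06 ids1 ALERT sig="WEB-IIS scan" src=198.51.100.9 dst=10.2.0.8
2002-03-04T10:00:31 ids1 ALERT sig="NETBIOS enum" src=192.0.2.44 dst=10.2.0.8
"""

# Assumption: each hosted customer owns one internal /16.
CUSTOMER_NETS = {"10.1.": "acme", "10.2.": "globex"}

# Per-customer tuning: sources whose activity is known noise for that tenant,
# e.g. the customer's own authorized vulnerability scanner. Months of tuning
# in practice amount to growing lists like this one.
SUPPRESSED_SOURCES = {"globex": {"198.51.100.9"}}


class Event(NamedTuple):
    ts: datetime
    device: str
    kind: str       # "DENY" (firewall) or "ALERT" (IDS)
    src: str
    dst: str
    detail: str     # IDS signature, or the denied port for firewall events
    customer: str


LINE_RE = re.compile(r'^(\S+) (\S+) (DENY|ALERT) (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def customer_for(dst: str) -> str:
    for prefix, name in CUSTOMER_NETS.items():
        if dst.startswith(prefix):
            return name
    return "unassigned"


def parse(text: str) -> List[Event]:
    """Normalize both device formats into one Event shape."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: drop it rather than stall the collector
        ts, device, kind, rest = m.groups()
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        detail = kv.get("sig") or "dport=" + kv.get("dport", "?")
        events.append(Event(datetime.fromisoformat(ts), device, kind,
                            kv["src"], kv["dst"], detail, customer_for(kv["dst"])))
    return events


def correlate(events: List[Event], window: timedelta = timedelta(seconds=10)) -> Dict[str, List[dict]]:
    """Rule: a firewall DENY followed within `window` by an IDS ALERT from the
    same source against the same customer becomes one incident for that
    customer. Sources in the customer's suppression list are dropped first."""
    events = sorted(events, key=lambda e: e.ts)
    denies = [e for e in events if e.kind == "DENY"]
    incidents: Dict[str, List[dict]] = defaultdict(list)
    for alert in (e for e in events if e.kind == "ALERT"):
        if alert.src in SUPPRESSED_SOURCES.get(alert.customer, set()):
            continue
        prior = [d for d in denies
                 if d.src == alert.src and d.customer == alert.customer
                 and timedelta(0) <= alert.ts - d.ts <= window]
        if prior:
            incidents[alert.customer].append({
                "src": alert.src,
                "signature": alert.detail,
                "denied_ports": sorted(d.detail for d in prior),
                "first_seen": prior[0].ts,
            })
    return dict(incidents)


def customer_view(incidents: Dict[str, List[dict]], customer: str) -> List[dict]:
    """Customer-specific view: a tenant sees only its own incidents."""
    return incidents.get(customer, [])


if __name__ == "__main__":
    found = correlate(parse(FIREWALL_LOGS) + parse(IDS_LOGS))
    for tenant in CUSTOMER_NETS.values():
        print(tenant, customer_view(found, tenant))
```

On this data the probe against acme's SQL host becomes one incident that joins two denied ports with the IDS signature, the scan against globex from its suppressed scanner produces nothing, and the lone late DENY with no matching alert stays below the reporting threshold. The central console is `found` as a whole; `customer_view` is the per-tenant window, and keeping tenants partitioned by destination network rather than by device is what makes a shared sensor fleet safe to expose to individual customers.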

Organization: American Tower Corp., Boston

Mission: The company builds, owns and operates towers for cellular phone companies. It has about 14,400 sites in the U.S., Mexico and Brazil, including about 300 broadcast tower sites.

Challenge: American Tower is an unpopular company because there are so many opponents to building towers, so the goal of the IT staff is to keep hackers, critics and competitors out of its systems, says Rob Sherman, manager of IT storage and network operations.

Technology: Instead of waiting for vendors to post signature files for new hacker attacks and cleaning up after virus attacks, Sherman and network engineer T.J. Mitchell wanted something that would stop intruders before they could get in at all. So they turned to StormWatch software from Okena Inc. in Waltham, Mass. Unlike software that relies on attack signatures, StormWatch focuses on the behavior of critical applications. The proprietary technology intercepts all requests to the operating system, correlates the behavior with its rules engine and makes a real-time decision on whether to allow or deny that activity, based on the customer's security policy.
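The behavior-based approach described above needs no signature because it judges what a process asks the operating system to do, not what the input looks like: a web server that suddenly spawns a shell or writes into a system directory is stopped whether or not the exploit is known. The example below is added here to show a policy engine of that kind; it is not Okena's code or rule language, and the operation names, the IIS-style process name, the directory layout and the sample request sequence are constructed assumptions for the illustration.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Request:
    """One intercepted request from an application to the OS. `op` is one of
    file_read, file_write, exec, net_listen, net_connect (assumed vocabulary);
    `target` is a path, a program, or host:port."""
    process: str
    op: str
    target: str


@dataclass(frozen=True)
class Rule:
    app: str      # process-name glob
    op: str       # operation glob
    target: str   # target glob
    action: str   # "allow" or "deny"
    reason: str   # recorded in the audit trail for reporting


# Constructed policy for one critical application, an IIS-style web worker.
# Rules are evaluated top to bottom and the first match wins; any request
# from a protected process that matches nothing is denied (default deny).
POLICY: List[Rule] = [
    Rule("inetinfo.exe", "file_read",   "C:/Inetpub/wwwroot/*", "allow", "serve web content"),
    Rule("inetinfo.exe", "file_write",  "C:/Inetpub/logs/*",    "allow", "write access logs"),
    Rule("inetinfo.exe", "net_listen",  "*:80",                 "allow", "HTTP listener"),
    Rule("inetinfo.exe", "net_listen",  "*:443",                "allow", "HTTPS listener"),
    Rule("inetinfo.exe", "exec",        "*",                    "deny",  "web server never spawns processes"),
    Rule("inetinfo.exe", "file_write",  "C:/Windows/*",         "deny",  "no writes to system directories"),
    Rule("inetinfo.exe", "net_connect", "*",                    "deny",  "server does not dial out"),
]
PROTECTED: Set[str] = {"inetinfo.exe"}


def matches(rule: Rule, req: Request) -> bool:
    # fnmatchcase keeps matching case-sensitive on every platform.
    return (fnmatch.fnmatchcase(req.process, rule.app)
            and fnmatch.fnmatchcase(req.op, rule.op)
            and fnmatch.fnmatchcase(req.target, rule.target))


class BehaviorMonitor:
    """Sits between applications and the OS: every request is decided in real
    time against the policy and recorded for reporting."""

    def __init__(self, policy: List[Rule], protected: Set[str]) -> None:
        self.policy = policy
        self.protected = protected
        self.audit: List[Tuple[Request, str, str]] = []

    def decide(self, req: Request) -> Tuple[str, str]:
        for rule in self.policy:
            if matches(rule, req):
                return rule.action, rule.reason
        if req.process in self.protected:
            return "deny", "default deny for protected process"
        return "allow", "unconstrained process"

    def intercept(self, req: Request) -> bool:
        """Return True if the OS may carry out the request."""
        action, reason = self.decide(req)
        self.audit.append((req, action, reason))
        return action == "allow"


def blocked_report(monitor: BehaviorMonitor) -> List[Tuple[str, str, str, str]]:
    """The list of rebuffed actions: what a manager would show the boss."""
    return [(r.process, r.op, r.target, why)
            for r, action, why in monitor.audit if action == "deny"]


def simulate() -> BehaviorMonitor:
    """Constructed request sequence: normal serving, then the kind of behavior
    a worm exploiting the web server would exhibit, with no signature involved."""
    m = BehaviorMonitor(POLICY, PROTECTED)
    for req in [
        Request("inetinfo.exe", "file_read",   "C:/Inetpub/wwwroot/default.htm"),
        Request("inetinfo.exe", "net_listen",  "0.0.0.0:80"),
        Request("inetinfo.exe", "exec",        "C:/Windows/System32/cmd.exe"),
        Request("inetinfo.exe", "file_write",  "C:/Windows/System32/dropper.exe"),
        Request("inetinfo.exe", "net_connect", "203.0.113.9:80"),
        Request("inetinfo.exe", "file_write",  "C:/Inetpub/wwwroot/default.htm"),
        Request("notepad.exe",  "exec",        "C:/Windows/System32/cmd.exe"),
    ]:
        m.intercept(req)
    return m


if __name__ == "__main__":
    for entry in blocked_report(simulate()):
        print("BLOCKED", *entry)
```

The last web-server request, a write to its own document root, matches no rule and is denied by default; that is the behavior that defaced sites are made of, and it is also the kind of legitimate-looking action (a content deploy) that produces false positives until the policy has been tuned. The trade-off Sherman's low CPU figure hides is that one: a behavior policy is only as good as the allow-list for each critical application, and every administrative change to that application has to be reflected in it.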

Payoff: The software has been in production use for several months at a cost of $18,000, and "it's amazing the things it has stopped," Sherman says. "Most software detects. This software detects and prevents." And by stopping viruses before they have a chance to get inside, StormWatch means the end of virus cleanup emergencies. "When the Code Red virus hit, a dozen people spent a week cleaning machines. We wasted a lot of time and money last year" before getting StormWatch, Sherman says.

In addition, the StormWatch reports that list all of the hacker attacks that have been rebuffed "are nice to show to the boss," he says.

The CPU performance hit from StormWatch has been minimal, at just 2% of CPU utilization, Sherman adds.

Special Report

The Security Action Plan

Copyright © 2002 IDG Communications, Inc.
