A veritable who’s who of global computer virus experts descended on Toronto late last month for the 13th Virus Bulletin international conference, where discussions covered everything from worm charming to educating end users.
During one talk, Janette Jarvis, a security systems product manager with Boeing Corp. in Seattle, spoke about how the company runs its incident management program. Jarvis said the Boeing environment is a good test bed for antivirus incident management, since it has a “convoluted environment” using everything from state-of-the-art to legacy systems, and has offices and partners all over the world.
In order to even react to a virus threat, a company needs a clear view of the entire enterprise so it can discern where and when damage is occurring, she said.
Ian Hameroff, security strategist with Computer Associates in Islandia, N.Y., agreed this is necessary, but increasingly difficult as companies are becoming more restrained in the way they buy technology. “The day of the big site licence is going away,” he said. This means companies have to make more of an effort to find out exactly where a given technology is in a company and how it is being used. No longer can a company push out a patch to all machines assuming they are all running a given application.
Regardless, the overall key to successful incident management is concise and controlled communication so only the affected parties are aware of the situation, Jarvis said. At Boeing this is often done via pagers. There is also a corporate desire to keep a lid on virus outbreaks, less due to media relations than corporate survival.
“We don’t like to let our entire enterprise know of our vulnerability,” Jarvis explained.
In order to rate and track a given incident, Boeing has designed a tool which takes data from intrusion detection systems, anti-virus software and firewalls, and correlates the information. “It is really critical in helping us identify incidents,” she said.
Ironically, the simplest problem for many companies is often one related to language, not technology. When there is a new outbreak, simple virus taxonomy can often get in the way. Are you infected by W32/Welchia (Symantec); W32/Nachi (McAfee), WORM_MSBLAST.D (Trend Micro) or Lovsan.D (F-Secure)?
“There is a need to have a common ground,” said David Perry, global director of education for Trend Micro in Cupertino, Calif. “Our taxonomy is disparate.”
But Perry left his harshest words for the vendors, and their relationship with end users. “The assumption (in the early 1990s) was that end users were all morons,” he said. Today this is finally changing as vendors are “working very hard to understand what the customers need.”
Years ago security technology vendors dealt mostly with the most sophisticated IT staff within a corporation, which was fine until the technology proliferated. “(Now) a lot of the people we want to talk to are the non-experts,” he said, especially at the executive level.