As CSO for Thomas Weisel Partners, a San Francisco-based financial services firm specializing in trading, investment banking and research services, Cannon didn't even see a pair of spybot worms coming. Well, she had some minor clues, but when she tried to track the anomalies, wading through all of the logs or reports always left her security team a step or two behind.
The worms first entered the network in late 2004, then again in early 2005. The result has come to be known as the "March 2005 incident" within the firm's IT department.
"We had a couple of spybot worm issues," Cannon said. "It was one of those things; both times, we started seeing odd behavior with our Internet connection."
But the problems didn't stop there, she said. The company put a sniffer on the network to try to isolate the source of the trouble, but to little avail.
It was that infection that opened a few eyes.
"Before it even hit, we didn't really have a way to look at what's going on in the network," Cannon said. "We needed something to let us look at what's going on on the network so it doesn't happen again."
Thomas Weisel Partners looked at several options. Outsourcing was too expensive, and intrusion detection systems (IDS) wouldn't work, not just because they too were expensive but because an IDS deployment would require a large number of probes, and managing them would have been prohibitively time-consuming for the firm, which has four offices and roughly 600 end users to support.
"You have to put [a probe] everywhere you want to stop traffic," Cannon said.
So the firm called on Arbor Networks, a Lexington, Mass.-based security vendor. Thomas Weisel Partners deployed Arbor PeakFlow X, a network monitoring and analysis tool that gives visibility into the network to deter the spread of Internet-borne attacks. Rather than inspecting every packet at a probe, PeakFlow X is an internal network anomaly-detection system that works from flow information (summary records of who talked to whom, on which ports, and how much) to give network administrators visibility into what's happening inside the network. Administrators can then act on what they see to counter insider misuse, phishing and pharming attacks, botnet armies and zero-day attacks.
"It gives you an idea of not just what's trying to get in through the outside, but what's going on on the inside," Cannon said.
Cannon uses PeakFlow X to collect flow data from every part of the network and aggregate it in one central location, which makes it much easier to wade through mountains of data.
And in the few months since Thomas Weisel Partners rolled out PeakFlow X, Cannon said, she and her staff have stumbled upon some interesting traffic, such as peer-to-peer applications on some desktops and users violating the company's IM policy, which allows IM only when it passes through the company proxy.
"We haven't had any major … issues since the March '05 incident," Cannon said. As for the incident itself, there are several theories kicking around about how the spybot worms got in. Cannon said they most likely wiggled in through IM or the Web.
But now, if the Internet connection or other network applications start to give off trouble signals, she can get to the root of the problem much faster.
"When we start to think something odd is happening, we can check and see what's going on on the network," she said. PeakFlow X has also been integrated with Active Directory, so when there is a problem, IT can trace the bad traffic straight to the specific user generating it.
Overall, Cannon said, she now has a little peace of mind, with the emphasis on the word "little." She still has security concerns, but she's glad to be able to see what's coming down the pipe. Also, she looks at the "March 2005 incident" as a wake-up call and an education.
"There were a lot of good things on the security side that came out of that," she said. "But I'm still always waiting for what's around the corner."