Unfortunately, we didn't have enough IDS, IPS and other monitoring tools to see what they had touched, so it was a risky decision to disconnect from the network. Some of my sister labs were attacked at a later date by similar entities and they decided not to disconnect because they were able to see more of what happened and where they were, and I guess had also learned some lessons from us.
So what you do is obviously dependent on the risk. Today we have a better picture of what's going on in our network. We've re-architected to provide better monitoring, to see better what's going on, so we can disconnect 20-30 machines versus 20,000.
SHIMEL: The kind of assets you guys are talking about at Oak Ridge are national and strategic and you can't afford to risk them getting out. So disconnecting as a means of stopping the information from being exfiltrated is certainly viable, not a long-term solution, but faced with what you were faced with, what else could you do? But Kevin, it's not just about having more IDS and IPS, is it? It's having the plan in place about what to do when this happens, and I'm sure part of re-architecting is putting in place procedures and processes in case this sort of thing happens again, right?
KERR: Correct. Just to give it some context, as a CISO I had started at Oak Ridge about two months before this happened. So I was still learning the lab and when this happened I asked for our Incident Response Plan and someone reached up on the shelf, blew all the dust off of it and gave it to me and basically it was how to address a Trojan or a virus on a system. It had nothing to do with how to deal with an advanced persistent threat, and it had nothing to do with how and where to disconnect or anything like that. So there were a lot of lessons learned really quickly about how to react, and unfortunately it was a lot of ad hoc, fly by the seat of the pants stuff.
SHIMEL: Adam, what are companies like Sourcefire doing to help Kevin and those like him in these frontline situations?
O'DONNELL: Sourcefire is very much behind the "See it, Control it" idea. And that means giving visibility into any kind of connection or threat that comes into the network, as well as giving the user the ability to control the threat. We have structured all of our products and technologies along those lines. So if you have an attack that comes in through the network, you would see it on your IDS/IPS. If it gets over to the host side, you would use our host technologies to see what files were introduced, what files those files introduced, and what systems those files talked to.