The University of Adelaide has adopted Lancope's StealthWatch network behaviour analysis tool to identify anomalies such as network intrusions and interface congestion.
Previously the university used command-line tools to analyse Cisco's NetFlow network protocol, according to Lindsay Whitbread, University of Adelaide network operation and information security team leader. "We were able to get the answers we wanted but the amount of effort required was such that we would often not conduct the analysis," he said, adding that not many of the staff had the skills to carry it out.
Now, all that is required is a mouse click instead of writing a script, taking three minutes instead of three hours. "We rely on this tool so much we couldn't live without it," he said.
Before the tool was installed, the university had missed important network events. "We've been the victims of a few DoS attacks -- services being compromised," he said. Whitbread added that if the tool had been operating, the IT staff might have picked them up.
Security was one of the triggers for seeking a network analysis tool, according to Whitbread. The other was that the University of Adelaide is currently conducting an AU$3 to AU$4 million network upgrade to improve performance and provide new network services, and the university wanted to get better value from that large investment.
The university considered a number of vendors, he continued, narrowing the final choice down to Lancope or Arbor Networks' Peakflow X. The university trialled both on site for a few weeks and, although both were found to be suitable, he said StealthWatch's graphical user interface was very strong compared with other products, it scaled cost-effectively, and the way it performed analysis and presented data was well thought out.
The university paid in the region of AU$100,000 for StealthWatch, which Whitbread said decreases downtime, creates a better network and makes efficient use of staff time, although they do not spend less time on the network than previously. "In some ways you could say it hasn't freed up any time because it's made us aware of other problems," he said.
Ease of use was another benefit, he said, with staff requiring no training to use the product: after a few weeks of teaching themselves, they felt comfortable with the system.
Whitbread said the university uses the software for three different activities: security, network operations monitoring and application administration. Around three people are involved in each activity, although those handling security use the system the most.
The security specialists within the university use StealthWatch to scan for anomalies such as large data transfers and port scans which might ultimately result in a box being attacked.
"It's not an intrusion prevention tool," Whitbread said; instead, it is a way to see if and where vulnerabilities have occurred. StealthWatch can pick up, for instance, whether an attack was successful by looking for large data transfers. If there were none, security employees can be relatively confident the attack was unsuccessful. If there was a large data transfer, StealthWatch can determine which of the servers was attacked and run server analysis.
StealthWatch is integrated with the university firewall, Whitbread said, so that staff can block IP addresses which have scanned the university for vulnerabilities. IT personnel are alerted via a dashboard that a scan has occurred, and after some analysis to confirm that the scan really took place, the IP address can be blocked.
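The two checks described above, a port scan seen as many tiny flows to distinct ports on one target, and a large outbound transfer used as evidence that an attack succeeded, can be illustrated on flow records. The following is an added example written for this article; it is not StealthWatch code and does not reflect how Lancope implements these detections. The `Flow` record, the constructed sample flows, the thresholds and the "scanned and then uploaded" correlation are all assumptions made for illustration; the corroboration step (scan flows must be small on average) mirrors the article's point that a scan alert is analysed before an address is blocked.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: src sent bytes_out in packets to dst:dport (hypothetical schema)."""
    src: str
    dst: str
    dport: int
    bytes_out: int
    packets: int


# Constructed sample flows; addresses are documentation ranges, not real traffic.
FLOWS = [
    # ordinary web browsing from a campus workstation
    Flow("10.1.1.20", "203.0.113.10", 443, 48_000, 60),
    Flow("10.1.1.20", "203.0.113.11", 443, 12_000, 20),
    # a campus server pushing an unusually large volume to one external host
    Flow("10.1.2.5", "198.51.100.7", 443, 6_000_000_000, 4_500_000),
    # an external host touching 100 distinct ports on that server with tiny flows
    *[Flow("192.0.2.99", "10.1.2.5", p, 60, 1) for p in range(20, 120)],
    # an external host legitimately using two services on the same server
    Flow("192.0.2.50", "10.1.2.5", 22, 5_000, 40),
    Flow("192.0.2.50", "10.1.2.5", 443, 9_000, 30),
]

# Assumed thresholds; a real deployment tunes these per host role and baseline.
LARGE_TRANSFER_BYTES = 1_000_000_000   # 1 GB from one host to one peer
SCAN_MIN_PORTS = 50                    # distinct destination ports on one target
SCAN_MAX_AVG_BYTES = 200               # scan probes carry almost no payload


def large_transfers(flows, threshold=LARGE_TRANSFER_BYTES):
    """Sum bytes per (src, dst) pair and return the pairs at or above threshold."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst)] += f.bytes_out
    return {pair: b for pair, b in totals.items() if b >= threshold}


def port_scans(flows, min_ports=SCAN_MIN_PORTS, max_avg_bytes=SCAN_MAX_AVG_BYTES):
    """Return {(src, dst): n_ports} for sources that hit many ports on one target
    with tiny flows. The average-size check is the corroboration an analyst would
    apply before acting on the alert: many ports with real payload is not a scan."""
    ports, byte_sum, count = defaultdict(set), defaultdict(int), defaultdict(int)
    for f in flows:
        key = (f.src, f.dst)
        ports[key].add(f.dport)
        byte_sum[key] += f.bytes_out
        count[key] += 1
    return {
        key: len(pset)
        for key, pset in ports.items()
        if len(pset) >= min_ports and byte_sum[key] / count[key] <= max_avg_bytes
    }


def triage(flows):
    """Combine both detections into the view the article describes: which sources
    are candidates for a firewall block, and which scanned hosts then sent a large
    transfer out, which is the case that warrants server analysis."""
    scans = port_scans(flows)
    big = large_transfers(flows)
    scanned_hosts = {dst for (_, dst) in scans}
    return {
        "block_candidates": sorted({src for (src, _) in scans}),
        "large_transfers": big,
        "scanned_then_uploaded": sorted({src for (src, _) in big if src in scanned_hosts}),
    }


if __name__ == "__main__":
    for name, value in triage(FLOWS).items():
        print(f"{name}: {value}")
```

Run as a script it reports 192.0.2.99 as the only block candidate, and 10.1.2.5 as a host that was scanned and then moved 6 GB to an outside address. The workstation 10.1.1.20 and the two-service client 192.0.2.50 produce no findings, which is the point of aggregating per pair and corroborating on flow size rather than alerting on every unusual port.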
Application administration receives a boost from the system in situations such as migrating to new systems: "You can use this tool to watch clients connecting to the old system drop off over time and clients coming to the new system increasing over time," he said.