Relocation services firm digs out worms

Relocation services firm Sirva was hit so hard by the wave of computer worms and viruses that swept the Internet this time last year that preventing future attacks became a top priority for the company.

The global giant, with US$2.2 billion in annual revenue, includes the Allied and North American Van Lines, and Trans International and Hoults Removal Group in Europe and Asia. The computer worms and viruses that started hitting Sirva in late August 2003 - including Blaster, Nachi and SoBig.F - disrupted the company's network and e-commerce operations so seriously that upper management couldn't help but notice.

"The experience of the worms getting into the network had the impact of an outage," says Ann Harten, CIO and senior vice president at Sirva. "I was in Europe when this happened and so was our CEO. We experienced firsthand what was going on."

"The Nachi worm played havoc on us," causing massive network congestion, Harten says. Nachi, also known as the Welchia worm, generates what is often a crippling level of increased network traffic and exploits vulnerabilities in unpatched Windows machines to try to remove the Blaster worm.

Much to everyone's horror, viruses also began altering business data in Sirva computers. Under the onslaught of the virus and worm siege, employees were forced to revert to manual processes to get through several days while the IT department cleaned up the mess in the machines.

Ted Kozenko, senior manager of security, and Chuck Shmayel, vice president of infrastructure and security, say Sirva has improved its software-patching process, primarily through more regular updates of Windows servers and desktops. But the traumatic events of last year also prompted the IT department to shop for a worm-killer.

As a foundation defense they chose two products from ForeScout Technologies that detect early signs of worm activity, such as incessant scanning. Because WormScout and ActiveScout look for worm behavior rather than the specific signature of known worms, they can automatically block a worm before it is even given a name by security experts.

WormScout, an appliance that guards LAN segments, was first used at Sirva last November, and now 24 of these worm-detecting and blocking appliances have been installed in U.S. offices, Kozenko says.

"Within two hours of putting it in, it alerted us to unwanted traffic on the network," he says. "It was worm spyware trying to travel around." WormScout pinpointed the source computer inside the company, and the IT department cleaned it up.

WormScout works by preventing an infected computer from connecting to the rest of the network. However, because false positives could cause a lot of disturbance to the firm's thousands of employees, the IT department moved cautiously in deploying it.

"For the rollout, we had WormScout in 'listen' mode, then 'monitor' mode, then we went to blocking," Shmayel says.

There have been a few problems in using WormScout, such as the appliance concluding that an application was somehow behaving like a worm, and it did block a VPN connection, he says. But these glitches were not too hard to iron out, he adds.

Sirva, which also has installed ForeScout's perimeter defense appliance ActiveScout at its Internet access point in Cleveland, has found the behavior-based technology a reliable search-and-destroy method to prevent major worm infestations.

Further rollouts of the ForeScout worm-killers are targeted for Sirva's European and Asian offices next year. The company so far has spent about US$350,000 on the project.

Another step Sirva has taken to crush worms and viruses is to use the MessageLabs content-filtering services to filter e-mail, Shmayel says.

Sirva investigated a number of virus and worm prevention methods, including Cisco Systems' Security Agent and the Network Admission Control security system that's becoming part of Cisco routers and switches. But Sirva didn't want to pin its hopes on any in-line device that could fail or an approach that required agent software, Kozenko says.

However, the company has no intention of doing away with the line of Cisco firewalls and intrusion-detection systems (IDS) it uses simply because the ForeScout worm defense is being fully deployed.

There's no reason to get rid of IDS and firewalls because they offer multiple layers of security, Shmayel says.

Kozenko says he would like to see ForeScout integrate its worm-defense products with the open source IDS Snort so that WormScout and ActiveScout might provide more information on application-layer attacks, such as SQL injection.

"The ForeScout forensics are very good, and we just want to gather more information," he says. "It's like having a global early warning system."
