2007 CIPA Winners



British Columbia Ministry of Labour and Citizens' Services

Intrusion Prevention System Project
Keeping All the Bugs Out


Challenge

Malicious attacks on the British Columbia government's information network were getting out of control, until a resourceful security team found an innovative way to drive out the pests.

Access to the B.C. government's electronic data and services is provided by the Shared Provincial Access Network/British Columbia (SPAN/BC). It is accessed via the Internet, a virtual private network (VPN) and the Third-Party Gateway, a network for the province's business partners. SPAN/BC users include about 30,000 government employees; 600,000 schoolchildren, teachers and college students; hospitals, pharmacies and health authorities; and some crown corporations and government agencies. SPAN/BC is protected by the Information Security Branch (ISB), which reports to the government's chief information officer within the B.C. Ministry of Labour and Citizens' Services. ISB has 35 staff.

Until December 2005, ISB's primary resources were the customary firewalls and router filtering and a cumbersome threat-assessment procedure. They were not enough, and SPAN/BC was suffering a major worm or virus infection every year. In 2005, it was the Zotob virus. ISB estimates that the cost of repairing the damage caused by a major infection such as Zotob is at least $500,000. There are less easily measured costs, such as negative media publicity and losses suffered by users and clients when a network fails. SPAN/BC's susceptibility to infection was highlighted by a survey in January 2004, which found that about four million malicious information packets were traversing the network every week.

Identifying and managing harmful attacks was becoming increasingly difficult for four basic reasons. First, each of the three access modes (the Internet, VPN and Third-Party Gateway) has a different security profile, controls and administrative groups. Second, in order to determine attack patterns, help clients secure their systems and make tactical security decisions, ISB used network data stored in mainframe computers, and it took about 24 hours in elapsed time and two hours in actual manual operations to retrieve, interpret and analyze the relevant information. Third, ISB had the capacity to investigate only about 50 incidents a month. Fourth, SPAN/BC's traffic was increasing by 50 per cent a year.

Solution

In collaboration with the government's Workplace Technology Services and with help from the private sector, ISB embarked on the Intrusion Prevention System Project. Their goal was a system that blocked malicious traffic, provided a detailed record of both blocked and non-blocked suspicious traffic and established supporting business processes for monitoring traffic, reporting, alert creation and human intervention. The intrusion prevention system they developed leapfrogs such network controls as router filtering and firewalls by responding to attack signatures, rather than blocking suspect traffic according to protocol, ports and IP address. Up and running in December 2005, the new system:

  • Monitors all traffic 24/7;
  • Analyzes blocked and non-blocked traffic;
  • Keeps detailed traffic records;
  • Recognizes and stops new threats;
  • Finds and fixes infected and compromised systems within SPAN/BC.

Results

Six months after implementation, the new intrusion-prevention system had reduced SPAN/BC's monthly malicious traffic by 75 per cent. It was also identifying malicious traffic that originated within SPAN/BC and was directed at external sites. Whereas it once took ISB 24 hours to get data from mainframe computers, analyze and interpret it, and otherwise tend to serious threats, the time has been cut to about 30 minutes. ISB has the capacity to investigate 140 incidents a month instead of 50. But because malicious traffic has been severely reduced and all monitoring and primary analysis is done by Seccuris Inc. of Winnipeg, branch staff are now available for other work. The Third-Party Gateway and the other two SPAN/BC access avenues now have a common security profile and control point.

Since the system was implemented, SPAN/BC has not had a worm or virus infection. An early test came in January 2006. The Metafile virus could infect even fully patched Windows systems and was said to be one of the most pervasive threats to strike the Internet in two years, but the B.C. government was spared.

Innovative use of technology

According to Public Safety Canada's Canadian Cyber Incident Response Centre, B.C.'s system was the country's first large-scale government intrusion prevention system that blocked malicious traffic. To ISB's knowledge, it was the first Canadian government deployment of any size. And as one of the IPS team puts it: "The endlessly escalating growth of network traffic has made firewall solutions obsolete and challenged router controls. The intrusion protection system, with its custom-designed network chips, has been able to easily meet the increased load and is expected to meet future demand. This is a subtle but very large victory for the B.C. government."

A 2007 CIPA Winner!

For its excellent application of information technology to transform processes and bring benefits to its stakeholders, the B.C. Ministry of Labour and Citizens' Services has been awarded a CIPA Silver Award of Excellence in the Innovation, Not For Profit category.






© 2007 CIPA