As malicious network viruses increasingly resemble terrorist attacks, the security industry is developing its own version of SWAT teams that aim to swiftly defuse crises and get hostages out of a jam.
Recently, security vendor Network Associates (NAI) was faced with a difficult virus to eradicate when its customer MCI WorldCom contracted the Remote Explorer virus, which infects Windows NT machines and encrypts data on them.
To combat the virus, NAI called on its anti-virus researchers in the United States, Japan, and England to fix the damage. The company even recalled a team manager from vacation in Mexico.
"That is the job. The guy carries a beeper. The customer has a problem, and the customer wants it fixed now," says Peter Watkins, general manager of the Net Tools Secure division at Network Associates, in Santa Clara, California. "The guy we had to pull back from Mexico was the manager of the lab. This is the guy that has to determine the priorities. We just pull them in. You have to."
No longer is it enough to purchase anti-virus or intrusion-detection software and install it on a network. Users must now evaluate security vendors' capability to address a new virus or attack and quickly respond with a fix to the problem.
"As the networks become ever more intertwined and the code becomes more self-replicating and vicious, the amount of damage is growing exponentially," says Jim Balderston, an industry analyst at Zona Research, in Redwood City, California. "The key, now and into the future, is shrinking response times so the damage can be limited or minimized."
As customers evaluate possible security solutions, most SWAT teams point to several key points of differentiation that customers should be aware of:
-- What is the size and availability of the team?
-- What kind of turnaround time does the group usually have on viruses?
-- What is the ease of attaining updates for products?
-- Do they provide the services you need to keep up and running?
-- Which platforms do they support?
-- What is their virus-detection track record?
But SWAT team members often enjoy the challenges of their positions despite the strange hours and extreme demands.
"I love my job," says Vincent Gullotto, manager of the Anti-Virus Emergency Response Team at Network Associates, in Beaverton, Oregon. "It's definitely what we live for. Most of these people are hard-core anti-virus people. A lot of them eat, sleep, and breathe these sorts of things."
"I love my job a lot," says Carey Nachenberg, chief researcher on the Symantec Anti-virus Research Team, or SARC, at Symantec, in Santa Monica, California. "I look forward to every day. It's actually quite challenging."
Users dealing with security issues, however, expect this level of commitment when it comes to getting networks back online after a virus attack.
"Any kind of company that deals with the ongoing threat of viruses would have some system in place where if we came to them with a virus they would come to us with a fix," says a virus security administrator at a large software publication company in California, who wished to remain anonymous. "You don't hear a lot of stories about viruses, but our company has been passing a lot of viruses lately. Thankfully none that have been very malicious."
The simple fact is, however, if a major virus hits, the first thing most administrators will do is remove their systems from a network.
That leaves users without network access and unable to conduct business as usual, and a company at a standstill is a company not making money.
"Basically if you don't have to wait and your users don't have to wait, that's important. Turnaround time is going to be critical in this field," says SARC's Nachenberg. "Every minute that an IS manager is waiting, they have people who are waiting to get their systems back."
SARC has an average response time of 19 hours. In an effort to cut response times to virus alerts, SARC is working with IBM to create and perfect a digital immune system that will use computers to scan, identify, and fix viruses without the need for human intervention.
"Rather than humans doing the analysis, we're going to have computers do it," Nachenberg says. "That way we won't have to come back from our vacations."
NAI has set the bar high for itself and is taking a slightly different approach, according to Watkins.
"I'd like to get that cycle time to less than six hours," Watkins says. "Over the next year, I'd like to have some of our electronic analysis tools onsite on the server.
"What I'm doing here is having more points of analysis near the customers, because the key here is quick containment," Watkins adds.
Chronology of the Remote Explorer virus
Dec. 17, 1998  Network Associates' Anti-Virus Emergency Response Team (AVERT) branch of NAI Labs was approached by MCI WorldCom, where the virus was found.
Dec. 17, 1998  AVERT received samples at approximately 6 p.m.
Dec. 21, 1998  Removal and inoculation were made available to the public at 8 a.m. after being tested in the customer
(*) Total AVERT labor hours for the project were approximately 200 to 225.