Security for the Real World.
Customer Case Study
Sourcefire RUA™ (Real-time User Awareness) Overview

About AutoTrader.com
AutoTrader.com, created in 1997 and headquartered in Atlanta, GA, is the Internet’s leading auto classifieds marketplace and consumer information website. AutoTrader.com aggregates in a single location more than 3 million vehicle listings from 40,000 dealers and 250,000 private owners, which together provide the largest selection of vehicles, attracting more than 13 million qualified buyers each month.
About Tamara Fisher
Tamara Fisher is a security engineer for AutoTrader.com, the Internet’s leading auto classifieds marketplace and consumer information website. Tamara manages a wide range of security technologies at AutoTrader.com, including wireless security, intrusion detection/prevention, and vulnerability testing. Prior to joining AutoTrader.com in 2005, Tamara was a system engineer at AT&T, where she worked for 17 years. Tamara currently holds the CCNA, SANS GSEC, and GCIA certifications.
AutoTrader.com is widely regarded as the Internet’s leading source for auto classifieds. Headquartered in Atlanta, Georgia, AutoTrader.com aggregates more than 3 million vehicle listings from 40,000 dealers and 250,000 private owners from across North America, attracting more than 13 million qualified buyers each month. The award-winning Sourcefire 3D™ System has protected AutoTrader.com’s network infrastructure for nearly four years. AutoTrader.com now has more than 25 Sourcefire 3D™ Sensors providing intrusion defense at the perimeter, within the core, and at critical internal network segments. All of AutoTrader.com’s 3D Sensors are managed using two Sourcefire Defense Center™ appliances, and are equipped with Sourcefire’s innovative RNA (Real-time Network Awareness) and RUA (Real-time User Awareness) modules.

Sourcefire RNA™ provides passive, 24x7 monitoring of internal network segments. RNA compiles valuable network intelligence that provides context when analyzing network security events. RNA also enables AutoTrader.com to gain valuable insight into the network assets they’re protecting.

Sourcefire RUA™ is the newest addition to the Sourcefire 3D System. RUA pairs Active Directory and LDAP usernames with host IP addresses. Now when a host is involved in a network security event, customers not only know the IP address of the host under attack, but they also know who to contact.

To better utilize their dedicated IT security resources, it’s important that AutoTrader.com select solutions that are integrated, easy-to-use, and enable their team to work smarter, not harder, when defending their network against today’s dynamic threats. That’s why AutoTrader.com chose Sourcefire.
Network Security Challenge
Even though AutoTrader.com is able to reduce the overall number of actionable IPS security events through Sourcefire’s highly acclaimed Impact Flags capability, high-priority security events still occur. And when they do, it’s not only important to know which host is under attack, but also who to contact to quarantine the threat. Without having insight into user identity, a security analyst is limited to the IP address of the host under attack. If it is a static IP address assigned to a server, the security analyst usually knows immediately who to contact. But if the host is a laptop or desktop computer, and the IP address changes on a daily basis (using DHCP), which is most often the case, then identifying who to contact becomes a much bigger challenge.

“When a high-priority event occurs, the security analyst on duty is instructed to contact a member of the Windows Support Group to determine which user has been affected. Assuming a member of that team is available, that person will manually sift through a series of LDAP and DHCP log files in an attempt to identify the username associated with the host under attack,” notes Tamara Fisher, Security Engineer at AutoTrader.com. “Once an appropriate person is contacted, and they agree to drop what they are doing to perform this query, the task could take up to an hour to complete. In the meantime, the host targeted by the exploit may still be under attack, or it may be infecting other hosts, or both.” AutoTrader.com needed a better way.
Sourcefire RUA™ (Real-time User Awareness) Customer Case Study - 1
Sourcefire RUA—Greater Visibility with Integrated User Awareness
AutoTrader.com solved its user identity challenge by leveraging Sourcefire RUA. RUA passively detects Active Directory and LDAP logons and “pairs” usernames with their corresponding IP addresses. Now when a security event occurs— whether low or high priority—the security analyst can instantly see the username affected by the event. Additional user attributes, such as the user’s first and last name, department, email address, and phone number, are also available right at the analyst’s fingertips.

A strategic component of the Sourcefire 3D System, Sourcefire RUA provides integrated user awareness never before available, including:
- 24x7 passive identity discovery with comprehensive user identity information
- Real-time “pairing” of host IP addresses with corresponding Active Directory/LDAP usernames, for use when analyzing security and compliance events
- Significantly improves audit controls and assures regulatory compliance by linking events directly to individual users
- User identity integration within all Sourcefire Enterprise Threat Management (ETM) solutions, including Intrusion Prevention (IPS), Network Behavior Analysis (NBA), Network Access Control (NAC), and Vulnerability Assessment

Figure 1. Security analysts can view user identities related to security events without performing an external lookup.
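The pairing described above, and the manual DHCP/LDAP log search it replaces, come down to one question: which user was logged on from a given IP address at the moment an alert fired? The following is an added example written for this page, not Sourcefire code and not an implementation of RUA. It replays constructed DHCP lease records and directory logon records (the record format, hostnames, MAC addresses, IP addresses and usernames are all assumptions made up for the example) and answers that question for an alert, treating a pairing as stale once DHCP has handed the same address to a different MAC address after the logon that established it. That staleness check is the detail a SOC analyst most needs: in a DHCP environment, yesterday's logon from an IP says nothing reliable about who holds it today.

```python
"""Correlate an alert's IP address with the user logged on from it at that time.

Added example for illustration only (not Sourcefire or AutoTrader.com code).
Replays constructed DHCP lease records and directory logon records in time
order and resolves "who was on this IP when the alert fired?".  A pairing is
treated as stale when the IP was re-leased to a different MAC address after
the logon that established it.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample records (assumed format, not from the case study):
#   DHCP  <iso-time> lease <ip> <mac> <hostname>
#   LOGON <iso-time> <domain\user> <ip>
SAMPLE_LOG = """\
DHCP  2008-02-11T08:00:00 lease 10.1.5.23 00:1a:2b:3c:4d:5e LAPTOP-17
LOGON 2008-02-11T08:00:05 CORP\\tfisher 10.1.5.23
DHCP  2008-02-11T09:15:00 lease 10.1.5.40 00:1a:2b:aa:bb:cc DESKTOP-02
LOGON 2008-02-11T09:15:10 CORP\\jdoe 10.1.5.40
DHCP  2008-02-11T11:00:00 lease 10.1.5.23 00:1a:2b:3c:4d:5e LAPTOP-17
DHCP  2008-02-11T12:30:00 lease 10.1.5.23 00:1a:2b:99:88:77 LAPTOP-42
"""


@dataclass
class Lease:
    time: datetime
    ip: str
    mac: str
    host: str


@dataclass
class Logon:
    time: datetime
    user: str
    ip: str


def parse_log(text: str) -> Tuple[List[Lease], List[Logon]]:
    """Split the combined record stream into time-ordered lease and logon lists."""
    leases: List[Lease] = []
    logons: List[Logon] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kind, ts = parts[0], datetime.fromisoformat(parts[1])
        if kind == "DHCP":
            leases.append(Lease(ts, parts[3], parts[4], parts[5]))
        elif kind == "LOGON":
            logons.append(Logon(ts, parts[2], parts[3]))
        # any other record type is ignored
    leases.sort(key=lambda r: r.time)
    logons.sort(key=lambda r: r.time)
    return leases, logons


def resolve_user(ip: str, alert_iso_time: str,
                 leases: List[Lease], logons: List[Logon]) -> Optional[str]:
    """Return the username paired with `ip` at the alert time, or None.

    The most recent logon from `ip` at or before the alert is the candidate.
    It is rejected as stale if, between that logon and the alert, DHCP leased
    the address to a MAC other than the one that held it at logon time.
    Lease renewals by the same MAC do not invalidate the pairing.
    """
    alert_time = datetime.fromisoformat(alert_iso_time)
    candidate: Optional[Logon] = None
    for ev in logons:
        if ev.ip == ip and ev.time <= alert_time:
            candidate = ev  # logons are time-ordered, so the last match wins
    if candidate is None:
        return None
    # MAC address that held the lease for this IP when the user logged on
    mac_at_logon: Optional[str] = None
    for lease in leases:
        if lease.ip == ip and lease.time <= candidate.time:
            mac_at_logon = lease.mac
    for lease in leases:
        if (lease.ip == ip and candidate.time < lease.time <= alert_time
                and lease.mac != mac_at_logon):
            return None  # address moved to another host; pairing is stale
    return candidate.user


if __name__ == "__main__":
    lease_list, logon_list = parse_log(SAMPLE_LOG)
    for alert_ip, when in [("10.1.5.23", "2008-02-11T10:00:00"),
                           ("10.1.5.23", "2008-02-11T13:00:00"),
                           ("10.1.5.40", "2008-02-11T10:00:00")]:
        print(alert_ip, when, "->", resolve_user(alert_ip, when, lease_list, logon_list))
```

The renewal at 11:00 by the same MAC keeps the 08:00 pairing valid, while the 12:30 lease to a different MAC makes any later lookup on that address return None rather than a wrong name; an analyst would then treat the host as unidentified instead of contacting the previous user.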
Sourcefire RUA Benefits
“Mapping a username to an IP address was taking us away from a backlog of other important tasks. What used to take up to an hour now takes just a second or two,” explains Fisher. “I feel much better knowing that I can contact a user immediately in the event they are affected by a network attack.”

Shortly after implementing Sourcefire RUA, AutoTrader.com was able to track a risky form of malware to an employee’s laptop. “Because we were able to immediately identify and contact the user affected by the malware, this discovery became the justification for our purchase of Sourcefire RUA,” recalls Fisher. “Sourcefire RUA is a great addition to our environment. We saw immediate value from RUA, and now we rely on it for all of our alert investigations.”

For AutoTrader.com, Sourcefire RUA:
- Eliminates steps in the alert reaction process
- Accelerates incident containment
- Saves time and improves the efficiency of the network security team
©2008 Sourcefire, Inc. Sourcefire 3D System, RUA, RNA, 3D Sensors and Defense Center are trademarks or registered trademarks of Sourcefire.
REV 2 | 2.2008