CUSTOMER SUCCESS STORY

Even with top-notch antivirus systems, Westinghouse Electric Company suffered major damage from a "day zero" network attack a little over a year ago. The company responded by deploying the Cisco Security Agent, which helps stop viruses before they ever get started.
BUSINESS CHALLENGE
Westinghouse Electric Corporation, part of the Nuclear Utilities Business Group of British Nuclear Fuels (BNFL), is a provider of nuclear plant products and services to utilities around the globe. The company employs more than 9,000 people at 36 locations worldwide, many of whom are engineers generating revenues by meeting customer deliverables and schedules.
"We have a global business that requires collaboration and sharing of information and data worldwide," says Thomas Moser, manager of Information Technology Services for Westinghouse. "Having networks that are up and available to continue the revenue stream is highly important."
Recognizing the impact a network outage could have on the business, the company's network security staff had always used strong anti-virus systems and had been vigilant about immediately distributing new anti-virus software updates. But even with these protections in place, Westinghouse was still vulnerable to "day zero" attacks: viruses or worms that hit the network before the anti-virus software vendors had released updates to block them.
In February 2004, the company found out just how damaging this vulnerability could be when the network was hit with the MyDoom virus. Moser and his staff realized that the network was under attack by something the anti-virus software wasn't recognizing, and immediately began disconnecting the affected segments. Only 103 PCs were infected (less than two percent of worldwide workstations), and they were isolated within 35 minutes. But by that time, the damage had been done: 24 locations worldwide were affected. More than 9 million files, representing 1.4 terabytes of data, were deleted. And in the aftermath, more than 12,000 hours of employee productivity were lost, at an estimated cost of more than US$1 million.
"It took us several days to get back on our feet," says Moser. "The virus deleted files at random across the network. So even when the network was restored, our engineers and IT staff had to spend hours inventorying their files to identify what was missing. It was a huge, very costly disruption in the business process."
Moser and the Westinghouse network security team knew they needed to find a way to protect the company against such attacks in the future. But finding a solution would not be easy. At the time, most virus protection tools were still based on matching virus signatures, which were useless if the virus hit before the signatures were released, as had happened with MyDoom.
In addition, a full 40 percent of the company's worldwide workstations are mobile laptops that are frequently used by engineers in off-site customer networks, and highly vulnerable to infection by viruses, worms, and Trojans. Westinghouse needed to protect its customers' networks by keeping "clean" PCs. Three thousand employees also connect to the network regularly from home computers, which are even more difficult to regulate.
Westinghouse also faced the same risks from vulnerabilities in Microsoft operating systems as every other large enterprise. Even when weaknesses were discovered and patches made available, the company still had to spend several days testing the fixes before installing them worldwide, during which time the network was at risk.
NETWORK SOLUTION
Just one month after the MyDoom attack, Moser became aware of a new kind of network endpoint protection that had recently been introduced by Cisco Systems®: Cisco® Security Agent. A host-based threat defense system, Cisco Security Agent analyzes actual operating system behavior of PCs and servers, and blocks suspicious or malicious activity without relying on matching a virus signature. As a result, the solution can provide protection against both known and unknown day-zero threats. It was exactly what Moser and Westinghouse were looking for.
"We first looked into Cisco Security Agent in March, 2004, and we immediately purchased licenses for all our users, without even seeing it," says Moser. "We tested and piloted it over the following three months, and then began rolling it out site by site later that year. By February, 2005, we had implemented it across the world, and we've been using it ever since."
Moser admits that he likely would not have purchased a new technology sight unseen under other circumstances. But the fact that Cisco Systems was behind the solution gave him the confidence to move forward. Westinghouse had also had very positive experiences with other Cisco solutions, including Cisco PIX® security appliances and Cisco Intrusion Prevention System (IPS) solutions, and relied on a network infrastructure built almost entirely with Cisco routers and Cisco Catalyst® switches.
BUSINESS VALUE
During the first seven months that Cisco Security Agent has been deployed at Westinghouse, the company was assaulted by numerous viruses, worms, and Trojans, as well as six day-zero denial of service (DoS) attacks. Cisco Security Agent blocked every one.
"The other day-zero attacks likely would not have been as serious as MyDoom had they managed to infiltrate our network, but they still would have had an impact," says Moser. "I would estimate $50,000 to $100,000 in damage for each one."
The most recent and serious of these attacks was the ZOTOB worm, which began circulating in mid-August 2005. The worm did not delete files, but it was designed to take a user's PC offline by causing it to continually reboot. While other large companies were struggling to cope with the attack (including at least one national news organization that had to use electric typewriters to prepare the evening news broadcast), it was business as usual at Westinghouse. At the peak of the attack, the ZOTOB worm attempted to launch on Westinghouse PCs more than 8,000 times. Cisco Security Agent thwarted every single attempt.
"In May, we saw a day-zero virus that was morphing twice a day," says Moser. "We were right on the forefront of the attack, and we even forwarded information to our anti-virus vendor so they could update their software. We could see these things hitting, but they weren't bringing us down, because Cisco Security Agent was stopping them."
Cisco Security Agent also protects the network from vulnerabilities in Windows operating systems, even before Microsoft has released patches to correct the problem.
"When we receive patches from Microsoft, we still go through about a week's worth of testing before we perform the global installation," says Moser. "During that period of time, we used to be vulnerable. Now, Cisco Security Agent covers that window. We can't shorten the testing process for new patches, but if I didn't have Cisco Security Agent on all our PCs, I'd be sweating bullets during that process."
Ultimately, Westinghouse is now better protected than ever before against even the most dangerous, unknown network attacks, and able to support its highly mobile workforce with confidence.
NEXT STEPS
In the coming year, Moser plans to expand the Cisco Security Agent deployment to companywide servers, in addition to employee PCs. Westinghouse is also currently piloting an 802.1x implementation for its wired and wireless networks, based on the 802.1x port-based authentication technology developed by Cisco Systems and Microsoft. Westinghouse is deploying the technology with Cisco Catalyst® 3750 switches, Cisco Aironet® 1230 and 1231 Access Points, and Cisco Access Control Servers.
When fully deployed, the solution will allow Westinghouse to examine all PCs attempting to connect with its network, and automatically quarantine those infected with viruses, as well as those that do not have the most up-to-date anti-virus software and operating system patches. The solution will provide yet another layer of protection for Westinghouse networks and employees, and serve as a robust line of defense against attacks exploiting mobile employee laptops and home-based PCs.
FOR MORE INFORMATION
Cisco Systems has already helped organizations worldwide deploy the robust, intelligent security solutions necessary to protect against constantly evolving threats. To find out how Cisco Security Agent can help your organization, contact your local account representative, or visit:
