SkyRecon Systems –
This Best Practice is part of a collection of advice provided by information technology professionals on how they have solved various challenges and addressed IT priorities within their organizations.
Company: FN Manufacturing
Makers of M16 assault rifles, FN Manufacturing still faced a common IT challenge: managing laptops. Employees frequently travel for work, and they take along laptops containing sensitive data. As more and more employees rely on laptops as their main workplace computer, volumes of information that used to remain in the office are increasingly put at risk.
As with many security problems, laptops pose the dilemma of balancing productivity and risk. Of course, traveling employees are far more productive if they have workplace applications and information at their disposal. However, what is good for productivity is often bad for security. Laptops that travel are exposed to more risks. They get left behind in taxis, airplane cabins, restaurants and coffee shops, and every now and again they are exposed to hackers when they connect to poorly secured public networks. Another emerging risk is that of the targeted attack. More and more phishing attacks focus on specific individuals and companies, rather than simply casting a wide net and seeing what turns up.
It is critical for traveling laptops to have the same level of security as PCs within the workplace; otherwise the data on those laptops is at risk. According to the U.S. Commerce Department, intellectual property theft costs U.S. business about $250 billion each year, while also slashing nearly 750,000 jobs from the U.S. economy.
FN Manufacturing, LLC, knew that it needed to address this problem. The company is a precision machining manufacturer specializing in the production of small firearms. Located in Columbia, SC, the company supplies arms to the U.S. military and law enforcement.
At first glance, FN Manufacturing doesn’t seem to be a prime candidate for a new class of data security. After all, they don’t have large consumer databases, such as those common at healthcare, financial, and retail organizations, and while any military information can be considered sensitive, the weapons they supply are fairly standard.
However, in the manufacturing sector, as in much of the twenty-first century U.S. economy, information is the lifeblood of the business, and a data breach could bring serious trouble.
“There is a lot of sensitive data on our laptops,” said Olivier Vanderstraeten, FN Manufacturing’s network security systems manager. “Besides the employee’s own personal information, there are often product drawings and schematics. These are highly confidential.”
Oftentimes, it is not the design of the product that is sensitive, but the way it is made. The machining process itself could be confidential, and in an industry that relies so completely on a single customer – the U.S. military – even slight incremental advantages are critical. Losing information to a competitor, who could then outflank and perhaps under-bid you, could be a disaster.
Another highly sensitive type of information is customer information. This isn’t the privacy-related information involved in most breaches, but the kind of customer data critical to ongoing supplier-buyer relationships. Contract specifics, contact lists, deal terms, and even the due dates for contracts are all details best kept in-house.
Initially, FN Manufacturing responded to the problem with personal firewalls. These do a pretty good job of protecting against inbound threats, but they do have problems. For starters, losing sensitive information is often an outbound issue. If someone is intercepting packets as they travel over a poorly secured wireless network, the personal firewall is none the wiser.
Next, there are configuration and compatibility issues. With Windows machines and the accompanying Windows firewall, issues often arise. When Windows updates, it occasionally turns the Windows firewall back on, which can then conflict with third-party firewalls. In-house, this isn’t a huge problem, because IT takes care of it. Users on the road, however, can be unprotected and not know it.
This compatibility problem foreshadows an even bigger issue: remote manageability. FN Manufacturing had to install these traditional personal firewalls on a machine-by-machine basis. Afterwards, patching and updating the machines was itself a labor-intensive process.
Yet, an even larger problem occurred when the machines re-entered the corporate network.
“In the past, our security system didn’t verify laptops as they re-entered the corporate network,” Vanderstraeten said. With 60+ laptops coming in and out of FN Manufacturing, this was no small problem. “We had to hope that the antivirus and firewall weren’t disabled and were doing their jobs.”
Solution: SkyRecon Systems' StormShield Security Suite
FN Manufacturing began researching better security options. Having realized that antivirus and personal firewalls are simply not enough to protect its mobile workers while they are traveling, the company considered various vendors, including Cisco, before selecting StormShield from SkyRecon Systems.
StormShield offers integrated system and data protection in a single product. Relying on behaviors rather than signatures or heuristics – approaches that are becoming more and more vulnerable to exploits – StormShield protects data where it is most at risk: on the endpoints. StormShield provides integrated device control, data encryption, application control, host-based intrusion prevention (HIPS), system firewall, wireless security, and Network Access Control (NAC). Its client-side agent also provides zero-day protection without the need for signature or rule updates – all using only a few megabytes of memory, a fraction of the size of competing products in the market.
“Now, we’re not so worried about where those laptops go and what they do when they’re away from the office,” Vanderstraeten said. “StormShield gives us the ability to set dynamic policies, such as prohibiting connections to ad-hoc networks, so we know we can trust that users are protected where they are most vulnerable – outside of our corporate network.”
Once the mobile laptops return to the office, FN Manufacturing can use StormShield’s integrated network access control capabilities to enforce yet another set of policies. “If antivirus is disabled, for instance, we have a lockout policy,” he said. “Users can’t connect to the corporate network until IT vets that machine and makes sure it is safe.”
StormShield Provides Visibility into Remote Behaviors
StormShield also sheds light on what happens when employees travel. Before, if the AV was disabled or if information was lost, no one would necessarily know what happened – or even if something happened. Now, everything is logged and reported. “If something happens when employees travel, we know,” Vanderstraeten said. “And we know what exactly happened, be it a misconfiguration, a problem with a USB key, or even a false alarm.”
Another advantage of StormShield is centralization. Before, Vanderstraeten and his IT staff had to spend time on each and every laptop, installing firewalls and setting up policies.
“Now, this is all done centrally over the Internet,” Vanderstraeten said. “It’s streamlined. StormShield also serves as a policy generator. For instance, if we need to open a communications port for a new application, we do it through StormShield. Before, we had to go to every laptop to change the policy. We can also monitor the status of the endpoints centrally to see, for instance, which laptop needs a critical update.”
In addition to being able to centrally manage policies, StormShield gives FN Manufacturing the ability to implement multiple policies. In a manual, laptop-by-laptop setting, flexible policies just aren’t feasible. IT had to establish broad umbrella policies. “With StormShield, we can change policies based on user groups or context. We can have one policy for when they are in the office and another for when they are on the road,” Vanderstraeten said, “and StormShield manages it all. Once we set the policies, everything is taken care of.”