New Jersey invests in security

New Jersey Information Technology

Officials in New Jersey's technology office are better prepared to respond to cyberattacks after deploying an advanced enterprise security appliance that detects and mitigates threats across the statewide network.

They are using a product called PN-MARS 200 developed by Protego Networks. The appliance receives raw network and security data from various devices, such as network switches, routers, vulnerability analysis tools, intrusion-detection systems, servers and firewalls. With that information, PN-MARS, which stands for Mitigation and Response System, provides a topology or virtual map of the state's network. The appliance, which does not affect network performance because it does not operate as a device on the network, can correlate and consolidate thousands of network and security events per second. Those events can be viewed on a centralized, Web-based console.

Officials at "state agencies, like other corporations, face similar [information technology security challenges: how to optimize operations, prevent threats, respond to incidents and demonstrate due care compliance standards with a limited budget and resources," said Scott Gordon, Protego's vice president of marketing. "PN-MARS cost-effectively addresses these challenges in a scalable, high-performance threat management appliance that is easy to purchase, deploy, use and maintain."

Jim Hammond, a network engineer at New Jersey's Office of IT (OIT), said a single PN-MARS appliance, which has been in use for a year, has adapted to about 11,000 state networks. His group is responsible for the state's wide-area network and acts as an Internet service provider for about 60,000 users.

The Protego appliance helps his 11-member staff effectively use their time and resources, he said. Some use the appliance as a network management tool that can show traffic patterns, chokepoints and other problems. It also helps them better respond to threats and false positives, or alarms.

For example, Hammond said intrusion-detection system sensors generate many alarms. Turning off the sensor's parameters would reduce these alarms, but that defeats the purpose of using such sensors. By learning a network's underlying structure, the PN-MARS appliance uses that baseline knowledge to determine whether something is a false alarm.

"In the Protego box, we can say, 'Confirmed false positive,' and it's very granular," Hammond said. "You can say, 'From this server on this port to that server on that port.' So it builds those rules for you if you go through their script to confirm it's a false positive."

PN-MARS' strength is acting as a bridge between network and security operations, enabling officials to more efficiently identify, investigate and respond to valid incidents. Color-coded alerts that correspond to high-, medium- or low-level attacks are displayed on a summary screen, which provides a look at the network's health, he said. PN-MARS visually shows the attack path in real time and lets administrators view details about the attack to perform post-event forensic analysis. The system can automatically mitigate the breaches and generate options that can be manually applied, which is how OIT officials address threats.

Hammond described it as a "network diagram of where all the incidents are showing up at that time. We have a lot of people out there, and we have a lot of false positives, and we have a lot of shapes, but they definitely change if there's a new virus coming out or a new worm. We'll actually see changes in the traffic patterns there."

Anna Thomas, OIT's chief for strategic development and digital communications, said cybersecurty has been a top concern for New Jersey's chief information officer, Steve Dawson, for the past two-and-a-half years and for many other state government officials to some degree, despite dwindling resources and staff.

Officials said a return on investment from the product includes operational productivity improvement and lowered mitigation costs from responding to incidents earlier. Thomas said there are also less capital expenditures and maintenance when considering alternative solutions.

Hybrid appliances

Phebe Waterfield, an analyst at the Yankee Group, said Protego is among the first vendors to produce hybrid appliances, which she calls network security solutions. Most security event management (SEM) vendors designed systems around events, not devices.

It's easier for IT administrators to justify expenses related to managing devices, she said. Protego also utilizes an organization's existing infrastructure, which resonates with IT managers who need to justify every penny spent on security, she added.

Although Protego, which was founded about two years ago, is still new, it's likely to drive the market in a new direction based on the correlation, visualization and mitigation features of its products, Waterfield said.

SEM vendors "have already started adding some features, but it wasn't their kind of focus, originally. If you ask them about it a lot of them would say, 'Our customers don't want us to take action; they don't trust us to take action.' So yes, it's going to make the SEM [market] more competitive," Waterfield said.