Mike Stute of DALLAS wants to nail hackers before they nail you.

The co-founder and chief technology officer of Global DataGuard Inc., a tiny Dallas Internet monitoring firm, has developed a security system that sniffs out attackers before they attempt a network break-in.
Stute, a 34-year-old alpha geek, has been piecing together his hacker profile system for more than 12 years. He calls it behavioral intrusion detection and likens it to a surveillance system watching for burglars scoping out a building.

"When do you want to catch a thief?" asked Stute (pronounced stutee). "When he eventually breaks a window and sets off the alarm or while he's still casing out the place?"

In this case, the "camera" is a black-box sensor that sits on a company's network. It sifts through billions of lines of data searching for suspicious patterns.

The "surveillance" is round-the-clock monitoring by Global DataGuard computer jockeys who study those network traffic anomalies to determine which ones pose the most danger.

"What Mike has developed is really special," says co-founder and owner Scott Paly, who has invested more than a million bucks in savings to get Global DataGuard rolling.

"The Internet is like 10,000 people wandering through your neighborhood each day trying to open everybody's front door. After a while, nobody pays any attention to it because it happens so often," explained Paly, 44. "But we track that behavior over time and know that the same guy has been at your front door, your side door and your back door every day for the past week, and it's time to call the police."

Global DataGuard's clients, including several well-known regional names, swear that the system routinely saves their skins. Last month, they were unscathed by the Blaster worm because of quick action by Global DataGuard.

But because this is a serious security issue, the clients (ranging from a multibillion-dollar public corporation to a small, locally owned bank) agreed to be interviewed only if their businesses weren't identified.

In the past, companies had to plow through tens of thousands of mostly meaningless alerts each day. Global DataGuard prioritizes the level of danger and recommends defensive action.

"It's amazing and a real eye-opener to see how many attempts there are on us every day," said the information technology security manager for a major Texas-based retailer.

"How many get through? Pretty much zero."

Behavioral monitoring is a hybrid that fits between intrusion detection, which simply sends out endless alerts, and intrusion prevention, which automatically shuts down a system when it senses that the network is under attack.
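As an added illustration of the behavioral approach described above (this is not Global DataGuard's code; the log format, addresses and the `min_doors`/`min_days` thresholds are constructed assumptions), this sketch aggregates connection attempts per source and flags only a source that has knocked on several distinct ports across several distinct days, the "front door, side door and back door every day for the past week" pattern, rather than raising one alert per probe.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one probe per line: "timestamp src dst_port outcome".
# Addresses come from documentation ranges; this is not captured traffic.
SAMPLE_LOG = """\
2003-09-01T02:14:05 198.51.100.7 22 refused
2003-09-01T02:14:06 198.51.100.7 23 refused
2003-09-01T09:30:00 203.0.113.9 80 accepted
2003-09-02T03:01:11 198.51.100.7 445 refused
2003-09-03T01:55:42 198.51.100.7 3389 refused
2003-09-03T14:00:00 192.0.2.44 80 accepted
2003-09-04T04:20:09 198.51.100.7 21 refused
2003-09-05T11:11:11 203.0.113.9 443 accepted
"""

def parse(log_text):
    """Turn the constructed log into (datetime, src, port, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, port, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port), outcome))
    return events

def profile_sources(events):
    """Per source: distinct ports ('doors') tried, distinct days seen, attempts."""
    profiles = defaultdict(lambda: {"ports": set(), "days": set(), "attempts": 0})
    for ts, src, port, _outcome in events:
        p = profiles[src]
        p["ports"].add(port)
        p["days"].add(ts.date())
        p["attempts"] += 1
    return profiles

def prioritize(profiles, min_doors=3, min_days=3):
    """Rank sources by persistence (doors x days) instead of alerting per probe.
    A source is 'casing the place' once it has tried at least min_doors distinct
    ports on at least min_days distinct days; thresholds are assumed values."""
    ranked = []
    for src, p in profiles.items():
        score = len(p["ports"]) * len(p["days"])
        persistent = len(p["ports"]) >= min_doors and len(p["days"]) >= min_days
        ranked.append((src, score, persistent))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked

def alert_counts(events, profiles):
    """Compare a per-event IDS (one alert per refused attempt) with the
    behavioral view (one alert per persistent source)."""
    naive = sum(1 for e in events if e[3] == "refused")
    behavioral = sum(1 for _, _, persistent in prioritize(profiles) if persistent)
    return naive, behavioral
```

On the sample above the per-event view raises five alerts while the behavioral view raises one, for the single source that probed five ports over four days.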

"The problem with ordinary monitoring is the human fatigue factor where the eyes monitoring the system glaze over," said the director of security for a communications corporation.

"We wanted something slightly more automated but not totally so."

A single black-box sensor costs $2,250 a month, with discounts for multiple units and multiyear contracts, says Jeff Anderson, vice president of Global DataGuard sales and marketing. The annual tab for its largest clients, which have up to seven monitored sensors, runs about $150,000 a year.

That's still cheaper, Anderson contends, than hiring a tech-savvy staff of five to man a 24/7 monitoring operation.

In the beginning, Stute's hacker profiling was almost entirely manual.

Stute, who was reared in western Kansas, was the type of kid who took things apart to see how they worked and then tried to rebuild and improve them. He got his first computer, one that hooked up to the family's TV, at age 8, before IBM had introduced its PC.

In 1990, Stute was a sophomore in computer science/mathematics at Fort Hays University. He also worked for a Kansas power cooperative that had just gone online with this new thing called the Internet. It wanted someone to keep tabs on its wire activity, so Stute started putting together a system for spotting hackers.

"We were connecting this big power plant as well as our network to the world. We wanted to watch out for whatever dangers might exist even though we didn't know what those dangers were," recalled Stute. "But we really didn't have a way to watch except to capture the traffic and study the data for funny things going on."

He panicked the first time he saw a hacker trying to crack into the company's system. Then he got angry. But the longer he watched, the more impressed he was with the hacker's skill.

"He finally got down to the root-level access where he could tap into whatever he wanted on the network, but he didn't have a clue what to do next," Stute said. "He was simply following some brainiac's instructions and trying a bunch of different downloaded tools."

Stute made note of each of the hacker's miscues. Then, when he had nothing further to learn from the guy, he summarily bounced him off the system.

From that point on, every time Stute saw something fishy, he wrote down the data.

Then he calculated mathematical algorithms and wrote code that zeroed in on this "door knocking" - the first step of hacker intrusion that randomly probes the Internet with messages to see which servers answer.

As hackers got more sophisticated, so did Stute's code.

By the time he moved to Dallas in 1995 to do network security for CompuCom Systems Inc., the Internet was flourishing, adding millions of users each week - including a growing cadre of troublesome intruders.

Intrusion detection software was cropping up, and the Navy had developed a program for finding unusual network traffic. But both had limitations when it came to analyzing the data. Stute continued to build his profiling software after work.

"As I developed stuff at home, I'd say, 'Oooh, this could save me hours at work.' So I'd take it to work the next day and install it there."

A friend who worked for Paly encouraged Stute to refine and package his cyberware.

After Paly sold his staffing company, he decided to invest some of his bounty in the project.

Paly and Stute opened Global DataGuard in October 2000. Unfortunately, after six months of fairly impressive growth, the tech wave crested. Then 9-11 came, and the rest of the economy tanked.

For the next year, Stute, who's married with two children, was sweating bullets.

"Obviously, I'm thinking, 'If this goes under, it's going to be real hard to find a job.' The whole industry is dying at that point," said Stute.

"What saved us were a couple of bigger contracts that paid the bills. We hunkered down and held on."

And Paly continued to plow cash into the business.

One of the customers that kept Global DataGuard's doors open is a marketing and distribution company headquartered in Plano, Texas.

It had already been a client for nearly a year when the computer menace now known as Nimda struck on the Tuesday after 9-11.

"It's about 8:30 in the morning, and we're having a network staff meeting when all of our cell phones and pagers start going crazy," recalled the company's director of technology services. "Mike tells me, 'Drop whatever you're doing, get upstairs and pull off these two servers from the network. Run!' and I'm thinking, 'Holy crap.'"

Stute had spotted the Nimda worm in its initial attack phase and was able to get the company to pull its servers offline before the infection was complete.

He then gave instructions for fixing the problem.

"By 9 o'clock, we had all our boxes back online fully patched," said the IT director. "Then we started getting reports from Global DataGuard showing the number of failed attacks. You know, `Knock, knock, open up. ... Not by the hair of my chinny chin chin.' We had 100,000 attempts and denials on our Web servers.

"That event and several subsequent ones provide the justification for why we use them."

Today, Paly says, his company is slightly profitable, with sales expected to just top $1 million this year.

Global DataGuard has yet to lose a client, enjoying a 100 percent renewal rate as contracts expire.

The difficulty, however, is in landing new ones. The company would like to attract venture capital to expand its marketing efforts.

"People don't even understand why they even need basic detection technology, much less why they need us. So we end up doing double education," said Paly, who lives in Asheville, N.C., but is active in the company's day-to-day operations.

"That's why we do free trials. We can show companies with their own data how vulnerable they are."

And no one, Stute contends, is safe from computer intrusion.

"You can build a third-floor window on the side of a house and never expect anyone to even attempt to get in," he says, going back to his burglary analogy. "And lo and behold, we'll find signs that somebody's been trying to pry it open."

---

Here are some types of intruders that Mike Stute says are hitting the Web:

Script kiddies:

The largest and least dangerous group of hackers. They use downloaded tools and have limited knowledge.

Ethical hackers:

Slightly more advanced than script kiddies, but because they don't have malicious intent, they feel justified doing whatever they can to get into a network.

Crackers:

Computer criminals intent on causing trouble. They share detailed information over the Internet.

Überhackers:

The 1 percent elite who are really bad dudes, including a highly dangerous contingent from Eastern Europe.

Internet Firm Studies Intruders' Behavior to Protect Its Clients
© 2008 Hashdot.com