Ask Ray Keller, CEO of security services provider Intelink, to describe his worst nightmare and he sneers with a stiff upper lip like his idol John Wayne: “down time on Cyber Monday.” Intelink monitors a complex network of servers, applications, databases, storage arrays, firewalls, and networking gear for hundreds of retail customers.
While you and I engaged in acts of mass consumerism December 1, Ray’s team was on high alert making sure no threats compromised the performance or security of his customers’ businesses. Each day, Intelink processes more than a billion events and correlates them against thousands of patterns to detect anomalies. This past Cyber Monday that number spiked to nine billion or roughly 104k events per second.
No anomalies the first hour. None the second or third. It wasn’t until 4:35 AM GMT that trouble surfaced. A Masque Attack was detected from a single buyer’s iPhone. It generated a traffic spike when malicious HTTPS requests flooded a shoe retailer’s e-commerce site. Before performance degraded, Ray’s NOC team saw the security dashboard light up like a Christmas tree.
AccelOps triggered the first incident by detecting deviations from the ICMP request baseline using the ICMP Request Traffic Profile report. That anomalous activity was then correlated with unexpected user-location events using the Identity and Location Report. It was the equivalent of the janitor logging into Oracle with admin credentials from the broom closet. Something was amiss. The Intelink NOC team investigated the source IP, confirmed it was on a malware watch list, isolated the user’s login and location, blocked the transaction, and watched as the spike flatlined minutes later and baseline activity resumed.
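The two-stage detection described above (a deviation from a per-source ICMP request baseline, escalated to an incident only when it correlates in time with a login from a location the user does not normally use) is easy to reproduce in a few dozen lines. The following is an added illustration written for this post, not AccelOps or Intelink code; the event records, the IP addresses, the user names and the countries are all constructed, and the three-sigma threshold and ten-minute correlation window are assumed tuning values, not anything the story specifies.

```python
"""Baseline-deviation detection correlated with unexpected user locations.

Added example, not vendor code. All sample data below is constructed:
per-minute ICMP echo-request counts per source IP, plus login events carrying
the user and the country the login came from.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set

@dataclass
class IcmpSample:
    minute: int      # minute index inside the observation window
    src_ip: str
    count: int       # ICMP echo requests seen from src_ip in that minute

@dataclass
class LoginEvent:
    minute: int
    src_ip: str
    user: str
    country: str

def icmp_deviations(samples: List[IcmpSample], baseline_minutes: int,
                    k: float = 3.0) -> List[IcmpSample]:
    """Stage 1: flag samples that exceed the per-source baseline by > k sigma.

    The first `baseline_minutes` of each source form its baseline. A flat
    baseline would give sigma = 0, so sigma is floored at 1.0 request/minute.
    """
    by_src: Dict[str, List[IcmpSample]] = {}
    for s in samples:
        by_src.setdefault(s.src_ip, []).append(s)
    flagged = []
    for rows in by_src.values():
        rows.sort(key=lambda r: r.minute)
        base = [r.count for r in rows if r.minute < baseline_minutes]
        if len(base) < 2:
            continue  # not enough history to call anything anomalous
        mu, sigma = mean(base), max(pstdev(base), 1.0)
        for r in rows:
            if r.minute >= baseline_minutes and (r.count - mu) / sigma > k:
                flagged.append(r)
    return flagged

def unexpected_locations(logins: List[LoginEvent],
                         usual: Dict[str, Set[str]]) -> List[LoginEvent]:
    """Stage 2 input: logins from a country outside the user's usual set."""
    return [e for e in logins if e.country not in usual.get(e.user, set())]

def correlate(flagged: List[IcmpSample], odd_logins: List[LoginEvent],
              window: int = 10) -> List[dict]:
    """Stage 2: an incident needs BOTH signals from the same source IP within
    `window` minutes. A lone ICMP spike (a monitoring probe, a misconfigured
    host) or a lone travelling user stays below incident severity."""
    incidents = []
    for f in flagged:
        for e in odd_logins:
            if e.src_ip == f.src_ip and abs(e.minute - f.minute) <= window:
                incidents.append({"src_ip": f.src_ip, "minute": f.minute,
                                  "icmp_count": f.count, "user": e.user,
                                  "country": e.country})
    return incidents

def run_demo() -> List[dict]:
    """Constructed data: a ten-minute baseline, then a spike from one source
    that also produced a login from an unusual country one minute earlier."""
    quiet_a = [3, 2, 4, 3, 2, 3, 4, 3, 2, 3]   # 203.0.113.7 baseline
    quiet_b = [5, 6, 5, 4, 6, 5, 5, 6, 4, 5]   # 198.51.100.9 baseline
    samples = [IcmpSample(m, "203.0.113.7", c) for m, c in enumerate(quiet_a)]
    samples += [IcmpSample(m, "198.51.100.9", c) for m, c in enumerate(quiet_b)]
    samples += [IcmpSample(10, "203.0.113.7", 3), IcmpSample(12, "203.0.113.7", 400),
                IcmpSample(12, "198.51.100.9", 7)]  # 7 is within normal jitter
    logins = [LoginEvent(3, "203.0.113.7", "shopper42", "US"),
              LoginEvent(11, "203.0.113.7", "shopper42", "RO"),
              LoginEvent(12, "198.51.100.9", "shopper77", "US")]
    usual = {"shopper42": {"US"}, "shopper77": {"US"}}
    flagged = icmp_deviations(samples, baseline_minutes=10)
    return correlate(flagged, unexpected_locations(logins, usual))

if __name__ == "__main__":
    for inc in run_demo():
        print(inc)
```

The second stage is what keeps the first from paging the NOC on every burst of pings: the spike alone only becomes an incident once the same source IP also appears in an out-of-pattern login, which is the "janitor in the broom closet" check from the story. In a real deployment the baseline would be seasonal (Cyber Monday traffic is not November 3rd traffic) and the usual-location map would come from login history rather than a hard-coded dictionary.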
Days after the Masque Attack had first been identified, hours into the most critical day of the year, minutes into the start of a malicious attack, the attempt had been thwarted, the system healed itself, and new patterns had been created in AccelOps to detect the same issue before it could impact other customers. All worked as expected in the NOC, but what mattered most was that Uncle Lew got his rawhide boots on schedule. Intelink got a Christmas card signed by every employee at the shoe company… and an order to manage another 10,000 servers.
Ray’s not a jovial man. He only watches spaghetti westerns and boycotts YouTube to avoid kittens and babies. When I met him in December, his perpetual scowl gave way to a toothy grin as he shared this story.
Ray, from our whole team, you’re welcome :). You’re going to love what’s ahead.