Information Age: News, analysis & insight for IT & business leaders


Avon and Somerset police

10 February 2006  

Avon and Somerset Constabulary, like all UK police forces, is cyber-attacked every day. But identifying the genuine attacks from the false alarms has become a time consuming chore.

The requirement

When the false alarms from Avon and Somerset Constabulary's intrusion detection system (IDS) reached 500 per week, Rik Kershaw-Moore, the constabulary's information security administrator, decided that it was time to act.

Lacking the time and resources to investigate every warning, what Kershaw-Moore needed was either a better IDS or some kind of filter that would ensure that he was only alerted about genuinely worrying events.

If anything were to get through, it would not only be a huge embarrassment for the constabulary, which covers 1.5 million people from Bristol to Bath, it could also disrupt its ability to respond to emergencies.

"Crime fighting is what we do and we cannot afford things going wrong. It can cost people's lives," says Kershaw-Moore. "We are an easy target because we are a police force."

The constabulary's network security system was not unsophisticated. It consisted of Check Point firewalls at every gateway, an open source IDS and an intrusion prevention system (IPS), developed in-house by Kershaw-Moore. "There was nothing wrong with the product I had developed, I just could not spend any more time developing it further."

The solution

In early 2003, Kershaw-Moore decided to look into replacing his home-grown system with a packaged product, but his budget was not large: just 15,000 GBP.

"After evaluating a few vendors' products I decided to go with ActiveScout [because] it was a simple product that took about two hours to install and was within budget."

Instead of ripping out and replacing the IDS and IPS, the idea was to use ActiveScout to filter out potentially malicious activity at the firewall, forestalling many potential attacks before they happen - and dramatically cutting the number of alarms, false or otherwise.

ActiveScout monitors activity at the network perimeter for evidence of reconnaissance by hackers - the intelligence gathering they have to conduct before they launch an attack. This reconnaissance includes such activities as port scanning.

When such activity is detected, the originating IP address is identified and can be shut down at the firewall.
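The detect-then-block loop described above can be illustrated with a small detector over firewall drop logs. This is an added example written for this page, not ActiveScout's code or the constabulary's in-house IPS: the log line format, the IP addresses, the threshold of ten distinct destination ports inside a sixty-second window, and the `never_block` exemption list are all constructed assumptions. The exemption list is the piece that matters most for the false-alarm problem the article opens with, since an internal vulnerability scanner looks exactly like reconnaissance to a naive port counter; the sample also includes a slow scanner that stays under the fixed window, to show why the window length is a tuning parameter rather than a constant.

```python
"""Port-scan reconnaissance detector over firewall drop logs (added example).

Reads constructed firewall log lines, counts distinct destination ports per
source inside a sliding time window, and emits block decisions for sources
that look like they are scanning. Not ActiveScout's logic; an illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed log format (not a real vendor format):
#   <ISO timestamp> DROP src=<ip> dst=<ip> dport=<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_scanners(lines, threshold=10, window_seconds=60, never_block=()):
    """Return {source_ip: sorted list of all ports it probed} for sources that
    hit at least `threshold` distinct destination ports within any window of
    `window_seconds`. Sources inside a `never_block` network are skipped so
    that authorised internal scanners do not get blocked (a false-positive
    control, assumed here rather than taken from the article)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    exempt = [ipaddress.ip_network(n) for n in never_block]
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in by_src.items():
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in exempt):
            continue
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports_in_window = {e["dport"] for e in evs[start:end + 1]}
            if len(ports_in_window) >= threshold:
                flagged[src] = sorted({e["dport"] for e in evs})
                break
    return flagged


def firewall_block_rules(flagged):
    """Render block decisions as rule strings. Hypothetical syntax; a real
    firewall (Check Point or otherwise) has its own rule language."""
    return [f"block from {src}" for src in sorted(flagged)]


# ---- constructed sample log (all addresses are documentation ranges) ----
def _mk(ts, src, dport, dst="192.0.2.10"):
    return f"{ts.isoformat()} DROP src={src} dst={dst} dport={dport}"


T0 = datetime(2006, 2, 10, 8, 0, 0)
SAMPLE_LOG = (
    # fast scanner: 12 distinct ports in 22 seconds
    [_mk(T0 + timedelta(seconds=2 * i), "198.51.100.7", 20 + i) for i in range(12)]
    # ordinary client: three service ports, not reconnaissance
    + [_mk(T0 + timedelta(seconds=5 * i), "203.0.113.5", p) for i, p in enumerate((80, 443, 25))]
    # slow scanner: 12 ports spread over 110 minutes, under a 60 s window
    + [_mk(T0 + timedelta(minutes=10 * i), "198.51.100.9", 1000 + i) for i in range(12)]
    # internal vulnerability scanner: many ports, but exempt via never_block
    + [_mk(T0 + timedelta(seconds=i), "10.0.0.9", 3000 + i) for i in range(20)]
    + ["malformed line that the parser must skip"]
)


if __name__ == "__main__":
    hits = detect_scanners(SAMPLE_LOG, never_block=("10.0.0.0/8",))
    for src, ports in hits.items():
        print(f"{src}: probed {len(ports)} ports {ports[0]}..{ports[-1]}")
    print(firewall_block_rules(hits))
```

With the default sixty-second window only the fast scanner is flagged; widening the window to a few hours also catches the slow scanner, at the cost of more state per source. In practice a detector like this sits in front of the alerting IDS so that only sources that survive the exemption list and the threshold generate a firewall rule and an alert.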

The benefits

ActiveScout was installed just a few days before the start of the ground war in Iraq, and Kershaw-Moore had the satisfaction of seeing a wave of attempted attacks from the Middle East effortlessly beaten off by the new system.

"The automatic blocking function has been really good. It provides an early warning indicator," says Kershaw-Moore.

"We can also track how viruses are spreading across the Internet," he adds.

Installing ActiveScout has also helped the constabulary to identify genuine attacks. "We no longer have the problem of false positives, which used to comprise one-third of the alerts we received," he says.

The software has also made Kershaw-Moore's life much easier. He is no longer woken up in the middle of the night to troubleshoot what turns out to be a bogus attack, and it enables him to keep track of potentially nefarious activity targeted at the constabulary. "The technology has helped us to save time as well as resources," he concludes.
