Home improvement merchant achieves PCI compliance and operational efficiencies using web traffic security monitoring tools
Each year Howdens supplies around 400,000 complete kitchens to over 260,000 building trade professionals, as well as more than 350 local authorities and housing associations.
Founded in 1995 in order to serve the needs of small builders undertaking routine joinery and kitchen installation work, Howden Joinery is now one of the UK’s leading suppliers of kitchens and joinery products to the trade. Having started with just 14 depots, the company opened its 500th depot in 2011.
Regulatory self-service implications
In 2010 Howden Joinery was looking to implement a new service that would allow customers to access an internally hosted website for them to manage their accounts remotely. The initial scope of the project included taking payments through the site. As this would involve processing card payments, the site needed to comply with PCI DSS regulations.
Ru Gardner, senior security analyst for Howden Joinery Group, commented: “I am responsible for gaining board approval for our end-to-end security policies and ensuring that they are in line with the business strategy at the top level. I am also responsible for evaluating solutions and managing the implementations across the organisation.
“As we were planning on taking card payments online we had to get an intrusion prevention system (IPS), which, in the circumstances, was a necessity rather than best practice as this is one of the requirements of the standard.”
Staying ahead of the competition
As the Group was looking for a solution to protect its internal web server, a key requirement was that the IPS selected should be capable of inspecting Secure Sockets Layer (SSL) encrypted traffic. SSL is a cryptographic protocol that provides secure communication across the internet, covering encrypted key exchange, privacy and message authentication. In recent years the use of SSL-encrypted traffic has exploded due to the enterprise-wide usage of cloud computing, secure e-commerce, Web 2.0 applications, email and virtual private networks (VPNs). Surveys show 25-35% of enterprise traffic is SSL-encrypted, and this number is even higher when dealing with internal web servers.
Conscious of the fact its current system was not geared to inspect SSL-encrypted traffic, the company was keen to plug this hole in its defences. It spoke to data specialists, Synetix Solutions, to help find the best IPS system to meet its requirements.
Gardner continued: “After speaking to Synetix it was evident that Sourcefire and HP Tipping Point were the only products that would allow us to use IPS on SSL traffic, which narrowed the field considerably. While SSL traffic can be hijacked with malicious content and enter undetected, the ability to decrypt SSL traffic would allow us to debug applications that run over SSL, in particular HTTP traffic, and would also give us greater visibility of what was happening on our network.”
Working to tight deadlines
Howden Joinery was working to a tight timescale of just three weeks to ensure a pilot of the website would be available to present to the board. On the advice of its partner Synetix, and following a series of penetration tests, it was evident that Sourcefire would be the most suitable product for Howden Joinery Group to deploy. The initial implementation took place in September 2010 and the pilot website went live in June 2011.
Gardner commented: “Sourcefire’s technology stood up to the penetration testing well. The initial deployment was very quick. Sourcefire was able to get us up and running in just a couple of weeks. To ensure we met the timescales they first deployed kit that would allow us to see the pilot through and get the site going and then replaced this later on with two new 3D 1000 sensors when we signed a full deal.”
Today, Howden Joinery uses Sourcefire’s SSL appliance to decrypt SSL traffic and send it to existing security and network appliances via dedicated high-speed Ethernet links. This enables the Sourcefire 3D sensors to identify risks normally hidden by SSL such as regulatory compliance violations, viruses, malware, data loss and intrusion attempts. Once the SSL traffic has been inspected and approved, the SSL Appliances place the SSL-encrypted traffic back on the network for its final destination—all with minimal latency and without altering SSL packets.
Dynamic security monitoring
The SSL Appliance sits at the front-end of the Sourcefire 3D 1000 sensors, which are positioned on the primary and secondary web servers. Howden Joinery Group also implemented Sourcefire’s FireSIGHT technology, which provides the ability to build a dynamic profile of all assets on the network. These sensors are designed to provide real-time, passive profiling information on traffic flowing across the network, identifying hosts, devices and services, and then feed this information into the Sourcefire Defence Centre (DC).
The intelligence delivered by FireSIGHT provides context to help prioritise the potential impact a threat could have on the Howden Joinery network, thus decreasing the number of false positives the system delivers and, as a result, reducing the demands on the Howden Joinery security team.
Gardner said: “We are using the Virtual Defence Centre and have found it to be a very useful tool with an intuitive interface that is easy to use and understand. I find that 95% of my queries can be handled using the DC interface. It is a vital aid in monitoring incidents through its easy-to-follow flagging system; it works well with the sensors to help us know what events we need to react to and what ones we don’t need to worry about.”
Potential to be so much more
Initially Howden Joinery received technical support through a third party. However, in 2011 when the pilot website had gone live, the company decided to go directly to Sourcefire for support as it had originally set up the sensors and Howden Joinery Group felt that more help was needed on the implementation.
Since receiving the additional training, Howden Joinery Group has found that it uses the Sourcefire 3D System a lot more, as Gardner explained: “I do a lot more work on the box now that I have had the training. It taught me a lot and filled gaps in my knowledge. I found it very useful and am keen to arrange more. Compared to a lot of technical courses, this was one of the good ones and it has really opened up more benefits of the technology.
“We now have better control and understanding of the immediate environment surrounding the web server, which has proved to be very useful. The FireSIGHT technology has also given us some unexpected efficiency gains. For example, it highlighted that the initial protocols used for our web server back-end databases weren’t operating the way the documentation suggested they should be. As a result it enabled us to identify more quickly why things weren’t working and get things configured correctly. The FireSIGHT technology has also helped us to identify some areas where proper procedures relating to accessing information were not being followed properly, giving us the opportunity to correct behaviour.”
Strengthening third line of defence
Since embarking on this project Howden Joinery reduced the scope of its original web project and outsourced the payments element to a third party. While the PCI compliance is no longer a primary driver, the company is still seeing the benefits of having the system in place and is considering future projects with Sourcefire.
Gardner concludes: “While there is no longer a regulatory reason for having IPS, I am still happy that we embarked on this project as it has made me see the benefits of IPS for our business. Sourcefire acts as a third line of defence to catch anything that makes its way through our traditional and application firewalls. The IPS sits behind that in case anything gets through and gives us peace of mind that we are well protected.
“At the moment we are mainly using it to protect HTTP traffic, but we know it has the capability to do so much more. For example, I have seen that the compliance and whitelists work and would like to be able to use that functionality in other areas of our network. I am definitely interested in expanding out the project to make further use of IPS. If we do go down that route, Sourcefire will definitely be our first port of call.”