FIRST - Improving Security Together 18th Annual FIRST Conference - June 2006 - Baltimore, Maryland

A Strategy for Inexpensive Automated Containment of Infected or Vulnerable Systems



Business/Management Track

Wednesday – June 28th, 15:00

Early warning and detection mechanisms, including distributed intrusion detection systems and honeynets, are often deployed to detect machines newly infected by worms and viruses. In a large enterprise network, especially in universities with more than 30,000 online nodes, it is often a challenge to cost-effectively contain and remedy these infected or critically vulnerable machines. Universities are unlike corporations because they cannot impose overly restrictive policies that could hamper research and sharing. In corporate environments, network users are primarily rule-abiding employees; in university environments, the bulk of the network users are students, who are effectively customers.

In this paper, I shall detail an inexpensive strategy currently deployed at the National University of Singapore that has proven quite effective in the containment and remediation of these infected or critically vulnerable machines. On the technology side, the strategy involves in-house integration of open-source early warning and detection mechanisms coupled with self-developed quarantine mechanisms and self-help portals; on the process side, it involves formalising the user workflow.

With the framework and infrastructure in place, we are able to contain both infected and vulnerable systems rapidly, and to send new virus variants that went undetected in our environment to our corporate antivirus vendor so that it can develop new detections. In the period from Jan 2005 to Sep 2005 alone, we submitted more than 30 binaries.

This strategy played an important role in helping the National University of Singapore become one of three finalists in the MIS Asia Best IT Security Strategy international award 2005.

I will discuss how management approval for this project was justified, how the project, which involved multiple groups including the helpdesk and network teams, was implemented, which steps led to success and can be followed by others, and which pitfalls to avoid. Through this paper, I hope that sharing our experience with the strategy that helped us, and the pitfalls to avoid, can prove valuable to universities and similar organisations in the FIRST community that do not already have such a strategy in place but face enterprise-level threat mitigation issues and inhibiting cost factors.

Authors & presenters

  • Steven Sim Kok Leong, presenter (NUSCERT – National University of Singapore, SG)
