The saying goes, ‘What happens in Vegas, stays in Vegas’.
For the casino owners, though, the saying should be more along the lines
of, ‘What money they make in Vegas should stay in their bank accounts’.
So when computer hackers try to steal vital information out of the
customer databases of the major Las Vegas hotels and casinos, it’s a big
concern. To combat the hackers — and to keep their information and
money in place — the casinos have worked hard to develop sophisticated
The Riviera Hotel & Casino, for example, is one of them. The hotel,
which will celebrate its golden anniversary next year, has more than
2,000 guest rooms.
Like most other businesses of any significant size, the Riviera was
subject to a wide range of attacks from purveyors of malicious
code. But being a player in the glaring lights of Las Vegas draws even more attention from the blackhat crowd.
“We’re being constantly attacked,” says Tim Wilbur, network
security specialist with the Riviera.
The company recently decided to shop for an intrusion detection system
(IDS) to better identify and manage the threats. The Riviera’s security
staff had been monitoring attacks by “drudging” through firewall logs,
watching the network for traffic spikes and trying to monitor the
“But we wanted to take the guesswork out of our security approach,”
says Wilbur. “I wanted to know the when’s, where’s, how’s and how
The staff decided to look at a few alternatives for intrusion detection
solutions. They considered a product from Recourse Technology, but after
Symantec acquired that company, the Riviera staff detected a dropoff in
customer service and got turned off. They also looked at the Snort open
source software, and its GUI with log consolidation. But in the end, the
team decided on Sentivist from NFR Security.
“Ultimately, we went with NFR based on price and product,” Wilbur
says. “NFR offered more information in a consolidated way for less
money. The level of detection was more in-depth and provided more
information, including information about ‘false positive’ situations and
a reference guide with information on suggested corrective actions.”
The implementation required a “crash course in Linux,” since Sentivist
uses a hardened Linux OS within its appliance. That, however, did not
prove to be much of a stumbling block for the Riviera team. The product
has met the IT team’s expectations, and they report a positive
“The Riviera is not just a hotel. It is in the gaming industry,” says
Andre Yee, CEO of NFR. “So there are many credit card transactions in
their environment, and other confidential financial information related
to clients and guests. They all need to be protected, and a firewall is
not enough. A skillful attacker can circumvent a firewall.”
NFR differentiates itself through its use of both protocol anomaly
detection and signature pattern matching in a hybrid approach. The product
is priced from $11,000 for 100Mbps throughput to $22,000 for 1Gbps throughput.
The biggest trend in the IDS market is the move to intrusion prevention,
says Andrew Braunberg, senior analyst for information security with
Current Analysis, an industry research firm based in Sterling, Va.
These competitors, in addition to NFR in the IDS market, include Cisco
Systems, Inc., ISS, Inc., Network Associates Technology, Inc., and
Symantec Corp. NFR does have plans to move into intrusion prevention in
the second half of this year.
“It has interesting technical advantages,” says CEO Yee. “Many
security administrators are not comfortable putting an appliance in
line, so we put in a mechanism that allows customers to calibrate the
risk of dropping legitimate traffic.”
A key trend is the ability to reduce false positives and prioritize
threats, says Braunberg of Current Analysis.
“If you have vulnerability assessment data married to threat management
data, that allows you to prioritize what the really important threats
are to the network at any one time,” Braunberg says. “That is what an
effective IPS does, theoretically. And all these companies are looking
The Riviera’s Wilbur offers some advice about the search for an IDS
implementation: “Product demonstrations are absolutely necessary.
Intrusion detection can become very labor intensive due to the amount of
information passing through the lines today. In my case, consolidation
and explanation was key.”