Profile of an Internet Superhero: Inside the X-Force

They may not wear capes, carry futuristic laser guns or live in underground lairs, but members of Internet Security Systems’ (ISS) X-Force team are accustomed to being summoned to work in the wee hours of the morning, on holidays and on weekends to fight crime and save the world — or, at least, the business world as we know it.

ISS formed X-Force in 1994 to proactively detect network vulnerabilities, threats and design weaknesses that could allow hackers to misuse or attack operating systems and applications, Dan Ingevaldson, director of X-Force research and development, told the E-Commerce Times.

While X-Force is not a profit-oriented business unit, ISS uses the knowledge gathered by the team to develop new products and manage customers’ network protection services, Ingevaldson said.

Toy Box

As part of their job on the front lines of Internet security, X-Force members get to play with some of the latest high-tech equipment. “We are engaged by our customers to attempt to go out and compromise their networks,” Ingevaldson said. “It’s a really good way to provide to our customers a peek at how secure their networks are and what can happen.”

Toward that goal, “ISS spends about 18 percent of revenue on research and development to provide dynamic security,” Ingevaldson added. “A typical security company spends approximately 10 to 11 percent.”

Typically, X-Force concentrates its efforts on the types of products used by many of its approximately 11,000 enterprise and government clients. Still, individual users and small companies also can reap the rewards of the team’s labor.

Spread the Word

After X-Force discovers and confirms a vulnerability, the team works with the software developer, which then has 30 days to develop a patch or fix. A day after alerting the vendor, X-Force issues a security brief to the X-Force Threat Analysis Service (XFTAS), a paid service for ISS clients that allows prenotification of discovered vulnerabilities under a nondisclosure agreement (NDA).

Before alerting the public at large, X-Force works with the vendor to understand the vulnerability and provides detailed information about the flaw, proof-of-concept and exploit code, and any special testing instructions, said Ingevaldson. “The X-Force is also available to test the effectiveness of the patch developed,” he said. “[Usually], X-Force will issue an advisory to the general public after 30 days, recommending the specific action set forth by the vendor.”

In addition, if a highly transmittable worm or virus is emerging, X-Force members analyze the malware to figure out how damaging it could be if left to roam, then decide how to neutralize it. ISS subsequently releases this data through an automatic, self-installing product update for its clients.

The group also works with national entities, such as Information Technology-Information Sharing and Coordination (IT-ISAC), the U.S. Department of Homeland Security and Carnegie Mellon’s Computer Emergency Response Team (CERT).

Join the Team

The organization, which has about 150 employees, maintains two Security Operation Centers in the United States, plus one each in Padova, Italy; Tokyo; Rio de Janeiro, Brazil; and Brussels, Belgium. Although some security companies have hired — or have been founded by — “reformed” hackers, this is not one of ISS’ hiring practices, according to Ingevaldson.

“We do not hire hackers. I think it’s a really interesting business plan to go into the government or a bank and say you’ve hired a bunch of ex-hackers who will handle their security now,” he said. “People think hackers are the only ones who can do this stuff. They’re not. Our guys are athletes. They really know what they’re doing.”

For example, X-Force recently hired a former Intel engineer — someone who had worked on chip architecture and compilers — as part of the team, Ingevaldson told the E-Commerce Times.

“Developers are trained to build things. Security people are trained to destroy them,” he said.

Perks and Pain

For any tech-savvy person, the main perk of working at X-Force or a similar security threat center seems obvious: access to high-end equipment in an atmosphere that encourages creative thinking. But drawbacks exist as well, primarily in the form of emergency phone calls at inconvenient hours of the day and night.

“All of us are on call basically all the time,” Ingevaldson said. “It’s certainly not an easy job.”

Even when there is no emergency, X-Force monitors the “global threat landscape for any unusual activity, and analyzes that information to understand exactly what is happening and what it means for ISS customers,” he added.

Between 1998 and 2002, X-Force represented “53 percent of all high-risk vulnerabilities discovered by commercial research entities,” he said, adding that this is three times more than any other similar group.

Getting Tougher

In today’s security climate, the team’s job is not about to get easier. A growing number of hackers are pursuing profit, not glory, and are therefore not bragging about their technological conquests. Instead, they are keeping their discoveries secret in hopes of exploiting them for financial gain.

“The real black-hat hackers have really kept quiet for the past few months,” Ingevaldson confirmed. “I think the [hacker] community is driven by the fact there’s a real paycheck out there.”

Despite increased security awareness among consumers and businesses, risks still abound. For example, X-Force members recently were able to download 300,000 credit card numbers and related information from one e-commerce client, look up life insurance policies at an insurance company, and display a wealth of patient information — including MRIs — for one hospital client, according to Ingevaldson.

“We feel every time we find a vulnerability … we’re effectively removing a tool from a hacker’s toolbox,” he said. “It’s very much an arms race. Our Web sites are targeted constantly. It’s just the cost of doing business.”

Despite this ongoing threat, organizations like ISS, enterprises and government groups that are quick to fix and prevent security holes, and developers anxious to eliminate — or at least drastically reduce — security concerns continue to make the world a safer place to surf. “I do plenty of buying on the Internet,” Ingevaldson said. “I think credit card companies have done a good job of removing some of the risks.”