For more than a century, Arkansas State University has prided itself on academic freedom, and that openness hasn’t changed in an evolving era of digital connectivity and mobile computing.
ASU, which serves 10,000 students at its main campus in Jonesboro, Ark., runs 65,000-plus public IP addresses on its network, doesn’t filter end-user access to the internet and grants just about everyone administrative privileges on their own devices.
This policy, while beneficial for the university’s educational and research mission, has also made it a prime target for nefarious attacks. Even so, ASU continued to operate a largely decentralized, reactive security approach — until recently.
“We utilized firewalls to block access to computers and other university assets,” says IT Security Coordinator Timothy Cureton. “But where access was more open, we had no idea what was traveling across the network or inside the university.”
That changed dramatically in 2012, when 250 of ASU’s employees and retirees discovered that someone had used their personal and financial information to file fraudulent tax returns. Although the IT team could never pinpoint exactly how the breach occurred, it marked a turning point in ASU’s security strategy and philosophy.
“Before that point, we had some policies about IT security, and we did some things to comply with Payment Card Industry Security Standards, but the rest of it was an afterthought,” Cureton says.
A Paradigm Shift Following a Data Breach
After the breach, with support from senior leaders, the ASU security team took steps to implement a comprehensive, end-to-end security solution. They’ve since made significant strides in developing stronger enterprisewide policies and employing the best technology solutions.
For example, to increase visibility into activity inside the network, the security team installed a Palo Alto Networks next-generation firewall, which can detect and mitigate network intrusions and malware. It also provides real-time insight and control over who and what is traveling within the network.
“We are able to be much more dynamic in our ability to look at users and applications and determine who within an Active Directory group is allowed to use a certain port,” says Cureton, adding that IT can also set access by user and by application.
“The intrusion detection portion of the tool is constantly watching the data for known threats and known files, and keeps us alerted to what is going on at all times. With traditional firewalls, we just didn’t have the dynamic ability to do that.”
Cureton and his team also moved to lock down endpoints. ASU now uses Carbon Black Protection to automatically block users from downloading unapproved applications or running any embedded script and other malicious code sent through email attachments.
To increase end users’ understanding of their role as the last line of defense and to encourage vigilance, ASU plans to incorporate a tool such as the PhishMe Human Phishing Defense Solution, which sends fake phishing emails to users and transfers anyone who pushes the embedded link into a training module.
“We are constantly working to make sure that we incorporate layers of security, all working together to help protect the university’s data and assets,” Cureton says.
He notes that many of the security solutions, including the Palo Alto Networks firewall and Carbon Black Protection, “talk” to each other and share information about emerging threats, which adds one more layer of protection. “At the same time, this approach still allows us to have that openness that we’ve always had and want to continue to have.”
Prepping for Sneaky and Sophisticated Security Threats
Moving to an end-to-end security approach often requires a great deal of resources and resolve. This type of across-the-board strategy is increasingly necessary, says Donald Schattle II, information security officer for Providence (R.I.) College, which has implemented a fully layered, end-to-end defense.
“The threats are just so sophisticated now, from highly morphing, complex viruses and malware to the advanced persistent threats from all the national and international players that are constantly probing the network for exploits,” Schattle says. “Email has also become a huge vector of attack for schools like us, whether from phishing emails or attachments that contain a payload for a virus, ransomware or a root kit that can go out, get installed and download information in the background. So nowadays, you’ve got to constantly work to cover any gaps into and out of your network.”
Providence College long ago replaced traditional firewalls with a next-generation firewall. It now uses encryption to protect personally identifiable information and other highly confidential data, while two-factor authentication and network segmentation limit access to information on a need-to-know basis. The latter tools would also limit the damage if an intruder did somehow make it through perimeter and network defenses. A mix of data loss prevention and anti-virus, anti-spam and anti-phishing tools helps harden the endpoints.
Tools to Hit a Moving Target
Central to Providence’s defensive posture, however, is FireEye’s Network Threat Prevention Platform. The tool is designed to identify and block polymorphing advanced persistent threats such as malware, ransomware and botnets, which are increasingly adept at slipping through a firewall undetected. It can also scan endpoint devices for these types of infections, block them from entering the network and send an alert to the security team.
“For us, FireEye has been a phenomenal asset,” Schattle says, noting that the college was one of its early adopters. “We have a very high level of trust in it. If we get a new device that comes onto the network and FireEye says there’s a problem on that machine, we have a high level of confidence in the alert and immediately send our incident response team out to quarantine and then reimage that machine.”
Still, Schattle says, technology only goes so far. Sophisticated solutions radically increase real-time visibility into network activity and empower administrators to proactively shut down threats before they inflict damage. However, he says, it’s still important to continuously bolster compliance programs, incident response, patch management infrastructure, change management and review processes, and security awareness training.
“You’ve got to have communication and good working relationships and understand that potential gaps and vulnerability are always a moving target,” says Schattle. “So you’ve got to be constantly on guard and always asking, If someone gets through one layer of defense, what is your next layer and how strong is it?”
Transforming Security Policies from Reaction to Action
Tulane University in New Orleans has had an end-to-end security solution in place for years, relying on a mix of firewalls, intrusion detection systems, and anti-virus and anti-spam programs. The weakness, however, was that it provided only minimal protection across the spectrum.
“Nothing was proactive,” says CISO Hunter Ely. “We found things just by happenstance or when someone would report a problem.”
In 2015, Ely and his team took steps to enhance and strengthen their defenses at every point — and beyond. They first installed Cisco Systems Umbrella (then known as OpenDNS), a cloud-delivered enterprise security solution that provides an initial, proactive line of defense for the network perimeter. The team later added a Palo Alto Networks next-generation firewall and the FireEye Network Threat Detection platform. Together with Cisco Umbrella, these tools share information and work in tandem to layer protection even further.
It didn’t take long for Tulane to see the benefits of a more proactive, hard-core approach.
“When we turned on OpenDNS, it was immediately apparent that we had a fair number of machines that were all participating in a botnet, which was a huge concern because that meant it was either exfiltrating Tulane information or using our network to launch denial-of-service attacks against someone else,” Ely says. “So between OpenDNS and FireEye, we have since removed dozens and dozens of machines from the network that were participating in that botnet. That was a huge deal for us.”
Focus on the Network for Security
Although Ely describes his approach as end to end, he also says that his team focuses on network-based, rather than host-based, security. One reason is that hardening endpoints remains a challenge. The university does rely on a Trend Micro anti-virus solution for its own computers, but it has less control over those belonging to students, who use an average of five devices each.
“That always takes us back to the idea that we really have focused our efforts on looking for solutions that can work on the network layer, instead of closer to the host,” Ely says.
As part of that effort, he worked with other institutions to implement OpenDNS on the state research network. “That puts protection even farther up the network, which not only improves our situation but those of others who use that network,” he says.
Still, the OpenDNS Updater client is “a huge help” for host-based protection, he says. In addition, the Palo Alto Networks next-generation firewall features a cloud-based network threat detection service, WildFire, which complements and overlaps the FireEye platform in its ability to analyze outgoing and incoming file attachments for malware and other malicious code.
Even though Ely and his team have achieved significantly more performance and visibility, they stay on the hunt for ways to bolster their defenses.
“It’s no longer a case of either/or when it comes to security,” Ely says. “It’s an additive function, and you’ve got to constantly be fighting with a multipronged approach.”