Colleges Use Sandboxes, Endpoint Tools to Block Malware

The open culture on many campuses makes colleges a favorite target of hackers.

In fact, Neal Moss, systems and network analyst at Brigham Young University–Hawaii, says hackers often use college networks as a platform to launch more elaborate attacks on Defense Department and other university or business systems.

Combine that reality with the general growing threat landscape and the constant illegal video and audio streaming that goes on across campus, and Moss realized he needed some new security tools. He opted for sandboxing and endpoint tools from Palo Alto Networks.

Moss says Palo Alto Networks WildFire and Traps security tools identify and block advanced persistent threats (APTs) and zero-day exploits in ways he couldn’t in the past.

When WildFire detects malware, it sends it to the sandbox at Palo Alto Networks for analysis. The vendor’s next-generation firewalls then automatically block the malicious files from activating in the network. Palo Alto Networks Traps works in conjunction with WildFire to prevent endpoint attacks.

“All of this is done automatically, often in under two hours,” Moss says. “It saves us a great deal of the manual work we had to do in the past where we had to physically take a computer off the network and remove the malicious code by hand. Plus with Palo Alto Networks, we’re part of a whole community of users and are protected from all the malware that other organizations have blocked.”

Frank Dickson, a research director for Frost & Sullivan who covers network security, says the university wisely came to the conclusion that it needed more protection than anti-virus software alone could provide.

“There’s a lot of talk now about organizations not needing anti-virus software,” Dickson says. “That’s not really the case. What IT staffs need are tools that complement and extend anti-virus. What’s different is that many of these new tools have been developed to detect and block the latest APTs and zero-day exploits.”

Methods to Fend Off Attacks

At Virginia Commonwealth University, Chief Information Security Officer Dan Han uses the FireEye Malware Protection System to fend off malware infections of varying sophistication.

“Once we put the FireEye equipment in, we started seeing malware that the anti-virus software wasn’t picking up,” Han says. “The FireEye equipment is really good at filtering out false positives so we can see the activities that really matter.”

VCU initially deployed FireEye MPS in an out-of-band manner so it wouldn’t disrupt the network. But because there weren’t many false positives adding latency, earlier this year the university began running the appliance in-line.

“Now with the added visibility we get from FireEye, we can prioritize the threats and deploy a more streamlined incident response process,” Han says. “While nothing is perfect, we’re finding that many malware variants aren’t reaching the workstations and that many of the manual processes we used to have to go through to remediate infections have been automated.”

Key Product Considerations

Frank Dickson, a research director for Frost & Sullivan who covers network security, offers three questions IT managers should ask when selecting sandboxing and endpoint security tools to supplement anti-virus software.

1. Which devices do the tools support? Not all sandboxes or endpoint tools support every operating system. Ask the manufacturer which OSs it supports and make sure that support corresponds to what’s used on the network.
2. Which file types do the tools support? Possibilities include basic Microsoft Office apps, along with other types of executables, compressed files and Java files. Every network is unique.
3. How well do the tools respond to anti-evasion techniques? Hackers are clever and cunning. Hundreds of techniques have been developed to evade sandboxes. For example, some malware will check to see if the tools are running in a virtual environment, which would allow it to spread throughout systems.