Apr 28 2015

Schools Respond to Growing Threats with Sandbox, Endpoint Tools

IT managers say the latest security tools complement anti-virus software to fight advanced persistent threats and zero-day exploits.

Brett Miller, CIO for Jeffco Public Schools in Golden, Colo., says parents have become very concerned about privacy and IT security in the wake of the Target and Home Depot breaches, as well as media reports on the National Security Agency and Edward Snowden.

“I think we are experiencing an educational landscape that may be maturing in a similar fashion to the medical and financial institutions that occurred much earlier,” Miller says. “We have also seen increased attention on K–12 environments in the form of denial of service attacks on our systems as well as neighboring metro school districts, especially during testing cycles.”

To combat the rise of advanced persistent threats (APTs), zero-day exploits and distributed denial of service attacks, Miller says the district’s security team deployed the FireEye NX appliance at the start of the 2014–2015 school year. The device sits in-line on the district’s Internet segment and performs sandbox-based malware analysis.

Miller says the district also purchased the FireEye HX appliance for endpoint malware protection. Both of these appliances look for indicators such as callbacks to known malware IP addresses, privilege escalation, registry access and MD5 cryptographic hashes matching known bad executables.

“Our security team spends a lot of time watching the FireEye dashboard and issuing tickets to our field teams to investigate alerts where we have visibility into our Trend Micro anti-virus management tools to better coordinate responses to anti-virus and malware alerts,” he adds.

Frank Dickson, a research director for Frost & Sullivan who covers network security, says the district wisely came to the conclusion that it needed more protection than anti-virus software alone could provide.

“There’s a lot of talk now about organizations not needing anti-virus software,” Dickson says. “That’s not really the case. What IT staffs need are tools that complement and extend anti-virus. What’s different is that many of these new tools have been developed to detect and block the latest APTs and zero-day exploits.”

Secure One-to-One Computing

[Infographic: the number of hits related to a recent zero-day exploit in Adobe Flash used in malvertisement attacks.]

SOURCE: TrendLabs Security Intelligence Blog, “Trend Micro Discovers New Adobe Flash Zero-Day Exploit Used in Malvertisements,” February 2, 2015

For Justin Lightfoot, network administrator at McLean County Unit School District No. 5 in Normal, Ill., the district’s security posture stems from its one-to-one computing program.

To extend protection for students outside the confines of the school buildings, the district deployed the VPN client and firewalls from Palo Alto Networks, Lightfoot says.

Recognizing the heightened threat landscape today, the district also started using the WildFire sandbox from Palo Alto Networks, he says. The sandbox sends suspicious files to Palo Alto Networks’ cloud, which analyzes them and reports back to the district whether each file is malicious. Once a file is determined to be malicious, it is blocked automatically.

“This saves a great deal of manual work,” Lightfoot says. “In the past, we would have had to grab the machine, take it off the network, inspect the files and then install packet capture tools to blacklist the files. Now, the inspection process is practically automatic, and it blocks the malicious files for the future.”

Lightfoot says the combined Palo Alto Networks security tools have also greatly improved network performance. He says there’s much less adware and spyware on the network than in the past.

“We’ve had practically no problems with slowdowns,” he says. “The only time we did was during the Christmas holiday season last year when teachers tend to show more videos than normal, but other than that, the network has been fine.”

Key Product Considerations

Frank Dickson, a research director for Frost & Sullivan who covers network security, offers three questions IT managers should ask when selecting sandboxing and endpoint security tools to supplement anti-virus software.

  1. Which devices do the tools support? Not all sandboxes or endpoint tools support every operating system. Ask the manufacturer which OSs it supports and make sure that support corresponds to what’s used on the network.
  2. Which file types do the tools support? Possibilities include Microsoft Office file types, as well as executables, compressed archives and Java files. Every network is unique.
  3. How well do the tools respond to anti-evasion techniques? Hackers are clever and cunning. Hundreds of techniques have been developed to evade sandboxes. For example, some malware checks whether it is running in a virtual environment and stays dormant if so, so that it passes through the sandbox undetected and can later spread throughout systems.
