Network Security

Case study: Fit for a queen


The list of its alumni who rose from humble beginnings to prominence stretches from Robert Moog, the inventor of the Moog synthesizer, to musicians Carole King and Paul Simon and comedians Joy Behar, Roy Romano and Jerry Seinfeld. But none of these distinguished figures ever had to contend with the challenges Morris Altman, director of network services and internet security officer at Queens College, faces on a daily basis: malware.

Queens College is located in Flushing, Queens, the easternmost and largest in area of the five boroughs that make up New York City. Perhaps most readily identified as the home of LaGuardia Airport and Mets ballpark, CitiField, the borough is also home to a diverse population – of its 2.3 million residents, half are foreign born.

The college is one of nearly 20 schools spread throughout New York City comprising the City University of New York (CUNY) system. With 20,000 students and 5,000 faculty and staff, Queens College faced the modern-day plague of network attacks. And Altman, along with about 40 full-time and 100 part-time personnel on his IT security staff, were challenged with preventing computers from becoming infected and adversely affecting network performance of both the student and faculty population. 

Our experts:
Preventing malware

Morris Altman, director of network services and internet security officer, Queens College 

Jack Marsal, director of solution marketing, ForeScout

“So we needed a solution that would not only let us better manage and organize corporate assets, but also provide continuous monitoring of our network, and ultimately comprehensive visibility and policy-based control over devices accessing or on our network,” says Altman. 

Before searching for a network security solution, his team had no way to effectively estimate the number of devices, including desktops and laptops, that were connecting to the Queens College networks. Therefore, he says, being able to identify and classify these endpoints was imperative while at the same time he looked to improve the school's network security posture. “More so, we had to securely manage users, students and faculty and their personal mobile devices connecting to our computing resources.”

Another issue that prompted his team to search for a new network security platform was the increasing incidence of more sophisticated threats – including zero-day and propagating worms. It was not uncommon, he explains, for hundreds of computers on the network to be regularly infected – leading to the spreading of malware to other machines. These threats even consumed enough bandwidth to take the college network services offline on a number of occasions.

The network group – specifically the CIO – began the search for a solution. A number of offerings either failed evaluation or could have potentially created future limitations, such as bandwidth limits of in-line network security solutions, says Altman.

“We initially turned to ForeScout CounterACT to help protect us against advanced threats and propagating worms, which, in the past, would have infected hundreds of computers, literally bringing the network to a crawl.”

Eliminating infections

Once the college had CounterACT in place, the first time a new worm broke out, Altman's team only saw three computers become infected. Those three were immediately isolated from the network and the infection was contained. Additionally, those three users were automatically notified of the problem and were instructed to call the help desk so the IT team could rectify the situation. “Instead of weeks, problems were solved in less than a day and had minimal impact on our students, faculty or staff,” Altman says.

After such a positive experience with the initial implementation, the IT team expanded its use of ForeScout CounterACT to enhance visibility and control over who and what types of devices were connecting to the networks. 

“Prior to CounterACT, we were forced to conduct manual investigations – even going through firewall logs to identify infected devices and one by one disabling their network ports,” says Altman (left). At that time, the user and help desk didn't know why their network ports went down, he adds, which required more resources to determine the source and scope of problems and could take weeks to resolve. As a result, both the network group and the help desk shouldered a huge workload.

“ForeScout CounterACT works with a majority of existing networks, both wired and wireless, and integrates with the existing switch, identity and access infrastructure,” says Jack Marsal, director of solution marketing at ForeScout, a Campbell, Calif.-based network security company.

“ForeScout CounterACT automatically identifies, classifies and applies security policy to all network devices,” he says. “Unlike first-generation network access control systems, CounterACT continuously monitors devices on the network to ensure that they remain compliant with the organization's security policies.”

The tool ships with numerous policies out-of-the-box and offers customers a great deal of flexibility in terms of designing custom policies that are tailored to their environment, Marsal says. “For example, CounterACT can inform users if they are running prohibited kinds of software. This allows users to take corrective action. If corrective action is not taken, CounterACT can block the user's device from the network.”

The offering also includes the ability to identify when malware is trying to spread through a network and it blocks the propagation, Marsal says. This is done without any need for signatures or signature updates, so the management overhead is very low compared to traditional IPS systems. 

“We needed a solution like ForeScout CounterACT to help us reduce the risk of security breaches and threats to our students' computing resources,” says Queens College's Altman. Prior to implementing the appliance, the college had a significant number of network outages that cost Altman's team time and money and severely disrupted the experience of students and staff. “We needed a solution that could protect our network while providing us with ROI. Plus, in higher education, the students are your organization's customers, and if they are inconvenienced or unhappy, it affects the business.”

The solution is easy to operate, says Altman. And, he adds, “It has done a great job for us for many years. We've maintained our CounterACT appliance as updates have been released, and we are currently using the CounterACT Enterprise Manager, which has centralized administration of our four CounterACT 4000s.”

Improved network uptime

Altman and his IT team also use CounterACT to automate help desk alerts. Prior, individuals with a networking, system or security issue would have to call the help desk on their own. Now, he says, with the ForeScout solution, the help desk knows of the issue – often before the user does – and calls them first to resolve the issue quickly and conveniently. 

“CounterACT benefits span across the entire IT team at Queens College,” says Altman. “Asset management uses it for visibility into the network. For example, the endpoint team is monitoring device posture, the help desk is examining what's going on with the device when an issue is reported, and the network and security teams are constantly monitoring for risks and exposures.” Further, he adds, students and staff can even use CounterACT desktop support for personal patches. 

The implementation improved network uptime. Whereas prior in the early 2000s, the school would have security incident-related network outages at least two or three times per year, now it no longer has outages and enjoys nearly constant uptime.

Another benefit, the tool allows Queens College to comply with copyrights as it is able to limit P2P software, says Altman. “We're using CounterACT to block unauthorized and noncompliant users.” That's an added benefit because, like all colleges and universities, the school must comply with such regulations as the Digital Rights Millennium Copyright Act, which makes it illegal to produce and disseminate technology, devices or services aimed at getting around DRM measures that regulate access to copyrighted works. The ForeScout solution assists IT in resolving take-down notices for music and movies with copyright violations being downloaded from peer-to-peer software.

Easy installation

In many situations, CounterACT does not require any agents to be installed on the endpoint, ForeScout's Marsal points out. “This makes CounterACT much easier to install and maintain than other NAC products that require agents.”

The gadget integrates with many different types of security systems, he adds. “The goal is to share information and automate actions. By coordinating security intelligence and automating security responses, you obtain a higher return on investment from your existing systems, and you shorten the window of time that an attacker has to gain a foothold in your network.”

At Queens College, this means that unauthorized applications are blocked from running on the network and CounterACT allows the IT teams to notify students and faculty when their machines are lacking up-to-date software. This feature also supports the Family Educational Rights and Privacy Act (FERPA) – a federal law that protects the privacy of student education records – by keeping all endpoints up-to-date.

The tool itself does not require constant updates. Thus, it requires very little in terms of management overhead, Marsal (left) points out. “If CounterACT discovers that an endpoint computer is running old software, it can trigger the endpoint to fetch an update, or it can automatically run a script on the endpoint to install the updated software.”

The offering is deployed on all parts of the Queens College wired and wireless network. Some other CUNY colleges have adopted ForeScout following success at the Queens campus.

And, Altman says his team will continue to add appliances to support additional users. For example, they recently added FireEye to the edge of its network to act as a sensor for computers that have become part of a botnet. The FireEye appliance is integrated with the ForeScout network, which alerts the end user and the Queens College help desk, and then blocks internet access until the endpoint is remediated. 

“Being vigilant with regard to updating signatures and reputation lists, or monitoring for network anomalies, is no longer good enough,” says Altman. “With FireEye and ForeScout, we know the details, security posture and activity of all devices on our network, and we can automatically isolate violations, malware and affected systems before anything gets out of hand.”

Altman says there is no resting on laurels, however. His team has seen a huge increase in phishing over the years in the college environment. He also needs to make sure systems are up-to-date and have active defenses. “Until we had CounterACT, we really didn't have an idea of how many devices were on our networks, or if they were compliant and up-to-date.”

The tool, he says, allows his team to “discover all sorts of things. We now know that there are about 6,000 wireless and 5,000 wired endpoints at any given time.” 

This detailed insight on network endpoints allows his team to understand the diversity of devices and prioritize the devices or operating systems it supports when new applications are released, he says. For example, if only 10 users have Windows phones and thousands have Android and iPhone devices, the priority shifts, he explains. n

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.