3 Institutions Deploy FireEye Appliances To Battle Breaches

San Francisco State University, Santa Barbara City College, and Connecticut College have all gone public with deployment of FireEye appliances on their campuses to preemptively stop data breaches caused by malware that steals student identity data, misappropriates faculty research, and exploits campus computing resources.

San Francisco State's IT infrastructure supports 30,000 students and 3,500 faculty and staff. According to a statement from the vendor, the university had no prior campus-wide anti-malware protection and selected FireEye based on the product's ability to protect against zero-day threats, low false positive rate, and ease of use. The university deployed the appliances at the virtual egress point of the campus border to help monitor campus network traffic for malware and botnet activities.

"The FireEye appliance identifies bot-infected computers and detects malware on the campus network, allowing us to take a proactive approach to stop bots before they have a chance to do more widespread damage," said Jack Tse, senior director, network and operations. "The FireEye appliance also helps mitigate the possible theft of sensitive and confidential student, faculty, and staff data."

Santa Barbara City College decided to deploy the FireEye security appliances after a six-week trial uncovered bots that up-to-date antivirus and other security systems had not detected. The college, which serves 15,100 full-time students and 1,200 faculty and staff, had also evaluated a deep packet inspection device that proved too costly to implement and produced a higher false positive rate than FireEye.

"The FireEye appliances accurately found malware immediately, even the smallest intrusions, and detected activity in callback channels initiated from compromised machines," said Jerry Thomas, network specialist at the city college. "FireEye also eliminated false positives and reduced the syslog numbers, saving me critical man hours. I now have a very high confidence level; when we get an alert from FireEye, we know we have something."

Connecticut College, which has 1,900 students on its New London-based campus, recently selected FireEye equipment to fortify defenses against stealthy malware infiltration due to infections outside the campus gateway.

"Connecticut College takes user security seriously and hence, we enforce patches and antivirus on the desktop, and use firewalls and [intrusion detection and prevention] (IDP) systems on the gateway," said John Schaeffer, systems & server administrator at Connecticut College. "But because of remote users who are infected outside our gateway, compounded by the reality of spear phishing, zero-day, and targeted attacks, we realize that a signature-based solution does not provide complete protection against today's Web exploits and botnets."

FireEye appliances use a multi-stage analysis engine called the "FireEye Analysis and Control Technology" (FACT). FACT detects zero-day malware and botnets by analyzing real-time Web and network traffic flows. Zero-day exploits target computer vulnerabilities before vendors have patched them. When malware is confirmed to infect a virtual victim machine, the appliances alert administrators and repel attacks through integration with security software already in place. Linked into the FireEye "Malware Analysis & Exchange" (MAX) Network, the appliances gain additional malware signatures, call-back coordinates, and botnet. Participating FireEye appliances generate and share real-time malware intelligence to respond to known and unknown malware and botnets.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
