As with most schools and businesses, Colorado Springs School District 11 struggled with malware entering the District through various means: e-mail attachments, personal devices, and threats that were too new to be caught. Antivirus was simply not enough. The district tried several vendors in our environment, all of whom performed well. However, we selected FireEye due to overall cost, protection, and best value. We now have both an internal-facing malware appliance and an external malware appliance that blocks malware from e-mail and stops outgoing malware. Having the two appliances, FireEye Network Security (NX) and E-mail Security (EX), managed by a Central Management System (CMS) gives the Network Services staff some peace of mind and the ability to sleep at night, knowing we are protected.
The FireEye NX solution protects against known and unknown advanced attacks with its signature-less engine, a conventional Intrusion Protection System (IPS), and intelligence-driven detection. This enables faster detection, more accurate alerts, and reduced “noise”. Identifying these traditional threats allows us to focus on alerts that pose a genuine threat and reduces the overall operational cost of false positives. All organizations need to be able to quickly identify, respond to, and share information about attacks to prevent data loss. FireEye does this by providing a solution that: 1) detects threats that traditional security products miss; 2) reduces noise to optimize the security staff’s time and effort; 3) continually adapts to the evolving threat landscape; and 4) scales and remains flexible as the organization grows.
Utilizing the FireEye Multi-vector Virtual Execution (MVX) engine, the NX confirms zero-day attacks, creates real-time threat intelligence, and captures dynamic callback destinations. In monitor mode, it signals incident response mechanisms. In out-of-band prevention mode, the NX issues TCP resets to block TCP, UDP, or HTTP connections without sitting inline.
The resulting dynamically generated, real-time threat intelligence produced by the NX helps all FireEye products protect the local network. This intelligence includes callback coordinates and communication characteristics that can be shared globally through the FireEye Dynamic Threat Intelligence (DTI) cloud to notify all subscribers of new threats. Cyber criminals often use spear phishing attacks as well as malicious file attachments and URLs in e-mails to launch an advanced cyber-attack. These e-mail attacks routinely bypass e-mail security that uses conventional signature-based defenses such as antivirus and spam filters.
To aid in counteracting these threats, FireEye developed the EX product line. These products detonate and analyze suspicious e-mail attachments and embedded URLs and block malicious activity to enhance e-mail security. With these capabilities, organizations can prevent, detect, and respond to e-mail-based cyber-attacks. Customers can also select the E-mail Threat Prevention Cloud (ETP) for a complete, off-premise e-mail security solution with no hardware or software to install. ETP includes antivirus and anti-spam protection to handle attacks hidden in bulk e-mails and to manage nuisance traffic.
To block spear-phishing e-mails, the EX analyzes every attachment and URL using the MVX engine, which accurately identifies today’s advanced threats. If an attack is confirmed, the EX series quarantines the malicious e-mail for further analysis or deletion. The resulting dynamically generated, real-time threat intelligence helps all FireEye products protect the local network through integration with the FireEye Central Management System (CMS).
The CMS intelligence gathering is shared globally through the DTI cloud to notify all subscribers of emerging threats, keeping everyone up-to-date on old or newly discovered threats.
By deploying all three systems together (NX, EX, and CMS), the analysis of blended threats becomes possible: for example, pinpointing a spear-phishing e-mail used to distribute malicious URLs and correlating a perimeter alert to the endpoint that received it. Security analysts now have the ability to correlate the phases of a blended attack, giving them the actionable intelligence necessary to protect the organization against advanced targeted attacks. The CMS also consolidates activities and improves situational awareness with a unified security dashboard. The dashboard gives administrators a real-time view of the number of infected systems and the ability to drill down to the actual infection details to determine the next steps.
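The correlation step described above, as an added illustration that is not FireEye code and does not use the CMS's real alert schema: the field names, the four-hour window, the hostnames, domains, and hashes below are all constructed for this example. An EX-style e-mail alert is linked to NX-style callback alerts from the recipient host that follow it within the window; a callback to the same domain that was embedded in the e-mail raises the confidence of the link. Callbacks with no preceding e-mail alert are listed separately, since they point to an infection vector other than e-mail.

```python
"""Correlate e-mail (EX-style) alerts with network callback (NX-style) alerts.

Added example, not FireEye code. The alert dictionaries and their keys are
assumptions chosen for illustration, not the CMS's real data format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: hosts, domains, timestamps and hashes are made up.
EMAIL_ALERTS = [
    {"ts": "2024-03-04T09:12:00", "recipient_host": "lab-ws-17",
     "attachment_sha256": "aa11" * 16, "embedded_domain": "update-invoice.example"},
    {"ts": "2024-03-04T09:40:00", "recipient_host": "lib-ws-03",
     "attachment_sha256": "bb22" * 16, "embedded_domain": None},
]
NETWORK_ALERTS = [
    {"ts": "2024-03-04T09:15:30", "src_host": "lab-ws-17",
     "kind": "callback", "dst_domain": "update-invoice.example"},
    {"ts": "2024-03-04T11:05:00", "src_host": "lab-ws-17",
     "kind": "callback", "dst_domain": "cdn-static.example"},
    {"ts": "2024-03-05T08:00:00", "src_host": "admin-ws-01",
     "kind": "callback", "dst_domain": "metrics.example"},
]

# Assumed correlation window: callbacks this long after delivery are attributed
# to the e-mail. Tune to how quickly users open mail in your environment.
WINDOW = timedelta(hours=4)


def _parse(ts):
    return datetime.fromisoformat(ts)


def _within_window(email_alert, network_alert, window):
    """True when the callback comes from the recipient host inside the window."""
    if network_alert["src_host"] != email_alert["recipient_host"]:
        return False
    delta = _parse(network_alert["ts"]) - _parse(email_alert["ts"])
    return timedelta(0) <= delta <= window


def correlate(email_alerts, network_alerts, window=WINDOW):
    """Build one incident per e-mail alert that is followed by callbacks.

    Confidence is 'high' when a callback destination equals the domain
    embedded in the e-mail, otherwise 'medium' (host and time match only).
    """
    by_host = defaultdict(list)
    for n in network_alerts:
        by_host[n["src_host"]].append(n)

    incidents = []
    for e in email_alerts:
        candidates = sorted(by_host.get(e["recipient_host"], []), key=lambda a: a["ts"])
        linked = [n for n in candidates if _within_window(e, n, window)]
        if not linked:
            continue
        domain_hit = any(n["dst_domain"] == e["embedded_domain"] for n in linked)
        incidents.append({
            "host": e["recipient_host"],
            "email_ts": e["ts"],
            "attachment_sha256": e["attachment_sha256"],
            "callbacks": [n["dst_domain"] for n in linked],
            "confidence": "high" if domain_hit else "medium",
        })
    return incidents


def unexplained_callbacks(email_alerts, network_alerts, window=WINDOW):
    """Callbacks not preceded by an e-mail alert on the same host.

    These still need investigation: the host was compromised by some path
    the e-mail appliance never saw (removable media, personal device, web).
    """
    explained = set()
    for e in email_alerts:
        for n in network_alerts:
            if _within_window(e, n, window):
                explained.add((n["ts"], n["src_host"]))
    return [n for n in network_alerts if (n["ts"], n["src_host"]) not in explained]


if __name__ == "__main__":
    for incident in correlate(EMAIL_ALERTS, NETWORK_ALERTS):
        print("incident:", incident)
    for alert in unexplained_callbacks(EMAIL_ALERTS, NETWORK_ALERTS):
        print("unexplained callback:", alert)
```

On the constructed data this yields one high-confidence incident on lab-ws-17 (the callback to the embedded domain arrives three and a half minutes after delivery, and a second callback follows within the window) and one unexplained callback from admin-ws-01, which is the case an analyst would chase as a non-e-mail infection.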
The CMS also has features for efficient, consolidated reporting. If activated, the CMS can collect and store audit-relevant security events to meet long-term data retention requirements. For added accessibility and a visitor wow factor, the NX dashboard shows region- and industry-based malware trends, has customizable options, and provides audit logging. The screen is completely dynamic, showing where threats are coming from, what type they are, and where they are going. It can also show the top infected hosts and malware callback events, including geo-location details. Finally, the trending view can help demonstrate progress in reducing the number of compromised systems.
FireEye has proven very effective in protecting D11 from phishing attacks, ransomware, and many botnets. It has allowed us to identify the source of malware that attempts to run on the network, finding malicious products that antivirus completely overlooked. Having FireEye in place and fully operational gives our networking team a sense of security and peace of mind, knowing that it is still working to allow us a good night’s sleep.