Joint Solution Identifies and Contains Compromised Devices with Automated Threat Response
Western Michigan University (WMU), located in Kalamazoo, Michigan, is one of the country’s leading research universities — and also a tempting target for cyber criminals. To fortify its network and prevent breaches from cyber threats, WMU has deployed Bradford Networks’ Network Sentry to integrate with its Palo Alto Networks Next-Generation Firewall to identify and contain compromised devices.
ResNet: the wired network for WMU dormitories and residence halls
WMUnet: WMU’s campus network
Defend a university network used by thousands of students against cyber attacks and breaches that are almost inevitable
Contain a threat detected by the firewall before it can spread to other devices
Having to access multiple systems to assemble the information needed to contain a threat — a slow process that leaves the network at risk at a critical time
Bradford Networks’ Network Sentry for Palo Alto Networks enables Continuous Incident Response by correlating security events from the firewall with real-time information associated with compromised devices
When the firewall detects a threat, the compromised device, user, switch port and other key details are immediately identified
Eliminates the need to examine multiple silos of information when the network is under attack
Ability to isolate, restrict or block compromised devices in real time according to policy settings
The integrated solution automatically correlates security alerts from WMU’s firewalls with details about compromised devices supplied by Network Sentry’s Live Inventory of Network Connections (LINC). A foundational component in Network Sentry’s platform, LINC addresses a variety of Network Access Control and Continuous Incident Response use cases. When a breach is detected, WMU’s IT staff receive critical intelligence at a glance so they don’t lose valuable time sifting through silos of information. “Network Sentry picks up the IP address and threat information from the Palo Alto Networks Next-Generation Firewall and correlates the device with the user along with network connection information,” explains Fawn Callen, manager of the network architecture team at WMU. “Together, the two types of information give us a complete picture of the threat — including its source and intended target on the network.”
Fawn and her team can also dynamically control network access using Network Sentry’s policy enforcement engine. When the firewall identifies a security event, Network Sentry launches a response action based on the nature and severity of the threat. For example, if the threat is deemed critical, an automated workflow can instantly block a compromised device while simultaneously alerting the user and IT staff. If the threat is categorized as low severity, another policy-based workflow can give the user time to remediate the device. When attacks occur and devices are compromised, the ability to correlate contextual information — device, user and network connections — with the security event detected by the firewall shortens the containment time and prevents exfiltration of sensitive data.
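The correlation-and-response flow described above, as an added illustration in Python; this is not Bradford Networks or Palo Alto Networks code, and the alert line format, the inventory rows and the severity-to-action table are all constructed for the example. It also adds one check a practitioner would want on a campus network where IP addresses are reused: a firewall alert is only auto-contained when the IP-to-device binding is recent enough to be trusted.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Connection:
    """One row of a live connection table: who is behind an IP right now."""
    user: str
    device: str
    switch_port: str
    last_seen: datetime  # when the IP-to-device binding was last confirmed

# Constructed inventory keyed by IP (stand-in for a live connection table, not real data).
INVENTORY = {
    "10.20.30.40": Connection("student01", "laptop-a1b2", "sw-res-1/0/7",
                              datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)),
    "10.20.30.41": Connection("student02", "phone-c3d4", "sw-res-1/0/8",
                              datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)),
}
# Constructed severity-to-action policy: critical threats are blocked, lower ones get remediation time.
POLICY = {"critical": "block", "high": "restrict", "medium": "self-remediate", "low": "notify"}
MAX_BINDING_AGE_S = 3600  # campus IPs get reused; do not act on an hour-old binding

def parse_alert(line):
    """Parse a constructed 'key=value' alert line (not a vendor log format)."""
    return dict(field.split("=", 1) for field in line.split())

def correlate(alert_line, inventory=INVENTORY, max_age_s=MAX_BINDING_AGE_S):
    """Enrich a firewall alert with device/user/port context and choose a response."""
    alert = parse_alert(alert_line)
    seen_at = datetime.fromisoformat(alert["time"])
    conn = inventory.get(alert["src"])
    enriched = {"src": alert["src"], "threat": alert["threat"], "severity": alert["severity"]}
    if conn is None:
        # Unknown IP: nothing can be safely contained automatically, hand it to a person.
        return {**enriched, "action": "investigate", "reason": "no device bound to source IP"}
    enriched.update(user=conn.user, device=conn.device, switch_port=conn.switch_port)
    if (seen_at - conn.last_seen).total_seconds() > max_age_s:
        # A stale binding may point at the wrong device; blocking it could hit an innocent user.
        return {**enriched, "action": "investigate", "reason": "binding older than policy allows"}
    return {**enriched, "action": POLICY.get(alert["severity"], "investigate"), "reason": "policy"}

if __name__ == "__main__":
    for line in (
        "time=2024-01-10T12:05:00+00:00 src=10.20.30.40 severity=critical threat=malware-cnc",
        "time=2024-01-10T12:05:00+00:00 src=10.20.30.41 severity=low threat=adware",
        "time=2024-01-10T12:05:00+00:00 src=10.20.30.99 severity=high threat=scan",
    ):
        print(correlate(line))
```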
With thousands of WMU students constantly accessing the internet using a variety of devices, network breaches are almost inevitable. A prompt and effective response is needed to detect the threat and contain it before it spreads throughout the network — a primary reason for WMU to deploy Network Sentry. The solution correlates threat information detected by the university’s Palo Alto Networks Next-Generation Firewall with real-time information about devices, users and connections, allowing WMU to contain cyber attacks before they cause widespread damage.
Fawn notes that Network Sentry protects the network and saves IT staff time by bridging previously isolated silos of security information. “Using Network Sentry, IT will have a complete picture of the network threat from a single pane of glass. If a high-threat virus passes through our firewall onto a student’s machine, they’ll be able to take action faster because all the information they need is in one place.”
Automated Threat Containment
Network Sentry’s LINC leverages detailed information about compromised devices, including type, user name, other devices owned by the same user, installed applications, operating system, switch port, connection duration and compliance status. This information is used to launch automated workflows to isolate, restrict or block compromised devices according to predefined security policies. Depending on the severity of the threat, actions could range from sending the student to a self-remediation page to alerting IT to launch a full-scale investigation. “Network Sentry provides us with the value we’re looking for,” Fawn adds.
WMU is already a long-time user of Bradford Networks’ Network Sentry, enabling easy self-service BYOD for students while providing IT with real-time visibility into network connections and policy-based access control for users and devices. The university is now extending that network visibility and access control to the ResNet network used in student dormitories and residence halls and will also support wired Windows, Mac and Linux devices. Future plans call for including wireless connections and expanding coverage to include faculty and staff devices.
Saving Time, Staying Safe
At WMU, Fawn expects Network Sentry to reduce the impact, time and cost of containing cyber threats. “Without Network Sentry, we would have to sift through a home-grown registration system to identify the owner of the IP address, or decipher the IP address to determine what building the device was in, what subnet it was in and who we think is responsible. In either case, it would take us a long time to track down the user and their device.” Using Network Sentry, WMU will be able to reduce the time to contain threats from hours to a few seconds.