IntroSpect Creates a Safer Network for K-12 Students in Pearland, TX

By Greg Bartay, Chief Technology Officer, Pearland Independent School District

By Greg Bartay, chief technology officer and Arturo Gonzalez, network manager, Pearland Independent School District

Pearland Independent School District covers 27 sites that include 23 campuses and four support buildings just south of Houston. Our district includes over 21,000 students and about 3,500 full-time employees, more than 1,300 of those being faculty. We are a far-flung K-12 district that faces the same challenges as many of its peers. In this mobile age, students are coming into the schools with a host of devices, from smartphones to tablets to laptops. Teachers also bring in their share of devices, and increasingly lessons, presentations and classwork are being done digitally.

Our Wi-Fi network is an integral part of our district’s learning environment, and in this world of BYOD and IoT, the demands on the network are increasing. We have used Aruba for our wireless network since 2013, and the performance and reliability we’ve seen have made it an easy decision to again turn to Aruba for help securing our Wi-Fi. Last year we brought in Aruba IntroSpect, a user and entity behavior analytics (UEBA) solution that leverages artificial intelligence, machine learning, analytics and forensics to give us greater visibility into the network and the ability to quickly detect, investigate and remediate attacks.

IntroSpect Keeps Student and Faculty Data Safe
When we were introduced to IntroSpect, we immediately saw how it could be useful to our school district. With IntroSpect, we can analyze internet traffic in near real time, establish baselines to detect anomalies and attacks on our network, and map devices throughout the network in near real time to track user behavior and pinpoint problems, such as when students try to bypass our security systems. When a problem is detected, the solution sends out prioritized alerts, allowing us to quickly begin investigating.

Our faculty and staff are not tech experts, so it’s our job as the IT department to make sure they can securely connect to a highly reliable network. Faculty and staff can have their accounts compromised by internal as well as external threats, which can lead to incidents such as an account being seen logging into the system from multiple campuses at the same time. With IntroSpect, we can detect that quickly, see where the logins are happening and start the investigation in order to protect the integrity of the grading system and other data on the network.
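
As an added illustration (not IntroSpect's own logic and not code from the district), here is one simple way to flag the simultaneous multi-campus logins described above from authentication records. The log format, account names, campus names and the 5-minute window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample authentication events (not real district data):
# ISO timestamp, account, campus where the login originated, result.
SAMPLE_LOG = """\
2019-03-04T08:01:10 jsmith campus-hs-01 success
2019-03-04T08:02:45 jsmith campus-ms-03 success
2019-03-04T08:03:00 mlee campus-es-07 success
2019-03-04T09:30:00 mlee campus-hs-01 success
2019-03-04T08:04:30 jsmith campus-hs-01 failure
2019-03-04T10:00:00 akhan campus-es-02 success
2019-03-04T10:03:59 akhan campus-es-02 success
"""

def parse(log):
    """Turn log text into time-ordered (timestamp, user, campus, result) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, campus, result = line.split()
        events.append((datetime.fromisoformat(ts), user, campus, result))
    return sorted(events)

def multi_campus_logins(events, window_s=300):
    """Flag successful logins by one account from a different campus
    than another successful login seen within the last window_s seconds."""
    recent = defaultdict(deque)  # user -> (timestamp, campus) pairs inside the window
    alerts = []
    for ts, user, campus, result in events:
        if result != "success":
            continue  # failed attempts belong to a separate brute-force/lockout check
        q = recent[user]
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # expire logins older than the window
        others = sorted({c for _, c in q if c != campus})
        if others:
            alerts.append((user, ts, campus, others))
        q.append((ts, campus))
    return alerts

if __name__ == "__main__":
    for user, ts, campus, others in multi_campus_logins(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: login at {campus} while active at {others}")
```

Logins by the same account at different campuses hours apart do not trigger the check; only overlapping activity inside the window does, which keeps staff who travel between buildings from generating alerts.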

We recognize that, unlike private businesses, as a school district we have to give access to all of our users, which can make the network more vulnerable. We need to know as fast as possible if a virus or other threat gets on the network to minimize any negative impacts. Through IntroSpect’s ability to detect attacks based on behavior, investigate the problem and remediate/mitigate the issue quickly, we can do just that.

The IntroSpect POC Catches Polymorphic Trojan Malware
We saw almost immediate results early in our POC when IntroSpect detected that the network was under attack by the Emotet Trojan, which is spread via malicious emails. Somebody from the outside was doing a brute-force attack on every account, which meant that faculty were being locked out. Within 90 minutes of detection, we were able to isolate the subnet the virus was on, shut it down, find the offending machine and deliver it to our IT staff. Financial and other sensitive data was protected, the attackers were unable to move laterally throughout the network and the district’s business and educational efforts were uninterrupted.

We’ve seen other school districts hit with the same Emotet malware take six weeks to clean it up because they were initially unable to find and isolate it. We did all that in less than two hours because IntroSpect sent us alerts with detailed information about the anomalous activity. It collected and correlated Active Directory authentication data and network traffic from endpoints, tying the attack to a specific entity and eventually a single user’s machine.

ClearPass Integration on the Horizon
In order to continue securing our network, we have also purchased ClearPass to replace a legacy NAC (Network Access Control) solution from Avaya/Extreme. We’re beginning to migrate onto ClearPass and once it’s in place, we’ll determine how to leverage the integrations between IntroSpect and ClearPass. This will help automate many of the detection, policy-making and enforcement processes that are now done manually, which means faster detection, investigation and remediation of security threats.

As with many K-12 districts, it’s difficult to get additional full-time employees, which means we have to better leverage the systems we utilize to enhance and improve the performance of the network without having a negative impact on services and accessibility. The more systems can help us be efficient with the number of people we have, the better. As such, we strive to be leading adopters of automation technology.

Looking ahead, when we integrate ClearPass with IntroSpect, we’ll be able to expand our automation capabilities. This will enable us to continue to improve our network visibility and security, all without having to add personnel. We’ll be able to quickly detect and see problems when they arise and respond to them without our students and faculty feeling any impact.