As part of the Okinawa Prefectural Board of Education, the Okinawa Prefectural Education Center supports scholastic growth in local schools. In recent years, the Center has aimed to enrich IT education and streamline school administrative duties by promoting and developing IT environments.
The infrastructure at the core of this effort is an IT education network connecting the Center to 76 schools: 60 senior high schools and 16 special-needs schools. Teachers and students at each school access the Internet entirely through this network, so it is the main artery between the school environments. Security problems have occurred on the network in recent years. The Center discovered a malicious program connecting a PC within the network to a C&C server. Had it not been cleaned up, an attacker could have controlled the PC remotely, leading to information leakage or other damage.
“The problem was caused by personal USB memory devices and PCs which students and teachers were bringing to school,” says the Center’s Ken Shiroma.
As the PCs used by teachers handle data containing the personal information of students, security countermeasures at schools are essential. In addition to installing antivirus software on PCs, the Center had implemented virus countermeasures at the gateway to the Internet, as well as anti-spam and URL filtering.
“However, there were some PCs with insufficient security countermeasures which were being brought to the schools. We considered prohibiting them, but we didn’t have enough PCs so had no choice but to allow them. We allowed USB memory devices because there were many who felt that they were vital to deliver data used for developing teaching materials, and also because we wanted to actively promote more IT usage with fewer restrictions,” says Hayato Arakaki.
How could the level of IT security be improved without sacrificing the flexibility of IT usage? The Center needed to dramatically reconsider security countermeasures.
The number of PCs, both those provided by the Center and those brought to schools by teachers and students, reached around 20,000, and the Center had to administer all of them. Which PCs had security holes, and how should the Center proceed with the review? In the midst of continual trial and error, it was Trend Micro that provided the breakthrough.
“We were on our own and didn’t know where to begin. However, Trend Micro came to us as security professionals and provided us with advice about the most suitable policies to improve the level of security step-by-step,” says the Center’s Kinue Yamashiro.
In addition to traditional virus countermeasures, the status of the network and connected PCs was visualized in an integrated manner. Once the Center understood the situation, it adopted policies for countermeasures appropriate to the security risks that had been identified.
Based on Trend Micro’s advice, the Center built its security countermeasures around Deep Discovery Inspector™ (hereafter, DDI). DDI monitors network traffic continuously and analyzes and detects security risks through behavior analysis. In other words, it is a radar that detects threats.
For example, when PCs without the latest pattern files for their antivirus software, or PCs suspected of being infected, try to connect to the network, DDI identifies them as risks. Furthermore, it is possible to pinpoint the devices and applications that have been used on each PC. “For example, if a student uses P2P software without permission, it is automatically detected,” explains Arakaki. Even if threats infiltrate and initiate malicious actions, DDI detects behavior such as suspicious communications to C&C servers, emails containing suspicious URLs, and repeated login failures.
DDI uses these functions to control the lateral movement of threats, which is difficult to defend against with traditional countermeasures.
Once the Center had used DDI to visualize risks and knew its precise security requirements, it established a multi-layered security operation system leveraging several Trend Micro products the Center was already using. The system not only improved the level of security but also serves as an effective countermeasure that eliminates the triggers of targeted attacks using a variety of techniques.
“Specifically, based on the real-time detection of malicious behavior and date and time logs from DDI, we take immediate action against a variety of threats and risks. For example, if DDI detects PCs without the latest OfficeScan™ pattern files, we perform virus scans and update the pattern files to the latest version. If it detects infected PCs, we immediately isolate them from the network and eliminate any risk of the infection spreading. We then remove the virus with Trend Micro Portable Security™, a tool that detects and removes viruses on offline terminals,” explains Shiroma. In addition, the Center registers malicious URLs or emails detected by DDI on the blacklists of gateway countermeasure products such as InterScan WebManager™ for URL filtering and InterScan Messaging Security Virtual Appliance™, which deletes malicious email before it reaches the network, preventing malicious access and the infiltration of malicious files in the future. Consequently, this prevents attacks that lead to information exploitation, such as the communication with the C&C server discovered in the past.
These were not the only results. In addition to detecting threats, the threat logs of DDI were also useful for instructing teachers. “By using the logs to collate details of threats and provide a weekly summary of them, it is possible to clearly demonstrate what happened, and where and when it happened. This has been useful for elevating the security consciousness of both students and teachers,” says Yamashiro.
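The alert-to-response mapping and the weekly summary described above, as an added illustration that is not the Center's or Trend Micro's code: the alert format, field names and playbook steps are assumptions constructed for the example, and the log lines are constructed samples.

```python
# Added example (not code from the Center or Trend Micro): maps constructed
# DDI-style alerts to the response steps the case study describes, and builds
# the per-school weekly summary used for briefing teachers.
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical response playbook, keyed by an assumed alert "kind" field.
PLAYBOOK = {
    "outdated_pattern": ["scan_with_officescan", "update_pattern_file"],
    "c2_communication": ["isolate_from_network", "offline_scan_portable_security",
                         "blacklist_url_webmanager"],
    "suspicious_url_email": ["blacklist_url_webmanager", "blacklist_email_imsva"],
    "p2p_software": ["notify_school_admin"],
    "repeated_login_failure": ["notify_school_admin"],
}

@dataclass(frozen=True)
class Alert:
    date: str      # YYYY-MM-DD
    school: str
    host: str
    kind: str
    detail: str

def parse_alert(line: str) -> Alert:
    """Parse one constructed pipe-delimited line: date|school|host|kind|detail."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"malformed alert line: {line!r}")
    return Alert(*fields)

def plan_response(alert: Alert) -> list[str]:
    """Return the ordered response steps; unknown kinds go to manual review."""
    return PLAYBOOK.get(alert.kind, ["manual_review"])

def weekly_summary(alerts):
    """Count alerts per (school, kind) and list affected hosts per date."""
    counts = Counter((a.school, a.kind) for a in alerts)
    by_date = defaultdict(set)
    for a in alerts:
        by_date[a.date].add(a.host)
    return counts, {d: sorted(h) for d, h in by_date.items()}

# Constructed sample alerts (not real DDI output).
SAMPLE_LOG = """\
2024-06-03 | school-A | pc-017 | outdated_pattern | pattern 3 days old
2024-06-03 | school-A | pc-042 | c2_communication | http://example.invalid/beacon
2024-06-05 | school-B | pc-009 | p2p_software | unauthorized p2p client
2024-06-06 | school-A | pc-042 | suspicious_url_email | link to example.invalid
"""
ALERTS = [parse_alert(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
```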
Through the usage of Deep Discovery Inspector™ Advanced Optional Services, the Center receives reports analyzed by a Trend Micro specialist engineer. The report also includes an evaluation of the security level, and the latest report showed that the Center’s security level has improved dramatically.
“The engineers analyze the extensive logs and provide us with reports which indicate threats and the behavior of those threats accurately and in a manner that is easy to understand. We feel that this know-how is exactly what is expected from a specialized vendor. Thanks to Trend Micro it has been possible for us to make our countermeasures more effective,” explains Shiroma, appraising the feature.
The Center is considering a variety of IT initiatives, such as the use of tablet devices in classes, and it has high expectations of Trend Micro as a company whose security support allows IT to be used without restrictions.