CrowdStrike

Yokohama National University

"CrowdStrike Falcon" blocks ransomware that slips through existing countermeasures, preventing the spread of damage. Minimize the burden on the person in charge by using the operation support service.

POINT

  • Block ransomware that slipped through existing countermeasures during the PoC period, preventing damage from spreading
  • Visualize the situation with the forensics function to accurately understand the damage in the event of an emergency
  • An operation support service that minimizes the burden on the person in charge, such as specific instructions at the time of an alert

National University Corporation Yokohama National University
Library and Information Department Information Planning
Manager
Mr. Toshiaki Nimura

National University Corporation Yokohama National University
Library and Information Department Information Planning
Deputy section chief
Ms. Kyoko Otsuki

National University Corporation Yokohama National University
Library and Information Department Information Planning
Information system
Mr. Yasuhiro Ishiguro

National University Corporation Yokohama National University
Library and Information Department Information Planning
Information system
Tomoko Negishi

Consider strengthening security measures in response to damage from targeted attacks at other universities

Yokohama National University, which upholds the four philosophies of "practicality," "advancement," "openness," and "internationality," is currently promoting the "New YNU Project," an initiative to develop the human resources required for the new global era of the 21st century. The university has active student exchanges with more than 60 countries around the world, and has established international branches (overseas collaborative education and research bases) in several countries. Most recently, in November 2015, the University of Oulu Branch (Finland) was opened. In addition, the establishment of a new faculty, the Faculty of Urban Sciences, was approved for the first time in 50 years, and a five-faculty system is scheduled to start in 2017.

The information planning section of the library and information department of the university is in charge of promoting the use of IT in office work and of operating and managing the terminals, servers, networks, etc. of the information systems used by staff; security measures are also part of that work. Regarding the previous security situation, Toshiaki Nimura, head of the Information Planning Division, recalls: "We had only introduced the minimum security measures, specifically anti-virus software and filtering products, but we had not suffered any particular damage, and I didn't feel the need to take any more measures until I spent 100,000 dollars."

However, in recent years, there have been large-scale information leaks caused by targeted attacks at other universities. The dangers of targeted attacks are becoming more and more a topic of discussion at meetings where people in charge of information systems at national universities gather.

Under these circumstances, in October 2015, we were introduced to Macnica's endpoint-based targeted attack prevention product, CrowdStrike Falcon.

Detected ransomware that slipped through existing security measures; highly evaluated its performance and decided to introduce it

In response to this introduction, Yokohama National University decided to conduct a PoC (Proof Of Concept/Trial) of CrowdStrike Falcon for the VDI environment used by staff from March 2016.
“To be Member of the Board, we only tried it because it was a free trial, and at first we didn’t even think about implementing it. , there was no need to introduce new security measures.” (Mr. Nimura)

The university also received proposals for security measures from other vendors. Satoko Otsuki, deputy manager of the Information Planning Division, said, "There was a big difference in the time and effort required to introduce CrowdStrike Falcon and the security measures of other companies. With other companies' products, it was necessary to change the settings of the existing environment just to perform a trial. It was difficult to conduct even a trial."

On the other hand, CrowdStrike Falcon can be introduced without any changes to the existing environment. Because it is a cloud-based product, it is serverless, and all you have to do is deploy a sensor (software) on the client. Ms. Tomoko Negishi of the Information Systems Section of the Information Planning Division evaluates this point by saying, "Because there is no load on system resources, operations do not slow down. This is a great advantage for VDI environments."

One month after the university launched the CrowdStrike Falcon PoC, an incident occurred: CrowdStrike Falcon detected the ransomware Locky. One of the users had accidentally clicked on an attachment in an email, and it turned out that 27,000 of the files on the client and file server had been encrypted. Regarding the situation at that time, Mr. Yasuhiro Ishiguro, Information System Section of the Information Planning Division, said, "The encrypted files were restored from backups, but we were busy with this work for two to three days. Thanks to CrowdStrike Falcon's early detection, we were able to prevent the damage from spreading."

Therefore, the university continued the PoC with CrowdStrike Falcon's detection function and blocking function enabled, and a second attack occurred a week later. This time, the attack was blocked without allowing an intrusion.
“Although CrowdStrike Falcon was already compatible with Locky, it wasn’t until the third attack, two weeks after the second attack, that existing antivirus software was able to detect it. It horrifies me to think how much damage would have been done without CrowdStrike Falcon,” says Nimura.

Having witnessed the effects of CrowdStrike Falcon, the university highly evaluated its ability and decided to officially adopt it in July.

Accurately grasp the damage situation with the forensics function; minimize the burden on the person in charge with the operation support service

Currently, Yokohama National University has introduced CrowdStrike Falcon for 450 clients in a VDI environment used by staff. Ms. Otsuki commented on its effectiveness, saying, "It gives me a great sense of security that CrowdStrike Falcon blocks unknown threats that may have slipped through existing countermeasures."

In general, system administrators juggle multiple jobs, so in truth they do not want to be burdened with security measures. In that respect, CrowdStrike Falcon does not require extra effort for operation management. Its forensics capabilities provide real-time visibility into documents accessed by attackers and commands executed, and CrowdStrike Holdings, Inc. engineers monitor events 24/7.
"Even in the unlikely event that a network is intruded, we can accurately ascertain the extent of the damage. For those in charge of operations, this is a great advantage not only for subsequent response, but also for fulfilling accountability." (Mr. Ishiguro)

In the event of an attack, a report is made to the Ministry of Education, Culture, Sports, Science and Technology, but CrowdStrike Falcon's forensics function enabled us to grasp the damage situation, so we were able to make a brief report.

The university also has a contract with Macnica for operational support services.
"CrowdStrike Falcon issues alerts in five levels: Informational/Low/Medium/High/Critical, but the display is in English, so sometimes it's hard to understand what's going on. With this operational support service, they give us concrete instructions on what to expect and how to respond, which is very helpful," says Negishi.

Expanding the scope of use to other terminals; considering expansion to the entire university

Yokohama National University currently has 550 licenses of CrowdStrike Falcon. In the future, they plan to expand the scope of use to 40 to 50 fat clients other than VDI environments, and are also considering expanding it to the entire university.

Nimura also introduced the results of this implementation at a presentation attended by information systems managers from national universities across the country.
"We're grateful for being introduced to effective security measures. We also appreciate Macnica's solid support. It's only been about four months since we started full-scale operations, but going forward we would like to continue building up our own know-how and use it to help raise awareness in the field," said Nimura.

User Profile

National University Corporation Yokohama National University
Location

〒240-0067
79-1 Tokiwadai, Hodogaya Ward, Yokohama City, Kanagawa Prefecture

Introduction time

July 2016

URL

http://www.ynu.ac.jp/

Established in 1949 from four former government-run educational institutions: Yokohama College of KANAGAWA ECONOMIC COLLEGE, Yokohama Technical College, Kanagawa Normal School, and Kanagawa Youth Normal School. Since its founding, the university has been striving to build an important foothold in academic research and education around the world in the 21st century, guided by "Practicality" that emphasizes relationships with the real world, "Innovativeness" that enthusiastically promotes new experiments, "Openness" that opens the door to society as a whole, and "Internationality" that promotes exchanges with other countries.
