Case Study: Securing The University of Massachusetts, Lowell Research Network


At-A-Glance

Business Type: Public University on the U.S. East Coast

Size of Organization: 2,200 employees located in a single region.

Core Business Supported by Linux: Education, Teaching, Research.

Number of Linux Devices Covered by Sandfly: More than 60.

Type/Flavor of Linux Covered by Sandfly: Standard distributions, including Ubuntu and CentOS, with some older distributions in research labs; 40% are virtual builds.

At the University of Massachusetts Lowell, Linux servers run critical web applications and databases supporting students, instructors, analysts and researchers. Even in a hosted environment with controlled builds and vulnerability scanning, those controls show what could be exploited, not whether something malicious is actually happening inside the Linux hosts, or how to stop it.


“We already did vulnerability scans, firewall logs and traffic logs, but what we didn’t have was monitoring inside the Linux systems for Indicators of Compromise,” says the principal security engineer with oversight for these Linux systems. “We needed deeper monitoring for more insight than just a scan provides.”

Unrivaled Visibility

After researching solutions, he found Sandfly to be the only product that gave him visibility into Indicators of Compromise (IOCs) across all of his Linux systems, including legacy ones.

“I didn’t see any other compatible product that focuses on IOC for Linux,” he explains. “Sandfly gives us a lot of insight into how our systems are being used—and in ways that just firewall logs and traffic logs don’t indicate.”

For example, Sandfly revealed that some of their Linux servers were being used as jump hosts, with netcat relaying connections into other systems. The activity turned out not to be malicious, but the security team used the finding to help those users move to SSH, which authenticates and encrypts the hop, instead of a netcat relay.

Sandfly also alerted the security team to incorrect permissions on users' home directories, which they were able to repair immediately.
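As an added example (not Sandfly's code and not the university's configuration), here are two checks of the kind behind the two findings above, written to run over SSH in the agentless style: flag sockets owned by netcat-family processes, and list home directories writable by group or other, plus the ssh_config ProxyJump stanza that replaces a netcat relay with a proper SSH hop. The host names, the scanner account, the sample ss output and the directory layout are constructed assumptions.

```shell
#!/bin/sh
# Added example: two agentless-style checks modelled on the findings above.
# Hypothetical: hostnames, sample ss output and directory layout are constructed here.

# Process names that indicate an ad-hoc relay rather than an SSH hop.
RELAY_TOOLS='nc|ncat|netcat|socat'

# Constructed sample of `ss -tnp` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port    Peer Address:Port     Process
ESTAB  0      0      10.0.0.5:41234        10.0.0.9:3306         users:(("nc",pid=4321,fd=3))
ESTAB  0      0      10.0.0.5:22           10.0.0.2:50122        users:(("sshd",pid=1201,fd=4))
LISTEN 0      10     0.0.0.0:8080          0.0.0.0:*             users:(("ncat",pid=4400,fd=3))
ESTAB  0      0      10.0.0.5:33210        10.0.0.7:22           users:(("ssh",pid=4510,fd=3))'

# Report sockets owned by netcat-family processes. Reads `ss -tnp` output on stdin
# and prints state, local address, peer address and owning process.
flag_netcat_relays() {
    grep -E "users:\(\(\"(${RELAY_TOOLS})\"," | awk '{print $1, $4, $5, $NF}'
}

# In production the input comes from the target over SSH (agentless); the
# "scanner" account name is a hypothetical dedicated, key-only scanning user.
collect_sockets() {
    ssh -o BatchMode=yes "scanner@$1" 'ss -tnp'
}

# Home directories writable by group or other. Argument: directory holding the homes.
# -perm -002 = other-write bit set, -perm -020 = group-write bit set.
find_loose_home_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \( -perm -002 -o -perm -020 \)
}

# ssh_config replacement for the netcat relay: reach the internal host through
# a jump host with ProxyJump, so the hop is authenticated and encrypted end to end.
proxyjump_config() {
    cat <<'EOF'
Host db-internal
    HostName 10.0.0.9
    ProxyJump jump.example.edu
    User analyst
    IdentitiesOnly yes
EOF
}

# Stand-alone demo over the constructed sample: prints the two netcat-owned sockets.
printf '%s\n' "$SAMPLE_SS" | flag_netcat_relays
```

Run against a real fleet, `collect_sockets host | flag_netcat_relays` does the first check for each host; the permission check runs the same way with `find` executed on the remote side. Treat a hit as a lead, not a verdict: as the case study itself found, a netcat relay may be a user's habit rather than an intrusion, but it is one the ProxyJump stanza lets you retire.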

“Although we haven’t found an active attack, we have gained tremendous insight on how systems are being used,” says the engineer. “This in itself is valuable.”

Agentless Compatibility

He particularly likes that Sandfly needs no agent on the host to check for the thousands of IOCs it can detect inside their Linux devices. This spares his organization the costly and frustrating cycle of agent upgrades breaking Linux services, and Linux upgrades breaking the agents.

Because Sandfly's agentless approach only requires a dedicated, suitably protected user account on each host, it is much easier to manage, direct, and roll out across devices. Sandfly's accurate detection also makes it easier to follow up on and recover from any type of incident, he explains.

“Knowing that we have this extra level of monitoring and protection on all existing and new servers helps us, particularly when deploying Linux servers that aren’t necessarily managed by our central IT department,” he adds.


Sandfly Performance Scorecard (each item rated YES / NO / N/A)

- Visibility into malicious activity on your systems: X
- Reduced dwell time of malicious actors on your systems: X
- Accuracy of detection/reduced false positives: X
- Responding to Linux-based incidents: X*
- Ability to work with other detection and reporting systems: X
- Other (please specify): "Insight on how systems are being used": X

*Did not detect any incidents that needed responding to. Did detect some accidental misuse that was easily addressed based on the information provided through Sandfly detection.
