Securing The University of Massachusetts, Lowell Research Network



BusinessPublic University on the U.S. East Coast
Organization Size2,200 employees located in a single region
Core Business Supported by LinuxEducation, Teaching, Research
CoverageMore than 60 Linux Devices
SystemsStandard distributions, including Ubuntu and CentOS with some older distributions in research labs; 40% are virtual builds

At the University of Massachusetts, Linux servers are running critical web apps and databases supporting students, instructors, analysts and researchers. Even in a hosted environment with controlled builds and vulnerability scanning, it’s impossible to know if bad things are actually happening in the Linux boxes and how to stop them.

We already did vulnerability scans, firewall logs and traffic logs, but what we didn’t have was monitoring inside the Linux systems for Indicators of Compromise. We needed deeper monitoring for more insight than just a scan provides.

Unrivaled Visibility

After researching solutions, he found that Sandfly was the only comparable product for visibility into Indicators of Compromise (IOC) on all of his Linux systems, including legacy systems.

I didn’t see any other compatible product that focuses on IOC for Linux. Sandfly gives us a lot of insight into how our systems are being used—and in ways that just firewall logs and traffic logs don’t indicate.

For example, Sandfly revealed that some of their Linux servers were being used as jump hosts with netcat into other systems. It turned out that the actions were not malicious, but the security team did use the information to assist their users to switch hosts in a more secure method with SSH.

Sandfly also alerted the security team to some other issues regarding incorrect permissions on user’s home folders, which they were able to repair immediately.

Although we haven’t found an active attack, we have gained tremendous insight on how systems are being used. This in itself is valuable.

Agentless Compatibility

He particularly likes that Sandfly doesn’t require agents to be able to see any of the thousands of IOCs that Sandfly can detect inside their Linux devices. This saves his organization from costly and frustrating experiences when the agents need upgrading (breaking the Linux service) or when the Linux systems are upgraded (breaking the agents).

Since Sandfly’s agentless system only requires a secure user account to administer, Sandfly is much easier to manage, direct, and roll out across devices. Sandfly’s accurate detection also makes it easier to follow-up on and recover from any type of incident, he explains.

Knowing that we have this extra level of monitoring and protection on all existing and new servers helps us, particularly when deploying Linux servers that aren’t necessarily managed by our central IT department.

Agentless compatibility

Requirements Scorecard

Visibility into malicious activity on your systems
Reduced dwell time of malicious actors on your systems
Accuracy of detection/reduced false positives
Responding to Linux-based incidents
Ability to work with other detection and reporting systems
Insight on how systems are being used
  1. Did not detect any incidents that needed responding to. Did detect some accidental misuse that was easily addressed based on the information provided through Sandfly detection.

Let Sandfly keep your Linux systems secure.

Learn More