SANS WhatWorks: How VCU uses FireEye for Advanced Threat Detection and Prevention

  • Tuesday, 10 Feb 2015 1:00PM EST (10 Feb 2015 18:00 UTC)
  • Speaker: John Pescatore

About the User
Dan Han is the Information Security Officer for Virginia Commonwealth University (VCU) and is responsible for the development and management of the information security program for the University. With over 15 years of experience, Dan has spent a majority of his career working in the higher education and healthcare sectors, within various roles in IT ranging from application development to infrastructure management. He has been focused on the information security field for nearly 10 years, with an emphasis on information security architecture and security risk and compliance. In addition to various industry-recognized IT and security certifications, Dan holds an MS and an MBA in Information Systems and IT Management.

About VCU and the VCU Medical Center
Virginia Commonwealth University is a major, urban public research university with national and international rankings in sponsored research. Located in downtown Richmond, VCU enrolls more than 31,000 students in 222 degree and certificate programs in the arts, sciences and humanities. Sixty-seven of the programs are unique in Virginia, many of them crossing the disciplines of VCU's 13 schools and one college. MCV Hospitals and the health sciences schools of Virginia Commonwealth University comprise the VCU Medical Center, one of the nation's leading academic medical centers. For more, see

SANS Summary
A university with a centralized Internet connection but decentralized PC operations found that it was experiencing too high a level of malware events at user PCs. They decided to look at network advanced threat detection devices that could inspect traffic at the Internet border point to address the problem. After a bakeoff they selected technology from FireEye, which gave them visibility into malware that existing AV solutions were not detecting and allowed them to respond more quickly to malware events before major damage was incurred. The FireEye product was integrated with VCU's SIEM product for day-to-day reporting and monitoring. To deal with the high-speed (10 Gbps) network at VCU, over time the University moved to three FireEye appliances in a load-balancing configuration.