Security @ UNB How UNB is using policy, practice and technology to enhance cyber security

Security @UNB - a presentation to AtlSecCon

Jan 15, 2016


David Shipley

My slide deck from the recent Atlantic Security Conference (AtlSecCon) in Halifax, Nova Scotia in April 2015.
Transcript
Page 1: Security @UNB - a presentation to AtlSecCon

Security @ UNB

How UNB is using policy, practice and technology to enhance cyber security

Page 2: Security @UNB - a presentation to AtlSecCon

What are we here to talk about?

• UNB’s titanic cyber security struggle

• Using threat intelligence for both tactical and strategic decisions

• Moving away from playing a losing game of cyber security whack-a-mole

Page 3: Security @UNB - a presentation to AtlSecCon

My background

• Bachelor of Arts in Information and Communications Studies (‘05). Master of Business Administration (‘15)

• Former Canadian Army reservist (armoured vehicle driver & gunner)

• Former reporter for the provincial newspaper

• Former web content strategist for UNB Communications & Marketing

• Accidental IT Security professional and fortunate member of an amazing team

Page 4: Security @UNB - a presentation to AtlSecCon

The Security Action Team (SAT)

• Provides IT security leadership

• Formulates, implements and coordinates policies, plans and projects

• Incident Response

• Advises on IT security resourcing, technologies, and community education.

Page 5: Security @UNB - a presentation to AtlSecCon

About UNB

• North America’s oldest English public university (Est. 1785)

• 11,000 students

• 2,000 FTE Faculty and Staff

• Hybrid IT environment (centralized and decentralized)

Page 6: Security @UNB - a presentation to AtlSecCon

In defence of “cybersecurity”

Officially, ISO/IEC 27032 addresses “Cybersecurity” or “Cyberspace security”, defined as the “preservation of confidentiality, integrity and availability of information in the Cyberspace”.

In turn “the Cyberspace” (complete with definite article) is defined as “the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form”.

Page 7: Security @UNB - a presentation to AtlSecCon
Page 8: Security @UNB - a presentation to AtlSecCon

What I think we do:

Page 9: Security @UNB - a presentation to AtlSecCon

What clients think we do….

Page 10: Security @UNB - a presentation to AtlSecCon

Why are universities a target?

• We were designed to be open (we’re easy)

• We have a treasure trove of PII

• We have valuable intellectual property

• We have others’ valuable intellectual property

• We are a route into more secure orgs

Page 11: Security @UNB - a presentation to AtlSecCon

Our challenges

• We average between 83 and 55 attempts per second to breach our network (massively automated threats)

• We have more than 2.2 million security events daily on our network

• We have more than 500 offences weekly

• We have as many as 120 compromised endpoints a month (half of which are students)

• We are the ultimate BYOD environment

Page 12: Security @UNB - a presentation to AtlSecCon

The cost of a breach

• $184 on average per record in education, based on figures from a 2014 Ponemon Institute Study

Page 13: Security @UNB - a presentation to AtlSecCon

Threat Intelligence Sources

• QRadar Security Intelligence Event Management (SIEM)

• Trend Micro Deep Discovery Malware detection tool

• Kaspersky Anti-Virus Reporting System

• Government, industry contacts and listservs

• InfoSec News Sources and Social Media

Page 14: Security @UNB - a presentation to AtlSecCon

Malware CNC CallBacks (30 days)

Page 15: Security @UNB - a presentation to AtlSecCon

Affected Hosts

Page 16: Security @UNB - a presentation to AtlSecCon

Threat Patterns

Page 17: Security @UNB - a presentation to AtlSecCon

Remote Intrusion Attempts Source

Page 18: Security @UNB - a presentation to AtlSecCon

Remote Intrusion Attempts Destination

Page 19: Security @UNB - a presentation to AtlSecCon

Security Offences

Page 20: Security @UNB - a presentation to AtlSecCon

Moving beyond tactical response

Page 21: Security @UNB - a presentation to AtlSecCon

UNB’s move to IT Risk Management

Day-to-day IT Operations

IT Security Operations

Threat Analysis, Policy & Procedure Development

IT Risk Management

Maturity

Page 22: Security @UNB - a presentation to AtlSecCon

Iterative improvement model

Risk Management

IT Operations

Security Operations

Threat Analysis

Policy & Procedure Development

Page 23: Security @UNB - a presentation to AtlSecCon

The Security Building Blocks

Operations

Service Desk

Security Action Team

Communications

Risk Management, Quality Assurance and Standards Development

Page 24: Security @UNB - a presentation to AtlSecCon

Service Desk

• Help Desk escalates threats to SAT

• Assists with user education

• Desktop Group helps harden end points and triage compromises

Page 25: Security @UNB - a presentation to AtlSecCon

Operations

• Systems and Network monitoring, reporting of threats, ensuring patching and reporting policy or procedure compliance issues. Participates in incident response.

Page 26: Security @UNB - a presentation to AtlSecCon

Communications

• Assists with development and execution of user awareness and culture change campaigns.

• Assists with developing and executing incident communications

Page 27: Security @UNB - a presentation to AtlSecCon

Security and Operations

• Operations: Trying to keep the lights on

• IT Security: ensuring compliance with protective measures

• Critical to avoid ineffective communications. Security and Operations groups in IT have different goals and in some cases cultures. Critical to ensure alignment with overall IT Strategy

Page 28: Security @UNB - a presentation to AtlSecCon

The cross-functional workflow

Client provides username and password in phishing attempt

Help Desk or Level One advises + assists client with safe password reset

IT Security initiates incident investigation

Operations staff engaged to assist with log review / access checks

UNB Privacy Officer engaged in event of a potential data breach

Client advised of investigation, encouraged to take awareness course

Page 29: Security @UNB - a presentation to AtlSecCon

What fighter jets in the Korean War can teach us about cybersecurity

Page 30: Security @UNB - a presentation to AtlSecCon

The OODA Loop

Observe

Orient

Decide

Act

OODA Cycle

Page 31: Security @UNB - a presentation to AtlSecCon

A harsh truth:

• Simply buying the latest and greatest big shiny security technology will not make your organization safer

• Strategy + Technology + Process + People = Success

Page 32: Security @UNB - a presentation to AtlSecCon

Security Strategy Pillars

Security Strategy

IT Security Policy

Data Governance

Security Architecture: Tools, People, Process

Culture Change: User Awareness + Behaviour Change

Page 33: Security @UNB - a presentation to AtlSecCon

Translating Cyber Security-ese to Business-ese

Page 34: Security @UNB - a presentation to AtlSecCon

Making the case

Where cybersecurity fits in Porter’s Value Chain

Page 35: Security @UNB - a presentation to AtlSecCon

The disconnect between threat awareness and concern about threats

Page 36: Security @UNB - a presentation to AtlSecCon

Do you believe your organization has an accurate picture of the threats it faces on a daily basis?

Page 37: Security @UNB - a presentation to AtlSecCon

61% weren’t sure or weren’t confident

Anonymous, non-scientific poll conducted during a webinar I delivered in April 2015.

Page 38: Security @UNB - a presentation to AtlSecCon

How concerned are you about an attack leading to a data breach?

Anonymous, non-scientific poll conducted during a webinar I delivered in April 2015. N = 40

Page 39: Security @UNB - a presentation to AtlSecCon

65% very concerned

Anonymous, non-scientific poll conducted during a webinar I delivered in April 2015. N = 34

Page 40: Security @UNB - a presentation to AtlSecCon

We need to change the cybersecurity story.

Page 41: Security @UNB - a presentation to AtlSecCon

Questions?