Working Together to Improve Cyberintelligence in the Big Ten

Presentation transcript:

Working Together to Improve Cyberintelligence in the Big Ten
Helen Patton, Ohio State University
Robert Turner, University of Wisconsin
Don Welch, University of Michigan

Agenda
Threat
OSU Strategy
U-W Strategy
U-M Strategy
Collaborations: Personal, Technical, Legal
Conclusions

Threat

In the News: UCF alumni sue school over data breach

Value to Attackers
$50-100 per identity
$17 per credit card
Medicare and insurance fraud
Intellectual property
Tracking dissidents
Blackmail
Turning spies

OSU Strategy
Security Framework (Enhance and Expand Security Functions):
Identity and Access Management
Security Operations
Endpoint Protection
Security Governance (Policy, Assessments & Awareness)
FY16-17 Projects:
Multi-Factor Authentication
Training & Awareness
Phishing Website Training
Vulnerability Management

U-W Strategy (Year 2)
Complete RMF: Pilot in May, 5 year phase in
SETA (Security Education, Training and Awareness): IT/Security Staff (April); Student (Pilot Complete)
Partnerships: Industry & Government; Others in Higher Ed
Planned Buys FY16/17:
End Point Protection (Currently in source selection)
SIEM (RFP by May)
Working hard to get…
ATP Phase I – NGFW
ATP Phase II – SOC Tools
ATP Phase III – Extend to UW System & 24/7 Ops

U-M Strategy
One Program: Uniform risk; Centralized detection
4 Levels of Information: Focus on the top 2
Make the right choice the easy choice: Services

Gartner Attack Chain Strategy
Where to Look | Real-Time/Near-Real-Time | Post Compromise
Network       | Network Traffic Analysis   | Network Forensics
Payload       | Payload Analysis           |
Endpoint      | Endpoint Behavior Analysis | Endpoint Forensics

U-M Strategy
Policy:
Revision to meet the strategy
Points to 16 Standards
DR Plans
People:
Building Academic Medical Center IA Program and team
Creating detection teams
Centralized IA Team

U-M Strategy
Technology:
MFA Expansion
IAM Program
Advanced Detection Capability: Network Traffic Analysis, SIEM, NGFW, Threat Intelligence
Enclaves for Level 3 and 4: General Purpose and Research

Collaborations

Personal
CIC CISOs Data Sharing Agreement
Started an “Information Sharing Sub Committee”
Initial action items and goals:
Learning current state of incident response dashboards, queries and alterations
Improving the SOC capabilities of CIC schools
Improving cross institution incident detection by sharing early warning information
Additional activity:
Define a mechanism to share process documents (i.e., Google Docs)
Define a common format to share indicators of compromise (Collective Intelligence Framework - CIF)
Define types of indicators of compromise (significant events vs. routine)
Define Traffic Light Protocol definitions

Cybersecurity Information Sharing Map

Technical

Principles
The data should be as vendor agnostic as possible.
When sharing time-sensitive threat data, the solution should be as automated as technically and procedurally feasible.
Though Splunk is not universally used, Common Information Model (CIM) compliant field extractions will be used to define how log entries will be interpreted and labeled.
The Collective Intelligence Framework (CIF), a format used by REN-ISAC to share threat intelligence data, will be used to transfer the data.
Traffic Light Protocol (TLP) could be considered when determining when to share threat intelligence data.

Phase 1
Initial options that allow schools to exchange data manually. The final production system will require some development work.
Indicators of Compromise (IOC) will be shared via the email group.
Surface any concerns such as data format criteria and applicability.
Identify and prioritize the most critical incidents and corresponding IOCs.
Develop and share Splunk queries and dashboards.

Phase 2
Automated data exchange (IOC) between CIF Servers: Shibboleth, API keys
Splunk queries will be shared via a GitLab instance: Hosted by UM; Secured using Shibboleth.
Email group will be used to:
Communicate status
Coordinate improvements
Share any data that does not fit into the other 2 categories.
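The Principles and Phase 2 slides describe three steps a sharing pipeline has to perform: normalize vendor-specific log entries onto CIM-style field names, classify the resulting indicators as significant or routine, and apply a Traffic Light Protocol label before anything leaves the institution. The following Python is an added illustration of those steps, not code from the presentation or from the CIC/REN-ISAC project. The two vendor log formats, the sample lines, the field names (`src`, `dest`, `action`) and the indicator record layout (`indicator`, `tlp`, `confidence`, `tags`) are constructed here to approximate CIM and CIF conventions; none of them are taken from the slides, and the routine-signature list and TLP release rule are assumed policy, not the group's actual definitions.

```python
"""Added example: CIM-style normalization, significance triage and TLP gating
of indicators before they are exported to a cross-institution sharing group.
Field names approximate Splunk CIM; record keys approximate CIF. Both are
assumptions made for this example, not the presenters' definitions."""

import re
from dataclasses import dataclass, field

# Constructed sample log lines in two made-up vendor formats (documentation
# address ranges, no real hosts).
SAMPLE_LOGS = [
    'vendorA: src_ip=203.0.113.7 dst_ip=198.51.100.20 act=blocked sig="known-c2-beacon"',
    'vendorB: 2017-03-01T10:00:00Z client=203.0.113.7 server=198.51.100.25 action=allow rule=default',
    'vendorA: src_ip=192.0.2.44 dst_ip=198.51.100.20 act=blocked sig="mass-scan"',
]

# One extraction per vendor; every extraction names the same CIM-style groups.
VENDOR_A = re.compile(
    r'vendorA: src_ip=(?P<src>\S+) dst_ip=(?P<dest>\S+) act=(?P<action>\S+) sig="(?P<sig>[^"]+)"')
VENDOR_B = re.compile(
    r'vendorB: \S+ client=(?P<src>\S+) server=(?P<dest>\S+) action=(?P<action>\S+) rule=(?P<rule>\S+)')

# Vendor action vocabularies differ; map them onto one shared vocabulary.
ACTION_MAP = {"blocked": "blocked", "allow": "allowed", "allowed": "allowed"}

# Assumed policy: signatures that are too noisy to be worth sharing ("routine"
# in the slides' significant-vs-routine split).
ROUTINE_SIGNATURES = {"mass-scan"}

# Assumed policy: what may be released to the sharing group. TLP:RED material
# stays inside the originating institution.
TLP_SHAREABLE_WITH_GROUP = {"WHITE", "GREEN", "AMBER"}


def normalize(line):
    """Map a vendor log line onto CIM-style fields; None if the format is unknown."""
    for rx in (VENDOR_A, VENDOR_B):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            return {
                "src": d["src"],
                "dest": d["dest"],
                "action": ACTION_MAP.get(d["action"], d["action"]),
                "signature": d.get("sig") or d.get("rule"),
            }
    return None


@dataclass
class Indicator:
    """CIF-like indicator record (key names are an assumption for this example)."""
    indicator: str
    tlp: str
    confidence: int
    tags: list = field(default_factory=list)
    significance: str = "routine"


def to_indicator(event, tlp="AMBER"):
    """Derive an indicator from a normalized event and triage its significance."""
    sig = event["signature"]
    significant = event["action"] == "blocked" and sig not in ROUTINE_SIGNATURES
    return Indicator(
        indicator=event["src"],
        tlp=tlp,
        confidence=85 if significant else 50,
        tags=[sig],
        significance="significant" if significant else "routine",
    )


def select_for_sharing(indicators):
    """Keep only significant indicators whose TLP label permits release to the group."""
    return [i for i in indicators
            if i.significance == "significant" and i.tlp in TLP_SHAREABLE_WITH_GROUP]


def process(lines, tlp="AMBER"):
    """Full pipeline: normalize -> indicator -> TLP/significance gate."""
    events = [e for e in (normalize(line) for line in lines) if e]
    return select_for_sharing([to_indicator(e, tlp) for e in events])


if __name__ == "__main__":
    for ind in process(SAMPLE_LOGS):
        print(ind)
```

Run on the constructed sample, only the blocked command-and-control hit survives: the allowed connection never becomes a significant indicator, the mass-scan signature is dropped as routine, and if the batch were labelled TLP:RED nothing would be released at all. Everything that crosses the institutional boundary is therefore both vendor-neutral and already tagged with the handling level the receiving schools are expected to honour.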

Current State
Proof of concept CIF server installed and tested
Production server is being built
The GitLab instance is built and ready
The Shibboleth configuration is underway
The email group is being used to work out the details of which IOCs to share, and serves as a discussion forum for the efforts
The group continues to meet every 2 weeks.

Legal
Data Sharing Agreements enable:
IOC/Threat Sharing and Modeling, with Security AND Management
Shared Security Assessments/Results
Incident Response Collaboration
Product evaluation collaboration

Conclusions
Don’t let bureaucracy get in your way
Use the teams you have, and/or use your vendors
Leverage the influence of higher ed
Crawl, walk, run
Need strong CIO commitment

Questions?