Published by Maryann West. Modified over 6 years ago.
1
Working Together to Improve Cyberintelligence in the Big Ten
Helen Patton, Ohio State University; Robert Turner, University of Wisconsin; Don Welch, University of Michigan
2
Agenda
Threat
OSU Strategy
U-W Strategy
U-M Strategy
Collaborations
  Personal
  Technical
  Legal
Conclusions
3
Threat
4
In the News: UCF alumni sue school over data breach
5
Value to Attackers
$50-100 per identity
$17 per credit card
Medicare and insurance fraud
Intellectual property
Tracking dissidents
Blackmail
Turning spies
6
OSU Strategy
Enhance and Expand Security Functions:
  Identity and Access Management
  Security Operations
  Endpoint Protection
  Security Governance (Policy, Assessments & Awareness)
FY16-17 Projects:
  Security Framework
  Multi-Factor Authentication
  Training & Awareness
  Phishing Website Training
  Vulnerability Management
7
U-W Strategy (Year 2)
Complete RMF Pilot in May
  5 year phase in
SETA (Security Education, Training and Awareness)
  IT/Security Staff (April)
  Student (Pilot Complete)
Partnerships
  Industry & Government
  Others in Higher Ed
Planned Buys FY16/17
  End Point Protection (currently in source selection)
  SIEM (RFP by May)
Working hard to get…
  ATP Phase I – NGFW
  ATP Phase II – SOC Tools
  ATP Phase III – Extend to UW System & 24/7 Ops
8
U-M Strategy
One Program
  Uniform risk
  Centralized detection
4 Levels of Information
  Focus on the top 2
  Make the right choice the easy choice
  Services
9
Gartner Attack Chain Strategy
Where to Look | Real-Time/Near-Real-Time   | Post Compromise
Network       | Network Traffic Analysis   | Network Forensics
Payload       | Payload Analysis           |
Endpoint      | Endpoint Behavior Analysis | Endpoint Forensics
10
U-M Strategy
Policy
  Revision to meet the strategy
  Points to 16 Standards
  DR Plans
People
  Building Academic Medical Center IA Program and team
  Creating detection teams
  Centralized IA Team
11
U-M Strategy
Technology
  MFA Expansion
  IAM Program
  Advanced Detection Capability: Network Traffic Analysis, SIEM, NGFW, Threat Intelligence
  Enclaves for Level 3 and 4: General Purpose and Research
12
Collaborations
13
Personal
CIC CISOs
Data Sharing Agreement
Started an “Information Sharing Sub Committee”
Initial action items and goals:
  Learning current state of incident response dashboards, queries and alterations
  Improving the SOC capabilities of CIC schools
  Improving cross-institution incident detection by sharing early warning information
Additional activity:
  Define a mechanism to share process documents (i.e., Google Docs)
  Define a common format to share indicators of compromise (Collective Intelligence Framework - CIF)
  Define types of indicators of compromise (significant events vs. routine)
  Define Traffic Light Protocol definitions
14
Cybersecurity Information Sharing Map
15
Technical
16
Principles
The data should be as vendor agnostic as possible.
When sharing time-sensitive threat data, the solution should be as automated as technically and procedurally feasible.
Though Splunk is not universally used, Common Information Model (CIM) compliant field extractions will be used to define how log entries will be interpreted and labeled.
The Collective Intelligence Framework (CIF), a format used by REN-ISAC to share threat intelligence data, will be used to transfer the data.
Traffic Light Protocol (TLP) could be considered when determining when to share threat intelligence data.
17
Phase 1
Initial options that allow schools to exchange data manually.
The final production system will require some development work.
Indicators of Compromise (IOC) will be shared via the group.
Surface any concerns such as data format criteria and applicability.
Identify and prioritize the most critical incidents and corresponding IOCs.
Develop and share Splunk queries and dashboards.
18
Phase 2
Automated data exchange (IOC) between CIF Servers
  Shibboleth
  API keys
Splunk queries will be shared via a GitLab instance
  Hosted by UM
  Secured using Shibboleth
The group will be used to:
  Communicate status
  Coordinate improvements
  Share any data that does not fit into the other 2 categories
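An added illustration (not code from the slides or the CIC group) of the Principles and Phase 1/2 approach: incoming indicator records in a CIF v3-style layout are matched against log events already normalized to Splunk CIM field names (src, dest, url), and the TLP marking decides which records may be passed on to a wider audience. The CIF field names are an assumption about that schema, and all IOCs and events are constructed samples.

```python
import ipaddress
from urllib.parse import urlparse

# Indicator records with field names modelled on the CIF v3 schema (assumed);
# indicator values are constructed samples, not real IOCs.
INDICATORS = [
    {"indicator": "203.0.113.7", "itype": "ipv4", "tlp": "amber",
     "confidence": 8, "tags": ["scanner"], "provider": "cic-school-a"},
    {"indicator": "malicious.example", "itype": "fqdn", "tlp": "red",
     "confidence": 9, "tags": ["phishing"], "provider": "cic-school-b"},
    {"indicator": "198.51.100.0/24", "itype": "ipv4", "tlp": "green",
     "confidence": 5, "tags": ["bruteforce"], "provider": "cic-school-a"},
]

# Log entries already extracted into CIM field names (Network Traffic / Web
# data models); constructed sample events.
EVENTS = [
    {"src": "10.1.2.3", "dest": "203.0.113.7", "dest_port": 443, "action": "allowed"},
    {"src": "10.1.2.9", "dest": "192.0.2.10", "dest_port": 80, "action": "allowed",
     "url": "http://malicious.example/login"},
    {"src": "198.51.100.77", "dest": "10.1.5.5", "dest_port": 22, "action": "blocked"},
]

# TLP: white = unlimited, green = community, amber = limited, red = named recipients only
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}


def _ipv4_hit(indicator, event):
    """True if src or dest falls inside the indicator (single host or CIDR block)."""
    net = ipaddress.ip_network(indicator, strict=False)
    return any(ipaddress.ip_address(event[k]) in net for k in ("src", "dest") if k in event)


def _fqdn_hit(indicator, event):
    """True if the host part of the event's CIM url field equals the indicator."""
    host = urlparse(event.get("url", "")).hostname
    return host is not None and host.lower() == indicator.lower()


def match_events(indicators, events, min_confidence=5):
    """Return (event_index, indicator_record) pairs for every IOC hit at or above min_confidence."""
    checks = {"ipv4": _ipv4_hit, "fqdn": _fqdn_hit}
    hits = []
    for i, event in enumerate(events):
        for ioc in indicators:
            check = checks.get(ioc["itype"])
            if check and ioc["confidence"] >= min_confidence and check(ioc["indicator"], event):
                hits.append((i, ioc))
    return hits


def shareable(indicators, max_tlp):
    """Keep only records whose TLP marking allows onward sharing at max_tlp or wider."""
    return [ioc for ioc in indicators if TLP_RANK[ioc["tlp"]] <= TLP_RANK[max_tlp]]
```

Forwarding to a community such as REN-ISAC would use `shareable(INDICATORS, "green")`, so amber and red records received from a partner school stay inside the group.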
19
Current State
Proof of concept CIF server installed and tested
Production server is being built
The GitLab instance is built and ready
The Shibboleth configuration is underway
The group is being used to:
  Work out the details of which IOCs to share
  Serve as a discussion forum for the efforts
The group continues to meet every 2 weeks.
20
Legal
Data Sharing Agreements
Enables:
  IOC/Threat Sharing and Modeling
  With Security AND Management
  Shared Security Assessments/Results
  Incident Response Collaboration
  Product evaluation collaboration
21
Conclusions
Don’t let bureaucracy get in your way
Use the teams you have, and/or use your vendors
Leverage the influence of higher ed
Crawl, walk, run
Need strong CIO commitment
22
Questions?