Cybersecurity and Research Industry perspectives for ASEE ERC annual meeting 13 March 2018 Arlington, VA Christian Schreiber, CISM, PMP Global Pursuit Specialist – FireEye


Introductions


©2018 FireEye | Private & Confidential

Professional background

20 years higher education experience
• CISO positions: The University of Arizona, University of Wisconsin – Whitewater
• IT leadership: University of Wisconsin – Madison, Central Michigan University
• Service provider leadership: Ellucian / SunGard Higher Education

FireEye roles
• Global Pursuit Specialist with focus on higher education
• Program Executive supporting the University of California System


FIREEYE MISSION

To relentlessly protect our customers with innovative technology and expertise learned on the front lines of cyber attacks.


FireEye built unique visibility across attack lifecycle

Adversary Intelligence: Deploying global researchers with local knowledge
• 22 countries
• 30+ languages
• 150+ analysts & researchers

Machine Intelligence: Generating attack telemetry globally
• 15,000 network sensors
• 16 million endpoints
• 56 countries
• Tens of millions malware analysis / hour

Victim Intelligence: Responding to the most significant breaches
• 13+ years investigative expertise
• 200+ of the Fortune 500
• 26 countries with consultants

Campaign Intelligence: Witnessing attacks as they unfold
• 7 Security Operations Centers
• 99m+ events ingested
• 21m+ alerts validated by Intel
• 33,700+ incidents dispositioned

24% of R1 institutions are FireEye customers


Experts frequently cited about cybersecurity trends


Understanding the threat


Reasons attackers target universities


Organized Crime
• Financial gain
• Attackers steal information that can be sold (such as personal information or financial information) or extort victims for money (such as Ransomware)

Hacktivism
• Disruption and political statements
• Attackers spread political messages (such as defacing websites with political messages)

Economic Espionage
• Theft of intellectual property
• Attackers steal information for economic or political gain (such as research or politically sensitive information)

Pass-through Attacks
• Exploit resources for further attacks
• Attackers use university technology to attack other organizations (such as compromising a server to carry out other attacks or using email to launch spear phishing attacks)

Destructive Attacks
• Disrupt operations
• Attackers aim to interrupt normal university business operations (such as launching a denial of service attack)


Types of university data targeted by attackers

Sensitive Enterprise Data
• Credentials
• Employee data
• Student records
• Financial data
• Recruitment and marketing data

Research with Potential Economic Value
• Energy technology
• Biotechnology, medical, and pharmaceuticals
• Engineering
• New materials, such as semi-conductors
• Information technology

Politically or Commercially Sensitive Information
• Climate modelling
• Economic data and projections
• Live animal research
• Product development data
• Information used for expert testimony


* Adapted from: Universities UK. “Cyber security and universities: managing the risk.” November 2013.


Some of the earliest publicly reported APT attacks leveraged university computer networks


“To run their spying campaign, the [Chinese] attackers used a number of compromised computer systems registered to universities in North Carolina, Arizona, Wisconsin and New Mexico…”


Attackers consistently breach cyber defenses


* FireEye. “Maginot Revisited.” 2015.

2015 FireEye study analyzed more than 1,600 organizations
• 96% actively breached during 30-day test period
• 27% had evidence of advanced attacks

Study included more than 100 universities
• 100% actively breached during test period
• 37% had evidence of advanced attacks


Impact on research processes


Cybersecurity not just about keeping data secret


[Diagram: Information Security as Confidentiality, Integrity, and Availability]

Most people associate cybersecurity with CONFIDENTIALITY
• Prevent attackers from stealing personal information, intellectual property, etc.

AVAILABILITY and INTEGRITY of research data are also important
• Prevent attackers from destroying years of research making it unrecoverable
• Prevent attackers from modifying data to produce inaccurate research results


Cybersecurity expectations beginning to solidify


George W Bush
• Designation and Sharing of Controlled Unclassified Information (CUI) (07 May 2008)

Barack Obama
• Executive Order 13556 – Controlled Unclassified Information (04 Nov 2010)
• Executive Order 13636 – Improving Critical Infrastructure Cybersecurity (12 Feb 2013)

Donald J Trump
• Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (11 May 2017)

Core concepts for due diligence consistent across three administrations


Institutional impact not limited to research


“[Reminding] institutions of their legal obligations to protect student information used in the administration of the Title IV Federal student financial aid programs.”

“We also advise institutions that… NIST SP 800-171 identifies recommended requirements for ensuring the appropriate long-term security of certain Federal information in the possession of institutions.”

US Department of Education notices GEN-15-18 and GEN-16-12


Addressing the requirements


Many approaches for achieving compliance

Delegate to individual researchers
• PRO: Low initial institutional investment
• CON: Duplicated costs across many programs
• CON: Responsibility rests with individuals who are not experts in IT, cybersecurity, compliance
• CON: Limited institutional visibility into risk exposure

Shared services at institution level
• PRO: Economies of scale for core infrastructure, personnel, and compliance processes
• PRO: Strengthens institutional visibility into risk exposure
• CON: Individual researchers may lose some flexibility in order to work within broader infrastructure and processes

Collaborative shared services across institutions
• PRO: Additional economies of scale
• CON: Individual researchers and institutions may lose flexibility
• CAVEAT: Understand institution roles and responsibilities for shared governance, compliance, and cybersecurity processes

Commercial hosting & compliance services
• PRO: Allows some risk transference to third party
• PRO/CON: May be higher or lower cost, depending on vendor
• CAVEAT: Understand institution and vendor roles and responsibilities for compliance and cybersecurity processes


Responsibilities when adopting cloud services


Hosting your research in the cloud does not remove compliance responsibility

“Security and Compliance is a shared responsibility between AWS and the customer…

Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.”

* Amazon AWS. “Shared Responsibility Model.” Available online at https://aws.amazon.com/compliance/shared-responsibility-model/


Institutions should take holistic approach to compliance


Don’t delegate to individual teams
• Replicating compliance across every group is not cost effective, so approach the process more strategically

Research-focused groups should not have to tackle this issue alone
• DOE letters regarding protection of financial aid data extend scope to administrative systems

Build a consistent campus-wide program
• Build a program that addresses all potentially regulated data in a consistent manner
• Include (at a minimum) faculty, Research, CIO, CISO, Privacy, Risk Management, Audit, Insurance, and Legal


Thank you!
