Cybersecurity and Research
Industry perspectives for ASEE ERC annual meeting
13 March 2018
Arlington, VA
Christian Schreiber, CISM, PMP
Global Pursuit Specialist – FireEye
Introductions
©2018 FireEye | Private & Confidential
Professional background
20 years higher education experience
• CISO positions: The University of Arizona, University of Wisconsin – Whitewater
• IT leadership: University of Wisconsin – Madison, Central Michigan University
• Service provider leadership: Ellucian / SunGard Higher Education
FireEye roles
• Global Pursuit Specialist with focus on higher education
• Program Executive supporting the University of California System
To relentlessly protect our customers with innovative technology and expertise learned on the front lines of cyber attacks.
FIREEYE MISSION
FireEye built unique visibility across attack lifecycle
Adversary Intelligence
Deploying global researchers with local knowledge
• 22 countries
• 30+ languages
• 150+ analysts & researchers
Machine Intelligence
Generating attack telemetry globally
• 15,000 network sensors
• 16 million endpoints
• 56 countries
• Tens of millions malware analysis / hour
Victim Intelligence
Responding to the most significant breaches
• 13+ years investigative expertise
• 200+ of the Fortune 500
• 26 countries with consultants
Campaign Intelligence
Witnessing attacks as they unfold
• 7 Security Operations Centers
• 99m+ events ingested
• 21m+ alerts validated by Intel
• 33,700+ incidents dispositioned
24% of R1 institutions are FireEye customers
Experts frequently cited about cybersecurity trends
Understanding the threat
Reasons attackers target universities
Organized Crime
• Financial gain
• Attackers steal information that can be sold (such as personal information or financial information) or extort victims for money (such as Ransomware)
Hacktivism
• Disruption and political statements
• Attackers spread political messages (such as defacing websites with political messages)
Economic Espionage
• Theft of intellectual property
• Attackers steal information for economic or political gain (such as research or politically sensitive information)
Pass-through Attacks
• Exploit resources for further attacks
• Attackers use university technology to attack other organizations (such as compromising a server to carry out other attacks or using email to launch spear phishing attacks)
Destructive Attacks
• Disrupt operations
• Attackers aim to interrupt normal university business operations (such as launching a denial of service attack)
Types of university data targeted by attackers
Sensitive Enterprise Data
• Credentials
• Employee data
• Student records
• Financial data
• Recruitment and marketing data
Research with Potential Economic Value
• Energy technology
• Biotechnology, medical, and pharmaceuticals
• Engineering
• New materials, such as semi-conductors
• Information technology
Politically or Commercially Sensitive Information
• Climate modelling
• Economic data and projections
• Live animal research
• Product development data
• Information used for expert testimony
* Adapted from: Universities UK. “Cyber security and universities: managing the risk.” November 2013.
Some of the earliest publicly reported APT attacks leveraged university computer networks
“To run their spying campaign, the [Chinese] attackers used a number of compromised computer systems registered to universities in North Carolina, Arizona, Wisconsin and New Mexico…”
Attackers consistently breach cyber defenses
* FireEye. “Maginot Revisited.” 2015.
2015 FireEye study analyzed more than 1,600 organizations
• 96% actively breached during 30-day test period
• 27% had evidence of advanced attacks
Study included more than 100 universities
• 100% actively breached during test period
• 37% had evidence of advanced attacks
Impact on research processes
Cybersecurity not just about keeping data secret
Information Security: Confidentiality, Integrity, Availability
Most people associate cybersecurity with CONFIDENTIALITY
• Prevent attackers from stealing personal information, intellectual property, etc.
AVAILABILITY and INTEGRITY of research data are also important
• Prevent attackers from destroying years of research, making it unrecoverable
• Prevent attackers from modifying data to produce inaccurate research results
Cybersecurity expectations beginning to solidify
George W Bush
• Designation and Sharing of Controlled Unclassified Information (CUI) (07 May 2008)
Barack Obama
• Executive Order 13556 – Controlled Unclassified Information (04 Nov 2010)
• Executive Order 13636 – Improving Critical Infrastructure Cybersecurity (12 Feb 2013)
Donald J Trump
• Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (11 May 2017)
Core concepts for due diligence consistent across three administrations
Institutional impact not limited to research
“[Reminding] institutions of their legal obligations to protect student information used in the administration of the Title IV Federal student financial aid programs.”
“We also advise institutions that… NIST SP 800-171 identifies recommended requirements for ensuring the appropriate long-term security of certain Federal information in the possession of institutions.”
US Department of Education notices GEN-15-18 and GEN-16-12
Addressing the requirements
Many approaches for achieving compliance
Delegate to individual researchers
• PRO: Low initial institutional investment
• CON: Duplicated costs across many programs
• CON: Responsibility rests with individuals who are not experts in IT, cybersecurity, compliance
• CON: Limited institutional visibility into risk exposure
Shared services at institution level
• PRO: Economies of scale for core infrastructure, personnel, and compliance processes
• PRO: Strengthens institutional visibility into risk exposure
• CON: Individual researchers may lose some flexibility in order to work within broader infrastructure and processes
Collaborative shared services across institutions
• PRO: Additional economies of scale
• CON: Individual researchers and institutions may lose flexibility
• CAVEAT: Understand institution roles and responsibilities for shared governance, compliance, and cybersecurity processes
Commercial hosting & compliance services
• PRO: Allows some risk transference to third party
• PRO/CON: May be higher or lower cost, depending on vendor
• CAVEAT: Understand institution and vendor roles and responsibilities for compliance and cybersecurity processes
Responsibilities when adopting cloud services
Hosting your research in the cloud does not remove compliance responsibility
“Security and Compliance is a shared responsibility between AWS and the customer…
Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.”
* Amazon AWS. “Shared Responsibility Model.” Available online at https://aws.amazon.com/compliance/shared-responsibility-model/
Institutions should take holistic approach to compliance
Don’t delegate to individual teams
• Replicating compliance across every group is not cost effective, so approach the process more strategically
Research-focused groups should not have to tackle this issue alone
• DOE letters regarding protection of financial aid data extend scope to administrative systems
Build a consistent campus-wide program
• Build a program that addresses all potentially regulated data in a consistent manner
• Include (at a minimum) faculty, Research, CIO, CISO, Privacy, Risk Management, Audit, Insurance, and Legal
Thank you!