Miami Cybersecurity Gets a Makeover

A chat with Joe Bazeley, assistant vice president for security, compliance, and risk management,
can leave you wondering if it wouldn’t be a smart idea to turn in all your devices and live “off the grid.” Bazeley is quick to share his deep knowledge of the many ways the bad guys are out to use our connections to the Internet or WiFi, steal our information, and further their nefarious aims. They may be simply looking to harvest credit card or Social Security numbers, they may be using your account to access a colleague’s and steal research data, or they may be maliciously attacking Miami’s network – just because they can.

It’s Bazeley’s job to prevent, or at least limit, that kind of negative activity on Miami’s network. And that job is becoming more challenging every day.

To strengthen Miami’s security environment, a one-time allotment of $410K and a continuing budget increase of $200K were recently awarded. This pool of new funds will allow Bazeley to pursue four specific tool sets. Unified logging of activity on Miami’s network, the ability to identify and protect personally identifiable data stored in potentially risky locations, and a vulnerability management program make up the first phase, being deployed this summer. The fourth effort is centered on the proverbial weakest link – people – and will institute a new program of security awareness training sometime next year.

Unified Logging

The baseline of security is visibility: keeping records of what happens on Miami’s systems and network. When something goes wrong, an investigation has two critical questions to answer. Was any confidential data exposed? If so, was it actually accessed? Answering them means capturing a record each time a file on a network drive is opened, modified, or deleted, retaining those records, and searching them for anomalous or suspicious activity.

Currently, Miami uses a tool called Splunk to collect and search those logs – and our license allows us to index up to 100 gigabytes of log data each day. Bazeley estimates that seven times that amount is generated each day. Splunk enforces the cap, so Miami loses potentially important information on a nearly daily basis. It is the Maserati of logging tools and is priced to reflect that. To increase our Splunk license to accommodate our needs would take a $500K one-time license fee, with a continuing annual expense of $120K, Bazeley estimates.

So, do we need the Maserati, or would a Honda meet Miami’s needs? It turns out that what we need is an ELK. ELK is a trio of open source tools that provides the same core functionality with no per-gigabyte license cap; its capacity is limited only by the hardware it runs on. The primary expense is new hardware to host the tools and store the data. Not only does ELK reduce the direct costs of logging, but it will also save personnel time by unifying the reporting. Currently, each system generates its own logs. If there is an outage or disruption to any IT service, it means tracking down the log for each system that might be causing the problem. In the ELK stack, Logstash collects the logs from each system and parses them into a common format, Elasticsearch indexes and searches them, and Kibana presents a single dashboard view of Miami’s network. Saves cash, saves effort, increases security.
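The two investigative questions above (was confidential data exposed, and was it accessed?) can be answered mechanically once file-access events land in one searchable place. The following Python is an added example, not code from the article or from Miami’s deployment: it parses a handful of constructed file-audit records in an assumed “timestamp user action path” format, marks each confidential file that appears in the log as exposed, and lists the events by users who are not on that file’s assumed access list. The paths and access lists are hypothetical.

```python
"""Triage file-audit records for a breach investigation.

Added example, not code from Miami's deployment. The log line format, the
sensitive-path list and the per-file access lists are all assumptions.
"""
import re

# Constructed sample records (assumed format: ISO timestamp, user, action, path),
# roughly what a normalised file-server audit line would contain.
SAMPLE_LOG = """\
2015-06-01T08:02:11Z jdoe OPEN /shares/research/grant_budget.xlsx
2015-06-01T08:05:40Z jdoe MODIFY /shares/research/grant_budget.xlsx
2015-06-01T09:14:03Z asmith OPEN /shares/hr/payroll_2015.csv
2015-06-01T11:30:27Z jdoe OPEN /shares/hr/payroll_2015.csv
2015-06-01T11:31:02Z jdoe DELETE /shares/hr/payroll_2015.csv
2015-06-02T02:17:45Z svc_backup OPEN /shares/research/grant_budget.xlsx
2015-06-02T02:17:46Z svc_backup OPEN /shares/hr/payroll_2015.csv
"""

# Assumed classification: which paths hold confidential data and who may touch them.
SENSITIVE_PATHS = {
    "/shares/hr/payroll_2015.csv": {"asmith", "svc_backup"},
    "/shares/research/grant_budget.xlsx": {"jdoe", "svc_backup"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>OPEN|MODIFY|DELETE)\s+(?P<path>\S+)$"
)


def parse_records(text):
    """Return (records, malformed_count). Malformed lines are counted rather than
    silently dropped, because a parser that drops lines hides evidence."""
    records, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            malformed += 1
            continue
        records.append(m.groupdict())
    return records, malformed


def triage(records, sensitive=SENSITIVE_PATHS):
    """Answer the two questions per confidential file.

    Returns {path: {"exposed": bool, "unauthorized": [record, ...]}}.
    'exposed' means the file appears in the log at all; 'unauthorized' holds the
    events by users not on that file's access list, which is where an analyst
    starts reading.
    """
    result = {p: {"exposed": False, "unauthorized": []} for p in sensitive}
    for r in records:
        allowed = sensitive.get(r["path"])
        if allowed is None:
            continue  # not a file we classify as confidential
        result[r["path"]]["exposed"] = True
        if r["user"] not in allowed:
            result[r["path"]]["unauthorized"].append(r)
    return result


def summarize(text):
    """Parse then triage; returns (findings, malformed_count)."""
    records, malformed = parse_records(text)
    return triage(records), malformed


if __name__ == "__main__":
    findings, malformed = summarize(SAMPLE_LOG)
    for path, f in findings.items():
        print(path, "exposed" if f["exposed"] else "untouched")
        for r in f["unauthorized"]:
            print("  UNAUTHORIZED", r["ts"], r["user"], r["action"])
    print("malformed lines:", malformed)
```

On the sample data the payroll file is both exposed and accessed (and then deleted) by a user outside its access list, while the grant budget is touched only by authorized accounts; the point is that this is a query over unified records, not a hunt through seven separate log files.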

Personally Identifiable Information

Attacking from a different angle, the second prong of Bazeley’s security expansion is powered by tools named CloudLock and Identity Finder. Each is designed to search out data that appear to be confidential: numbers in a 3-2-4 pattern like Social Security numbers, 4-4-4-4 numbers like credit card numbers, and more. Bazeley describes these as “pattern matchers.” A pattern match is a strong hint rather than proof, which is why the rules that act on a match have to be tuned.

Why is this protection important? According to IBM and the Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis, the average cost of a data breach increased 23% over the past two years to $3.79 million, and the average cost per lost or stolen record is $154. The likelihood of a serious data breach may not be high, but the potential damage in dollars and in reputation is huge.

Like ELK, these tools bring automation to the table. “Rules” determine what counts as a likely exposure when a match is found, and actions are assigned based on the situation. If someone sharing a file that contains student grades accidentally shares it with everyone instead of just approved individuals, these tools can be set to revoke that sharing and generate an email notifying the sharer. Bazeley says that most “exposures” are personal – you email a copy of your tax return to yourself or your spouse. That exposes SSNs, but as a very small incident, the system can be tuned to simply notify you to consider being more careful.
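The pattern matching and the rules described in the two paragraphs above, as an added example in Python; this is not code from CloudLock or Identity Finder, whose internals the article does not describe. The regular expressions implement the 3-2-4 and 4-4-4-4 patterns, and two validity checks cut the false positives a bare pattern produces (a Luhn checksum for card numbers, and the Social Security Administration’s structural rules that no field is all zeros and the area is neither 666 nor in the 900 range). The response rule, its thresholds, and the sample documents are assumptions.

```python
"""PII pattern matching with validity checks, plus a response rule.

Added example, not CloudLock or Identity Finder code. Thresholds, the sharing
metadata and the sample documents are assumptions.
"""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")                    # 3-2-4
CARD_RE = re.compile(r"\b(\d{4})[ -](\d{4})[ -](\d{4})[ -](\d{4})\b")  # 4-4-4-4


def luhn_ok(digits):
    """Luhn checksum. A 16-digit string that fails it is almost certainly a
    phone number, serial number or ID, not a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Structural rules for issued SSNs: no all-zero field, area not 666 and
    not 900-999."""
    a = int(area)
    return (area != "000" and group != "00" and serial != "0000"
            and a != 666 and not 900 <= a <= 999)


def find_pii(text):
    """Return the matches that survive the validity checks, grouped by type."""
    ssns = [m.group(0) for m in SSN_RE.finditer(text)
            if ssn_plausible(*m.groups())]
    cards = [m.group(0) for m in CARD_RE.finditer(text)
             if luhn_ok("".join(m.groups()))]
    return {"ssn": ssns, "card": cards}


def decide_action(findings, shared_with, owner):
    """Assumed rule: a few hits visible only to the owner gets a nudge;
    anything shared beyond the owner, or a large number of hits, gets the
    sharing revoked and the owner notified."""
    hits = len(findings["ssn"]) + len(findings["card"])
    if hits == 0:
        return "none"
    external = [u for u in shared_with if u != owner]
    if external or hits >= 10:
        return "revoke_sharing_and_notify"
    return "notify_owner"


# Constructed sample documents: (name, text, owner, users it is shared with).
SAMPLE_DOCS = [
    ("tax_return.pdf",
     "Taxpayer SSN 123-45-6789, spouse 987-65-4321",  # second one fails the area rule
     "jdoe", ["jdoe"]),
    ("grades.xlsx",
     "ID 123-45-6789 grade A; ID 234-56-7890 grade B",
     "jdoe", ["jdoe", "everyone"]),
    ("inventory.txt",
     "Asset serial 1234 5678 9012 3456, invoice card 4111 1111 1111 1111",
     "asmith", ["asmith", "bjones"]),
]


def scan_documents(docs=SAMPLE_DOCS):
    """Return {name: (findings, action)} for every document."""
    out = {}
    for name, text, owner, shared in docs:
        f = find_pii(text)
        out[name] = (f, decide_action(f, shared, owner))
    return out


if __name__ == "__main__":
    for name, (f, action) in scan_documents().items():
        print(name, f, "->", action)
```

The serial number in the inventory file matches the 4-4-4-4 pattern but fails Luhn, so it is not counted, while the spouse’s SSN is dropped by the area rule; the grades file is shared with “everyone” and so gets its sharing revoked, and the tax return shared only with its owner gets a reminder. That tuning is what keeps a pattern matcher from burying real exposures under noise.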

Between CloudLock, which searches cloud-based systems such as Google Mail and Drive, and Identity Finder, which targets local network drives, these tools provide another significant layer to keep the bad guys out.

NOTE: Identity Finder does have the capability to search any device connected to the network, including laptops and desktop computers. Bazeley is working with the University Senate IT Policy committee to discuss when, or if, searching at that level will be enabled. They will take the issue to the full University Senate before any decisions are made.

Vulnerability Management

As the hackers and phishers of this world become more sophisticated, software developers are constantly working to keep ahead of them – or to catch up, in many cases. All software products offer occasional updates, but the larger products like the Microsoft Windows and OS X operating systems issue a seemingly never-ending series of patches. Servers or computers on Miami’s network that are not diligently patched create vulnerabilities in the network: there may be a path that bad actors can use to get past our firewall and potentially wreak havoc.

The third element of the security improvement is designed to improve our ability to identify potential vulnerabilities and test them. Like the logging tool, this asks two questions: does a machine appear to be vulnerable and, if it does, can that vulnerability actually be exploited? Separating the two lets security staff focus their efforts on the more “real” risks. “We will never eliminate the risks and vulnerabilities entirely,” says Bazeley. “But we can ensure that the time and energy we have is directed against the most significant threats.”

Security Awareness Training

The final piece of Bazeley’s new comprehensive security strategy is the human element. Training packages will be evaluated and, working with HR and Academic Personnel, guidelines will be created that identify what training should be offered, when it should be offered, and who should be trained. More information on this phase of the program will be announced as it develops.

Wrap Up

A coordinated effort across four specific initiatives will greatly advance Miami’s cybersecurity position as they are deployed. But the benefits also include the reduction of manual processes, supporting Miami’s LEAN goals. A stronger security posture supports reliability for all technology services on the Miami network, answering the Governor’s Task Force on Higher Education’s call for improvements in efficiency and effectiveness.

Will this new investment solve all of Joe Bazeley’s headaches? No. Will it mean he can sleep a little easier at night? Maybe. And that’s about as good as it gets in the world of phishing, hacking, threat actors, malware, screen scrapers, keyloggers, blackhats, botnets, and zombies.