Higher Ed Cybersecurity Strategy: Taking a Holistic Approach

Defending campuses from the new cyberthreats

Colleges and universities house significant amounts of sensitive and valuable data in their IT systems, and often have insufficient defenses in place, making them prime targets for cybercriminals. As a result, cyberattacks on institutions continue to increase in frequency and severity.

After a serious cyberattack in May 2015 made UCLA Health a high-profile example of the risks, the University of California system implemented a systemwide strategy to secure its network, email and endpoints against cyberthreats.

In this web seminar, presenters discussed the higher ed cyberthreat landscape, how the UC system is managing cyber risk across all campuses and health care facilities, and some key strategies for an institution of any size to detect and mitigate cyberthreats.


Christian Schreiber
Higher Education Cybersecurity Lead

Monte Ratzlaff
Director, Cyber Risk Program
University of California Office of the President

Christian Schreiber: FireEye is a large private cyberintelligence organization. We spend a lot of time understanding the attackers who are out there: what they do, how they do it and what their targets are. We use that information to help protect our customers.

In higher education, one of the things I do is help people understand what we mean by advanced attacks. These are the more significant types of breaches. The key to understanding advanced attacks is that they’re not about a “what.” Oftentimes, people will look for malware, for example. But that’s just a tool that an attacker uses. When you start to boil down what an advanced attack is, it’s executed by skilled professionals. These are people whose day-to-day job is to carry out attacks against organizations and obtain specific types of data, usually to monetize it. The other important thing to understand with these attackers is that they are persistent. If you kick them out, they will return.

In 46% of breaches, the attackers don’t even use malware. They tend to get administrative credentials, and then they can log in and act like a normal user inside your environment. So if you’re dealing with an advanced attacker, you’re not just looking for evidence of malware on computers; you’re looking for other evidence of lateral movement and activity.

There has been a lot of interest from the government about continued attacks against higher education research. The National Institute of Standards and Technology, among others, is looking to do a lot more collaboration with institutions to help them understand what their risks are and how they can jointly protect themselves.

Universities will continue to be in the crosshairs. As attacks continue to escalate, we need more coordination—not just across the universities, but also between universities and the private sector. You have to know which departments and which types of research might be actively targeted. And you even want to get down to the faculty level, doing more awareness training with individuals who might be at a higher risk than they were five years ago.

Monte Ratzlaff: Following a cyberattack at UCLA Health in 2015, we had to take a look at how we could be more resilient. From that, there were five objectives identified, which we call Cyber Risk Pillars:

1. governance
2. risk management
3. modernizing technology
4. hardening systems
5. culture change

We’ve developed programs to support each pillar. One of our key initiatives was developing the Cyber Risk Governance Committee, which includes a cyber-risk executive from each of our 10 campuses. The committee gets together once per quarter to talk about risk issues—but not necessarily just technical issues, because at the end of the day, cyber risk is a business issue.

We’ve also done other things around risk management, such as modernizing technology, multifactor authentication, anti-phishing, and particularly the Threat Detection and Identification (TDI) program. One of the key objectives from a systemwide perspective is being consistent and coordinated. The key component of the TDI program is the FireEye platform that’s been deployed across UC. The program is not just about technology; it’s about looking at threat intelligence and privacy.

At UC, we value privacy. There’s the information security component that protects infrastructure. Then, there’s the aspect of information privacy for individuals, including student records, patient records and so on. Security has to cover that as well.

Where are we now? We have monthly governance calls with all of our locations and stakeholders, and those calls include FireEye. We talk about what we’re seeing across the system, improvements we’re looking at making, and some road maps for looking ahead. We also do monthly and quarterly reporting of events we’re seeing. We continue to try to improve and make the TDI program as robust as it needs to be to address the cyber risk facing the University of California.
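Christian Schreiber’s point that many intrusions involve no malware at all, only stolen administrative credentials used to “log in and act like a normal user,” is the reason detection programs look for lateral movement rather than just malware. The following Python is an added editorial example, not code from the seminar, FireEye or the University of California. It runs two simple lateral-movement checks over a constructed set of simplified Windows Security logon records (event 4624, successful logon; logon type 3 = network, 10 = RDP): an account fanning out to many hosts within a short window, and a privileged account logging in remotely from a source address outside an assumed baseline. The account names, host names, addresses and the `BASELINE` table are all invented for the example.

```python
"""Flag credential-based lateral movement in Windows logon events.

Added example; the events below are constructed for illustration and are
not real logs. Field names follow the Windows 4624 event schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON record per line. LogonType 3 (network) and
# 10 (RemoteInteractive/RDP) are the logon types lateral movement relies on.
SAMPLE_EVENTS = """\
{"ts":"2019-10-01T09:00:05","EventID":4624,"TargetUserName":"jdoe","LogonType":2,"IpAddress":"-","Computer":"WS-0142"}
{"ts":"2019-10-01T09:01:10","EventID":4624,"TargetUserName":"svc-backup","LogonType":3,"IpAddress":"10.8.4.20","Computer":"FS-01"}
{"ts":"2019-10-01T09:01:12","EventID":4624,"TargetUserName":"svc-backup","LogonType":3,"IpAddress":"10.8.4.20","Computer":"FS-02"}
{"ts":"2019-10-01T09:03:40","EventID":4624,"TargetUserName":"adm-rsmith","LogonType":3,"IpAddress":"10.8.77.31","Computer":"WS-0142"}
{"ts":"2019-10-01T09:04:02","EventID":4624,"TargetUserName":"adm-rsmith","LogonType":3,"IpAddress":"10.8.77.31","Computer":"WS-0157"}
{"ts":"2019-10-01T09:04:30","EventID":4624,"TargetUserName":"adm-rsmith","LogonType":10,"IpAddress":"10.8.77.31","Computer":"SQL-01"}
{"ts":"2019-10-01T09:05:15","EventID":4624,"TargetUserName":"adm-rsmith","LogonType":3,"IpAddress":"10.8.77.31","Computer":"DC-01"}
{"ts":"2019-10-01T09:05:50","EventID":4624,"TargetUserName":"adm-rsmith","LogonType":3,"IpAddress":"10.8.77.31","Computer":"HR-APP"}
{"ts":"2019-10-01T09:06:00","EventID":4634,"TargetUserName":"adm-rsmith","LogonType":3,"IpAddress":"10.8.77.31","Computer":"WS-0142"}
"""

# Assumed baseline: the source addresses each privileged account normally
# logs in from. In practice this comes from a learning period or a CMDB.
BASELINE = {"svc-backup": {"10.8.4.20"}, "adm-rsmith": {"10.8.77.5"}}

REMOTE_LOGON_TYPES = (3, 10)


def parse_events(text):
    """Parse JSON-lines logon records; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_lateral_movement(events, window=timedelta(minutes=5),
                            max_hosts=3, baseline=BASELINE):
    """Return findings for two credential-abuse signals.

    fan_out:    one account reaches more than max_hosts distinct hosts via
                remote logons inside a sliding time window.
    new_source: a baselined privileged account logs in remotely from a
                source address not in its baseline.
    """
    findings = []
    remote = [e for e in events
              if e["EventID"] == 4624 and e["LogonType"] in REMOTE_LOGON_TYPES]
    remote.sort(key=lambda e: e["ts"])

    by_user = defaultdict(list)
    for event in remote:
        by_user[event["TargetUserName"]].append(event)

    for user, evs in by_user.items():
        # Sliding window over this user's remote logons, in time order.
        for i, event in enumerate(evs):
            hosts = {x["Computer"] for x in evs[:i + 1]
                     if event["ts"] - x["ts"] <= window}
            if len(hosts) > max_hosts:
                findings.append({"rule": "fan_out", "user": user,
                                 "source": event["IpAddress"],
                                 "hosts": sorted(hosts)})
                break  # one fan_out finding per account is enough
        if user in baseline:
            unknown = sorted({e["IpAddress"] for e in evs} - baseline[user])
            if unknown:
                findings.append({"rule": "new_source", "user": user,
                                 "sources": unknown})
    return findings


def run_sample():
    """Run both checks over the constructed sample and return the findings."""
    return detect_lateral_movement(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample, `svc-backup` touches two file servers from its usual address and produces nothing, while `adm-rsmith` trips both rules: four distinct hosts within five minutes, and a source address that is not in its baseline. Neither signal depends on a malware artifact, which is the point of the passage above; the thresholds and the baseline are starting values to tune against your own logon volume, not recommendations from the seminar.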

To watch this web seminar in its entirety, please visit UBmag.me/ws121019