How we address targeted attacks in progress

It’s a vital and necessary precaution to protect the university’s network from mobile devices that we neither own nor manage.
By: | Issue: January, 2016
December 14, 2015

Like many of my peers in higher education IT, we at Barry University support an open, collaborative learning environment. And that means embracing campuswide mobility and a bring-your-own-device policy. To minimize the risks associated with mobility and BYOD, we now use an Advanced Persistent Threat (APT) defense. It’s a vital and necessary precautionary measure to protect the university’s network from mobile devices that we neither own nor manage.

Students come to Barry University here in Miami for quality academics and the Catholic tradition of integrating learning with reflection and social justice. The university is co-ed and offers liberal arts, nursing, health sciences, teacher education and business programs. In addition to our main Miami campus, we have 20 locations across Florida, Saint Croix and in The Bahamas, where I manage security as well.

Like most universities, students, faculty and staff connect their personal mobile devices to the campus network for learning, business and fun. Our students expect BYOD connectivity, and the university staff has gone mobile by issuing laptops to employees. In a nutshell, the mobility wave is in full swing and we embrace it everywhere.

But we all know that while the convenience and productivity benefits are unassailable, mobility has the potential to increase our security risk. People travel back and forth to campus using devices with different levels of protection and are exposed to exploits and threats. When students and staff return to the network, connect and authenticate, these threats and exploits bypass our perimeter security and can go completely undetected inside the network. Since we don’t own or manage the devices, we don’t know if they are infected with malware or vulnerable to exploits.

We have a strong perimeter defense that protects the university, including firewalls, intrusion detection, sandboxing systems and endpoint protection. However, they don’t cover us fully when it comes to mobility. Devices come and go regularly and there’s a huge amount of risk associated with that.

The university’s network can never be 100-percent protected. Industry experts tell us that no matter what we do, infected hosts will get into our network. So it comes down to minimizing our risk as much as possible.

We know what actions can raise our risk level. But what we really needed was real-time visibility into targeted attacks that get inside our network. This critical visibility would quickly keep cyber attacks from spreading and mitigate loss, thereby reducing our risk level. While we have some of the world’s best security solutions in place at Barry University, I heard about the Vectra Networks Automated Threat Management system through the South Florida infosec community.

I learned that this Automated Threat Management system combines data science, machine learning and behavioral analysis to automatically detect cyber attacks while they’re happening in real time. It also claimed to instantly score and prioritize detected threats based on certainty and risk to our critical assets.

This all sounded great to me. But despite these claims, my immediate reaction was that I don’t want another security gadget. Most are monumentally complex and require us to sift through mountains of event logs and alerts without knowing which ones pose a serious threat and which ones may lead to false positives. They also require additional headcount and sizable resources to operate. We simply don’t have the time or budget to do that.

But because of the looming security risks associated with mobility, I agreed to a proof-of-concept test. I was curious to see if it could analyze our internal and Internet traffic to identify attackers who might be trying to spy, spread and steal inside the university’s network.

I’m not easily impressed, but the initial results were stunning. It detected an active threat that was about to exfiltrate data and we needed to mitigate right away. I didn’t think it was possible to have this level of visibility into attacks as they were actually happening. But there we were, being attacked by a phishing campaign.

The bold claims that Automated Threat Management could monitor network traffic to detect cyber attacks in real time were true – I saw it happen. So did my security operations team, which promptly mitigated the attack before damage was done. Without it, the malware would clearly have spread, and we would have ended up in a very difficult place.

Like me, our security team is pretty skeptical, but that’s no longer the case. The Automated Threat Management system is very easy to operate. There are no filters to configure, and no signatures or reputation lists to update. We don’t get mired in an endless barrage of event logs and alerts. You don’t even need a user manual. That makes it fundamentally different from other security systems I’ve seen.

By leveraging data science, machine learning and behavioral analysis, Automated Threat Management gets smarter the longer it runs and becomes more able to identify naturally-forming communities as well as sophisticated cyber-attack techniques.

With Automated Threat Management monitoring and detecting targeted cyber attacks in our network, I can tell the University president, the board and regulators that while it’s impossible to stop everything, we have significantly reduced our risk.

And in some unexpected ways, the Automated Threat Management system continues to deliver value. For example, it identified some misconfigured printers that created vulnerabilities and left the network susceptible to attack. As a result, those vulnerabilities were swiftly eliminated.

Hernan Londono is associate chief information officer at Barry University.