CyberWire Daily - Extending security tools to the at home workforce during the pandemic. [Research Saturday]
Episode Date: May 31, 2020
In this episode of CyberWire-X, Rick Howard, the CyberWire’s Chief Analyst, interviews security thought leaders on the strategy and tactics to extend the security controls we’ve typically used to protect our handful of remote employees in the past to today, during the pandemic, that requires us to deploy flexible but equivalent controls at scale to everybody in the organization. Joining us is Bob Turner, CISO of the University of Wisconsin at Madison. Later in the program, we will hear from Mounir Hahad, the head of Threat Labs, and Mike Spanbauer, a security evangelist, at Juniper Networks, the sponsor of the show. Thanks to our sponsor, Juniper Networks.
You're listening to the CyberWire Network, powered by N2K. topics affecting organizations around the world. As you are all quite aware, the pandemic has
flipped our entire world on its head. And that is even more true for the network defenders of the
world. How do you secure what was mostly a work from the office employee base into an almost
completely work from home employee base overnight? In this episode of CyberWire-X, we explore how
some of us are dealing with that monumental shift.
The first part of the show features a lively conversation I had with Bob Turner, the CISO for the University of Wisconsin at Madison.
In part two, we'll hear from Mounir Hahad, the head of Threat Labs, and Mike Spanbauer, a security evangelist, both from Juniper, the sponsor of today's episode.
So stay with us.
And now a word from our sponsor, Juniper Networks. In the new normal, IT organizations are scrambling to keep remote users connected and productive while trying to strike a balance between business
continuity, security, and privacy. All this while maintaining user
productivity and a business-grade experience. Their end users are trying to juggle the intersection
of their work and personal lives, conference calls, e-learning, entertainment, and a spouse
or partner trying to conduct business at the same time. In a sense, this use of the home network
resembles a shared office space and the new distributed enterprise.
For many reasons, endpoint protection and a simple VPN back to headquarters may not be enough.
Every day, these elements are under attack.
Your customers need a connected security strategy to maintain both continuity and security.
Learn how Juniper Connected Security can help safeguard your users, applications,
and infrastructure against advanced threats by extending security to all points of connection
by visiting juniper.net slash enterprise at home. That's juniper.net slash enterprise at home.
And we thank Juniper Networks for sponsoring our show.
Let's begin the discussion with an old friend of mine from the Badger State, Bob Turner.
He is the CISO of the University of Wisconsin at Madison.
Thank you for having me here, Rick. Good to talk to you again.
Can you give us just a sense of how big the University of Wisconsin at Madison is in terms of employees and contractors?
Yeah.
So kind of the rough figures that I like to work with is we have about 2,300 staff.
That includes academic staff, research staff, and administrative staff, as well as the people that take care of facilities and all of those other great things.
And we usually have somewhere in the 40,000 range of students. So this year, in the fall, we had 44,515 students. But we also have a great community of emeritus staff that come back and freely return to the university, opportunities to learn.
We have affiliates. We also have retired staff that drop in from time to time to assist.
So I'd like to go with about 80,000 users total. Prior to this, we had a very small amount of
online courses. We had staff that were remote, but it wasn't a huge percentage.
It was probably maybe 15 to 20 at the very most.
And a lot of the things we were doing was on campus.
We had 3,700 courses that we were delivering on campus.
So for those remote teleworkers, was the security stack they were using similar to what people were getting back in the office, or was there some other kind of
configuration you had them in, or can you explain that to us? Yeah, sure. So yeah, obviously if
you're in the office and you're joining via campus wireless or directly connected, you had the stack that was on your machine as well as the benefits of being inside the wire.
When you're remote teleworking, there are applications you can reach directly.
administration work and working with our sensitive and restricted data sets, you would be coming in via what we use, the GlobalProtect VPN. And that gives us the ability not only to have a nice
little tunnel wrapped around, encryption around the tunnel, but also gives us the opportunity to
see what is going on between your endpoint and the network. So what's the big change then as you moved everybody off campus for teaching and administration?
Did everybody get a VPN to work, or how did you manage that?
Well, so various stages.
So we have the people that were comfortable with using VPN and getting in and out.
And then we had those who had used it maybe once or twice, or maybe the last time they used it, it was a previous version, previous vendor.
And then we have the people that never really used the VPN
because everything they can get to, they can get to from the Internet.
And it's just simply authenticating and going to the data itself.
But remember, those are not system administrators.
Those are the actual users.
So that's including the students too?
Absolutely, including the students.
So what I like to do is kind of divide into classes of users.
So there is the professor in the classroom and the students in the classroom,
both accessing Canvas, which is our learning management system.
So the students have the ability to access the courses, read the material, do their lessons, turn in their homework. The faculty have another set
of privileges above that for managing the coursework, inserting documentation in there
for the students to review or links.
And then a little bit of classroom administration behind where the students are working. And then, of course, on the inside is the super user access for system administrators, data managers, the research staff that are pulling data sets to do research off of student performance research, et cetera.
I would expect, too, that you have special arrangements for the grades program and evaluating the students in some manner.
Is that also something you needed to worry about?
Yeah, we did have to do that.
And, you know, one of the things that we had to do is we had to implement a tool for
administering exams online because a lot of the courses, you know, where it may have
been a turn in an essay and you'll get it as soon as the professor and their teaching assistant get
through grading them. We had to go to a different model for many of the classes and that required
us to get a special software package that helped us to administer those kind of exams.
I was reading about this a couple weeks ago,
that just when you turn electronic essays in,
the chances that there could be people copying those things from other sources.
And so is that what you had to worry about?
You had to have something in place to check that kind of thing? Well, so we use, there's an application called Turnitin,
which is very popular in higher ed, and that takes care of the plagiarism checks, you know,
to make sure that you're citing references properly. What we had to get was the actual
software that helped manage the exams in those areas. So if your final was just a paper that
you turned in, and then the instructor had to hand grade it, that was one thing. But if it was, you know, say a 50 question essay that was a paper
that you turned in, rather than convert that into another object inside of the learning management
system, some of them actually went to this new tool and just loaded everything into there so
they could just take care of the exam and be done with it. I can see where that'd be a very daunting task, especially for some of the
older employees who have not really gone online with their teaching materials. And now you're
being forced to train the professors on how to learn how to do all this stuff. What kind of
challenges did you face with that kind of thing? Well, I would not have wanted to do this without
our academic technologies department within the division of IT. They are professionals in the
business. They understand the technology. They understand the pedagogy. And they are very
familiar with the needs of the academy. And that's a real valuable tool. And I can't imagine maybe a
smaller, less resourced university trying to do the things that we had to do. So again, 3,700
courses were not online before spring break. Before the end of spring break, we had a greater
percentage of those. And then after spring break was over, we were ready to go. That's an amazing achievement.
So my hat is off to you to get all that done. What were the learning, what lessons learned
that you come back with after all that was over? So we were talking about the academic technologies
folks and the support that they provided. Just obviously a top-notch group of people doing that.
And I think that some of the challenges they helped us get over,
they understood the coursework as it was set up.
They made it very easy to bridge between what was in the learning management system,
what goes on in the classroom in a normal setting versus what happens online.
We have a tool that we have,
you know, joined with our learning management system that would allow the professor to basically sit in his library at home or his office at home or even on the patio in the sunshine and deliver
the lecture he would normally deliver in person. You could take that lecture that that professor recorded and run it again if you need to,
and then maybe have him on the side in case any questions come on.
Is that right?
That's exactly it.
So we are already prepared, and this fall was going to be the debut of our first fully online degree
at the University of Wisconsin-Madison.
And it's a course inside of what we call the School of Human Ecology.
It was basically designed that that degree program itself would pull from the basic sciences,
the humanities credits, and all those kind of things would be delivered online.
So we've been working at this a little while.
And the other thing we did was really, really smart is as an
organization, we actually went through a pandemic tabletop last fall. Wow. That is fortuitous.
What did that exercise entail? I don't know what kind of foresight went into it, but we wanted to
do an emergency operations center tabletop and we just happened to pick pandemic. Here's the
obvious question to that, right? When you guys went through that drill a year ago, how many of the things that you said
you should do at the end of the exercise are the things that you're doing now, right? Was it
totally worth it, or did you say, oh, we have to kind of start from scratch again? Well, so not
only did we drag 3,700 courses from classroom to online, but we went within the Division of Information Technology, except for one small unit, our print shop, we were all remote within that week.
Wow.
And this is also involved, remember, there's an awful lot of logistics that goes behind 44,515 students living on campus.
Yeah.
You know, we had to move them, and some of them were departed for spring break already,
you know, get out of class a couple days early, and then they get an email saying don't come back.
Yeah.
But then we also have a large population of students that are here because they had to be here
because they're
coming from an area that might have at that time been a level three area.
Oh, so you as a university put up pandemic housing for certain students that met some
criteria. Is that right? Yeah, absolutely. And you guys had figured that out because you went
through the drill already or that's something you had to figure out on the fly?
Well, I think we figured out a lot of that on the fly because I don't think in the drill we said, you know, nobody's going to be able to be here.
But we've gone through those scenarios before.
So the previous year, we were the recipients of the polar vortex, and we had a week or so of temperature that met the grade. So in Wisconsin, the rule is if the sustained wind chill is minus 35.
Oh, my God.
Minus 35?
I don't even want to contemplate how cold that is.
Well, we kind of exceeded that, overachievers that we are.
It was minus 50, I think, for a day or two of that event.
So we had already kind of gone through this. We knew
how to shelter in place. We knew how to worry about food delivery to 44,000 hungry students.
You know, we had already gone through this. And so the pandemic seemed like probably the next
logical thing that we would plan for. So we're not through this thing yet. We've got months to go.
What's the next thing on the hit parade for you guys to consider?
What's the first thing on the horizon that you have to tackle as we continue with this problem?
Well, I will tell you that it is the uncertain financial future.
Yeah.
That is probably the largest thing looming in sight. We have a number of initiatives that were teed up and we
were waiting for the next fiscal year's funding to, you know, really start kicking off. But,
you know, when you've lost revenue, when you don't have the, you know, athletics revenue coming in,
you don't have the housing revenue, you don't have the meal revenue, and you have, you know,
the uncertainty of the future.
How many students are going to be coming back next year? You know, those are the things that
we have to be considerate of right now. And of course, you know, we've had,
with all the economic downturn that's happened, we're facing obvious revenue shortages from,
you know, the public funding side of our business. I hadn't considered that.
Where students may consider that, you know, maybe I should not do class or, you know,
continue my education next year until I get my feet back underneath me.
Is that, that's where you're going with this, huh?
Yeah, probably.
Well, so one of the, this is kind of the potential good news, potential bad news stories is we
have proven that we can deliver online.
So if decisions are made in the future that we're going to try to do more online just to make sure that we're doing what we need to do to prevent the second spike or the third spike of the COVID virus,
that we're not, you know, everybody join on, you know, the day after Labor Day and start classes to everybody just go ahead and stay home this term.
You know, so there's going to be, you know, uncertainty in that.
Well, I think the silver lining that you mentioned there also is that from how you've described
it, and you tell me if
I'm wrong, that if students stay away from classes next year, it's not because we weren't technically
ready or the security wasn't ready. You guys have showed that you're, you can get all that done. If
they don't come back now, it's for other reasons. Well, and, and those reasons are valid. Um, you know,
I have, uh, I have, uh, between my staff and, I have about 60 people that I have to be
very much concerned about as a CISO. Yeah. How are they doing? How are they really lasting in
this period of extended work at home where not only are we saying work remote, we're saying
work remote and stay holed up in your house so you don't go out in the community and become one of
the victims. Yeah, we've noticed that too, that, you know, people are working hard and, but, you
know, tensions are high, you know, lots of things going on. So yeah, keeping everybody moving in the
same direction, that's a thing you have to worry about even more so during this pandemic. Yeah.
Well, we've got an exceptional group of people working for us. We have a great leadership team and do it as well as in the
schools, colleges, and divisions of the university.
And kudos to our Emergency Operations Center
and the UW Police Department
that sponsors that part of the operation.
They are spot on.
They have the leaderships,
they had the leadership's attention way back when
and they still have it.
They have a lot of enthusiastic people
that are just working a lot of hours
to make sure that we understand what the next is
and understand how we're going to address the next
when it happens.
So we're getting close to the end here.
Is there a question I should have asked you that you would have liked to discuss or shed
some light on?
Yeah, I think part of the things that concern me and maybe the unasked question kind of
all along is how do we define the new normal?
And I don't know if we can look to the past and say normal is going to look exactly like it did.
For part two of this pandemic discussion, I'm joined by Mounir Hahad, the head of Threat Labs, and
Mike Spanbauer, a security evangelist. Both of them are from Juniper.
I think from our experience here at Juniper Networks, we've been handling it extremely
well. As a matter of fact, we had very little to absolutely no issues whatsoever, kind of
shifting towards a population of close to 100%.
You know, I wouldn't say 100% of remote workers.
We still have some essential workers that are in office.
But the vast majority of workers have shifted towards working from home.
That has been fairly uneventful.
It seems like the plans we had in place for ramping up capacity was very well
studied and we were able to shift within the first 24 hours into the entire population moving into
this remote work. We've had some ups and downs with communications, like some of the SaaS applications that usually people
use, like Microsoft Teams or Zoom.
Some of these applications had some ups and downs, but they were quickly ironed out and
everybody's up and running.
So Mounir, can you give me a sense of what the flip was?
What was the percentage of remote workers before the pandemic compared to what it is now?
So, for Juniper in particular, I suspect that the remote workers were probably around 20% to 25%, including our sales force.
And now it's north of 95%, I'm pretty sure.
So it's fairly typical to a lot of IT organizations,
but not that typical when you're talking about other organizations.
Believe it or not, I actually worked for a company that had absolutely zero remote work.
The stance of the company at the time was,
we want you to be fully engaged while you're in the office,
and we want you to be off work when you're off the office.
And it's a high-tech company.
It was in a semiconductor electronic design automation.
And I suspect that in the current times, they must have shifted the strategy towards allowing remote work.
That is some old-school thinking there.
Okay, I appreciate that.
I was going to say that most of the tech community probably didn't have a hard time shifting over, you know, but the folks that use tech are not technology companies. They're the ones struggling with this. Mike, I know your job has significantly changed since the pandemic. What are your customers saying when you're out talking to them about how they are handling this new stress?
I think that there's a number of things that are top of mind for folks both on the operations side and on the business side as it pertains to security and their remote workforce.
The attack surface has expanded radically.
The tools available and visibility into the workstations, which was simpler when everybody was in the
office has expanded. And it really depends on the sector to the point Mounir made about whether or
not they had the skills, processes, and tools in hand prior to accommodate the need and the
enablement of the workforce that is largely remote now and still remain effective
at their roles and supporting the company and the business initiatives. So, folks have struggled
throughout the spectrum with various elements of it, but I think largely, a lot of conversations
I've had reveal that the threats themselves and kind of what the exposure is to the clearly
heightened needs and, well, frankly, actors prey on opportunity, right? That's what drives the
threat industry. And those are really the top of mind, you know, topics, conversations, and,
you know, the worries, I guess, that are kind of keeping them up at night in air quotes.
Well, that would be my concern as a security practitioner, right,
is the gap that as we transition from an in-office workforce to a home office workforce.
Mike, the question for you for your internal team,
did you all have to do anything special or different than you thought
when you transitioned to an almost completely at-home workforce?
Or did you just lay down what everybody else had before the pandemic and that worked fine?
So for us here at Juniper Networks, I think that we already had quite a few
capabilities, tools, and the ability to see inside and monitor across all of the
sort of workforce. So it largely, you know, largely it was a capacity point
rather than necessarily a technical enabler.
And as Mounir alluded to, right,
we had really robust capabilities and processes already
to support that shift in the workforce.
And really, you know, the struggles are more around
how do you manage your kids at the same time
while at home versus the technology.
But we accommodated the technical need and sort of threat visibility and capabilities within the operations infrastructure fairly well, I believe.
So I think that for a big security company like Juniper, that I could see that that would be less of a headache for you all, but Mike, when you're out there talking to your customers, you know, the non-techie
customers who have just, you know, retail stores and things, and they use tech, you know, with
older employees that are not used to this kind of thing, imagine teaching them how to use, you know,
a VPN or whatever it is that gets them into the security stack is quite difficult. What are some
of your customers saying about how they approach that? I think that the general perspective is that there's actually been a great deal of training.
Most of them are eyes wide open relative to security awareness training because the root
of this begins with knowing how they might get compromised and what behaviors, personal,
these are human for the user, behaviors of the keyboard, lead to potential exposure and risk.
And those are kind of the conversations that I'm gentle to remind them of,
but also that oftentimes they have fairly well thought out programs in place,
though maybe the training's not delivered as often as they'd like to.
But as far as the average users, they've been able to enable and empower, though the real challenge becomes one of when you just drop that client for a moment, what about the exposed window of potential infection or downloads that may occur, right?
And that's sort of where the education and energies have been spent. But on the other side, right, there's also the power users
or the organizations that are kind of forward
to embracing this and still ensuring
a very high degree of business continuity.
For example, the financial space with the mandatory
and work from home, but clearly the markets haven't stopped.
And we've specific scenarios of customers that are using some of our smaller induction
firewalls to both provide service assurance and security capabilities to still afford
them the power of transacting at a high rate of speed securely.
And that has enabled them to work as fluidly from home as oftentimes they would have in
the office, yet in a different modality or sort of paradigm. So there's both ends of the spectrum and I think
customers sort of fall within, but largely they're aware and certainly capable of moving forward,
if not as fast as they once did. We've also, for our installed base, offered subscriptions to a number
of the advanced security software licenses
for those that may not be currently using those
to ensure that they're protected more broadly
and more capably, that the number of variants
and campaigns that have been mounted are 2x, 2.5x what they were
prior to the current healthcare scenario globally and likely will remain on a fairly aggressive
schedule. So we want to ensure that our customers are supported in this time of global crisis and
challenges and to provide them with the best we're able to offer
so that they can, in turn, best both support their current business, but also position themselves for
an accelerated recovery once things do begin to relax, which, again, fingers crossed,
won't be too far off. But again, more broadly, recognizing that business still does continue,
but they need to ensure that they're protected at every step of the way. And that's something
we do particularly well as a very large, as a cybersecurity company that sort of represents
a large portion of the globe. So we're a number of weeks into this pandemic, and like you alluded to, Mike, that we are some ways out before we are through with it.
We haven't solved all the problems that the pandemic has caused.
What's next on the hit list?
What are you guys thinking about in terms of the Threat Lab?
What's the next thing that you're trying to track down?
One of the things that we're proud of, but also is particularly key to our customer strategy in enabling the market to move forward, is that in these periods of transition and new architectural deployments to have a path from where you are to where you're going, which can be months or potentially years in some cases. And we have both capabilities and specific technologies to provide a path of transition.
So basically redeploy what you have as well as, and that's not exclusively Juniper kit either,
but also we can support and help with other vendors products in that transition state so
that customers have a graceful path to move from where they are to the next architecture, to the next thing.
And that's a core principle for both connected security and enabling a threat-aware network for our customers globally.
If how these security leaders handle the crisis is an indicator of how the entire network defender community handled it,
I think we all did pretty well.
Of course, there were some hiccups, but for the most part, we all buckled down and did what we had to do. There's still a
lot of work to do, for sure, but that is to be expected. What is clear is that some of the things
we thought were so hard to do before the pandemic became a thing we just did because of the pandemic,
and that is a silver lining to this entire mess.
Our thanks to Bob Turner from the University of Wisconsin at Madison for part one of the show, and Mounir Hahad and Mike Spanbauer, both from Juniper, our show's sponsors for
the second part.
CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the
startup studios of DataTribe, where they're
co-building the next generation of cybersecurity startups and technologies. Our coordinating
producer is Jennifer Eidman. Our sound engineer is Elliot Peltzman. Our contributing editor is
Bennett Moe. Our executive editor is Peter Kilpie. And I'm Rick Howard. Thanks for listening.