CyberWire Daily - The ABCs of cybersecurity for the education sector. [CyberWire-X]

Episode Date: August 16, 2020

Teachers, students, admin, parents: The education sector has possibly the most diverse user base, each requiring its own user privileges, access requirements, and behavioral trends. Yet besides this, there are a number of unique challenges to securing an educational environment, including ensuring broad attack surface protection, minimal false positives, and maintaining a cost-effective security posture. Join us as we chat with Kevin Ford, Chief Information Security Officer for the state of North Dakota, about these challenges for securing statewide educational institutions and their networks. Later, we will be joined by Steve Salinas, Head of Product Marketing at Deep Instinct, and Matthew Fredrickson, Director of IT at Council Rock School District, in what should be a steep learning curve on protecting educational environments.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. topics affecting organizations around the world. Today's episode is titled The ABCs of Cybersecurity for the Education Sector. We'll explore the challenges facing school districts when it comes to cybersecurity, and we'll hear from practitioners about how they're tackling serious issues in a time of rapid change and great uncertainty. A program note, each CyberWire X special features two segments. In the first part of the show, we'll hear from an industry expert on the topic at hand. And in the second part, we'll hear from our show sponsor for their point of view. And speaking of sponsors, a word from our sponsor, Deep Instinct.
Starting point is 00:01:00 Deep Instinct is changing cybersecurity by harnessing the power of deep learning, the most advanced form of AI, to prevent threats in zero time. Unlike detection and response-based solutions, which wait for the attack before reacting, Deep Instinct's solution works preemptively. By applying end-to-end deep learning to cybersecurity, files are automatically analyzed prior to execution, keeping customers protected in zero time. The outcome is resilient prevention that provides consistent security day in, day out.
Starting point is 00:01:33 Learn more about the benefits of incorporating Deep Instinct into your cybersecurity defense by visiting deepinstinct.com. That's deepinstinct.com. And we thank Deep Instinct for sponsoring our show. Yeah, it's certainly interesting. We have a state law that requires every public organization to be on our state network. That's Kevin Ford, Chief Information Security Officer for the state of North Dakota. And so it is a very interesting setup, right? You have large state agencies, as well as very, very small city governments, town governments, county governments, all required to be on the same network and co-mingled there. So, you know, the security of all the different organizations is very, very concerning because we're all sort of co-mingled. So there's a lot of different interesting network architecture and network
Starting point is 00:02:39 security practices that we have to engage in, as well as really trying to focus on the endpoints of different agencies. And so one of the things we're looking at is cyber hygiene standards for every organization. But as you know, every organization is different and they have different levels of funding. And so there are K-12 organizations out there where their cybersecurity guy is their IT guy, who's also the football coach and the bus driver and teaches social studies. So it's one of those things we also have to be very cognizant that, you know, the budgets and the sizes of these organizations are also very impactful to the cybersecurity posture, not just of their K-12 organization, but of the whole state. So how do you come at a problem like that? How do you break it down into manageable units?
Starting point is 00:03:34 Yeah, so it's a very difficult problem. And I'm not sure that we have the 100% solution right now, but we are developing outreach. And so I've been in this position about six months. And one of the key things I've done and one of the things I've asked for my team to accomplish is to really increase our outreach so that we know who's in the IT coordinator or cybersecurity position for each K-12 organization. We know what their struggles are. We understand where they're coming from, from a budgetary standpoint and from a cybersecurity standpoint.
Starting point is 00:04:15 So with that in mind, we've done a number of things. We're looking at creating a policy for the state network that goes over basic just kind of cyber hygiene stuff. And so that's very, very basic stuff, things you would expect everyone would have. But we're finding in the K-12 sector that a lot of these things they either can't afford or they just never thought to have or haven't had the time to deploy. So we're issuing guidance and strategy documents and policy, the administrative side, to make them aware, hey, this is what's required in the cybersecurity sphere. And then really trying to listen as they come back to us with their problems and try to figure out how to troubleshoot those together. And so one of the other things that we're doing is starting to provide cybersecurity tool sets for free, and those can be either managed centrally by our security organization or, in some cases, we kind of create a little security operations center within the larger security operations center so that their IT personnel and their cybersecurity personnel
Starting point is 00:05:25 still have the necessary context around what they're doing, how their segment is operating, and how the different assets within their organization are protected. Yeah, I would imagine that it must be a priority for you to make sure that you're considered to be a collaborative partner rather than, because I could see some, this becoming kind of an adversarial thing, you know, that the folks from on high are saying we have to do these things and they're far away and they don't know what our challenges are, our budgets and that sort of thing. So I would, am I right that a big part of your job is fostering that sense of, well, community? Yeah, absolutely. And I won't claim 100% effectiveness at that, right? Sometimes people are upset. Here's the state government coming into our little organization
Starting point is 00:06:22 and telling us how to do things. And in some cases, they're upset because we're asking them to do things that they may not have resources to do. And in other cases, they're very large organizations that have a ton of resources and think that they know better. And maybe in some cases they do. And there are very real logical issues. Sometimes the cadence at which the state can keep up with requests for whitelisting or blacklisting, so on and so forth, is maybe not as quick as what these organizations would really like. There are very, very real and meaningful issues that we're still trying to work out. It's not something that is perfect right now, and I don't want to say we're doing the best job in the world right now, but we are starting to tackle those issues.
Starting point is 00:07:15 And I think just the identification of those issues is the first step. So we've identified, I think, a significant amount of those issues and are starting to have a dialogue with not just our K-12 organizations, but our counties and our cities as well to try to get kind of a unified understanding of what we're doing, how we should proceed, and what the state strategy is going to be moving forward on this. Can you give us some insights, some examples of some of the things that you're coming at, some of the things that you're trying to approach? Yeah, so I mean some of the conflicts are obviously things along the lines of the tools that we are providing, the organizations maybe do not match the native environments. For instance, we're on Palo Alto and they may be on Cisco or something like that. Other issues are, hey, we have this kind of really niche software that needs to run and we need to have it whitelisted. Can you whitelist it just for us and not the entire state? Or can you blacklist this just for us or not the entire state?
Starting point is 00:08:26 So it's some interesting issues to try to figure out as far as our architecture is concerned and as far as the capabilities we're offering are concerned. And I suppose, I mean, you've got your own limitations of the resources that you have at hand as well. We do. I think fortunately our leadership is very, very good in this regard. Our governor is considered to be an IT-forward governor. He was a Microsoft executive and chairman of the board or on the board of Atlassian. So certainly from the tech side, and he approaches everything with, I believe, a forward-thinking, technology-oriented solutions approach. With that being the case, we do have a very, very robust cybersecurity organization here in the state of North Dakota. I think probably one of the better organizations that exist in state government. I don't know any organization, quite frankly, that says, if you ask their CISO, that they had enough support or enough assets to get the job done.
Starting point is 00:09:31 So we do find ourselves prioritizing the work that we're doing and making some sacrifices in some corners in some regards. What about some of the non-technical things like user awareness training and so forth? I mean, is that a part of the types of things that you're promoting? It is. It certainly would be one of the hygiene issues that we bring up in our statewide standards and policies and guidance for the K-12 organizations. But it's also a capability that we're looking to provide. I'm trying to be very cognizant of asking K-12 organizations to do something and then not providing them any support to do it. So it is something that we do a very good job of, I believe,
Starting point is 00:10:22 in state government, and we're looking to be able to provide those capabilities at low cost or no cost to our K-12 organizations as well. How much does automation play a role in the things that you do? I'm thinking of the scale that you run at. Is that an important part of maximizing the resources that you have? Yeah, automation is tremendously important for us. We have a team of about 30 cybersecurity analysts and professionals within the state. And that's probably the largest cybersecurity team that exists within our state, whether that's in private organizations or whether that's in the government. So to put that, I guess, into context, we have about 250,000 endpoints on
Starting point is 00:11:15 our state network at any given time. So trying to tackle that with a crew of about 30 is very, very tough. And so one of the things we're really, really pushing in the state of North Dakota is the development of automated processes. And so to that end, we have security orchestration and automation tools that we've put in place that really, really help our analysts kind of get out of the weeds doing kind of day-to-day grind type work, we can automate the responses for those now. And now our analysts focus their time on, I would say, events that are maybe a little more significant or doing more in-depth investigations into events than they could otherwise. So that area, we're really pushing automation,
Starting point is 00:12:06 but we're also pushing automation in the people processes as well. We're looking at things like account management or even our GRC processes and looking at those and trying to map them out, trying to make them more efficient and then bringing a robotic process automation into the picture so that we can also free up time of other security personnel who maybe are not kind of on the front lines, but also need to perform a very important
Starting point is 00:12:39 role as far as preventing and managing cyber risk. So we're really embracing automation here. I think it's one of the most important tools and biggest weapons that we have in our arsenal against cyber risk. What sort of advice do you have or tips do you have for folks who may be in a similar position as you? Perhaps an organization that might not be as far along the path as you are or may not have support from high up the way you do. Any words of wisdom? Yeah. My number one piece of advice would be to communicate. I think communication is always very, very important in cybersecurity, but I think it's more so in organizations that are decentralized, like maybe the state of North Dakota is, right, where we have all sorts of different governments and
Starting point is 00:13:31 different agencies and particularly the three branches of government also. Communication is key there. But on a, I guess, a more technical level, I would say if you're maturing your organization, look at your workflows, look at the ability, I guess, of your operational security guys to put into action the lessons that are learned by your risk management teams, whether that's a governance risk or compliance team or whether that's system administrators on the ground, right? You want to be able, as best you can, as a security operations center to ingest the understanding of the organization and drive down incidents and kind of save your organization time and money by preventing rather than just responding. Our thanks to Kevin Ford, Chief Information Security Officer for the state of North Dakota, for joining us. Up next, we'll be hearing from Steve Salinas from Deep Instinct, the sponsor of this show, and Matthew Fredrickson from the Council Rock School District.
Starting point is 00:14:46 We'll hear from Matthew first. The Council Rock School District, we're located in southeast Pennsylvania. There are 500 school districts in the state, and we are sometimes the 11th, sometimes the 12th largest school district. We have roughly 11,000 students and about 1,300 staff. We're in 18 buildings spread out over 72 square miles. And my entire IT department, including myself and my secretary, consists of nine people. We support about 13,000 users on a daily basis.
Starting point is 00:15:19 And with the COVID-19, not just the users, but the users' household networks as well, which has been a challenge for us. My biggest problem is that there are few environments like a school district where you, in most businesses, when you're worried about security threats, you're thinking about threats from the outside getting into your network. And you're doing a little bit, you're concerned about that disgruntled employee or perhaps that insider who decides to sell intellectual property. But there are fewer environments where you're protecting the inside of the network in the same fashion you protect the outside of your network.
Starting point is 00:15:55 Because half of my population are trying to hack me all the time. And we give them computers and put them on the network and say, here, do this. They watch YouTube videos and they come in and they try it. Now, having said that, I'm okay with that. And the reason I'm okay with that is I'd much rather they try and fail on my network where they're not going to get arrested and carted off to jail than if they try that on their college network or a work network. What we do when we find it is we have a little conversation with the student and their parent or guardian and explain to them
Starting point is 00:16:29 that that's considered a third-degree felony in the state of Pennsylvania and could lead up to seven years in prison. Usually when I have that conversation with the parents I don't have any trouble with those kids again. So what really concerns me about endpoint protection is that I can put as much technology in place as I want, but we know that at the end of the day, cybersecurity is 20% technology and 80% people. So I'm afraid that that person is going to click on that link that they shouldn't or somehow get to that website that they shouldn't and invite a threat actor into my environment. So recognizing that I don't have the staff to staff a SOC and to constantly be looking at what's going on in my network, I had to find, wherever possible, tools that could not only do that for me
Starting point is 00:17:18 but give me the alerts that I wanted. So we implemented a SIEM, but I still didn't have anything that I felt was doing a really good job of real behavioral analytics. I knew that it didn't go far enough. I wanted another product that could watch memory and watch what the user's actions were. And I've said this over and over again. As I started to look, Deep Instinct kind of fell in my lap and did exactly what I needed it to do, in my opinion. So when we were doing the proof of concept, I installed it on some of my servers that if it impacted performance, the users wouldn't scream too loud and I'd be able to remove it.
Starting point is 00:17:57 There was zero impact to the performance on the servers. So I'm like, all right, let me try it on all my servers because that's the kind of guy I am, right? So I deployed it to all my servers and there was no impact to performance. I'm like, this is just too good to be true. It's going to bog up my workstations. It did not bog up my workstations. I deployed it everywhere on everything and I've had zero impact to performance on any of the machines. I think that's really one of the main concerns, as Matt mentioned. That's Steve Salinas. He's head of product marketing at Deep Instinct. When you're starting to talk about adding things to your endpoints, your servers, is the performance. Because we're all familiar with the old days of traditional AV solutions
Starting point is 00:18:40 that when they would spin up and they would start scanning your machine, you might as well walk away and get a cup of coffee. The machine became basically unusable for however long that scan took. So in the next generation type of solutions, and we kind of consider ourselves like the third wave of solutions, and I can talk more about that in a minute, performance impact is one of our top priorities. So one of the ways that we limit our performance impact is in the way that that deep brain, what we call it, that's our deep learning static analysis,
Starting point is 00:19:12 and even our behavioral analysis, how it works on the endpoints. So it is deployed in an agent, but the agent is small. It doesn't consume a lot of space. And it just sits there until it needs to do something. So we're not doing constant scanning. We're looking for, I'll talk about it in two ways. So when we talk about our static file analysis, this is where the deep learning brain is analyzing files. It's looking as files come onto the machine or move around the machine. So at that point, when it detects that that's occurring,
Starting point is 00:19:45 that's when the static analysis occurs. And under between 20 and 50 milliseconds, it's able to make a decision if the file is malicious or benign, if it's okay to run or if it should be quarantined. And it can do it that quickly because we're not, when we deploy that deep learning brain, it's already been pre-trained. So we're not consuming any of the computer resources to train that model. It's been trained, and we can talk more about that later if you want, but it's been trained on millions and millions of files. It's highly accurate.
Starting point is 00:20:14 The same thing with the behavioral analysis. It just sits waiting. It sits in waiting for suspicious actions that give the system the indicators that it might be ransomware or some sort of other sort of malicious activity. Well, let's talk a little bit about the data that you and your team get sent. I mean, I think, you know, we hear a lot of folks complain that you can find yourself with a firehose of information, and it's hard to filter through, with a lot of, you know, products that are signaling you that things are going on in the network.
Starting point is 00:20:49 How are you able to dial in to make sure that you're seeing the things you need to see, but that they're prioritized properly? So they've got, um, and I'm just going to refer to it as the brain, and I'm sure Steve can use whatever, correct me with whatever the technical jargon is if I'm misspeaking. But so the brain's already trained in a Windows environment. It knows what a lot of the stuff is. I'll give you a couple examples. So any security tool that you put in your environment, you've got to establish a baseline. So what we did is we ran for 60 days without it actually stepping in and doing anything.
Starting point is 00:21:27 You know, after we got it rolled out in a major way. I mean, during the initial proof of concept, we were testing the blocking of the EXEs from running and all that good stuff. But when we initially rolled it out across the board, we just wanted to monitor. Let's see what's going on. And once we felt comfortable with it, then we just started turning it on and saying, all right, when you find bad stuff, let us know. The first thing that it found that it reported as potential malware was a little thing called OneDrive from Microsoft. And the reason that it did, which is fascinating to me, is did you know that Microsoft will try to install that thing
Starting point is 00:22:05 at like seven or eight different locations? You want to install it? Microsoft says, no, no, we want it installed. It'll reinstall it. And it'll install it all over the place. So that was the, since I've been running this thing for like eight months, that's the only real false positive I've had.
Starting point is 00:22:21 Out of the box, I haven't had to train it a lot. We had a couple of custom applications that we had written here in-house, and I just had to tell it once that these were custom, and boom, it's magic. I can add a little bit to that if you like. Yeah, please. I think it's, and you hit on a really important part there, Matt, and people that are looking at security solutions, I think certainly you want to know how accurate it is in identifying malware. Of course, that's a really important, you know, and that's what's obviously known as the efficacy. But equally important are those false positives.
Starting point is 00:22:57 Because if you have a solution that might be really accurate in identifying malware, and let's say it generates 100 notifications or alerts, if 50 of them are also false positives, I mean, you're really going to be draining your resources, filtering through false positives all the time. And this does happen a lot of times, especially with your next-gen solutions that are using not deep learning, but machine learning. Machine learning is more prone to false positives
Starting point is 00:23:26 in the way that it's identifying malicious files compared to deep learning. So what Matt was describing is his experience is very common, very low false positives. You apply a few exclusions for custom applications or things that you're going to be running in your environment, and you're going to be pretty much good to go. And again, as Matt mentioned, the brain has already been trained. I'll just real quick again, just to reinforce, if you try to train a deep learning brain
Starting point is 00:23:55 on any machine, it wouldn't be able to do it. It requires a ton of horsepower to do that. We do that in the cloud using NVIDIA GPUs. It's a big investment that we make, but it enables us to deliver this pre-trained brain that has a really high efficacy and delivers, I mean, and from our experience, really low false positives. I haven't seen anything like this before in my career. Yeah, I have to ask you, Matt. Well, I remember when my oldest child was coming up through school and my wife and I were pondering what sorts of parental controls to put on our computer and so on and so forth.
Starting point is 00:24:32 I remember us saying that the two of us together might be able to outsmart him, but there's very little chance that we're going to outsmart him and all of his friends, that, you know, the kids tend to crowdsource solutions to things. Have you had to deal with any of your clever students trying to run an end run around any systems like this? Pretty much every day. Yeah, so my philosophy shifted quite a bit over the last couple of years. And I teach cybersecurity at the local community college. So I'm pretty focused on this stuff. In the last couple of years, my philosophy has shifted to not if, but completely when. Like it's going to happen. How bad is it going to hit me? And what am I going to need to do to
Starting point is 00:25:16 recover? And if you're not saying that to yourself, you're kidding yourself. Because it is just a matter of time. Because these kids, they come to school for seven and a half hours a day, they go home, and they've got 10, 12 hours before they have to do anything, and they've got lots of time to watch YouTube and to try things. And their network at home isn't big enough to test this stuff on, so they're bringing it in and testing it on my network. And they do it all the time. Now, I've got a lot of good tools in place to stop it. And it's definitely stopped any of their attempts at infecting the network. But when they try to circumnavigate the network security,
Starting point is 00:25:55 or they try to bring in an application on a thumb drive and run it to try to launch a denial of service, I'll give you an example. This last year, I had a group of seventh graders, seventh graders, who watched a YouTube video on how to bring down the school network by launching a denial of service attack program. So they were part of the computer club that met right after the end of school day every day. So they're in their little group and they're trying to launch this program. The advisor for the club is monitoring them with our classroom
Starting point is 00:26:21 management software. And it says in the bottom right-hand corner, you're currently being monitored by Mr. McNulty. And they were trying anyway. And he's sitting there just taking one screenshot after another, right? And the stuff that I have in place just stopped it. It just didn't happen. And they were really pissed off that it didn't work. But I brought in the parents the next day. And the one guy's, you know, one kid's father is a CIO of a private company. He's like, look, you know, my son's really smart. He would never be so stupid to do this. I, you know, I can't even believe I'm here. You've got the wrong kid.
Starting point is 00:26:54 So I handed him the screenshots, and I said, pretty sure this is your son. And he's like, oh, that's not my son. I don't know who it is. You can do whatever you want to that kid. And he was also unaware about the third degree felony in Pennsylvania. And I showed that to him. He goes, well, you're not going to turn these kids over to the police, are you? And I said, no, that's not our intention.
Starting point is 00:27:15 And I said, your willingness to work with us really drives that. I've been here 16 years and only once have we had a kid removed in handcuffs. And that's when the parents were very, they were in denial. They weren't even remotely interested in anything we had to say. And they didn't think their son had done anything wrong. Yeah. I mean, I suppose a big part of this for you as educators is channeling that energy, channeling those, you know, the gifts that those kids have towards good directions.
Starting point is 00:27:46 Yeah, trying to redirect that energy into a positive direction instead of a negative direction. Our thanks to Steve Salinas from Deep Instinct and Matthew Fredrickson from Council Rock School District for joining us. CyberWireX is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity startups and technologies. Our coordinating producer is Jennifer Iben, our executive editor
Starting point is 00:28:15 is Peter Kilby, and I'm Dave Bittner. Thanks for listening.
