Extending security tools to the at home workforce during the pandemic.
Rick Howard: [00:00:04] Hello, everyone, Rick Howard here, and welcome to CyberWire-X, a series of specials designed to highlight important security topics affecting organizations around the world. As you are all quite aware, the pandemic has flipped our entire world on its head. And that is even more true for the network defenders of the world. How do you secure what was mostly a work-from-the-office employee base into an almost completely work-from-home employee base overnight? In this episode of CyberWire-X, we explore how some of us are dealing with that monumental shift. The first part of the show features a lively conversation I had with Bob Turner, the CISO for the University of Wisconsin at Madison. In part two, we'll hear from Mounir Hahad, the head of Threat Labs, and Mike Spanbauer, a security evangelist, both from Juniper, the sponsor of today's episode. Stay with us.
Dave Bittner: [00:01:00] And now a word from our sponsor, Juniper Networks. In the new normal, IT organizations are scrambling to keep remote users connected and productive while trying to strike a balance between business continuity, security, and privacy. All this while maintaining user productivity and a business-grade experience. Their end users are trying to juggle the intersection of their work and personal lives – conference calls, e-learning, entertainment, and a spouse or partner trying to conduct business at the same time. In a sense, this use of the home network resembles a shared office space, and the new distributed enterprise. For many reasons, endpoint protection and a simple VPN back to headquarters may not be enough. Every day these elements are under attack. Your customers need a connected security strategy to maintain both continuity and security. Learn how Juniper Connected Security can help safeguard your users, applications, and infrastructure against advanced threats by extending security to all points of connection. By visiting juniper.net/enterpriseathome. That's juniper.net/enterpriseathome. And we thank Juniper Networks for sponsoring our show.
Rick Howard: [00:02:21] Let's begin the discussion with an old friend of mine from the Badger State, Bob Turner. He is the CISO of the University of Wisconsin at Madison.
Bob Turner: [00:02:29] Thank you for having me here, Rick. Good to talk to you again.
Rick Howard: [00:02:32] Can you give us just a sense of how big the University of Wisconsin in Madison is in terms of employees and contractors?
Bob Turner: [00:02:39] Yeah, so, kind of the rough figures that I like to work with is we have about 2,300 staff, and that includes academic staff, research staff, and administrative staff, as well as the people that take care of facilities and all of those other great things. And we usually have somewhere in the 40,000 range of students. So this year, in the fall, we had 44,515 students. But we also have a great community of emeritus staff that come back and freely return to the university, opportunities to learn. We have affiliates. We also have retired staff that drop in from time to time to assist. So, I'd like to go with about 80,000 users total. Prior to this, we had a very small amount of online courses. We had staff that were remote, but it wasn't a huge percentage. It was probably maybe fifteen to twenty, about, at the very most. And a lot of the things we were doing was on campus. We had 3,700 courses that we were delivering on campus.
Rick Howard: [00:03:53] So, for those remote teleworkers, was the security stack they were using similar to what people were getting back in the office, or was there some other kind of configuration you had them in, or can you explain that to us?
Bob Turner: [00:04:06] Yeah, sure. So, yeah, obviously, if you're in the office and you're joining the campus wireless or directly connected, you had the stack that was on your machine, as well as the benefits of being inside the wire. When you're remote teleworking, there are applications you can reach directly, but for most people doing system administration work and working with our sensitive and restricted data sets, you would be coming in via a – we use the GlobalProtect VPN. And that gives us the ability not only to have a nice little tunnel wrapped around, encryption around the tunnel, but also gives us the opportunity to see what is going on between your endpoint and the network.
Rick Howard: [00:04:55] So what's the big change then as you moved everybody off campus for teaching and administration? Did everybody get a VPN to work, or how did you manage that?
Bob Turner: [00:05:05] Well, so, various stages. So, we have the people that are more comfortable with using VPN and getting in and out. And then we had those who had used it maybe once or twice, or maybe the last time they used it, it was a previous version, previous vendor. And then we had the people that never really used the VPN because everything they can get to, they can get to from the Internet, and it's just simply authenticating and going to the data itself. But remember, those are not system administrators – those are the actual users,
Rick Howard: [00:05:36] That's including the students, too?
Bob Turner: [00:05:38] Absolutely. Including the students. So, what I like to do is kind of divide into classes of user. So, there is the professor in the classroom and the students in the classroom, both accessing Canvas, which is our learning management system. So the students have the ability to access the courses, read the material, to do their lessons, turn in their homework. The faculty have another set of privileges above that for managing the coursework, inserting documentation in there for the students to review, or links. And then a little bit of classroom administration behind where the students are working. And then, of course, on the inside is the, you know, superuser access for system administrators, data managers, the research staff that are pulling data sets to do research off of student performance research, et cetera.
Rick Howard: [00:06:35] I would expect, too, that you'd have special arrangements for the grades program and evaluating the students in some manner. Is that also something you need to worry about?
Bob Turner: [00:06:45] Yeah, we did have to do that. And, you know, one of the things that we had to do is we had to implement a tool for administering exams online, because a lot of the courses, you know, where it may have been a, turn in an essay and you'll get it as soon as the professor and their teaching assistant get through grading them – we had to go to a different model for many of the classes, and that required us to get a special software package that helped us to administer those kind of exams.
Rick Howard: [00:07:15] I was reading about this a couple weeks ago, that just when you turn electronic essays in, the chances that there could be people, you know, copying those things from other sources. And so was that what you had to worry about? You had to have something in place to check that kind of thing?
Bob Turner: [00:07:32] Well, so we use – there's an application called Turnitin, which is very popular in higher ed, and that takes care of the plagiarism checks, you know, to make sure that you're citing references properly. What we had to get was the actual software that helped manage the exams in those areas. So, if your final was just a paper that you turned in and then the instructor had to hand grade it, that was one thing. But if it was, you know, say, a fifty-question essay that was a paper that you turned in – rather than convert that into another object inside of the learning management system, some of them actually went to this new tool and just loaded everything into there so they could just take care of the exam and be done with it.
Rick Howard: [00:08:16] I could see where that would be a very daunting task, especially for some of the older employees who have not really gone online with their teaching materials. And now you're being forced to train the professors on how to learn how to do all this stuff. What kind of challenges that you face with that kind of thing?
Bob Turner: [00:08:33] Well, I would not have wanted to do this without our academic technologies department within the division of IT. They are professionals in the business. They understand the technology. They understand the pedagogy. And they are very familiar with the needs of the academy. And that's a real valuable tool. And I can't imagine maybe a smaller, less-resourced university trying to do the things that we had to do. So, again, 3,700 courses were not online before spring break. Before the end of spring break, we had a greater percentage of those, and then after spring break was over, we were ready to go.
Rick Howard: [00:09:15] That's an amazing achievement, so my hat is off to you to get all that done. What were the learning – what lessons learned did you come back with after all that was over?
Bob Turner: [00:09:27] So we were talking about the academic technologies folks and the support that they provided, just obviously a top-notch group of people doing that. And I think that some of the challenges they helped us get over – they understood the coursework as it was set up. They made it very easy to bridge between what was in the learning management system, what goes on in the classroom in a normal setting versus what happens online. We have a tool that we have, you know, joined with our learning management system that would allow the professor to basically sit in his library at home, or his office at home, or even on the patio in the sunshine, and deliver the lecture he would normally deliver in person.
Rick Howard: [00:10:15] You could take that lecture that that professor recorded and run it again if you need to, and then maybe have him on the side in case any questions come up – is that right?
Bob Turner: [00:10:23] That's exactly it. So, we are already prepared, and this fall was going to be the debut of our first fully online degree at the University of Wisconsin, Madison. And it's a course inside of what we call the School of Human Ecology. It was basically designed that that degree program itself would pull from the basic sciences, the humanities credits, and all those kind of things would be delivered online. So we've been working at this a little while. And the other thing we did was really, really smart is, as an organization, we actually went through a pandemic tabletop last fall.
Rick Howard: [00:11:01] Wow, that is fortuitous. What did that exercise entail?
Bob Turner: [00:11:06] I don't know what kind of foresight went into it, but we wanted to do an emergency operation center tabletop and we just happened to pick pandemic.
Rick Howard: [00:11:14] Here's the obvious question to that: when you guys went through that drill a year ago, how many of the things that you said you should do at the end of the exercise are the things that you're doing now? Was it totally worth it, or did you say, oh, we have to kind of start from scratch again?
Bob Turner: [00:11:30] Well, so, not only did we drag 3,700 courses from classroom to online, but we went – within the division of information technology, except for one small unit, our print shop – we were all remote within that week.
Rick Howard: [00:11:46] Wow.
Bob Turner: [00:11:47] And this is also involved – remember, there's an awful lot of logistics that goes behind 44,515 students living on campus.
Rick Howard: [00:11:57] Yeah.
Bob Turner: [00:11:58] You know, we had to move them, and they were – some of them were departed for spring break already, you know, you get out of class a couple days early, and then they get an email saying, don't come back.
Rick Howard: [00:12:09] Yeah.
Bob Turner: [00:12:09] But then we also have a large population of students that are here because they had to be here, because they're coming from an area that might have at that time been a level-three area.
Rick Howard: [00:12:21] Oh, so you – the university put up pandemic housing for certain students that met some criteria? Is that right?
Bob Turner: [00:12:28] Absolutely.
Rick Howard: [00:12:30] And you guys had figured that out because you went through the drill already or that set had to figure out on the fly?
Bob Turner: [00:12:36] Well, I think we figured out a lot of that on the fly, because I don't think in the drill we said, you know, nobody's gonna be able to be here. But we've gone through those scenarios before. So, the previous year, we were they the recipients of the polar vortex, and we had a week or so of temperature that met the grade. So, in Wisconsin, the rule is if the sustained windchill is minus thirty-five...
Rick Howard: [00:13:01] Oh my God, minus thirty-five? I don't even want to contemplate how cold that is. (Laughs).
Bob Turner: [00:13:06] (Laughs) Well, we kind of exceeded that, overachievers that we are – it was minus fifty, I think, for a day or two of that.
Rick Howard: [00:13:13] Oh! Yikes.
Bob Turner: [00:13:14] So, we had already gone through this. We knew how to shelter in place. We knew how to worry about food delivery to 44,000 hungry students. You know, we had already gone through this. And so the pandemic seemed like probably the next logical thing that we would plan for.
Rick Howard: [00:13:31] So, we're not through this thing yet, got months to go. What's the next thing on the hit parade for you guys to consider? What do you – what's the first thing on the horizon that you have to tackle as we continue with this problem?
Bob Turner: [00:13:45] Well, I will tell you that it is the uncertain financial future.
Rick Howard: [00:13:48] Yeah.
Bob Turner: [00:13:48] That is probably the largest thing looming in sight. We have a number of initiatives that were teed up and we were waiting for the next fiscal year's funding to really start kicking off. But, you know, when you've lost revenue, when you don't have the athletics revenue coming in, you don't have the housing revenue, you don't have the meal revenue, and you have the uncertainty of the future. How many students are going to be coming back next year? You know, those are the things that we have to be considerate of right now. And, of course, you know, we've had – with all the economic downturn that's happened, we're facing obvious revenue shortages from the public funding side of our business.
Rick Howard: [00:14:35] I hadn't considered that, where students may consider that, you know, maybe I should not do class or continue my education next year until I get my feet back underneath me. That's where we're going with this?
Bob Turner: [00:14:46] Yeah, probably – well, this is kind of the potential good news, potential bad news stories – is we have proven that we can deliver online. So, if decisions are made in the future that, you know, we're gonna try to do more online just to make sure that we're doing what we need to do to prevent, you know, the second spike or the third spike of the COVID virus, that we're not, you know, everybody join on the day after Labor Day and start classes, to everybody just go ahead and stay home this term. So, there's going to be, you know, uncertainty in that.
Rick Howard: [00:15:30] Well, I think the silver lining that you mentioned there also is that – from how you've described it, and you tell me if I'm wrong – that if students stay away from classes next year, it's not because we weren't technically ready or the security wasn't ready. You guys have showed that you're you can get all that done. If they don't come back now, it's for other reasons.
Bob Turner: [00:15:49] Well, and those reasons are valid.
Rick Howard: [00:15:51] Yep.
Bob Turner: [00:15:52] You know, I have between my staff and students, I have about sixty people that I have to be very much concerned about, as a CISO.
Rick Howard: [00:15:58] Yeah.
Bob Turner: [00:15:59] So, you know, how are they doing? How are they really lasting in this period of extended work-at-home, where not only are we seeing work remote, we're saying work remote and stay holed up in your house so you don't go out in the community and become one of the victims?
Rick Howard: [00:16:16] Yeah, we've noticed that, too, that, you know, people are working hard and – but you know, tensions are high, lots of things going on. So, keeping everybody moving in the same direction – that's a thing you have to worry about even more so during this pandemic.
Bob Turner: [00:16:29] Yeah. Well, we've got an exceptional group of people working for us. We have a great leadership team, as well as in the schools, colleges, and divisions of the university. And, you know, kudos to our emergency operations center and the UW Police Department that sponsors that part of the operation. They are spot on. They have the leadership's – they had the leadership's attention way back when, and they still have it. They have a lot of enthusiastic people that are, you know, just working a lot of hours to make sure that we understand what "the next" is and understand how we're going to address "the next" when it happens.
Rick Howard: [00:17:16] So, we're getting close to the end here. Is there a question I should have asked you that you would have liked to discuss or shed some light on?
Bob Turner: [00:17:23] Yeah, I think part of the things that concern me and maybe the unasked question kind of all along is, how do we define the new normal? And I don't know if we can look to the past and say normal's going to look exactly like it did.
Rick Howard: [00:17:50] Part two of this pandemic discussion. I'm joined by Mounir Hahad, the head of Threat Labs, and Mike Spanbauer, a security evangelist. Both of them are from Juniper.
Mounir Hahad: [00:18:01] I think from our experience here at Juniper Networks, we've been handling it extremely well, as a matter of fact. We had very little to absolutely no issues whatsoever kind of shifting towards a population of close to a hundred percent. You know, I wouldn't say a hundred percent of remote workers – we still have some essential workers that are in-office. But the vast majority of workers have shifted towards working from home. That has been fairly uneventful. It seems like the plans we had in place for ramping up capacity was very well-studied, and we were able to shift within that first twenty-four hours into the entire population moving into this remote work. We've had some ups and downs with communications – like, you know, some of the SaaS applications that usually people to use, like, you know, Microsoft Teams or Zoom. Some of these applications had some ups and downs, but they were quickly ironed out and everybody's up and running.
Rick Howard: [00:19:10] So, Mounir, can you give me a sense of what the flip was? What was the percentage of remote workers before the pandemic compared to what it is now?
Mounir Hahad: [00:19:19] So for Juniper in particular, I suspect that the remote workers were probably around twenty to twenty-five percent, including our sales force. And now it's up north of ninety-five percent, I'm pretty sure. So it's fairly typical to a lot of IT organizations, but not that typical when you're talking about other organizations. Believe it or not, I actually worked for a company that had absolutely zero remote work. The stance of the company at the time was, we want you to be fully engaged while you're in the office and we want you to be off work when you're off the office. And it's a high-tech company. It was in semiconductor electronic design automation. And, you know, I suspect that in the current times they must have shifted the strategy towards allowing remote work.
Rick Howard: [00:20:11] That is some old-school thinking there, OK, I appreciate that. I was going to say that most of the tech community probably didn't have a hard time shifting over, you know. But the folks that use tech but are not technology companies are the ones struggling with this. Mike, I know your job is significantly changed since the pandemic. What are your customers saying when you're out talking to them about how they're handling this new stress?
Mike Spanbauer: [00:20:36] I think that there's a number of things that are top of mind for folks both on the operations side and on the business side as it pertains to security and their remote workforce. The attack surface has expanded radically. The tools available and visibility into the workstations, which, you know, was simpler when everybody was in the office, has expanded. And it really depends on the sector. To the point Mounir made about whether or not they had the skills, the processes, and sort of, you know, tools in hand prior to accommodate the need and the enablement of the workforce that is largely remote now and still remain effective at their roles and supporting the company and the business initiative. So, folks have struggled, you know, throughout the spectrum with various elements of it. But I think, largely, in a lot of conversations I've had reveal that the threats themselves and kind of what the exposure is to the clearly heightened needs and, well, frankly, actors prey on opportunity. That's what drives the threat industry. And those are really the top-of-mind topics, conversations and the worries, I guess, that are kind of keeping them up at night, in air quotes.
Rick Howard: [00:21:54] Well, that would be my concern as a security practitioner, is the gap. That, as we transition from an in-office workforce to a home office workforce – Mike, the question for you – for your internal team, did you all have to do anything special or different than you thought when you transitioned to an almost completely at-home work force? Or did you just lay down what everybody else had before the pandemic, and that worked fine?
Mike Spanbauer: [00:22:21] So, for us here at Juniper Networks, I think that we already had quite a few capabilities, tools, and the ability to see inside and monitor across all of the workforce. So, largely, it was a capacity point rather than necessarily a technical enabler. And Mounir alluded to, we had really robust capabilities and processes already to support that shift in the workforce. And really, the struggles are more around, how do you manage your kids at the same time (Laughter)...
Rick Howard: [00:22:55] (Laughter)
Mike Spanbauer: [00:22:55] ...While at home versus the technology. But we accommodate the technical need and threat visibility and capabilities within the operations infrastructure fairly well, I believe.
Rick Howard: [00:23:05] So, I think that for a big security company like Juniper, that I can see that that would be less of a headache for you all. But Mike, when you're out there talking to your customers, you know, the non-techie customers who have just, you know, retail stores and things, and they use tech, you know, with older employees, that are not used to this kind of thing, I imagine teaching them how to use a VPN or whatever it is that gets them into the security stack is quite difficult. What are some of your customers saying about how they approach that?
Mike Spanbauer: [00:23:35] I think that, you know, the general perspective is that there's actually been a great deal of training. Most of them are eyes-wide-open relative to security awareness training, because, you know, the root of this begins with knowing how they might get compromised and what behaviors personal – these are human, for the user, behaviors at the keyboard lead to potential exposure and risk. And those are kind of the conversations that, you know, I'm gentle to remind them of, but also that, you know, oftentimes they have fairly well-thought-out programs in place, that maybe the training is not delivered as often as they'd like to. But as far as, you know, the average users, they've been able to enable and empower. Though, the real challenge becomes one of, when you just dropped a client for a moment, what about the exposed window of potential, you know, infection or downloads that may occur? And that's sort of where the education and energies have been spent.
Mike Spanbauer: [00:24:33] But on the other side, there's also, you know, the power users are the organizations that are kind of forward to embracing this and still ensuring a very high degree of business continuity. For example, the financial space with the mandatory work from home – but clearly, the markets haven't stopped. And we've had specific scenarios of customers that are using some of our smaller next-gen firewalls to both provide service assurance and security capabilities to still afford them the power of transacting at a high rate of speed securely. And that has enabled them to work as fluidly from home as oftentimes they would have in the office, yet in a different modality or sort of paradigm. So, there's both ends of the spectrum, and I think customers sort of fall within. But largely, they're aware, and certainly capable of moving forward, if not as fast as they once did.
Mike Spanbauer: [00:25:32] We've also, for our installed base, offered subscriptions to a number of the advanced security software licenses, for those that may not be currently using those to ensure that they are protected more broadly and more capably. That the number of variants and campaigns that are being mounted are, you know, two x, two-and-a-half x what they were prior to the current healthcare scenario globally, and likely will remain on a fairly aggressive schedule. So we want to ensure that our customers are supported in this time of global crisis and challenges and to provide them with the best we're able to offer so that they can in turn best both support the current business, but also position themselves for an accelerated recovery once things do begin to relax, which, again, fingers crossed, won't be too far off. But again, more broadly, recognizing that business still does continue, but they need to ensure that they're protected at every step of the way. And that's something we do particularly well, you know, as a very large cybersecurity company that sort of represents a large portion of the globe.
Rick Howard: [00:26:51] So, we're a number of weeks into this pandemic, and like you alluded to, Mike, that we are some ways out before we're through with it. We haven't solved all the problems that the pandemic has caused. What's next on the hit list? What are you guys thinking about in terms of the Threat Lab? What do you what's the next thing that you're trying to track down?
Mike Spanbauer: [00:27:11] One of the things that we're proud of, but also is particularly key to our customer strategy in enabling the market to move forward, is that, you know, in these periods of transition and new architectural deployments, to have a path from where you are to where you're going, which can be months or potentially years in some cases. And we have both capabilities and specific technologies to provide a path to transition, to basically redeploy what you have as well as – and that's not exclusively Juniper kit either – but also we can support and help with other vendors' products in that transition state so that customers have a graceful path to move from where they are to the next architecture, to the next thing. And that's a core principle for both connected security and enabling a threat-aware network for our customers globally.
Rick Howard: [00:28:06] If how these security leaders handle the crisis is an indicator of how the entire network defender community handled it, I think we all did pretty well. Of course, there were some hiccups, but for the most part, we all buckled down and did what we had to do. There's still a lot of work to do for sure, but that is to be expected. What is clear is that some of the things we thought were so hard to do before the pandemic became a thing we just did because of the pandemic. And that is a silver lining for this entire mess.
Rick Howard: [00:28:38] Our thanks to Bob Turner from the University of Wisconsin at Madison for Part One of the show, and Mounir Hahad and Mike Spanbauer, both from Juniper, our show's sponsors, for the second part.
Rick Howard: [00:28:49] CyberWire-X is a production of the CyberWire, and it's proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity startups and technologies. Our coordinating producer is Jennifer Eiben. Our sound engineer is Elliott Peltzman. Our contributing editor is Bennett Moe. Our executive editor is Peter Kilpe. And I'm Rick Howard. Thanks for listening.