CyberWire-X 8.16.20
Ep 7 | 8.16.20

The ABCs of cybersecurity for the education sector.

Transcript

Dave Bittner: Hello everyone and welcome to CyberWire X, a series of specials designed to highlight important security topics affecting organizations around the world. Today's episode is titled The ABCs of Cybersecurity for the Education Sector. We'll explore the challenges facing school districts when it comes to cybersecurity, and we'll hear from practitioners about how they're tackling serious issues in a time of rapid change and great uncertainty.

Dave Bittner: A program note, each CyberWire X special features two segments. In the first part of the show, we'll hear from an industry expert on the topic at hand and, in the second part, we'll hear from our show sponsor for their point of view. And, speaking of sponsors, a word from our sponsor, Deep Instinct.

Dave Bittner: Deep Instinct is changing cybersecurity by harnessing the power of deep learning, the most advanced form of AI, to prevent threats in zero time. Unlike detection and response-based solutions, which wait for the attack before reacting, Deep Instinct's solution works preemptively. By applying end-to-end deep learning to cybersecurity, files are automatically analyzed prior to execution, keeping customers protected in zero time. The outcome is resilient prevention that provides consistent security day in, day out. Learn more about the benefits of incorporating Deep Instinct into your cybersecurity defense, by visiting deepinstinct.com. That's deepinstinct.com and we thank Deep Instinct for sponsoring our show.

Kevin Ford: Yes, it's certainly interesting. We have a state law that requires every public organization to be on our state network.

Dave Bittner: That's Kevin Ford, Chief Information Security Officer for the state of North Dakota.

Kevin Ford: So, it is a very interesting setup, right? You have large state agencies, as well as very, very small city governments, town governments, county governments, all required to be on the same network and co-mingled there. The security of all of the different organizations is very, very concerning, because we're all sort of co-mingled. So there's a lot of different interesting network architecture and network security practices that we have to engage in, as well as really trying to focus on the end points of different agencies.

Kevin Ford: One of the things we're looking at is cyber hygiene standards for every organization. But, as you know, every organization's different and they have different levels of funding and so, you know, there are K12 organizations out there, where their cybersecurity guy is their IT guy, who's also the football coach and the bus driver and teaches social studies.

Kevin Ford: So, it's one of those things. We also have to be very cognizant that, you know, the budgets and the sizes of these organizations are also very impactful to the cybersecurity posture, not just of their K12 organization but of the whole state.

Dave Bittner: How do you come at a problem like that? How do you break it down into manageable units?

Kevin Ford: It's a very difficult problem and I'm not sure that we have the 100% solution right now, but we are developing outreach. I've been in this position about six months, and one of the key things I've done and one of the things I've asked for my team to accomplish is to really increase our outreach, so that we know who's in the IT coordinator, or cybersecurity position for each K12 organization; we know what their struggles are, we understand where they're coming from, from a budgetary standpoint and from a cybersecurity standpoint.

Kevin Ford: With that in mind, we've done a number of things. We're looking at creating a policy for the state network that goes over basic cyber hygiene stuff and, so, that's very, very basic stuff, things you would expect everyone would have but, you know, we're finding in the K12 sector that, a lot of these things, they either can't afford, or they just never felt to have, or haven't had the time to deploy. So, we're issuing guidance and strategy documents and policy, the administrative side to make them aware, "Hey, this is what's required in the cybersecurity sphere," and then really trying to listen as they come back to us with their problems and try to figure out how to troubleshoot those together.

Kevin Ford: One of the other things that we're doing is starting to provide cybersecurity tool sets for free, and those can be either managed centrally by our security organization or, in some cases, we kind of create a little security operation center within the larger security operation center, so that their IT personnel and their cybersecurity personnel still have the necessary contacts around what they're doing, how their segment is operating and how the different assets within their organization are protected.

Dave Bittner: You know, I would imagine that it must be a priority for you to make sure that you're considered to be a collaborative partner, because I could see this becoming kind of an adversarial thing, you know, that the folks from on high are saying we have to do these things and they're far away and they don't know what our challenges are or our budgets and that sort of thing. So, am I right that a big part of your job is fostering that sense of community?

Kevin Ford: Yes, absolutely and, you know, I won't claim 100% effectiveness at that, right? Sometimes people are upset. You know, here's the state government coming in to our little organization and telling us how to do things and in some cases, they're upset because we're asking them to do things that they may not have resources to do and, in other cases, they're very large organizations that have a ton of resources and think that they know better, and maybe in some cases they do, and there are very real logical issues.

Kevin Ford: Sometimes the cadence at which the state can keep up with requests for white listing, or black listing, so on and so forth, is maybe not as quick as what these organizations would really like and so, you know, there are very, very real and meaningful issues that we're still trying to work out. It's not something that, you know, is perfect right now and I don't want to say we're doing the best job in the world right now; but we are starting to tackle those issues. I think just the identification of those issues is the first step.

Kevin Ford: We've identified, I think, a significant amount of those issues and are starting to have a dialog with not just our K12 organizations, but our counties and our cities as well, to try to get kind of a unified understanding of what we're doing, how we should proceed and what the state strategy is going to be moving forward on this.

Dave Bittner: Can you give us some insight, some examples of some of the things that you're coming at; some of the things that you're trying to approach?

Kevin Ford: Yes. I mean, some of the conflicts are obviously things along the lines of the tools that we are providing the organizations maybe do not match the native environments. For instance, we're on Palo Alto and they may be on Cisco, or something like that. Other issues are, "Hey, you know, we have this kind of really niche software that needs to run and we need to have it whitelisted. Can you whitelist it just for us and not the entire state?" or "Can you blacklist this just for us and not the entire state?"

Kevin Ford: It's some interesting issues to try to figure out, as far as our architecture is concerned and as far as the capabilities we're offering are concerned.

Dave Bittner: I suppose you've got your own limitations of the resources that you have at hand as well.

Kevin Ford: We do. I think, fortunately, our leadership is very, very good in this regard. Our governor is considered to be an IT-forward governor. He was a Microsoft executive and Chairman of the Board, or on the Board of Atlassian, so certainly from the tech side and he approaches everything with, I believe, a forward-thinking, technology-oriented solutions approach.

Kevin Ford: With that being the case, we do have a very, very robust cybersecurity organization here in the state of North Dakota, I think probably one of the better organizations that exist in state government. But, yes, I don't know any organization, quite frankly, that, if you asked, said that they had enough support or enough assets to get the job done. So we do find ourselves, you know, prioritizing the work that we're doing and making some sacrifices in some corners and some regards.

Dave Bittner: What about, you know, some of the non-technical things, like user-awareness training and so forth? I mean, is that a part of the types of things that you're promoting?

Kevin Ford: It is. It certainly would be one of the hygiene issues that we bring up in our state-wide standards and policies and guidance for the K12 organizations, but it's also a capability that we're looking to provide. I'm trying to be very cognizant of asking K12 organizations to do something and then not providing them any support to do it. So, it is something that we do a very good job of, I believe, in state government, and we're looking to be able to provide those capabilities at low cost or no cost to our K12 organizations as well.

Dave Bittner: How much does automation play a role in the things that you do? I'm thinking of the scale that you run at. Is that an important part of maximizing the resources that you have?

Kevin Ford: Yes, automation is tremendously important for us. We have a team of about 30 cybersecurity analysts and professionals within the state, and that's probably the largest cybersecurity team that exists within our state, whether that's in private organizations, or whether that's in the government.

Kevin Ford: So, to put that into context, we have about 250,000 end points on our state network at any given time. Trying to tackle that with a crew of about 30 is very, very tough and so, one of the things we're really, really pushing in the state of North Dakota is the development of automated processes. To that end, we have security orchestration and automation tools that we've put in place that really, really help our analysts kind of get out of the weeds, doing kind of day-to-day grind type work; we can automate the responses for those now. And our analysts focus their time on, I would say, events that are maybe a little more significant, or doing more in-depth investigations into events than they could otherwise.

Kevin Ford: We're really pushing automation, but we're also pushing automation in the people processes as well. We're looking at things like account management, or even our GRC processes, and looking at those and trying to map them out, trying to make them more efficient and then bringing our robotic process automation into the picture, so that we can also free up time of other security personnel who maybe are not kind of on the front lines, but also need to perform a very important role as far as preventing and managing cyber risk.

Kevin Ford: We're really embracing automation here. I think it's one of the most important tools and biggest weapons that we have in our arsenal against cyber risk.

Dave Bittner: What sort of advice or tips do you have for folks who may be in a similar position as you? You know, perhaps an organization that might not be as far along the path as you are, or may not have the support from high up, the way you do. Any words of wisdom?

Kevin Ford: You know, my number one piece of advice would be to communicate. I think communication is always very, very important in cybersecurity, but I think it's more so in organizations that are decentralized, like maybe the state of North Dakota is, where we have all sorts of different governments and different agencies and particularly the three branches of government also. Communication is key there.

Kevin Ford: But on a more technical level, I would say if you're maturing your organization, look at your workflows; look at the ability of your operational security guys to put into action the lessons that are learned by your risk management teams, whether that's a governance risk or compliance team, or whether that's the system administrators on the ground. You want to be able, as best you can, as a security operation center, to ingest the understanding of the organization and drive down incidents and kind of save your organization time and money by preventing, rather than just responding.

Dave Bittner: Our thanks to Kevin Ford, Chief Information Security Officer for the State of North Dakota, for joining us.

Dave Bittner: Up next, we'll be hearing from Stephen Salinas from Deep Instinct, the sponsor of this show, and Matthew Frederickson from the Council Rock School District. We'll hear from Matthew first.

Matthew Frederickson: The Council Rock School District, we're located in southeast Pennsylvania. There are 500 school districts in the state and we're sometimes the 11th, sometimes the 12th largest school district. We have roughly 11,000 students and about 1,300 staff. We're in 18 buildings, spread out over 72 square miles and my entire IT department, including myself and my secretary, consists of nine people. We support about 13,000 users on a daily basis and, with Covid-19, not just the users but the users' household networks as well, which has been a challenge for us.

Matthew Frederickson: In most businesses, when you're worried about security threats, you're thinking about threats from the outside getting into your network and you're doing a little bit, you're concerned about that disgruntled employee or perhaps that insider who decides to sell intellectual property. But there are few environments where you're protecting the inside of the network in the same fashion you protect the outside of your network, because half of my population are trying to hack me all the time and we give them computers and put them on the network and say, "Here, do this." They watch YouTube videos and they come in and they try it.

Matthew Frederickson: Now, having said that, I'm okay with that and the reason I'm okay with that is, I'd much rather they try and fail on my network, where they're not going to get arrested and carted off to jail, than if they try that on a college network or a work network. What we do when we find it is we have a little conversation with the student and their parent or guardian and explain to them that that's considered a third degree felony in the state of Pennsylvania and could lead up to seven years in prison. Usually, when I have that conversation with the parents, I don't have any problem with those kids again.

Matthew Frederickson: What really concerns me about endpoint protection is that I can put as much technology in place as I want but we know that, at the end of the day, cybersecurity is 20% technology and 80% people. So, I'm afraid that that person's going to click on that link that they shouldn't, or somehow get to that website that they shouldn't and invite a threat actor into my environment.

Matthew Frederickson: So, recognizing that I don't have the staff to staff a SOC and to constantly be looking at what's going on in my network, I had to find, wherever possible, tools that could not only do that for me, but give me the alerts that I wanted. So we implemented a SIEM, but I still didn't have anything that I felt was doing a really good job of real behavioral analytics. I knew that it didn't go far enough. I wanted another product that could watch memory and watch what the users' actions were. And I've said this over and over again, as I started to look, Deep Instinct kind of fell in my lap and did exactly what I needed it to do, in my opinion.

Matthew Frederickson: When we were doing the proof of concept, I installed it on some of my servers where, if it impacted performance, the users wouldn't scream too loud and I'd be able to remove it. There was zero impact on performance on the servers. So I'm like, "Alright, let me try that on all of my servers," because that's the kind of guy I am, right? So I deployed it to all my servers, and there was no impact to performance. I'm like, "This is just too good to be true; it's going to bog up my workstations." Did not bog up my workstations. I deployed it everywhere on everything and I've had zero impact on performance on any of the machines.

Stephen Salinas: I think that's really one of the main concerns, as Matt mentioned...

Dave Bittner: That's Steve Salinas. He's Head of Product Marketing at Deep Instinct.

Stephen Salinas: ...when you're starting to talk about adding things to your end points or your servers is the performance. Because we're all familiar with the old days of traditional AV solutions, that when they would spin up and they would start scanning your machine you might as well walk away and get a cup of coffee. The machine became basically unusable for however long that scan took. So, in the next generation type of solutions, and we kind of consider ourselves the third wave of solutions, performance impact is one of our top priorities.

Stephen Salinas: One of the ways that we limit our performance impact is in the way that that deep brain - that's what we call it - our deep learning static analysis and even our behavioral analysis, works on the endpoints. So it is deployed in an agent, but the agent is small, it doesn't consume a lot of space and it just sits there until it needs to do something.

Stephen Salinas: We're not doing constant scanning. I'll talk about it in two ways. When we talk about our static file analysis, this is where the deep learning brain is analyzing files; it's looking as files come onto the machine, or move around the machine. So, at that point when it detects that's occurring, that's when the static analysis occurs and in between 20 and 50 milliseconds it's able to make a decision if the file is malicious or benign, if it's okay to run, or if it should be quarantined. It can do it that quickly, because when we deploy that deep learning brain, it's already been pre-trained, so we're not consuming any of the computer resources to train that model. It's been trained on millions and millions of files and it's highly accurate.

Stephen Salinas: The same thing with the behavioral analysis. It just sits waiting for suspicious actions that give the system the indicators that it might be ransomware or some sort of other malicious activity.

Dave Bittner: Well, let's talk a little bit about the data that you and your team get sent. I mean, you know, we hear a lot of folks complain that you can find yourself with a fire hose of information and it's hard to filter through, with a lot of products that are signaling you that things are going on in the network. Now, how are you able to dial in to make sure that you're seeing the things you need to see but that they're prioritized properly?

Matthew Frederickson: The brain's already trained in the Windows environment; it knows what a lot of the stuff is. I'll give you a couple of examples. Any security tool that you put in your environment, you've got to establish a baseline. So what we did is, we ran for 60 days without it actually stepping in and doing anything, you know, after we got it rolled out in a major way. During the initial proof of concept, we were testing the blocking of the EXEs from running and all that good stuff. But, when we initially rolled it out across the board, we just wanted it to monitor, let's see what's going on. And once we felt comfortable with it, then we just started turning it on and saying, "Alright, when you find that stuff, let us know."

Matthew Frederickson: The first thing that it found that it reported as potential malware was a little thing called OneDrive from Microsoft and the reason that it did, which is fascinating to me, is did you know that Microsoft will try to install that thing at, like, seven or eight different locations? You want to install it, Microsoft says "No, no, we want it installed." It'll reinstall it and it'll install it all over the place.

Matthew Frederickson: Since I've been running this thing for, like, eight months, that's the only real false positive I've had. Out of the box, I haven't had to train it a lot. We had a couple of custom applications that we had written here in-house and I just had to tell it once that these were custom and boom. It's magic.

Stephen Salinas: I can add a little bit to that if you like.

Dave Bittner: Yes, please.

Stephen Salinas: You hit on a really important part there, Matt. People are looking at security solutions, and I think certainly you want to know how accurate it is in identifying malware. Of course, that's really important and that's what's obviously known as the efficacy, but equally important are those false positives.

Stephen Salinas: Because, if you have a solution that might be really accurate at identifying malware, and let's say it generates 100 notifications or alerts, if 50 of them are also false positives, you're really going to be draining your resources, filtering through false positives all the time. This does happen a lot of times, especially with your next gen solutions that are using not deep learning, but machine learning. Machine learning is more prone to false positives in the way that it's identifying malicious files, compared to deep learning.

Stephen Salinas: What Matt was describing as his experience is very common: very low false positives, you apply a few exclusions for custom applications or things that you're going to be running in your environment and you're going to be pretty much good to go. You know, and again like Matt mentioned, the brain has already been trained.

Stephen Salinas: If you try to train a deep learning brain on any machine, it wouldn't be able to do it. It requires a ton of horsepower to do that. We do that in the Cloud using NVIDIA GPUs. It's a big investment that we make, but it enables us to deliver this pre-trained brain that is really high in efficacy and delivers, from our experience, really low false positives. I haven't seen anything like this before in my career.

Dave Bittner: I remember when my oldest child was coming up through school and my wife and I were, you know, pondering what sorts of parental controls to put on our computer and so on and so forth. I remember saying that, you know, "You know, the two of us together might be able to outsmart him, but there's very little chance that we're going to outsmart him and all of his friends," that, you know, the kids tend to crowd source solutions to things. Have you had to deal with any of your clever students trying to run an end run around any systems like this?

Matthew Frederickson: Pretty much every day. Yes, so my philosophy has shifted quite a bit over the last couple of years, and I teach cybersecurity at the local community college, so I'm pretty focused on this stuff. In the last couple of years my philosophy has shifted to not if but completely when. Like, it's going to happen, how bad is it going to hit me and what am I going to need to do to recover? And if you're not saying that to yourself, you're kidding yourself; because it is just a matter of time.

Matthew Frederickson: Because these kids, you know, they come to school for seven and a half hours a day, they go home and they've got ten, 12 hours before they have to do anything, and they've got lots of time to watch YouTube and to try things. And their network at home isn't big enough to test this stuff on, so they're bringing it in and testing it on my network and they do it all the time. Now, I've got a lot of good tools in place to stop it, and it's definitely stopped any of their attempts at infecting the network, but when they try to circumnavigate the network security, or they try to bring in an application on a thumb drive and run it to try to launch a denial of service--

Matthew Frederickson: I'll give you an example. This last year, I had a group of seventh graders who'd watched a YouTube video on how to bring down the school network by launching a denial of service attack program. They were part of the computer club that met right after the end of the school day every day. So they're in their little group and they're trying to launch this program. The advisor for the club is monitoring them with our classroom management software and it says in the bottom right hand corner, "You're currently being monitored by Mr McNulty," and they were trying anyway. And he's sitting there just taking one screenshot after another, right? And the stuff that I have in place just stopped it, it just didn't happen, and they were really pissed off that it didn't work.

Matthew Frederickson: I brought in the parents the next day. One kid's father is a CIO of a private company and he's like, "Look, you know, my son's really smart. He would never be so stupid to do this. I can't even believe I'm here. You've got the wrong kid." So when I handed him the screenshots and I said, "Pretty sure this is your son," he's like, "Oh, that's not my son, I don't know who it is. You can do whatever you want to that kid." And he was also unaware about the third degree felony in Pennsylvania, and I showed that to him and he goes, "Well you're not going to turn these kids over to the police, are you?" And I said, "No, that's not our intention," and I said, "Your willingness to work with us really drives that. I've been here 16 years and only once have we had a kid removed in handcuffs." And that's when the parents were in denial. They weren't even remotely interested in anything we had to say, and they didn't think their son had done anything wrong.

Dave Bittner: I suppose a big part of this for you, as educators, is channeling that energy, channeling the gifts that those kids have, towards good directions.

Matthew Frederickson: Yes, trying to redirect that energy into a positive direction instead of a negative direction.

Dave Bittner: Our thanks to Steve Salinas from Deep Instinct and Matthew Frederickson from Council Rock School District for joining us. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland, at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity startups and technologies.

Dave Bittner: Our coordinating producer is Jennifer Eiben, our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.