In the corporate world, the task of monitoring, managing and securing 60,000 endpoints is typically handled by a large team of security professionals, and backed by substantial investments in technology and services. For James Perry, CISO for the University of South Carolina (USC), the reality is somewhat different: “Like the majority of my peers in education, we have to protect our environment using a significantly more modest set of resources than our counterparts in commercial sectors.”
Some might assume that academia represents a less attractive target for would-be hackers and, therefore, doesn’t require the same levels of defense. However, this is a fallacy. With hundreds of millions of dollars of sponsored research and endowments totaling almost two-thirds of a billion dollars, USC harbors rich spoils for criminals. In 2017 alone, the University’s students and staff were hit by an astounding 100 million phishing attempts – and that’s not the only attack vector being leveraged by threat actors.
Aided by Tom Webb, deputy CISO and director of information security operations for USC, Perry has assembled a portfolio of industry-leading security solutions to protect the assets under his control. To withstand the onslaught of email-based attacks, USC relies on FireEye Email Security, used in conjunction with FireEye Endpoint Security and FireEye Network Security.
What sets USC apart is a unique strategy that further elevates the effectiveness of the USC defenses. Perry commented, “We’ve architected an infrastructure where we extract and tie together information from all of our tools to create custom intelligence. We assemble data from individual sources and leverage it in a way that benefits our entire security stack.”
Incident data, events and logfiles from throughout the USC infrastructure are collected and formatted – using Python and Bash scripts – to create highly customized indicators of compromise (IOCs). The normalized IOCs are held in an in-house incident tracking system that uses the open-source theHive repository to provide the USC security team with SQL-like access to the information. IOC data is passed to the University’s FireEye Central Management Series threat intelligence hub and then disseminated to the USC security information and event management (SIEM) system. This equips in-house analysts with the information needed to execute an informed triage on incoming events and determine where resources should be focused.
Intelligence from the USC IOCs is also fed back into many of the tools and solutions that originally created the events. “We’re able to further enhance the effectiveness of our entire security suite by arming each component with very specific information that we discovered through the forensic analysis of our IOC data-streams – such as URLs or IP addresses that have been proven to be malicious,” Webb explained. “This ability to rapidly preempt further attacks from the same source or a threat with a similar footprint enables us to really take advantage of the team’s full expertise and maximize our bandwidth.”
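The two paragraphs above describe a loop: raw events from differently formatted tools are normalized into IOCs, the IOC table is used to triage new events, and corroborated indicators are exported back to the tools. The Python below is an added illustration of that loop written for this page; it is not USC’s scripts or any FireEye or theHive code. It takes constructed events from three sources, refangs and validates the indicators, folds them into one de-duplicated table with sighting counts and first/last-seen times, exports a feed filtered by how many tools corroborate each indicator, and checks an incoming event against the table. The source names, sample messages, internal address ranges and record fields are all assumptions.

```python
import re
import ipaddress
from dataclasses import dataclass, field, asdict

# Constructed sample events (not real data): (source tool, UTC timestamp, raw message).
# Each tool emits its own format, which is what the normalization step has to absorb.
SAMPLE_EVENTS = [
    ("email", "2018-03-01T09:14:02Z",
     "blocked url=hxxp://login-sc-edu[.]example/verify sender=payroll@example.test"),
    ("endpoint", "2018-03-01T09:20:45Z",
     "alert host=lab-pc-17 sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 c2=203.0.113.45"),
    ("network", "2018-03-01T09:21:10Z",
     "callback dst=203.0.113.45:443 src=10.20.30.40 bytes=48211"),
    ("email", "2018-03-02T11:02:33Z",
     "blocked url=http://login-sc-edu.example/verify sender=hr@example.test"),
    ("network", "2018-03-02T11:05:00Z",
     "malformed dst=999.1.2.3 ignored"),
]

# Address space treated as internal (assumed site configuration, not from the case study).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass
class Indicator:
    ioc_type: str                 # "url", "ipv4" or "sha256"
    value: str
    sources: set = field(default_factory=set)   # tools that reported it
    sightings: int = 0
    first_seen: str = ""
    last_seen: str = ""


def refang(text):
    """Undo common defanging so the same indicator normalizes to a single value."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def extract(text):
    """Yield (type, value) pairs found in one raw message, after validation."""
    text = refang(text)
    for url in URL_RE.findall(text):
        yield "url", url.rstrip(".,;)")
    for digest in SHA256_RE.findall(text):
        yield "sha256", digest.lower()
    for ip in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)   # rejects octets > 255 that the regex lets through
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL_NETS):
            continue                          # internal hosts are victims, not indicators
        yield "ipv4", str(addr)


def normalize(events):
    """Fold raw events from every source into one de-duplicated IOC table."""
    iocs = {}
    for source, ts, message in events:
        for key in extract(message):
            ind = iocs.setdefault(key, Indicator(*key))
            ind.sources.add(source)
            ind.sightings += 1
            ind.first_seen = min(ind.first_seen or ts, ts)   # ISO-8601 Z strings sort correctly
            ind.last_seen = max(ind.last_seen, ts)
    return iocs


def to_feed(iocs, min_sources=1):
    """Export indicators corroborated by at least min_sources tools, in a flat form
    suitable for a SIEM watchlist or for pushing back to the blocking tools."""
    rows = []
    for ind in sorted(iocs.values(), key=lambda i: (i.ioc_type, i.value)):
        if len(ind.sources) >= min_sources:
            row = asdict(ind)
            row["sources"] = sorted(ind.sources)
            rows.append(row)
    return rows


def triage(iocs, message):
    """Match one incoming event against the IOC table; returns the indicators it hits."""
    return sorted(key for key in set(extract(message)) if key in iocs)


if __name__ == "__main__":
    table = normalize(SAMPLE_EVENTS)
    for row in to_feed(table):
        print(row)
    print(triage(table, "proxy GET http://login-sc-edu.example/verify client=10.9.8.7"))
```

With the constructed input the table ends up with three indicators: the phishing URL seen twice by the email gateway, the callback address reported independently by the endpoint and network tools, and the file hash. The internal source address and the malformed address are dropped by validation, and `to_feed(table, min_sources=2)` returns only the address two tools agreed on, which is the kind of corroboration filter worth applying before an indicator is pushed back into blocking controls.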
Perry, a long-time proponent of FireEye solutions, places a significant emphasis on collecting metrics to monitor and optimize the effectiveness of his team’s defense of the University’s extended infrastructure. He noted, “Month-on-month, we’re able to measure our ability to protect the USC environment, including the detection and remediation of any threats that might break through. The iterative nature of how we’re using intelligence gives us the ability to continually optimize our security measures.”