More With Less: How USC Leverages Intelligence to Continually Improve Its Defenses

In the corporate world, the task of monitoring, managing and securing 60,000 endpoints is typically handled by a large team of security professionals, and backed by substantial investments in technology and services. For James Perry, CISO for the University of South Carolina (USC), the reality is somewhat different: “Like the majority of my peers in education, we have to protect our environment using a significantly more modest set of resources than our counterparts in commercial sectors.”

Some might assume that academia represents a less attractive target for would-be hackers and, therefore, doesn’t require the same levels of defense. However, this is a fallacy. With hundreds of millions of dollars of sponsored research and endowments totaling almost two-thirds of a billion dollars, USC harbors rich spoils for criminals. In 2017 alone, the University’s students and staff were hit by an astounding 100 million phishing attempts – and that’s not the only attack vector being leveraged by threat actors.

Aided by Tom Webb, deputy CISO and director of information security operations for USC, Perry has assembled a portfolio of industry-leading security solutions to protect the assets under his control. To withstand the onslaught of email-based attacks, USC relies on FireEye Email Security, used in conjunction with FireEye Endpoint Security and FireEye Network Security.

What sets USC apart is a unique strategy that further elevates the effectiveness of the USC defenses. Perry commented, “We’ve architected an infrastructure where we extract and tie together information from all of our tools to create custom intelligence. We assemble data from individual sources and leverage it in a way that benefits our entire security stack.”

Incident data, events and logfiles from throughout the USC infrastructure are collected and formatted – using Python and Bash scripts – to create highly customized indicators of compromise (IOCs). The normalized IOCs are held in an in-house incident tracking system built on the open-source theHive repository, which gives the USC security team SQL-like access to the information.

IOC data is passed to the University’s FireEye Central Management Series threat intelligence hub and then disseminated to the USC security information and event management (SIEM) system. This equips in-house analysts with the information needed to execute an informed triage on incoming events to determine where resources should be focused.

Intelligence from the USC IOCs is also fed back into many of the tools and solutions that originally created the events. “We’re able to further enhance the effectiveness of our entire security suite by arming each component with very specific information that we discovered through the forensic analysis of our IOC data-streams – such as URLs or IP addresses that have been proven to be malicious,” Webb explained. “This ability to rapidly preempt further attacks from the same source or a threat with a similar footprint enables us to really take advantage of the team’s full expertise and maximize our bandwidth.”
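The pipeline described above (collect alerts, normalize them into de-duplicated IOCs, then export the malicious URLs and IPs as a blocklist for the tools that raised the alerts) as an added Python example; this is not USC's or FireEye's code, and the JSON alert lines, field names and the internal-range list are constructed assumptions, not any product's real output format.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample alerts (assumed shape, not real sensor output).
SAMPLE_EVENTS = [
    '{"source": "email", "verdict": "malicious", "url": "HTTP://Evil.Example.test/login.php?x=1"}',
    '{"source": "network", "verdict": "malicious", "dst_ip": "203.0.113.45"}',
    '{"source": "endpoint", "verdict": "malicious", "url": "http://evil.example.test/login.php?x=2"}',
    '{"source": "network", "verdict": "benign", "dst_ip": "198.51.100.7"}',
    '{"source": "network", "verdict": "malicious", "dst_ip": "10.0.0.5"}',
]

# Assumed internal ranges: an IOC pointing here must never reach a blocklist,
# or the feedback loop would block the campus itself.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def normalize_url(url):
    """Canonicalize scheme/host/path so variants of one phishing page collapse to one IOC."""
    p = urlparse(url.strip())
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path or '/'}"

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def extract_iocs(raw_events):
    """Turn raw alert lines into de-duplicated IOC records with sighting counts."""
    iocs = {}
    for line in raw_events:
        ev = json.loads(line)
        if ev.get("verdict") != "malicious":
            continue  # only confirmed-malicious events become intelligence
        if "url" in ev:
            value, kind = normalize_url(ev["url"]), "url"
        elif "dst_ip" in ev and not is_internal(ev["dst_ip"]):
            value, kind = ev["dst_ip"], "ip"
        else:
            continue
        rec = iocs.setdefault(value, {"type": kind, "value": value, "sources": set(), "sightings": 0})
        rec["sources"].add(ev["source"])
        rec["sightings"] += 1
    return sorted(iocs.values(), key=lambda r: r["value"])

def to_blocklist(iocs, kind):
    """Flat list of one IOC type, ready to push back to email/network/endpoint tools."""
    return [r["value"] for r in iocs if r["type"] == kind]
```

Sighting counts and source sets are what let an analyst rank an IOC that several sensors independently reported above one seen once.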

Perry, a long-time proponent of FireEye solutions, places a significant emphasis on collecting metrics to monitor and optimize the effectiveness of his team’s defense of the University’s extended infrastructure. He noted, “Month-on-month, we’re able to measure our ability to protect the USC environment, including the detection and remediation of any threats that might break through. The iterative nature of how we’re using intelligence gives us the ability to continually optimize our security measures.”