Join host Huxley Barbee, security evangelist at runZero, on this webcast about cyber security and higher education. Joining the conversation are Tracy Dallaire of McMaster University and Chris Russel of York University.
(00:00) Huxley Barbee: Welcome everybody to this runZero webcast on cyber security and higher education. Today we have two distinguished guests who will educate us on some of the critical challenges of being a successful CISO at a top research university.
But before I introduce our guests I do want to announce that runZero this week introduced an education licensing program where we provide free licenses for university faculty members. Once approved for the education license, faculty members will have access to the full runZero Enterprise product, with some minor limitations, for one year. Faculty members will also be able to invite their students into their account for school projects. If you would like more information about this program, look out for the recording of this webcast; we will have links for you to register for that license in the show notes. Or, if you want, you can also reach out to your runZero account rep and they will point you in the right direction.
Alright, so with that I shall move on to introducing our panel guests. First we have Tracy Dallaire, the inaugural Director of Information Security at McMaster University. She’s a leader in the cyber and information security space and a digital strategist. She has over 25 years of experience in the public sector, most recently at Mohawk College before McMaster, where she held numerous positions as Senior Director of Technology Integration (Academic) and Senior Director of IT Strategy and of Cyber Security and Architecture respectively. Prior to Mohawk she worked in a number of ministries of the Province of Ontario, as well as in other public sector organizations.
The second guest we have here is Chris Russel, a dedicated cyber security expert with over 20 years of experience in leadership roles within large IT environments, who has instructed cyber security courses for SANS. He’s also been deeply involved in research and education networking, serving on the board of GTAnet, the R&E network provider in Toronto, Ontario, and he’s currently the CISO for York University, Canada’s third-largest university.
Alright so Tracy let me start with you, suppose I were an experienced CISO in industry or in government, so basically from outside of Academia, what would you say are the top two unique higher ed challenges that I should know about?
(02:49) Tracy Dallaire: Well thanks Huxley, thanks for having us today, and exciting announcement, I’m thrilled to hear that. So what’s unique in higher education is that we can think about higher education institutions as small cities. People come to the campus to learn, to live, we have people in residences, people come for conferences, they study, they research, community members come and engage. They may go to the libraries, there are galleries, there are sports events, so it’s very unique in that you’re managing the security for a very complex small community, a small city, and all the complexities that come with that. With institutional devices, as well as things people carry with them when they enter, which they then connect to your network and to your environment. So that’s one, and it is very dynamic and complex to protect and keep safe.
The other is the research aspect. Research is intended to be innovative and pushing boundaries, trying new things, exploring new areas. And when you do that it can introduce levels of risk that maybe we had never thought of previously, and they do that through various partnerships with industry, other countries, other organizations. So that adds another complex layer, and you don’t want to stifle that innovation in any way or prevent it from happening as you’re trying to secure the environment and run the business of the institution as well.
(04:30) Huxley Barbee: I love that analogy of universities as mini cities, right, because you even have law enforcement on campus. But this also means that the types of devices that you have are very different from what you would find in a business, right? Which is primarily IT, but you also have a lot of OT devices as well and things like this, so I really love that analogy.
So moving on, Chris, I know you spent part of your career outside of security helping out the university on the IT side, and I’ve noticed that especially at smaller institutions they don’t necessarily have security teams. So cyber security on the campus and the related environment is actually an IT responsibility. If I were a higher ed IT leader being asked to take on new security leadership, what would you say are the top two things that would help me to know?
(05:23) Chris Russel: Well, thanks Huxley. It’s true that security has been part of my mandate, well, it’s part of my mandate; I’ve done a number of different roles that have mainly been in networking, infrastructure and so forth. But I would say that the two big things I can think of would be, first of all, being proactive about identifying risks. I think it’s an IT type of phenomenon as well, maybe more so in security, that people don’t really pay attention to your function or what you’re doing unless there’s some kind of problem, right? If the system’s down or whatever, and in security it’s if you’re having an attack or something like that. That’s when people notice you. You don’t really want to be in that situation obviously, and you want to be known for enabling the institution to do things and protecting it properly. So there is that mindset that you get from IT that also applies in the security world. But you want to be as proactive as possible and understand that finding and identifying those risks to the institution is really a big part of your job: to make sure that you identify them and bring them forward to be effectively dealt with. Otherwise there’s going to be this tendency that I’ve run into multiple times where there’s an assumption that, as the information security team, or as the IT folks with security in their mandate, they provide the security. Whereas our position may be that security is everyone’s responsibility; everyone has a hand in making sure that things are being done properly in that respect. So making sure that you’re able to identify those risks and bring them forward, make sure that they’re being dealt with properly, and being proactive is a big part of the job. So that’s just one thing.
Another is to be seen as an enabler, which, as I mentioned, is another part of the mindset, and of the impression others might have of you and your unit. You don’t want to come across as the people that are always saying no. I don’t mean you should be allowing incredibly risky things to happen, obviously, but you want to be able to help steer activities to happen in a way that’s effectively managing the risk, and that again means being proactive about providing guidance on how to do the right thing. Do your best to make the secure path the easy path; that goes for IT functions as well in many ways, where you want to make sure that people are incented to go down the supportable path, so this is a form of that perhaps. But yeah, those are the two things I can think of, because basically if you are seen as the obstacle people will find a way to work around you, and that’s a bad thing for the institution if the information security function is seen that way.
(08:48) Huxley Barbee: Hm yeah, I’ve heard from many other CISOs this idea – forward-looking CISOs I should say – that we are not the ‘department of no’, because if we’re the ‘department of no’ then all of a sudden the organization’s not any better. Because you’re putting down these restrictions, but people are just going to circumvent the rules or regulations that you’ve implemented. So, very interesting how that comes into play as an academic CISO as well, and probably more important given how federated many of these universities are, where different departments basically have a lot of independence in what they can do.
Alright, so Tracy, you spent time at other institutions and have been a regular attendee at tech conferences like Chris for years. Are the things that you and Chris are highlighting right now, so far, just limited to the large research institutions or will they also apply to community colleges or junior colleges as well?
(10:00) Tracy Dallaire: Yeah, thank you, that’s a great question, and my perspective is we’re all operating in a really similar environment, but it’s a new normal now. Technology even pre-COVID was rapidly evolving, and it continues to rapidly, rapidly evolve. Also we have the post-COVID impacts that have changed how we work, how we learn, how we engage in organizations; where we are, and who we are, is our computing environment. It could be on a campus, off a campus, in a coffee shop, somewhere. And the global environment around us has rapidly changed. So higher education, I don’t think, was quite the same level of a target as it is today, and it could be our research, it could be just the data, the sheer data we hold and have, because of the advancement and the need for artificial intelligence engines to have data.
So I would say that a couple of critical things, whether you’re in a college or a university, research-intensive or not, is ‘know your environment’. And that’s going to be constantly evolving because, as I said earlier, we’re small cities, we’re doing innovation. Devices come onto the environment, they come off the environment, there’s IoT, IIoT, sensing devices, process controllers, and every student or person comes on with multiple devices. Sometimes three devices, five devices of various kinds. Or things that connect, smart, you know, gaming systems. If you’re in residence and you’re a student gamer you’ll have another device. So I think it’s constantly knowing what’s on your environment, and having tools like runZero that can help constantly scan your environment. Know it’s there and then have an approach to protect it. It’s not one-size-fits-all as well; the approach we like to take is to really focus on defense in depth, have layers of safeguards that consider the different demographics of devices, the things that are all connected in some way and communicating, and pinging off your network. Some are ones that we own as an institution and so we may have the ability to safeguard in a certain way; others we don’t, they’re BYOD, bring your own device. Or they’ve emerged onto campus or just been turned on, and then they’re turned off. So it’s having layers of safeguards to be able to get visibility, detect, and, if you can in an automated way, prevent the activity. For us it’s been really vital to be scanning regularly to know what’s there, to know if there are open ports, open vulnerabilities, older systems, and then have a playbook. Have playbooks to be able to apply safeguards as quickly as you possibly can to the different demographics within your environment.
(12:56) Huxley Barbee: Yeah, I would say this sort of diaspora of devices was happening even before, with hybrid learning, online learning, but due to the pandemic it just went into overdrive. And yeah, both of you are still expected to go and protect all those devices no matter where they are.
Yeah, alright, so let’s turn to another issue here, Chris. It’s about privacy, right, which I think is something that’s far more challenging in academia than in industry, right? For companies I feel like these days the issue of privacy, and handling privacy, has been sort of operationalized. There’s a standard operating procedure, right?
Every week I get another email from some company that I have a relationship with where they’ve updated the terms of service, they’ve updated their privacy agreement, and even the handling of breaches has become SOP in many ways, right. So there’s a breach, they figure out which of their customers are affected, they draft up an email apologizing for it, and then here’s a coupon code for one year of LifeLock. It’s all sort of wrapped up in a bow and all taken care of and it’s all very standard operating procedure. But I feel like in higher ed privacy is just on a completely different level, right? Because it’s not just customers and employees but it’s also students and faculty and staff and parents and alumni and visitors. And all of them have varying needs for data access and expectations of data privacy. So how does that affect your ability to secure the campus?
(14:38) Chris Russel: Yeah, it’s a really good question because it does get at the heart of some of the complexities that we’re talking about within the university being a small city and so forth. And as you point out, all the various different types of people in the community, and those that you need to serve, with unique requirements and expectations of privacy and security controls and so forth. So, acknowledging it’s a complex problem, we do actually have a privacy office that we work with closely on a number of these things. There’s a lot of privacy related things that overlap security, but privacy and security are not the same. And a lot of the privacy related activities are really compliance driven. Compliance is good, but it’s not the same as security either.
But regardless, going back to just the nature of all the different requirements and so forth, that’s the challenge, to manage that, and you can have situations where not only do you have many different scenarios to deal with but you have overlapping ones, people that are both students and employees for example. So it’s the same person, and you still have to deal with how you secure their environment appropriately and maintain their privacy expectations, which might be different for the content that they deal with as an employee versus the content they deal with as a student. And that can become very tricky: what if they lose their job but they’re still a student? We still have to maintain all the expectations along there. So anyway, we have a lot of different complexities in it, but part of it is just understanding the map of all those different scenarios. Because you do have to work it out, and some of this is related to identity management systems, which is a whole different aspect of security controls and so forth, which relates to how you can help deal with the problem.
But understanding the landscape is part of the challenge, and you need to have the right methods and tools to map that out and understand where those different scenarios are coming into play. And, to the best you can, try to appropriately design your controls, and things like how you segment your network even, to make sure that those use cases are playing out in the appropriate areas, and that you have the right things in place to control the privacy requirements as well as the security risk.
So it is a complex problem, and as you pointed out we have distributed IT, as well as researchers that do their own thing and so forth. And this just huge range of different requirements, from payment card, PCI DSS types of regulations, to health data regulations and so forth. It’s very important to make sure that you have a good picture of where those things come into play and that you’ve designed for it, and that’s a fair bit of activity, and any tools you can use to try and make that easier on yourself are going to be a huge benefit.
(18:37) Huxley Barbee: So keying off of one thing you said about understanding the landscape. Tracy, this reminds me of a conversation that we had when we first met. You were talking about how all the laptops went offline due to the pandemic, and that was a challenge, but you said there was another bigger challenge that was looming, which is that all of those laptops that went off campus were now returning as the students were coming back to campus. So I’m curious to know, how did that pan out with everybody coming back online all of a sudden?
(19:10) Tracy Dallaire: Yeah, now I remember that conversation. And when you come back to campus too, there are devices everybody had to rapidly take off campus, hard drives, other equipment that got plugged back in or turned back on as people are coming back. So even though during the time we were all off campus during COVID we set up and evolved into a stable, secure environment, now all of a sudden it’s a game changer. People are moving around. So the kind of approach we’re trying to take is shifting from thinking about it as an on-campus, off-campus world. It is the person, and wrapping the technology around the person, because we’re hybrid, and that flexible work and learning environment, I think that is our new normal. I don’t ever see the pendulum swinging right back to where we’re either on campus or off campus.
So it’s thinking about the person with the devices wrapped around them. Or it could be the building with the devices pinging in and off. And taking a security perspective that no matter where you are you treat the person as though they could be on campus, and have the suite of safeguards around them, and be able to know what they have and be able to protect them no differently than if they’re on campus or suddenly off campus or traveling. That’s really complex and challenging because we’ve put in safeguards in the past, for instance, that would block people’s access if they were out of the country, and impossible travel. But this is very possible now, it’s not impossible, it is quite possible, and so some of the scenarios where we would have had safeguards, rules and policies in our firewalls or in our Active Directory in the past made sense in that environment, but they don’t necessarily make sense today.
So it’s being able to adjust that and change that so that wherever people are, whether they’re using VPN or they’re already pinging into the environment, you have a flexible architecture for your security that wraps the safeguards around the individual. So you think about putting the student in the center and think about all the scenarios that they could be doing. Or a faculty member who’s now on sabbatical in another country, and they’re going to be continuing to do their research work. They might be doing a little bit of vacation but they’re also attending conferences or speaking, and we have to treat them as though they were on campus. Because they could be connecting into hardware and equipment that’s operating research technology, and moving massive amounts of data back and forth.
So for me the way I’m trying to look at it is that it’s the new normal now, and we need to evolve, as security experts, our security architectural approach to this kind of dynamic. And get away from the dialogue of on-campus, off-campus. It is the compute environment wrapped around the individual, wherever they are.
(22:17) Huxley Barbee: And Chris, when York University came back to life did you have a similar experience to Tracy, and how important was asset inventory in meeting that challenge?
(22:28) Chris Russel: So yeah, I can hear what Tracy is saying. It’s very similar. We have very much the same challenges to deal with, and I can totally echo a lot of that, as I’m sure many people in higher ed could. It’s just the reality that we have to deal with. But in terms of asset inventory being helpful, I mean, this is fundamental, right. All those security frameworks have asset inventory; you have to know what it is that you’re protecting to protect it, and it’s CIS Controls 1 and 2, right. It’s the type of thing that there’s already often some seed of within IT, like the CMDB that they might have. But from a security perspective it has to go way beyond that, because we know those things aren’t really kept up to date as much as they need to be. And there’s many things that are out of scope, and plus you add to that the fact that our environments are not all managed. There’s a ton of unmanaged devices typically on our networks and so forth. Some of them, tens of thousands of student devices, not to mention researchers and faculty members and guests and so forth. All of that’s outside of your CMDB, and even if it is in there it may not be up to date, so you kind of need to have your own security perspective on the asset inventory that reflects the reality, up to the minute. And not necessarily trusting that things are going to be manually updated as you might want them to be, but it’s safe.
The attackers are looking for those forgotten parts of your network, or systems that you thought were decommissioned but weren’t, and for whatever reason they’re still running and who knows what. So to have those tools is essential as the security people. It’s really a different thing than IT asset management. It’s looking at the reality of the situation, and that’s a big part of the focus you have to have, that picture of reality, in order to make sure you’re applying the right controls and treatments to it.
(24:59) Huxley Barbee: Yeah, I think one of the key things you just said was ‘it’s the things that are forgotten, that are not known to you or the security team, that the adversary is looking for and to exploit’. That is absolutely key there, I think.
(25:12) Chris Russel: And we’ve got to get, we have to get to that first right. We have to get it before they do.
(25:18) Huxley Barbee: Yeah, know your network better than the adversary, 100%. So Tracy, turning to you here, when you were looking at different asset inventory solutions for McMaster, why were EDR and vuln scanners not a good fit as an inventory? Obviously they’re great for endpoint protection, they’re great for hunting down vulnerabilities in the environment, but what was it about asset discovery that was lacking from those tools?
(25:41) Tracy Dallaire: Yeah, thank you for that. EDRs and vulnerability scanners, you know, they’re very fit for purpose; they’re not a sophisticated tool for figuring out what’s in your environment. They’re really looking for the behaviors and abnormal behaviors, and threat activity, and the signatures and that. So it’s really about making sure you have a suite of tools and being really clear on what their purpose is, and not trying to use a tool that’s really not fit for that purpose and kind of fudge it into, or make it be, that, because you’re not really setting yourself up for success with that. So it’s really understanding that, and then getting best-of-breed products that are going to do that specific function that you need, the certain tool or wrench that you need in the toolkit. Knowing when to use it, and making sure they can work together really well, and that’s what I really appreciate also with all of the products out in the environment: there are more and more efforts to work together, to be able to take data and information from one and bring it into the other. So rationalize, then make sure you have the right tools in your toolkit. The team knows what to pull on to use for what purpose and, as much as possible, get as much visibility, know what’s in your environment and just protect the heck out of it, and be able to pull on the right tools in the toolkit at the right time. We’ve also been trying to enable as many people who are IT professionals across the institution to use those tools. So we have others using runZero, which is great because they’re constantly scanning their part of the environment, and then if they see something concerning we go in with another tool, potentially, and do deeper vulnerability scans. And we may see that they don’t have our XDR or EDR solution on it, so we get that on there. So those are the kinds of ways that on a day-to-day basis we’re using this suite of tools.
(27:47) Huxley Barbee: Thank you. Alright, so Chris, Tracy, let’s go into some key takeaways here. Looking ahead over the next two years, what do you think a higher ed CISO needs to have in their security program to be successful? So, whoever wants to start first.
(28:09) Chris Russel: Well, I can start with some of it. I mentioned something about the CIS Controls and so forth, and some of it is you need to be grounding your program in standard frameworks. I think the bar for security, for everybody, but particularly in higher ed and in the public sector, because we tend to lag sometimes in that regard, is being raised.
So we need to deal with that reality, and that means really dialing up how much we’re able to follow some of the standard frameworks, and making sure that the appropriate parts of our network, and our devices, and endpoints, and users are all being appropriately protected. And again, that starts with understanding what they are, and who they are, and where they are, and making sure that we can protect them properly.
So that’s part of it: to really get a reality check on some of our asset inventories, as mentioned, and getting into that. I’ll let Tracy go next.
(29:37) Tracy Dallaire: That’s great, thanks Chris. And building on top of what you’re saying, and those things are all so important, I think three bits of advice or takeaways. First is right-sizing your tools, knowing what your need for tools is, and getting the most out of them. So that you have the right tools, right-sized for your institution, your environment, your team, getting the most out of those, relying on third parties where you need to.
Second is continually learning about how threat actors are doing what they’re doing. So any opportunity you can, whether it’s at another conference or in another dialogue, hearing from others the postmortems or the after-analysis of threat activity, and constantly paying attention to how threat actors are doing what they’re doing, their modus operandi, so that you can adjust your prevention, detection, prediction, response and resilience, because they’re evolving. It’s not one standard way.
And the last is: constantly consider new emerging areas like artificial intelligence, which we heard a lot about recently at a conference in higher ed, and understanding the IoT/OT smart city, smart campus environment. So constantly staying abreast of the emerging technologies, evolving technologies, and how one could potentially exploit that. And so what do we need to do as security professionals to protect that, and get out ahead of it.
(31:08) Huxley Barbee: Right, thank you very much. So let’s go over to Noelle for any questions from the audience.
(31:17) Noelle Hardie: Alright, I see one that’s for Tracy: what are some edu conferences that you recommend attending?
(31:25) Tracy Dallaire: That’s a great, great question. So a couple edu ones: if you’re in Canada, CANHEIT, the Canadian Higher Education IT conference, happens every year around June. Now that’s broad, for everybody. Targeted to the higher ed community in Ontario, we have a version of that called OHEIT, the Ontario higher education summit. There’s Educause, which is in North America, hosted in the U.S. That’s a really great event. Then there are a couple of others that aren’t necessarily just higher ed, but there is always a higher ed presence: there’s the Evanta CISO Summit group, a community of Chief Information Security Officers or heads of function that cuts across industries. Higher ed has a big presence at that. They get together a couple of times a year; that’s a great group. And what was the last one? Oh, and then Gartner puts on a whole number of different conferences throughout the year, broad ones and then ones specifically targeted at different disciplines within technology, and again there’s often a really good higher ed presence. There are many, many; I wish I could go to them all because there are so many, and it’s being able to balance throughout the year.
(32:45) Noelle Hardie: Excellent, thank you. Next question is for Chris. Chris, as you developed your experience and expertise over the years, what was the most surprising thing you learned about the role of a CISO?
(32:56) Chris Russel: That’s a really interesting question. I have to think about that, but I think one is expectations about information security being different than IT, and particularly for the security leadership and so forth. So, for example, if you’re the CIO and you’re talking to someone, and they have an issue with their Windows machine, nobody expects the CIO – or at least in my experience – nobody expects the CIO to troubleshoot why their Windows machine is acting up, right? They expect that you have people for that.
In the security world I don’t quite have the same conversations. As CISO I talk to people and they’re like ‘so how exactly does this threat actor use this vulnerability to get into my system?’, and so you’re kind of expected to know, and be the subject matter expert of every little thing, honestly. For me I find that it’s kind of fun, I like thinking at those multiple layers, so it’s okay, but it is interesting. I do find expectations are a bit different. Sometimes I feel like I have a bit more in common with people like those in the office of the University Counsel, who are the closest thing I can think of to others that are expected to be strategic advisors as well as detailed subject matter experts. So anyway, that’s just something that comes to mind.
(34:35) Noelle Hardie: That’s interesting! Thank you for that. And then we’ve got a question here for both of you. What is the most fulfilling thing about working at your respective universities?
(34:46) Tracy Dallaire: Yeah, I really reflect on this. It’s making that difference for that student, or that researcher, or community member, or that faculty member, to get them back up and running. And I look at it as harm reduction, because there is harm that happens directly to, say, some students, international students coming in from other countries; they’re very vulnerable. They’re here in this country to learn, their families are far away. Through my time thus far in higher ed, I’ve had times where we’ve gotten them back to a good, safe space when something has happened that has caused harm for them. And being able to make that difference, and get them feeling comfortable again, get them back operating again, learning again, getting courses sorted out, those kinds of things, working with others at the institution. That’s incredibly rewarding and incredibly fulfilling, to know that you’re making that direct difference for that person in what can be a quite scary and traumatic experience that they’ve had.
(36:00) Chris Russel: Yeah, and I guess for me it’s also very similar in the sense that there’s a lot about the people. Hopefully people work in an institution where that’s true, but I found in higher ed that it’s actually very common that there are good people wherever you look, all of whom share in the mission of what a university or college is about. Which is a lot about doing the best we can for the future and, basically, contributing to humanity through that educational mission and research mission. So just being a part of that and sharing that spirit with those around you is a good feeling, and that’s one of the reasons that I’m still in this particular industry.
(37:05) Huxley Barbee: And I want to thank both of you for dedicating your careers to the educational mission. The work that you do does help the world at large, for sure.
Alright, so if anybody in the audience wants to connect with Tracy and Chris after this, look out for the recording; we will have links in the show notes or the description that you can use to connect with them offline.
If you are looking to have the same type of full asset inventory that’s helping Chris and Tracy in their jobs, of course, the product is runZero. runZero is the fastest and easiest way to get to a full asset inventory, and it can discover all types of devices, IT, IoT, OT, no matter where they are, in the cloud, on-premise or remote. There is a free trial, and there’ll be a link to that in the show notes or description as well.
Also I want to remind everybody that runZero recently introduced an educational license where we’re providing full and free licenses to faculty members. But most importantly I want to thank Tracy and Chris for their insights on what it takes to be a successful CISO. I’m sure anybody who is coming into a security team in academia will learn a lot from this particular conversation, so thank you so much, both of you, for taking the time. Thank you.