
uh let's get going um thank you for joining us uh excited to be a part of this today um this is the fishbowl and i don't know why i decided to call it that but uh it was a good idea at the time so we'll just stick with it um i am um lucky enough to have collaborated with all the panelists uh here for the last couple of years and some really interesting endeavors um and i did the math before i introduced them all and i think there's a little over 100 years of it experience on this panel so um yeah if the topics sound old it's not that they're old it's just that the
people who are doing them are old and i think i'm the only one if you do it in internet years i think it's like 500 internet years of experience isn't it like 4.7 to 1 or something um my name is curtis blaise i'm the shared chief information security officer through alberta's premier technology accelerator cybera if you can just look over my shoulder and see the cybera cup right there yeah that's it uh they cater to the higher learning space k-12s and some other public sector organizations uh i have a little over 30 years experience in i.t um and we were all kind of adjusting around going i'm not sure i'm going to say exactly how long i've been in i.t
but i'll introduce the rest of the panel um we'll start with uh mark mark leads the cyber security operations governance risk compliance and if that's not enough architecture teams at the university of calgary and mark brings us 20 plus he didn't tell me exactly how many years mark good to have you next uh with over 25 years of experience another one who wouldn't give me the exact number but 25 plus uh in it security rob leads the security charge at southern alberta institute of technology that's sait through the implementation of governance control frameworks policies procedures extensive vulnerability management security awareness and phishing programs rob sir rob good to have you thanks curtis i think i just knighted
you i don't know i'm allowed to but i think i just did i do have a sword right here i could pull it out if you want um next uh frank frank brings over 20 years of practice in various disciplines of i.t but now focuses primarily on cyber security and risk management as the director of it infrastructure and security at mount royal university in calgary frank good to have you and last but certainly not least a fellow edmontonian uh with more than 20 years of involvement in the it space much of this in the software development space charles is currently the chief information security officer at macewan university in edmonton uh most of
charles's experience to date has been in the private sector but in the last six years or so he moved into the higher education space and uh i'm sure he's glad he did that charles glad you were able to join us thanks chris all right here's what we're gonna do we got four topics uh like to chat about all of them um and what we'll do is i'll be watching the chats if you have questions about the specifics questions that we're talking about feel free to pop them in there and after each one we'll stop and we'll try and address questions so the four questions are number one protecting advanced education number two academic freedom versus cyber
security friends or foes number three centralized versus decentralized i.t and then number four security technologies uh so each panelist will have an opportunity to chime in we'll chat about subjects maybe even get a little dialogue going and then answer questions and we'll see how far we get all right let's get started with uh topic number one protecting advanced education in a recent insurance industry report it was noted that the most targeted security sector for cyber security attacks is the advanced education space because they are information rich they have student records staff records faculty information as well as at times leading edge of research and data of a wide variety of disciplines so the question
uh and we'll start with you rob is well what makes it so challenging to secure an advanced education uh i was thinking a lot about this one and really the the best way to give an analogy of it is it's like running a small city we have we have literally everything we have we have restaurants we have hotel spaces we have thousands of students we have staff here we have like you said research data there's literally everything and anything you can think of and we're also dealing with instructors who are cutting edge and want to do the latest greatest thing right as well as the fact that we teach students here at sait anyways how to uh
how to write malware how to write root kits um and so we have to make sure that we're you know keeping it all protected so it's it's a it's an interesting and challenging environment to be in for sure i mean i i spent uh i spent over 20 years consulting the oil and gas industry here in calgary and i told the cio when i came here i said you did not prepare me for higher ed um has definitely been an interesting challenge for me in my career and i love it it's fun it's because things are always changing but it is uh it is tough to secure that's for sure yeah it sounds like the enemy within rob
the way you described it mark is it the same for you what do you how do you think what's what's so difficult about securing advanced ed sure yeah i can add on to really great comments there from rob so you know when considering i t security there are like huge additional costs of projects and technology implementations and sometimes that's a hard bite in taxpayer funded institutions and just to add to what i was saying you know we are we are you know we do scale to the size of small cities and we have it all like health data on my side you know we have health data just add to the list that rob is talking about that personally
identifiable information and a health level um so identity management is key to that success and and supporting that and universities are really a big data security problem you know like on average like i've talked to some of the the u15 people and and the u15 is the top 15 universities in canada for terms of size and university of calgary is in there and you know we have about 80 identity types and about 80 000 different accounts that people log into that's human accounts that people log in with and we have over 44 petabytes of storage that that we you know people use and support to do research with on campus and it's just it's crazy when you compare that to oil
and gas companies that that i worked at many years before as well and um but you're kind of finding that advanced education like other industries before it is starting to experience that increase in external scrutiny and we're starting to have external audits and we're starting to have funding projection protection reviews and regulatory scrutiny and it's starting to come around and i think the new expectation that is repeated as these audit failures if there's audit failures at your institutions or identified information security breaches situations that will ultimately lead to the loss of funding if we don't start to fund security in advanced education more and the just just the general funding amount for for security and per device in
institutions is lower and the key is to get that that leadership buy-in and help people understand the facts of what's actually happening out there in your threat landscape and we don't scale to just one use case at universities you know we have multiple use cases you know this person wants to run a virus lab over here and this person wants to share health data with the university of toronto over there and then this person wants to you know research rats and what happens if somebody feeds them from pushing a button on an internet and use cases are vast and so yeah thank you yeah absolutely uh you know i think it what gets lost in that
most makes people maybe not even realize is that you know universities of that nature are dealing with uh organizations like nasa and i mean i mean like all kinds of data and so you could see where it'd be a pretty rich target frank same thing for you what do you what do you think what you know what's the biggest challenge obviously rob and marcus have covered a lot of terrain there um i think uh you know one of our challenges obviously is we have a very large dynamic user environment so identity and access management is is very important uh our users are users or our targets like phishing campaigns are very effective when you have tens of
thousands of users you can target um you know where as a university you are an open environment i mean anybody can walk into the campus start dropping usb sticks everywhere and and see where that goes you know research environments a lot of intellectual property that's very important i mean that's probably more relevant to mark's institution they do a lot of cutting-edge research there so that's you know that's our challenge we're very open and we need to be open by design uh but makes you vulnerable at the same time hey i think that rhymed charles same for you what would you say yeah pretty much i would probably expand on on some of the sentiments that
these guys said i think our broad user base is is a constant challenge and it's not that we just have you know 20 to 70 000 users it's those users have all different types of affiliations to our university and they all need some sort of system access right so you have users that are normal staff and faculty you have people who just apply to the university still need some sort of access you know you have undergrad students continuing education in like extension study students who've only signed up for a 100 course still need a user account and some sort of access right and then you have like graduate students at a really big university or
maybe you have visiting researchers that actually need accounts you know we call them research affiliates in macewan and all of these different roles can overlap too you of course have staff that are also students and students that are casual uh staff in your sport and wellness area right so yeah i i would sort of highlight the identity and access management challenges are huge right because all of these people need some sort of access to your infrastructure and every time you implement a security control you have to think about how it affects all of these different user types very cool yeah i mean uh just the sheer size i can only imagine just adding up how many people were talking about just
the institutions that are represented here it's it's it's really i mean we're talking at the level of you know i just mark mentioned cities so um i was checking the questions i noticed angela you noted something about faculties wanting to do things their own way that's one of our questions actually so if it's okay i'll wait till we get to that and we'll maybe address that then i don't see anything more so why don't we jump to the second second subject uh academic freedom versus cyber security i think we've all seen in the news over the last a few months the idea of academic freedom and freedom of speech is there a similar scenario between the
idea of academic freedom and cyber security are they friends foes mark what do you figure so yeah yeah the ever-growing battle of let me do what i want hold on you need to be secure um but you know educational institutions traditionally thrive on their unique ability to teach and perform and research in a quick and effective manner and it is a key element that kind of drives the funding and the success for the institution that's how they get grants and things like that and at times you know it is perceived as an imposition of information technology security on top of that you know research is sometimes considered unsupportable or detrimental to the research process if you stick it in
there and and there's many cases where unfortunately it's left out and you know i've heard about it at other institutions and experienced it myself too it leaves that research vulnerable and and to compromise and so you know and really where universities were previously less likely to be attacked they are increasingly targets to these new threat actors that you know are finding it um easy easy sometimes easy to get in and trick these people with phishing attacks things like that and universities are really referred to as whales in in the black hat community larger universities and and you know they're big targets and so the increase in state actor interest in our intellectual property um you know and it could be quickly
monetized and and so really what needs to happen here with the relationship i'll tie this back here now really what needs to happen to the relationship is we need to pivot to a relationship from checkbox compliance and shift to risk-based decision-making and and what that's going to do is that's going to help the relationship so that we're not saying you have to do these 10 things and it's like wait maybe you only need to do these things because of your data classification or how you're operating or where you're doing it in the cloud and um so really to finish it off you know we need to recognize that information technology security is not an imposition
on academic freedom but it is an indicator of academic excellence going forward and it's our job as security professionals at institutions and if there's any others who are watching us here we need to bolster that relationship and work with them and my advice is to watch the checkbox compliance and help them understand the risk and help them address their risks with proper controls or processes that's that's interesting mark i heard you say friends obviously and i expected that from a security professional um charles you see it the same way yeah i i do i think i mean one of the things you know it's that balance is the really hard thing to strike between security and
efficiency and exploration and everything that comes with academic freedom right and i think the one thing that's challenging another thing that's challenging for us is that that basically just slows everything down right because it involves so much more uh collaboration and communication and on all of your the work that you're trying to do to secure the institution right one interesting twist to something like academic freedom is that it often means that faculty retain the intellectual property rights to all of their data which means that while we're protecting our institutions data we're not even necessarily protecting our data we own right and that's why consultation becomes so huge in order to get anything done right you know and
then with that comes lots of devices that aren't managed by the university because of course they have the freedom to buy them under their own grants right so it's just every step along the way you have to take a step back and look at how uh how cyber security can be done in a more consultative and risk-based process it's not a perfect science right i heard you say two things like the idea of custodianship of data uh you know in some ways you're the custodian because you you run the infrastructure and your job is to protect all that data that you're custodian of but on the other side and even mark talked about this about about research grants and money
and the researchers and how it all belongs to them um i wonder if you know tying if the research funders themselves sort of got involved and said you know you got to follow good security practices or we're not giving you money to do this kind of research i wonder if that would make a difference um i didn't mean to lead you that way rob but what do you think well i i agree i think you know it's a lot of stuff that charles said even though his other talk to is all about the collaboration that's required um to do things like um simple things like implementing mfa across the institution are are painful sometimes because of just some
of the things that you have to consider when it comes to working with the faculty and the students and everything like that um and it's it's it's definitely a balancing act for sure it's something that that i talk about quite often with our with our management team and a lot of other people too as well as is you know security is really a balancing act um that it has to be right it's about enabling the institution to do what they want to do but do it securely and it's and it's a constant constant struggle that you're always selling and marketing what it is that you want to do and how to secure things and sometimes you have to make concessions
too as well and figure out you know other ways to make sure that things maintain their security because it's just a it's just a constant uh switch back and forth back between you know this and that and who can who wants to access this who wants to access that you know we had a big battle years ago about local admin on desktops right it's like you know those things just just keep coming at you all the time and then it's it's it's accelerated with the adoption of the cloud and everything like that the worst thing happening now too as well i i i while you were talking i'm thinking you know i can i was i was
looking up to see if i could register the name tightrope security because that's what it it sounds like you're walking on a tightrope the whole time frank uh what your experience here what do you think yeah um certainly you know researchers and faculty where you know securities is not always top of mind they really focus on their research and and what they're teaching and uh you know it's up to us it's up to us to have the the discussion to to uh to bring that into context and i'm sure they're very interested in protecting their ip especially if they're researchers um so yeah it's about you know consulting and and and discussing the risk can
come up to that uh um that arrangement that that satisfies both sides it sounds like you know that that give and take a little and and i wonder if we really you know do we get that is it is it come that way um there's a good question actually uh angela asked about canada's uh bill c-11 so that's a kind of the new privacy bill and when you asked that angela i was wondering if initially if that was the there's a quebec legislation too that's they're saying is similar to gdpr that may affect those who do business uh with quebec so anybody want to jump in around uh privacy and how that may affect cyber
security programs yeah i can jump in i mean privacy legislation is something that we deal with all the time we deal with with the health information act as mark mark mentioned foip here in alberta gdpr for any of our students that are based in the european union so there's a lot of different privacy legislations that are coming california recently enacted one that that is actually a lot more restrictive and i'm expecting to see more and more of that and so it's stuff that we deal with all the time and so this new c11 privacy bill that's coming it's just going to be another one that we just have to consider while we're doing things we spend a lot of time on our team just
talking about privacy and information and you know if we're doing the right thing when it comes to all the stuff that we're trying to protect anybody else okay uh stephen made an interesting comment in there when people when people their information patents are at risk it's an easier conversation you guys find that if they're they're looking at their data and going your data's at risk do they listen to that yeah yeah they they do yeah of course comment on this one yeah no they they do listen and and you know there's there's organizations like i said and things out there that are giving the grant that grant funding for nationally in canada to researchers and things like that and
they they just released in july that that they people have to perform a risk assessment based on the type of information they're working with and so you to your earlier commentaries about like are the you know the national organizations start who are giving the granting funding actually starting to require cyber security and the answer is yes and it's starting and there's five requirements for i said from a cyber security perspective and a lot of it actually says to work with your um your cyber security department at your institution which it which is great because that makes sense because we're responsible and accountable for the confidentiality and integrity and availability for all the data that work
resides on our network and our systems that our researchers work with so you know having them come in and talk to us and having that that oversight and support really helps and really drives that message home to researchers that work with us because we're going to be flexible with you and you know take that risk-based approach like i was talking about earlier very cool anybody else uh jump in on that alrighty i think we got all the questions so let's move to topic number three uh and this was hinted at a little earlier centralized versus decentralized i.t the reality in in many large institutions is that there are multiple i.t departments with shadow i.t in nearly
every corner we know this is kind of contradictory to good practice in i.t governance which is where central i.t is is where things can be managed and secured in a kind of consistent manner not to mention the cost savings of infrastructure and some of the benefits you get from bringing some of the technology together and being able to support them so the question is how big of an issue is decentralized i.t and uh as it relates to cyber exposure charles what do you think i i think it's kind of it's it's an interesting question i think it is a big issue and it's it's not always in the way that you typically think about it um
the organization that i'm at macewan we consider ourselves centralized i.t so we don't see a lot of issues uh with shadow i.t and faculties there's a little bit of an i.t presence in the library and comp sci faculty but we work together and it works where i actually see this at macewan is with our non-academic departments like facilities for their building control systems and door lock systems or our campus services where they're they have food vendors and parking all doing different types of payment processing right and you know as mark's alluded to before it's it's difficult getting you know proper funding in it in higher ed and this leads to smaller teams and when these different business
areas are bringing on these new solutions not enough it involvement or what i see happening at my own institution is a lot of vendor managed arrangements for it solutions and so you end up having decentralized i.t not even out from your faculties right or you're having to rope in vendors who are not patching systems um so you know and i admit that probably that decentralization that's happening at macewan is probably because we don't have a you know mature enough set of standards developed to make sure that those business areas are following suit um but you know it is a challenge for sure because of the size we are and what we're dealing with for resourcing
frank uh similar you have a similar situation yeah yeah obviously us we're very similar to in here at mru a similar size and we did we do have the the same setup we we do have a centralized i.t uh set up which i think for our size of university is ideal i think you have a bit more control somebody with a question in there does everybody use the same network so you know in our case uh we do so we do control the whole network environment uh there are some uh small i.t pockets uh outside of of central i.t uh similar to charles a library which has a fair amount of technology in there as
some smit players there uh comp sci same type of thing we do need to work with vendors vendors bring in their own environment much like charles also the the iot uh in facility management is becoming uh bigger and bigger so there's external vendors involved so we just got to make sure that things are done to our standard and it doesn't affect the security of our environment but i assume mark will have a very different story than both of us as he's essentially bigger and has a lot more complex environment well mark that he just teed it up for you you didn't do you don't need me yeah set me up for success there frank so
yeah you know you know at the university of calgary are larger and you know a lot of larger universities across canada actually have they're more decentralized than the university of calgary so so our previous vpfs then belgrade was a great leader and she helped centralize i.t at the university of calgary and it really did create a lot of efficiencies but we do still have other i.t we actually don't call them shadow i.t anymore the university of probably call them other i.t we see them as partners but you know really like on the campus like like cars and other larger ones across canada we have every imaginable combination of hardware and software that is employed in the university setting right and the
management of that technology is often decentralized including like technology operational and security components and so you know like just imagining the technical and security debt out there because of that because usually in a decentralized scenario not everyone will follow the same framework or governance or have the same it general controls and practices to ensure that they're operating effectively and securely which will also ultimately in my opinion will ultimately lead to higher costs in your educational institution and potentially a breach because if the one parties is not taking cyber security seriously um and they believe that they are secure for some reason and and you know they're going to have some sort of gap without without an
analysis and and they're going to it's going to lead to a breach and really governance is is an answer i'm not going to say the only answer but it is an answer and that top-down leadership driving for the efficiencies of central services another thing that really comes up in decentralized and centralized i.t departments across universities is the attestation of compliance for certain researchers and research faculties that they have to do and and it's challenging to complete when not all parties that you're at your entity are on the same page for the framework and standards that that they're that they're following and the other thing that that happens is everybody kind of touched on it about
having software vendors and people buying software it's really that third-party risk is a reality for all of our organizations right and at a university you know we review hundreds of software acquisitions requests and that's that governance model of driving that into so that you have a proper threat risk assessment a privacy impact assessment you know those kinds of things and that can limit the supply chain attacks that you inevitably are going to have and everybody is having out there right now unfortunately due to your integrations and you know that those third-party risk assessments and having that centralized governance that's that's key to protecting the confidentiality integrity and availability of your data at your institution again
and so in order to deliver a robust environment universities need to enable it security management function that is centralized robust and they need to be flexible and they have to consider the diverse nature of the operations at university and and whether you're centralized or decentralized you know having that that central cyber security function i think is key that governance of how everybody used to operate there i know i it's thanks mark and sorry for interrupting um in a private sector setting i saw this and i saw well not quite private it was kind of private but uh an auditor actually solved the problem of shadow i.t basically by walking in saying listen if you're going to do i.t
and you're going to do i.t i'm bringing all the controls to you and to you and you're both better pass and as soon as that happened it became centralized rob was this your experience anything like that or what's it like at sait um ours was very similar to mark's story so we we were completely decentralized in 2018 we had eight schools here at sait and we had eight it departments eight help desks and it really became a budgetary problem um it was how are we paying for all these separate common services across the institution and so uh the decision was made in 2018 to centralize um and we're just um we're at what a point now
where we're kind of um settled from that huge change to the organization and it's been it's brought a lot of benefits we're uh you know we obviously have one single help desk now so all staff and all students can come to one place and it's and it's been good that way and it's also allowed us to do things i think a little bit better when it comes to security for sure because we know the whole stack now for the entire institution um spent a lot of time you know my in my previous days running around to different schools and just trying to get my my my controls in there you know because i knew that that we're going to get out of
it or something's going to look at us or something bad was going to happen right i did not want to it's one of the the main things that we always talk about is we want to stay um out of the news right for any bad reasons and that's you know that was that was pretty much the whole job when we were decentralized but now it's it's a little better because now we have like uh like frank mentioned a set of common controls standards um third-party risk assessments that kind of stuff and i think today i think we're pretty good but we still have people pressuring us to do to do shadow i.t um we still called shadow i.t here
for sure um but it's uh but it's the cloud really that that's driving that right it's so easy for a school to just say we want to do something and talk to a vendor and stand up something in the cloud and the next thing you know sait is out there and we're trying to figure out whether or not they put any controls in place on that on that service or what data that they they've moved out to the cloud or anything like that too so it's always a challenge for sure something you have to you can't let your foot off the gas you have to be constantly striving to make sure that everything is
maintained in a central way yeah i was gonna say um saas has empowered shadow i.t because you mean you know he needs a credit card and you can sign up and and then there's data going and so uh i mean any does anybody want to talk about saas and their experience with us like is there something you're doing to try and minimize that or well i think we're probably all doing like mark said and rob we're doing threat you know whether it's a technology risk assessment or we call it a privacy and security assessment we're doing centralized assessments but staying on top of them is really tough right because once you centralize that function and you have
that central governance you have them coming from all over the place and nobody wants to take the time to to slow down for us to look at the privacy impacts or the security impacts of that saas service right yeah i agree and i think for us we put financial controls in place so it stops at the purchasing department people can't buy stuff but what we see happening is that like you said curtis they use your credit card and buy something right and that that that's something that purchasing doesn't see right now today so it is it is hard to stop completely for sure actually i i've been working with an institution who actually just recently
put in uh controls at the credit card layer where you cannot buy software on a credit card because they were having the same problem right and so and i guess that was my kind of comment you know you charles i mean you when you know about it you can do the assessment it's when you go what you're using what right and you find out after or they need it next week right because you know sessions opening up yeah oh yeah that that's one interesting thing about universities maybe not just universities but everywhere as it's always i need it right now and you know and so that's kind of where you gotta well at least we doing is we tie
it back to data classification which was set by legal and privacy and then when you kind of have that governance model in there where people have to follow certain standards based on the data classification they're working with like we try to have some sort of iso compliance or soc 2 type 2 compliance for all saas providers before before you use them with our level 3 level 4 data which is our like confidential and health information data and you know it does slow people down and it is frustrating at times but it comes back to that resourcing resourcing challenge and um you know how do you how do you get uh like self-attestation on threat risk
assessments it's you know something that should be on a roadmap i think and i'm helping people understand their risk great all right i don't see any more questions specifically about this subject so let's move on to our fourth and uh final hopefully final uh because we have a spare question but hopefully we don't have to go there um security technologies uh it seems like every day a new company shows up in the landscape with a different twist on some sort of cyber security product what one cyber security technology would you say makes the biggest difference in your ability to provide security to your institution something old or something new or something borrowed or something blue i don't know there was a saying
about that uh frank what do you think yeah i'll address both that uh something old and something new uh you know something old maybe something current uh i would say what would affect our or improve our security posture the most right now is uh implementing mfa across the board across all faculty all staff and all students uh it's it's it's a big project but we're kind of on our way i mean obviously with our big use our very large user base uh that's a lot of targets um you know our when we do our our phishing exercise uh every quarter there's an unfortunately large number of people that click on the links so certainly mfa will uh will certainly
improve on minimizing those issues um from more of something new perspective i would look at uh you know the xdr technology the siem soar type of technology like technology that kind of like aggregates all kind of like uh the the data from multiple data sources from your environment and then hopefully provide some some automation and some orchestration uh from an incident response perspective uh i did see uh a great presentation from uh fireeye and mandiant just before this regarding xdr um it's quite interesting uh you know i i look at the xdr is fairly new uh i look at the vendors like we uh we have sophos uh edr on our platform and uh they're
upgrading us to sophos xdr uh but that only means that uh you know we we we could put uh sophos firewall uh information and uh with the edr and sophos email gateway so integration with other technology is it might be limited or are complicated to do um i think uh one of the one of the great slides that i liked in in the previous presentation was is xdr made up it's a made-up term by vendors to sell more products i thought that was funny but i think it's great technology hopefully uh to bring effectiveness in our detection and response and uh well for us uh we have a pretty good siem environment so maybe to
to add the soar capabilities to that to add orchestration and automation uh to what comes out of the siem uh would be uh a pretty good advantage for those of us who are long in the teeth in the security space you know you hear a term like that and you're thinking snake oil you always got you know one eye open a little i mean um i i and then the guys i was in that session a little bit too and the guys did a good job describing you know kind of the description of xdr i i like to think of it as threat intelligence fed security layered solutions like to me that's and with some automation built in
nah it's probably easier to say xdr rob what do you think something old something new what would you say the best technology oh man i hope there's no vendors on the call i i heard the other day that there's over 900 different security products out there in vendors right now and um to be honest with you i'm i've had most of them on permanent ignore um when they're contacting me because it is constant i i honestly get you know probably 50 linkedin invitations uh you know a week i get i get hundreds of emails from from cold call vendors and stuff like that with new snake oil um that i that i that i
unfortunately that's what i call it and and what i'm a big believer in is maximizing the use of what you have in place already um i used to you know way back in in my career i worked for a managed security provider and we did we did siem management security united and information and uh we we discovered that most organizations only use about 20% of their siem's capabilities when they deploy them they they buy them they spend hundreds of thousands of dollars on them they roll them out and then they just call well well we got a siem so we're good and they don't invest the rest of the time the money that so so when i got
into the industry and started working as a leader in there that's one of the things that i focus on is maximizing the use of the technology that we have in place so we have a siem we have vulnerability management we we have xdr too as well in place here and my my mandate to my team is is let's just make sure we're using it to the best of its abilities before we look at anything else that's coming down the pipe because there literally is so much but i i do agree with frank that xdr is amazing when you when you tie it to threat intelligence and add a little bit of machine learning in there where it's
doing some automated response and uh it saves us a lot of time and that that's the biggest thing right because um you know with with the you know the 40 000 students that we have you know doing stuff you know there's compromises that happen all the time and to have the xdr out there going and just telling us look i just somebody clicked on a link and got you know an infection and we cleaned it up for you that that's that saves our team time right go and clean it up so it's it's a good thing to have for sure um one of the things that i also want to talk about too is just um the pandemic
changed everything for us we had everything was on premise all of our security technologies all everything we had was on premise and then everybody moved to the cloud and we discovered that we were blind to what was happening and so we moved a lot of our uh our management systems our monitoring systems out to the cloud just to see what was happening out there and that that's improved our stance quite a bit by doing that very cool rob uh you mentioned something that tweaked me whenever i go in and work with an organization and set up a security practice i have a set of axioms and one of the axioms is to radically leverage the
technologies you have because i agree with you in a lot of cases we buy it and we maybe use 20% and we move on to the next one and and and the idea is make a good purchase and and then leverage leverage like really leverage it um charles uh how about you something old something new best technologies well you segued right into what i was going to say i mean i think like we planned it likely exactly exactly in the last year probably the biggest improvement i've seen was maximizing the potential of one of our uh our tools which is microsoft right so we moved from a3 or e3 licensing to a5 or e5 licensing
and that allowed us to utilize the full suite of defender protections and we went all in right so for all our workstations which is huge as rob was saying now that everybody's working from home we actually had visibility and some automated response um to everybody's workstations that are sitting at home rather than on our network right and then we also implemented defender for identity through that suite and that was absolutely critical to detecting and investigating a breach that we had in april we managed to actually the breach actually resulted in our domain controllers being compromised but because of what we saw in defender for identity we were able to stop it before it became a ransomware incident and be
able to track back the path that the intruder took because of course they came in through sort of transient lab vms that are reset every 15 minutes we had absolutely no log data you know from the entry point but we could trace the the activities of them through defender for identity very cool um uh i i agree with you i've spent some time in the edr space i know they've called it xdr but the response has come a long way the visibility is unbelievable like i've never had that in my lifetime as a security professional um and and makes huge difference not just within your perimeter right yeah well yeah at the endpoint no matter
where it goes you want to be able to know what's going on uh down even down to the process level or extract the file and drop it in sandbox and see what you know what it did actually do did it really do we think it did so cool uh mark uh something old something new what would be uh you know what's the best security technologies that you're using yeah yeah yeah i always have a lot to say so so like a defender a defense in depth model you know is always the best approach from like your people process and technology perspective and selecting a technology for your institution to get the best bang for your buck it needs to start with proper
security architecture and understanding how your business operates knowing your gaps what's your threat landscape and that's going to drive buy-in from leadership to help you with setting up the right solution so for something old i would say make sure make sure everybody has like at least the next generation firewall you know monitoring your perimeter and what's coming in and out and just to add to something old there make sure you patch patch patch patch patching is key key to something old i think patching is old now because people should just be doing it and then for the something new you know like endpoint is the cause of 70% of breaches says educause in education right and so
a focus on that endpoint detection and response capabilities is key to threat mitigation and just like everybody else is saying a good xdr with multi-source threat intelligence is going to be my pick and you know really we are supporting that borderless campus these days and it needs to go past the edge otherwise otherwise you're blind and when they come back on campus they're in and so definitely a good xdr solution is the way to go excellent i noticed there was a question and i'll throw it out if it's a couple of us answered in there as well but uh asking about data class and have you implemented data classification and anybody want to jump in on that subject
as well a little bit sure yeah yeah yeah so the university of calgary we have uh four levels of data classification and if you go to if you search ucalgary policies it'll take you to a website and then just go look at data classification it breaks it down into four levels so public private confidential and restricted and then each of those has a definition of what it is and the privacy legal office has worked hard through a committee called the information and access management committee and what that does is that that drives these standards into the ethics board and how researchers operate and what they can do with the data and how they use it and what standards they need to
adhere to from a technology perspective but also a privacy and point perspective and sometimes the health information act depending on on what the data is and um setting up data classification anywhere is difficult i've tried it at other at other places in private as well and and really you need you need that leadership buy-in and understanding to how are you going to protect your data and sometimes it can actually save money um because you know you spend the money to protect your your higher value assets in your higher value data classification and it really depends on how you do it but you want to you want to work with your data architects and your security
architects on on managing that and make sure that you you employ your partners in your organizations to help you do that specifically privacy and legal who really need to own that standard and to to drive it home to get it past the board or wherever it needs to go to have that ratification there you go there the digital gospel according to mark actually hey i think i could tie that all together so if you have any questions throw them in but let's do that the digital gospel according to mark we have sir rob millman we have francis vatican nadan and king charles i mean it's a royal group of people right here i mean let's look at them
ah yeah that was a tough one to tie together but i i think i got close um are there any questions from any of our viewers uh to any of the panelists feel free to pop it in there and we will i think we have about only about a couple minutes left but we'll uh we'll hang around and see if there's any more questions does that mean we're not going to get to the dreaded last question [Laughter]
and for people who are still around i want to know what the last question would have been we were going to start talking about quantum computing well there's a good question in the uh chat why do you why do you do what you do who wants to jump on that i do it because i love it that's plain and simply the way it is i cyber security is like i don't know it changes every single day there's not i'm not i'm getting very i get bored really easy when i do the same thing every day and i've discovered that early in my career i used to fix printers and patch lan cables back early in my i.t days and and now
working in cyber security is just it's just constant you can you can focus on so many different things it's just a wonderful experience and it just keeps you keep you interested engage all the time yeah it's it's an exciting area things change all the time the it's a game of cat and mouse and uh of course if you're stuck in an incident for the whole weekend then maybe your mood changes but ah it's very exciting field so that's why i'm in there it's a pretty wide range of things you need to do right you need to implement technical controls but you also have to consult with faculty over you know to explain to them why they need security
right so it's definitely an interesting challenge ah joshie turkey i knew he was gonna ask him some i shouldn't have mentioned the question we know we know that uh the chinese came out about three or four months ago saying they have a quantum computer and i think there is concern about cryptology cryptography and all the components around that but uh you know most of our brains melted uh when we started trying to really dig into this subject so i don't know we're none of us are cryptologists so i i think i'm not going to touch that one i don't know if everybody wants to jump on it no i you know the only thing i could say
is that the canadian centre for cyber security did a really good presentation on quantum safe cryptography um it really kind of opened my eyes up to how quickly quantum computing is actually coming at us uh with the new standard that's going to be approved at 2025 and so that it's just something that that if you're working in cyber security you need to start to pay attention to it like i said look up quantum safe cryptography and hopefully you can understand it better than the rest of us i've been able to figure out so far yeah that's it that's a good point robbie they uh trend micro has a good article out there on on quantum and cyber security and how
it's going to change landscape too if you google that you'll find it um but yeah i think it should be on everybody's roadmap uh next five to ten years is gonna be a it's gonna be a reality and you know nist is working on it right now on how to how to you know defeat the challenges of quantum in the challenges it's going to present with breaking cryptography so you know take a look at those sessions that are available on the internet and that's about all they have to have there uh jeff threw a good question and and jeff you don't mind i might just take a quick shot at it um he talks about uh
2fa and data class how do you articulate proper use to non-technical people stick carrot workshops um i think all of the above uh i was in a session not long ago where um we understand from a sociology perspective that 20% of compliance comes from the antecedent that is you need to do this or you know i need to do this and and 80% of the compliance comes from um the consequence so there's a consequence to the action so it's just like uh you know when you speed right you can speed and and what really stops you from speeding is i really don't want to pay that ticket um but you need to focus on trying to
encourage people but there always has to be a consequence because really that drives uh uh from a sociology perspective compliance uh in a lot of cases i don't know anybody else want to jump in on that yeah sure so you know the stick or the carrot um it's funny at the university of calgary the way we got started getting people into multi-factor authentication or two-factor authentication was with offering them onedrive and if they got onedrive they got to have mfa and then then the the other way we sold it is how many compromised accounts they have per month and then that started to drive real interest because internal phishing was happening and things like that and it
starts to drive it but um you know how do you articulate proper use to non-tech tech people and workshops um you know i think it just has to be like a decision needs to be made at the top but a lot of the commercial commercial operators out there like facebook like apple like all of that are doing the work for you for two factor and you know a lot of people in in industry and different companies and things like that sometimes they're like whoa well this is too much for our users and it's like well wait i had to do this just last week when i got my new iphone or my new android and
it's like well maybe that culture shift has already happened and it's not that big a deal and it's not as scary as people think you know we have over 80 000 accounts on mfa now including faculty staff student alumni and retirees and and um you know so so it is real and for the for the data classification one i think it's just you have to make it real simple and take a look at how privacy and legal did it at our institution and that might help you just keep it to simple bullets on what it means to them and what they have to do and integrate that into your software acquisition governance that's how you link the two together
because if somebody buys something and it's level three level four data you have to have mfa on it so you know there's no way around that and that that drives the adoption and drives the understanding and and really it's not about scaring anymore it's about invoking people to care about doing this and that you know this is just the way of life now is we want to protect our assets and we want to protect our privacy i can't believe mark you you you used uh onedrive as a carrot like i mean i would have pushed for chocolate or i mean like something like something but when okay it works anybody else when i jump in on that
yeah i think it's important to put it in terms that everybody understands right one thing we did with mfa adoption we had as we were sort of rolling it out to all staff we actually had phished accounts where because we have self-service for for staff to to manage their direct deposit people's direct deposit was actually changed and paid out to the wrong person because they were compromised right so you put that message in terms for everybody and it makes sense right you know because i think the the question often is well i don't have anything in my university account that i really care about well you know your paycheck is pretty important i i personally was involved in exactly
like that where one was redirected um and those stories i think actually that's a really good thing i didn't think of it um those of us in the security space have to be reasonably good storytellers in a way that to get people's attention right because and they'll remember uh those stories and and maybe they'll see themselves in those circumstances and make it like like mark mentioned uh have them care a little bit like i i mean i'm vested like i'm part of the solution uh and if we tell good stories that way maybe maybe they they want to be a part of that that's one of the advantages of working in higher ed too is that we collaborate
so so for us for our mfa stuff we just stole everything from u of c and mark was happy to share right his team told us all the stories of how what worked what didn't work and and we we copied and stole you know a lot of information we modified it of course to make it look like sait's but uh you know i appreciate that you know that's why we were actually working together here on this panel because we we all talk to each other about our problems that we have and issues and how to do things better and then we uh we collaborate and we shop at the same place for t-shirts obviously it's the support group right we get
around let's say hi i'm kurt and i'm a ex-security guy right that's how it works yeah all right any other questions for us from the from those watching i think i know for past our time um if the moderator are we good still or yeah i think it was only 12 15. so well we did get another question yeah is cyber security part of i.t at your organization quite a few companies have moved it out of the i t reporting structure the city of calgary has combined physical and cyber security into one business unit i refer to the cio yeah yeah for us uh we're we're part of i.t for sure yeah yeah we report into i.t as well but
what you're talking about there is convergence and it's a it's a movement it's a movement that's happening out there where you kind of have convergence of physical security and i.t security and the edmonton police are actually an example of a converged shop but they still report into the cio so the cio has physical security and cyber security underneath him and cyber security and physical security reporting to the same director office so it's it's an interesting um shift and there's there's a couple of good presentations out there from from gartner on on convergence and it is a real thing but it really needs to make sense for your institution and your organization on how you how you
do that because they are two very different things and it depends on where you're at from a maturity perspective and both of them as well and that technology understanding and physical understanding so there's some food for thought for you i report to cio as well but it's interesting point because i was in a talk i think with a quebec university was presenting about how their eye their i.t security had moved around they were outside of it and found it just didn't work because they didn't have the cons consultation they weren't they didn't have security analysts on the teams implementing security by design right and they actually moved back inside it so yeah it's an interesting concept so
uh when i get a chance to recommend this and i would there's a piece i borrow from mark there uh if the organization's mature and has a mature risk enterprise risk property i actually recommend that um and let's tying this to what charles said too we don't want to lessen them because if you pull it out it becomes us to them and that's a problem what we want is but i've seen instances and i've personally been involved in instances where the cio obviously doesn't want to report things up because it looks bad for them so in a really mature organization with risk management enterprise risk management i've recommended where the cso reports administratively to the
cio but functionally to the board and a board committee around risk which means that the cio can't fire the cso in a lot of cases that can happen um uh and and yet the risk committee gets a really good and unbiased view of what's going on from a security function uh and i noticed steve you dropped something in there and i'm gonna disagree with you i don't think i t is a function of finance i think it's a strategic partner that needs to be at the table and when you put it under finance you don't see it as strategic you see it as a cost center that's what it says to us at least to me when i go
into an organization if it's sitting at the table and the cio's there then it's a strategic partner if it's under finance it's seen as a cost center and i that's the way i differentiate it i don't know about you guys what do you think i would tend to agree even especially in an academic institution because i would say that finance doesn't understand what the you know teaching side needs right and that's that's our business right supporting academics and students right angela who would chair the risk committee usually it's a board member a member of your board of governors or a board of directors somebody chairs that committee and then they have a group and you report
directly through that so the board gets visibility on on uh unencumbered visibility to uh the board and this i can cios and cfos all cringe when they hear that uh because they don't want that um but let's wait that's the way it should be i think but but you're right curtis that's the way it works for us and uh you know i talked about i report to the cio but i also do quarterly report to the audit committee to it on the board level too it's just it's just part of the the way it's structured here agreed ken uh you should never report to an internal auditor um ever if you do you know but they are our friends
internal audit is our friends yeah is welcome as long as you are you know a regular human and not a crazy person yes all right any more questions this is awesome oh this is a lot of fun yeah we should make him wear kitty ears when they come in i knew that was floating around up there somewhere i can't use we haven't heard it in here yet so it's it's out there that had something about a hot tub and rubber duckies okay it was all said we're good we've come full circle
any more questions
all right well i i think we've gone well over time but uh thanks for attending uh we hope you enjoyed the session guys it's always a pleasure to chat with you um this is fun we should do it again