Finals are around the corner, and before you know it, we’ll be on Winter Break!

It’s often noted that security is a big data problem. And it’s certainly true that our tools generate a lot of data — by my rough estimate, we generate tens of terabytes per day across various platforms like our SIEM, EDR, CASB, firewalls, etc. It wouldn’t surprise me if the actual number is much higher. The big problem we face is that often all this data is separated into disconnected silos, and our data is most useful when it is connected.

Security tools have been using data analytics and machine learning to make operational decisions in security for many years. But we’ve seen some really dramatic and rapid advancements in machine learning models in the last 12 months, and we should expect to see this trend continue over the next few years. In order for us to take advantage of the vast amounts of security-related data generated by our users and our network, we have to start moving towards getting all of the telemetry we collect into a single location, and then learning how to apply modern data science methods against it. This is different from how we have operated in the past, but I am confident that we will adapt to find some creative solutions.

So where do we start? We already have! We’ve been working towards this goal for some time with projects like the Elastic migration and the Axonius platform. We know that we will likely never get down to a single data source (regardless of what our vendors may tell us ;-). But each step we make towards lowering the number of independent, separate systems improves our ability to correlate events and security information — and then rapidly act on it.

When we are considering our products or platforms, the question that we ask ourselves is: “What can we do with the data this tool generates? How does this tool help reduce the number of data silos that exist within security?” This question helps frame our decisions about nearly every aspect of security, and is something that should be considered at every level.

• We hosted a Generative AI workshop taught by Elastic here on campus; people from across the University attended, and especially throughout Technology Services. In total, 50 people attended, including members from Security, A&E, EAS, ITEO, OAL, and more.
  
  
• On November 20th, we enabled Risk-Based Authentication in the Duo platform in order to mitigate active attacks against campus members. Attackers were using “push bombing” to trick campus members into approving a fraudulent authentication attempt — this is also referred to as MFA fatigue.
  
  
  • Duo now prompts for a Verified Push when anomalous activity is detected on the account (entry of a random code known only to the real user)
    
    
  • Attackers were unable to continue using this attack vector. In the first seven days, 20 account takeover attempts were prevented
    
    
• There was no significant uptick in support needs from this change, and the impact of the change to users has been minimal. Bottom line — better security, minimal impact to the user. 🎉

📈 Just in the last month:

• 457.8M malicious websites blocked; 99% of all network connections from internet blocked at firewall 
• 55B cyber attacks and malware blocked
• 199 petabytes of network data scanned
• 60k computers monitored; with 4.6B endpoint processes analyzed
• 171.1M mail messages scanned for spam, phishing, viruses; 115.4M messages blocked at gateway
• 4,395 public data shares detected and investigated
• 3.1M Duo auth events recorded across 269k active NetIDs 
• 179k devices tracked in the IT asset management system

With the end of the semester comes the great exodus of students. December always brings a surge in cyber attacks, so stay vigilant! I encourage you to share your thoughts and suggestions with me at any time, and you are always welcome to schedule a meeting with me.

Adam Mikeal

Associate Vice President and Chief Information Security Officer