Finals are almost over, and graduation is around the corner. It never stops surprising me how quickly the semester passes. I keep bracing for the summer heat. Unfortunately, it never seems to leave as quickly as it arrives.

In last month’s newsletter, we talked about blame-free culture, and how critical that is for a culture that values learning and continuous improvement. This month we are going to start examining the six core principles that make up my approach to security:

  • Automation whenever possible
  • Trust users but get telemetry
  • Focus on the risk
  • Compliance ≠ security
  • Security is a Big Data problem
  • Shift left

We’ve talked extensively about automation, because that also happens to be one of this year’s themes. This month we are going to ask ourselves what it means to trust users, but get telemetry.

 

Trust users but get telemetry

Trust but verify has long been an adage in information security. At first glance, this month’s principle is just a restatement of that adage; however, there is a subtle but important difference that is worth exploring. Trust but verify starts with the word “trust”, but in reality assumes a relationship of untrustworthiness—we use it to explain why we lock our car, or install cameras around our house. We say the word “trust”, but there’s really no trust involved.

In contrast, when I say trust users but get telemetry, I mean that we should genuinely start with the assumption that our users can be trusted to make good decisions. The telemetry that we gather isn’t about trying to prove that a user acted in bad faith—it’s about providing a safety net for the actions they take on a day-to-day basis while performing their jobs.

Fundamentally, trusting our users means that we focus on the fact that our users are also our colleagues. This is particularly true for our faculty, who (like us) are knowledge workers. They (like us) depend on their computers to perform their jobs. Many of our faculty have a surprisingly high level of systems and programming knowledge; at a minimum, most of them would be termed “power users”. Of course, we all have experiences with users who make poor choices, or repeatedly ignore expert advice. But for every one of our colleagues for whom that is true, there are three that quietly go about their work with competence, and thus never appear on our radar.

Why bother with this at all? Because in the long term, a positive relationship with our users will pay dividends that far outweigh any extra work created by this effort. What’s the alternative? An adversarial relationship with our users, and all the negative side-effects that come with that. We want users who are willing to work with us on difficult problems, and ask us for advice when they suspect something might be wrong; an adversarial relationship creates mistrust, anxiety, and deception.

So here’s my argument:

  1. A positive working relationship between our users and the security team is incredibly valuable and worth nurturing
  2. This relationship requires a foundation of trust that is built on informed consent and transparency
  3. Our users are capable of making rational and informed decisions about security risks when properly educated treated with respect
It’s often against our nature to be transparent about the tools and techniques we use to monitor our data and devices. There are many good reasons for this; balancing secrecy and transparency is difficult. Next month, we’ll talk more about what it means to be transparent with our users, and how embracing informed consent can help build a culture of trust.

Arrivals & Departures

  • After nine years at the university, Gil Muñoz is leaving for a new position with Harvard Medical School. Gil played a critical role in the development of our security program, initially on the team that built out the university’s first vulnerability management program, and most recently on the Security Operations team helping to manage the SIEM migration. He will be greatly missed!

  • We depend on our student employees to keep our security program running, and it’s always bittersweet when they graduate and move on to new things. We have nine students graduating this month! 🎉 Congratulations to each one of you, and I know that you’ll find great success at whatever comes next:
    • CAP Program: Robert Liu; Diego Valazquez; Dayo Olaosebikan; Joshua Hillis
    • Cloud & Platform Security: Caelum Wallace
    • Identity Security: Aaron Delie
    • IT Accessibility: Lauren Kriendler and Paige Crawford
    • System & Application Security: Sydney Ezimora

Wins & Successes

  • A new consolidated site for platform documentation has launched at docs.security.tamu.edu. This site will host documentation about tools and platforms we provide to other IT teams across campus. Creating and maintaining platform documentation will be an ongoing project for many of our teams. Next up: documentation for endpoint security tools and agents.

  • AWS hosted a CISO Circle event on main campus, jointly sponsored by Texas A&M and the System; It was attended by CISOs and other security professionals from across the System schools and agencies, and several senior AWS technical staff who spoke about cloud security topics.

  • April marks the one year anniversary of providing penetration tests as a service to campus, following industry-standard ROE so that no negative consequences result from the testing process; over the last year, nine tests were completed—providing valuable feedback to customers and identifying some critical security vulnerabilities that had been overlooked.

  • Significant progress has been made with the Cirrus Proxy initiative, with ten System members’ identity providers now connected to the environment plus Blinn College. Testing of the identity providers is underway and five different teams have begun connecting services to the platform to test authentication

Security by the Numbers

📈 Just in the last month:

  • 95.8% of all network connections from internet blocked at firewall 
  • 42.5B cyber attacks and malware blocked
  • 176 petabytes of network data scanned
  • 30k computers monitored; with 5.4B endpoint processes analyzed
  • 111.6M mail messages scanned for spam, phishing, viruses; 66.7M messages blocked at the gateway
  • 2.8M auth events with Duo recorded across 293k active NetIDs
  • 150k devices tracked in the IT asset management system

Major Project Updates

Sign in with a NetID to see this content

 

Wrapping Up & Reminders

It’s always the browser’s fault: security researchers recently revealed a crafty ransomware tactic where uploading files to a website triggers the download of ransomware to your device. The attack relies on the File System Access API to initiate ransomware downloads the moment unsuspecting users upload a file. A deep dive at a USENIX security conference peels back the layers on how these sites embed malicious scripts within ordinary website functionalities, such as online photo editing. This is why we can’t have nice things.

As always, thank you all for your hard work and dedication. I depend on you to share your ideas and suggestions with me, and I encourage you to schedule a meeting with me at any time if you want to talk (it doesn’t have to be about work!).

 

Adam Mikeal

Associate Vice President and Chief Information Security Officer