In his fourth year as Emory's Chief Information Security Officer, Brad Sanford combines an action-oriented approach toward achieving business objectives with a determined advocacy of information security principles and ideals. His focus includes IT risk management and Information Security policy, awareness, and architecture.
Central to securing information integrity at a decentralized university such as Emory is reliable and efficient adherence to regulatory standards and a proactive approach to protecting our network from increasingly sophisticated attacks from all over the globe. In FY11, OIT Information Security continued to monitor attempted intrusions, analyze the threat levels posed by various attacks and improve upon our growing suite of security knowledge and diagnostic systems. Three significant projects were:
Emory rolled out a Security Event Management System by bringing together security, operational and compliance stakeholders to select and deploy the Q1 Labs QRadar product. This product enables OIT to meet various monitoring and auditing compliance requirements, and greatly advances our operational security capabilities by aggregating, correlating, and reporting logged events from hundreds of separate systems and applications. The system processes hundreds of millions of events per day originating from security systems, networking infrastructure, directory services, web servers, and much more.
The alerts coming from the system have already allowed us to rapidly identify dozens of compromised user accounts, multiple attempts to send spam using Emory servers, and many computers infected with malware. Previously these events would have taken much longer to detect, or may have gone completely undetected.
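The kind of cross-source correlation that produces such alerts can be sketched in a few dozen lines. The following is an added illustration, not QRadar's logic or any Emory rule set: the log format, rule names, thresholds and windows are assumptions, and the sample lines are constructed. Events from a single sign-on source and a mail source are normalized to one record shape, and two sliding-window rules then look across them: an account that logs in successfully from several distinct source addresses within a short window, and an account that submits a burst of mail in under a minute.

```python
"""Toy correlation pass in the spirit of the alerts described above.

Added example; the log format, rule names, thresholds and windows are
assumptions for illustration, and the sample lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ACCOUNT_WINDOW = timedelta(minutes=10)  # assumed window for the "many source IPs" rule
DISTINCT_IP_THRESHOLD = 3
SPAM_WINDOW = timedelta(minutes=1)      # assumed window for the submission-burst rule
SUBMIT_THRESHOLD = 5

# Constructed sample lines: "<ISO time> <source> <event> key=value ..."
SAMPLE_LOG = """\
2011-03-01T09:00:05 sso auth_ok user=alice src=170.140.1.10
2011-03-01T09:01:10 sso auth_ok user=bob src=170.140.2.20
2011-03-01T09:01:40 sso auth_ok user=carol src=170.140.3.30
2011-03-01T09:02:00 sso auth_ok user=alice src=203.0.113.7
2011-03-01T09:03:30 sso auth_ok user=alice src=198.51.100.9
2011-03-01T09:04:00 mail smtp_submit user=bob src=170.140.2.20
2011-03-01T09:04:01 mail smtp_submit user=bob src=170.140.2.20
2011-03-01T09:04:02 mail smtp_submit user=bob src=170.140.2.20
2011-03-01T09:04:03 mail smtp_submit user=bob src=170.140.2.20
2011-03-01T09:04:04 mail smtp_submit user=bob src=170.140.2.20
2011-03-01T09:05:00 sso auth_ok user=carol src=170.140.3.30
"""


def parse_event(line):
    """Normalize one log line into a dict; key=value pairs become fields."""
    ts, source, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event, **fields}


def _trim(window_q, now, window):
    """Drop queue entries that have fallen out of the sliding window."""
    while window_q and now - window_q[0][0] > window:
        window_q.popleft()


def correlate(lines):
    """Return the alerts raised over the event stream, in order of detection."""
    logins = defaultdict(deque)   # user -> (ts, src) of recent successful logins
    submits = defaultdict(deque)  # user -> (ts, None) of recent mail submissions
    raised = set()
    alerts = []

    def raise_once(rule, subject, detail):
        # One alert per (rule, subject) so a noisy account does not flood the console.
        if (rule, subject) not in raised:
            raised.add((rule, subject))
            alerts.append({"rule": rule, "subject": subject, "detail": detail})

    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["event"] == "auth_ok":
            q = logins[ev["user"]]
            q.append((ev["ts"], ev["src"]))
            _trim(q, ev["ts"], ACCOUNT_WINDOW)
            ips = sorted({src for _, src in q})
            if len(ips) >= DISTINCT_IP_THRESHOLD:
                raise_once("possible-compromised-account", ev["user"], ips)
        elif ev["event"] == "smtp_submit":
            q = submits[ev["user"]]
            q.append((ev["ts"], None))
            _trim(q, ev["ts"], SPAM_WINDOW)
            if len(q) >= SUBMIT_THRESHOLD:
                raise_once("possible-spam-burst", ev["user"], len(q))
    return alerts


def run_sample():
    return correlate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two design points carry over to a real deployment: every source is reduced to the same record shape before any rule runs, so a rule never needs to know which system produced the event, and each rule keeps only a bounded sliding window per subject, which is what keeps per-day volumes in the hundreds of millions tractable.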
Intrusion prevention is the process of automatically detecting malicious network activity and stopping it. This technology is an important part of Emory's information security program, and we have made several key improvements during the last year.
In March, we began to block traffic to and from a list of more than 800,000 known bad hosts. As a result, we now block more than 400,000 packets per day that would otherwise have presented a security risk.
We continued to fine-tune the set of rules that powers our intrusion prevention system. We chose a large number of candidate rules and configured them to log matching traffic while still letting it through. By monitoring the logs, we learned which rules were reliable enough to switch to blocking mode. The new-generation TippingPoint IPS units used to implement these rules were purchased and installed this fiscal year. These units can process approximately ten times as much traffic as their predecessors, which has provided enough capacity to monitor all traffic in and out of the University network. With the older IPSs we were not able to monitor the traffic through Emory's 10G Internet2/SOX link.
Taking advantage of our knowledge of emerging threats, we wrote many custom rules. These rules help protect the Emory community from attacks so new that vendor provided rules cannot detect them.
A determined attacker can sometimes bypass intrusion prevention by trying different attacks until one is not blocked. To avoid that situation, we now block all communication with hosts that have triggered several individual blocks in a short time.
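The two practices just described, candidate rules that only log until they have earned a blocking action, and repeat offenders that are cut off entirely once several individual blocks land within a short window, fit in one small decision loop. The following is an added illustration and is not TippingPoint code or Emory's rule set: the packet shape, the signatures, the addresses, the three-block threshold and the five-minute window are all constructed assumptions.

```python
"""Toy IPS decision loop: log-only candidate rules plus repeat-offender escalation.

Added example; packet format, rule signatures, thresholds and addresses are
constructed assumptions, not any vendor's or Emory's configuration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

REPEAT_THRESHOLD = 3                  # assumed: individual blocks before a full block
REPEAT_WINDOW = timedelta(minutes=5)  # assumed: what "a short time" means here

# Rule table: (name, action, predicate). A new rule starts in "log" mode and is
# switched to "block" only after its logged matches have been reviewed.
RULES = [
    ("exploit-sig-a", "block", lambda p: b"SIG-A" in p["payload"]),
    ("exploit-sig-b", "block", lambda p: b"SIG-B" in p["payload"]),
    ("exploit-sig-c", "block", lambda p: b"SIG-C" in p["payload"]),
    ("telnet-candidate", "log", lambda p: p["dport"] == 23),  # still under evaluation
]


class RepeatOffenderIPS:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.recent_blocks = defaultdict(deque)  # src -> timestamps of individual blocks
        self.fully_blocked = set()               # hosts cut off in both directions
        self.rule_hits = defaultdict(int)        # rule name -> matches, log or block

    def decide(self, pkt):
        """Return ("pass" | "log" | "block", reason) for one packet."""
        # Escalated hosts lose all communication, regardless of what the packet carries.
        if pkt["src"] in self.fully_blocked or pkt["dst"] in self.fully_blocked:
            return ("block", "repeat-offender")
        matched = [(name, action) for name, action, match in self.rules if match(pkt)]
        for name, _ in matched:
            self.rule_hits[name] += 1
        blocking = [name for name, action in matched if action == "block"]
        if blocking:
            self._note_block(pkt["src"], pkt["ts"])
            return ("block", blocking[0])
        if matched:
            return ("log", matched[0][0])  # candidate rule: recorded, traffic still flows
        return ("pass", None)

    def _note_block(self, src, ts):
        """Count individual blocks per source inside a sliding window and escalate."""
        q = self.recent_blocks[src]
        q.append(ts)
        while q and ts - q[0] > REPEAT_WINDOW:
            q.popleft()
        if len(q) >= REPEAT_THRESHOLD:
            self.fully_blocked.add(src)


def sample_packets():
    """Constructed traffic: one host probing with three signatures, two benign hosts."""
    t0 = datetime(2011, 3, 1, 12, 0, 0)

    def mk(secs, src, dst, dport, payload):
        return {"ts": t0 + timedelta(seconds=secs), "src": src, "dst": dst,
                "dport": dport, "payload": payload}

    return [
        mk(0, "203.0.113.5", "170.140.0.10", 80, b"GET / SIG-A"),
        mk(30, "203.0.113.5", "170.140.0.10", 80, b"GET / SIG-B"),
        mk(60, "203.0.113.5", "170.140.0.11", 443, b"SIG-C"),
        mk(90, "203.0.113.5", "170.140.0.12", 80, b"GET /index.html"),  # clean, but host now escalated
        mk(100, "198.51.100.7", "170.140.0.13", 23, b"login"),           # candidate rule: logged, allowed
        mk(120, "198.51.100.8", "170.140.0.14", 80, b"GET /"),
    ]


def run_sample():
    ips = RepeatOffenderIPS()
    decisions = [ips.decide(p) for p in sample_packets()]
    return decisions, ips


if __name__ == "__main__":
    decisions, ips = run_sample()
    for pkt, d in zip(sample_packets(), decisions):
        print(pkt["src"], "->", pkt["dst"], d)
    print("rule hits:", dict(ips.rule_hits))
```

The fourth packet is the point of the escalation rule: it matches no signature at all, yet it is dropped because its source has already been blocked three times inside the window. The `rule_hits` counter is the data behind the evaluation step in the text, since a candidate rule that racks up matches on traffic later judged benign stays in log mode, while one whose matches are consistently malicious is promoted to block.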
After successfully implementing the requisite infrastructure components for Emory's PGP Whole Disk Encryption solution in FY10, OIT helped facilitate the deployment of whole disk encryption to over 850 laptops in FY11. Laptops containing sensitive information represent a tremendous risk to the institution whenever they are lost or stolen. By encrypting the hard drives on these devices, Emory has dramatically reduced the risk associated with such events, since any sensitive data present on an encrypted device remains safely locked away even when the device itself is lost or stolen.
For more advanced users, the PGP Whole Disk Encryption solution can also be utilized to encrypt external hard drives, removable flash drives, or individual files or directories containing sensitive data. Files encrypted in this manner can be safely transferred to external parties via email, CD/DVD, or other distribution mechanisms without fear that the data might fall into the wrong hands.
Network security will always be paramount to our IT enterprise at Emory and the OIT Information Security team remains vigilant in providing an appropriate security posture and continually researching the latest advances in protecting the integrity of our data and that of our customers, both internal and external.
Brad Sanford
Chief Information Security Officer, OIT Information Security
"The introduction of full disk encryption at Emory has allowed us to secure our electronic assets and bring us peace of mind that if a personal computer is stolen, our sensitive data is safe."
Richard Fischer,
Manager, UTS Deskside Support