The Security Operations Team in Information Systems and Technology (IS&T) plays a key role on campus, taking measures to keep the Institute’s network, MITnet, secure. The team also delivers tools, infrastructure, services and consulting that help the MIT community do its work securely. Here’s a profile of what the team is up to in today’s increasingly complex, online, data-driven world.
The State of Information Security Today
Given the inherent openness of universities, an IT organization within the educational space doesn’t have access to the same network controls available to corporations or home networks. For example, MIT does not have a border firewall on MITnet, so the network is accessible to the entire Internet.
There is also a growing trend toward encrypting Internet traffic using SSL, a protocol for securely transmitting data over HTTP. This means that Internet traffic is largely invisible. How can we secure ourselves when we don’t know who the bad guys are? To understand whether the traffic on MITnet comes from a good or bad host, the Security Operations Team uses tools that provide metadata and heuristics on IP addresses, to find deviations from the expected norm.
Engaging the Community to Make Information Secure
To align with the vision of John Charles, Vice President of IS&T, Security Operations is looking to develop a platform of security applications. These applications, combined with the team’s consulting services, will allow the Institute’s departments, labs and centers (DLCs) to address their unique security needs.
“My experience with information security is that it’s viewed as the preventer of getting things done,” said Security Operations Team Lead Harry Hoffman at the Spring IT Partners Conference this year. “As a result, people find ingenious ways to avoid dealing with it.”
Hoffman offers close engagement with teams at the Institute dealing with security issues. “As a provider of consulting services, you go through an iterative process, listening to what it is a team is trying to do, then building appropriate security mechanisms around how data is handled and exchanged. It’s important to understand what they are trying to accomplish and get to an agreed-upon outcome. Not just to protect the data, but doing it in ways that allow the team to do its work.”
Hoffman adds, “We also want to document the steps taken to protect data, so that we don’t find ourselves in a state of chaos down the road, unable to quickly come back from an attack or state of vulnerability. Documentation can be revisited as needs change, and it’s important to review those changes together.”
A Wide Net of Services
Security Operations offers a range of services to the community:
The team provides forensics for compromised systems. Hoffman notes that these efforts can be potentially costly for a DLC, as well as time consuming. The team can also help determine if a third-party forensics team would be beneficial.
Risk identification can help DLCs that have small budgets for IT services. The goal is to ensure that systems are secure and built with redundancy in mind, reducing the risk of lost research time when DLCs reach the end of an IT services contract.
Hoffman believes in sharing knowledge. The team offers outreach, awareness and training, including the SANS courses, “Securing the Human,” to encourage people to think about security and the data they curate. The Security SIG, a new special-interest group at MIT, aims to bring people from the Institute together to share information on IT security issues, perspectives on security based on the environments they work in, and other resources.
Participation in the annual National Cyber Security Awareness Month (NCSAM) is a way to draw attention to security issues, often engaging people through games, quizzes or other methods.
Compliance with regulations around data security can be complicated; how and when to respond to a data breach is not always clear, even though a quick response is needed. Security Operations can assist DLCs create processes, including a “lessons learned” phase to share with the community so that these events don’t reoccur.
Security Operations also sends timely reports and alerts to the community as attacks are happening on MITnet, so that IT administrators can quickly respond and take proactive measures. By the same token, if you notice any suspicious network activity in your area, forward it along to firstname.lastname@example.org.
The team reviews and supports desktop tools, such as PGP for encryption, Identity Finder for data inventory, and Sophos for malware detection and prevention. These are provided at no charge through the IS&T Software Grid.
Security Operations triages abuse and vulnerability reports from external and internal sources. As MITnet is attacked from across the Internet, the team analyzes the reports it receives to form a picture of the state of the network. But these reports are not enough. Additional tools are needed to catch patterns of attack as well as to analyze whether sensitive data was touched.
Included in the arsenal are:
- TippingPoint, a tool that uses signature-based detection for attacks
- StealthWatch, used for obtaining metadata on net flow
- RSA Security Analytics, for collecting data on connections and malicious activity
- Prolexic, a tool from Akamai that acts as a buffer between MIT and distributed denial of service (DDoS) attacks, some of which have taken MITnet down in the past
- Nessus, a vulnerability assessment tool.
IS&T has also purchased Splunk, a system for analyzing log files. Key indicators in traffic patterns can show third parties attacking web servers using SQL injection, for example. Security Operations shares this information with the community, enabling DLCs to thwart attacks by protecting their own servers. This is what happened during the Heartbleed incident in April.
Ultimately, the goal is to provide the community with the tools and services needed to protect applications and systems containing sensitive data — whether by scanning for vulnerabilities, tracking patterns, finding anomalies, or conducting regular security checkups.
Making the Connection
You can join the Security SIG by signing up online.
For questions or concerns about information security at MIT, send mail to email@example.com. To speak to a team member in person, call 617-324-3368 or stop by W92.