Jisc Security Operations Centre – key risks and incidents in Higher Education

Simon Cooper – Security Operations Manager



Agenda

1. Intro

2. Jisc Security Operations Centre

3. SOC activities

4. Threats

5. Posture survey results

6. Additional activities

Uniac IT Risk Management Briefing - CONFIDENTIAL


What does Jisc do?

• Deliver the national research and education network

• Negotiate sector-wide deals

• Access to digital subscriptions

• Digital services e.g. eduroam

• Advice and guidance

• 170 Higher Education institutions

• 300+ Further Education institutions

• Research councils and high-end facilities

• Connectivity to schools through local authorities



What does the Security Operations Centre do?

• First established as a Computer Security Incident Response Team (CSIRT) 26 years ago

• Coordination of incident response for institutions connected to Janet.

• Gather intelligence on potential security issues

• First port of call for when a customer may be experiencing a security issue.

• Service is covered as part of membership.

• A team with a variety and range of specialist skills and experience.

• Operate 8am until midnight.



What is our primary mission?

• Minimise Risk

• Prevent Incidents

• Contain Cyber Damage



Overview of services

• Incident Response (Computer Security Incident Response Team – CSIRT)

• Advice and Guidance on Target Hardening

• Digital Forensics

• IP Traffic Analysis

• Malware Analysis

• DDoS Mitigation

• DNS Resolver service

• Threat Intelligence Collection and Dissemination



Security Operations Centre

Incident Response – Janet CSIRT

• We strive to be the first point of contact when an incident occurs, and are often aware of similar situations occurring elsewhere and how to deal with them effectively.

• Central point of contact on the network for communication between LEAs, external security agencies, ISPs and sites

• We will always protect your anonymity

• Where appropriate we can attend the site location to assist

• Trusted and long-established security contact points within Janet-connected organisations

• Tell us what you need! Do you want us to work for you on an investigation, or would you like us to lead it? It's up to you.


Security Operations Centre

Advice and guidance on target hardening

• Utilising and disseminating advice and guidance from the community.

• Drawing on the skills and experience of staff at Jisc to provide solutions.

• Following a recent security incident, both the Pen Test Team and CSIRT attended a site in order to collect evidence to investigate a potential breach.

• The Pen Test Team conducted an assessment and produced a report to highlight and remediate current vulnerabilities, whilst CSIRT simultaneously conducted a digital forensics investigation.


Security Operations Centre

Digital forensics

• We have a digital forensics capability

• We have conducted several on-site evidence collections and analyses in the last twelve months.

• Can accept disks or disk images via various methods.

• Part o

• Whilst we are continuing to enhance our capability in this field, we acknowledge that we need to formulate our Service Level Agreements so that we are able to provide timescales to complete work.


Security Operations Centre

Denial of Service mitigation

• Protection against the DDoS attack threat

• An attack is usually in effective mitigation within 5 minutes.

• Enhanced DDoS services

• DDoS is a crime under Section 3 of the Computer Misuse Act.

• Each attack is an offence and you are the victim.

• Yet out of over 1000 DDoS attacks on members in the last twelve months, we are only aware of 5 that were reported to the police.

• DDoS is a big problem and is getting worse. Largest attack: 176.4 Gbps.

• If central government is not aware of the scale, then it has nothing on which to base the required funding.


Security Operations Centre

Traffic and Malware analysis

• IP traffic analysis and baselines can be utilised to try to isolate the likely date of initial compromise.

• Utilised to determine whether other organisations are affected.

• By identifying the likely date and time of infiltration, a starting point for forensic analysis can be inferred.

• Constantly being analysed to assist in identifying security issues.

• Malware analysis service for members to utilise

• Samples can be emailed directly to the analysis suite, and a report is generated and submitted directly back to the requester.

• This is not intended to examine anything containing personally identifiable information.
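The baseline idea above, worked through on constructed data as an added example (not Jisc's own traffic-analysis tooling): a rolling robust baseline over a host's daily outbound totals, with the first sustained departure taken as the candidate date of initial compromise and hence the starting point for forensic work. The daily figures, window size and threshold are assumptions.

```python
"""Rolling robust baseline over daily traffic totals (added example, not Jisc's own tooling)."""
from statistics import median

# Constructed daily outbound totals (MB) for one host: two quiet weeks, then a step change.
DAILY_MB = {
    "2019-03-01": 120, "2019-03-02": 115, "2019-03-03": 130, "2019-03-04": 118,
    "2019-03-05": 125, "2019-03-06": 122, "2019-03-07": 119, "2019-03-08": 128,
    "2019-03-09": 121, "2019-03-10": 117, "2019-03-11": 124, "2019-03-12": 126,
    "2019-03-13": 123, "2019-03-14": 120, "2019-03-15": 410, "2019-03-16": 395,
    "2019-03-17": 450, "2019-03-18": 430,
}


def robust_baseline(values):
    """Median and median absolute deviation (MAD): a few outliers do not drag the baseline."""
    m = median(values)
    mad = median(abs(v - m) for v in values) or 1.0  # flat traffic would give a zero scale
    return m, mad


def first_deviation_day(series, window=7, k=5.0, min_consecutive=2):
    """Return the first day opening a run of `min_consecutive` days that all sit more than
    k*MAD above the baseline of the preceding `window` days, or None if the series never
    departs from baseline.  That day is the candidate starting point for forensic work."""
    days = sorted(series)
    for i in range(window, len(days)):
        base, mad = robust_baseline([series[d] for d in days[i - window:i]])
        run = days[i:i + min_consecutive]
        if len(run) == min_consecutive and all(series[d] > base + k * mad for d in run):
            return days[i]
    return None


if __name__ == "__main__":
    print("candidate initial-compromise date:", first_deviation_day(DAILY_MB))
```

Requiring two consecutive elevated days filters a single noisy day; lowering `k` trades missed slow-burn exfiltration against false alarms.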


Security Operations Centre

DNS Resolver Service

• The Janet Network Resolver Service is free for our members to use and provides an additional layer of protection.

• Resolver service with RPZ (Response Policy Zones): no need to maintain your own blacklists. We continually update it based on our own threat intel and that from partners and law enforcement.

• Threat feeds from MISP are utilised in blocking known malicious sites.

• This also helps to highlight other offences. We are noting instances where alerts that DDoS stresser sites are being accessed arrive as a precursor to a DDoS attack. This assists in identifying potential offenders.
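Added example of the two mechanisms on this slide, not code from the Jisc resolver service: turning feed indicators into RPZ QNAME rules that answer NXDOMAIN for the listed names, and scanning resolver query logs for lookups of listed names so that stresser-site lookups can be raised as the precursor alert described. The MISP-like record shape, the BIND-style log line format and every domain and address are constructed stand-ins.

```python
"""Build an RPZ zone from threat-feed indicators and flag resolver queries for the listed names.
Added example, not Jisc's resolver service; the feed and log formats are constructed stand-ins."""
import re

# Constructed indicator records shaped like a MISP attribute export; all values are fake.
FEED = [
    {"type": "domain", "value": "malware-dropper.example", "tag": "malware"},
    {"type": "domain", "value": "booter-panel.example", "tag": "ddos-stresser"},
    {"type": "hostname", "value": "cdn.stress-test.example", "tag": "ddos-stresser"},
    {"type": "ip-dst", "value": "203.0.113.9", "tag": "c2"},  # not a name: skipped by QNAME rules
]

def feed_names(feed):
    """Map each listed domain/hostname (lower-case, no trailing dot) to its tag."""
    return {r["value"].lower().rstrip("."): r["tag"] for r in feed if r["type"] in ("domain", "hostname")}

def build_rpz_zone(feed, origin="rpz.janet.example."):
    """Zone text whose QNAME rules rewrite each listed name and its subdomains to NXDOMAIN."""
    lines = [f"$ORIGIN {origin}",
             "@ 3600 IN SOA ns.rpz.example. hostmaster.rpz.example. 1 3600 600 86400 60",
             "@ 3600 IN NS ns.rpz.example."]
    for name in sorted(feed_names(feed)):
        lines.append(f"{name} CNAME .")    # "CNAME ." is the RPZ NXDOMAIN action
        lines.append(f"*.{name} CNAME .")  # wildcard rule covers subdomains
    return "\n".join(lines) + "\n"

# Constructed resolver log shape: "<date> <time> client <ip>#<port>: query: <qname> IN <qtype>"
LOG_RE = re.compile(r"^(\S+ \S+) client (\S+)#\d+: query: (\S+) IN (\w+)")
SAMPLE_LOG = [
    "01-Apr-2019 10:02:11.123 client 10.20.30.40#51234: query: www.example.ac.uk IN A",
    "01-Apr-2019 10:05:47.001 client 10.20.30.40#51240: query: booter-panel.example IN A",
    "01-Apr-2019 10:06:02.552 client 10.20.30.41#40001: query: malware-dropper.example IN A",
    "01-Apr-2019 10:07:19.870 client 10.20.30.40#51251: query: www.cdn.stress-test.example IN AAAA",
    "this line is not a query record and must be skipped",
]

def matching_lookups(feed, log_lines, tag=None):
    """(timestamp, client, qname, tag) for each query hitting a listed name or a subdomain of it;
    tag="ddos-stresser" isolates the precursor signal: clients resolving stresser sites."""
    names, hits = feed_names(feed), []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, qname, _ = m.groups()
        q = qname.lower().rstrip(".")
        for name, t in names.items():
            if (q == name or q.endswith("." + name)) and (tag is None or t == tag):
                hits.append((ts, client, q, t))
    return hits
```

Run against the sample log, `matching_lookups(FEED, SAMPLE_LOG, tag="ddos-stresser")` attributes both stresser lookups to the same client, which is the kind of observation the slide says precedes a DDoS attack.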


Stats – security incidents


Security Operations Centre

Threats

• Phishing

• Malware/Ransomware and blackmail

• Vulnerabilities

• Denial of Service


Phishing incidents


Malware/ransomware


Vulnerabilities


Stats – denial of service attacks


Posture Survey

3rd Annual Survey

• View of the security landscape

• 122 completed the survey

• Some highlights:

- 91% of respondents confirmed Cyber Security is on the risk register


Posture Survey

Strategic cyber security lead – % over time

        2017   2018   2019
FE      28%    35%    38%
HE      56%    60%    66%

2019: 66% of HE and 38% of FE organisations have a strategic cyber security lead.


Posture Survey

[Chart: % of HE organisations that have achieved certification (Cyber Essentials, Cyber Essentials Plus, ISO27001) in 2017, 2018 and 2019; values shown on the chart: 21%, 8%, 4%, 14%, 3%, 5%, 44%, 17%, 11%]


Better protection, reducing risk

• Asset management

• Logging – enabling greater logging, which is often not switched on by default

• Patch management

• Follow best practice

• Seek advice and guidance

• Act quickly on alerts and notifications

• Incident response training and preparation

• Pen-testing


Further cyber security activities

• Financial x-ray – security

• Simulated phishing

• Vulnerability assessment

• Managed services

• Web filtering and monitoring

• Incident reporting – DDoS – other security issues – NCSC pilot underway for reporting of all incidents

• BS 31111 audit and assessment

• ISO27001

• Cyber Essentials

• Cyber Essentials Plus


Thank you!

• Jisc

• Janet CSIRT

• Email: [email protected]

• Tel: 0300 999 2340

• Full Posture Survey report: jisc.ac.uk/reports/cyber-security-posture-survey-results-2019

Simon Cooper