So I'm going to talk about how information security works here, like as an enterprise, so not research, more of like operational type stuff. I looked at some of the past presentations and this is a little different, so I hope it doesn't disappoint, and I promise I'll keep the Star Trek references to a minimum.

So before I get into what we do, I figured I'd give you a little background on how we're organized. This slide is probably blocked a bit for some of you, basically. We're part of OIT, the Office of Information Technology here at Tech, but we're a little bit separate. We don't quite fit in because IT is mostly a service organization of some mostly optional services, but we actually propagate institutional policy, so the CISO, who is head of our department, actually reports to the CIO, but then the rest of IT is kind of over here. So we're part of it, but a little bit off to the side too.

We're separated into three different departments, which this one is definitely blocked for some of you. We've got Operations, so that's the department that kind of handles ongoing operations: incident response, vulnerability management, the security operations center. So, like, if you send in a message asking to see if something was phishing, that's the people who respond to that. So a lot of the customer-facing stuff of the organization, operational type things. We've got the Engineering team, that's the team I'm on; we're responsible for, like, building, implementing, researching and designing security systems, basically IDS type stuff. We also support research, so we provide data sets to our security researchers on campus. We're also the escalation path from Operations for incident response, so if there's something that the Operations team can't handle or needs special resources, we can pull from the Engineering team to help with that.
And then this one, which I think is blocked for some of you, is Governance, Risk and Compliance. That's where we write policies, procedures, standards, and make sure that we are complying with all the various regulations we have to comply with as an institute. One that you guys are probably familiar with is the DFARS, because that's been coming down for some time now, having to comply with a lot of that. And that's really changing how we operate as well, because we're more of like a body of individual research labs right now, and what the DFARS is kind of forcing us to do is standardize on security solutions across the board, which is why you've been seeing a lot of initiatives from us over the last year. And then also compliance.

Right now we're about twenty full-time positions, which might be bigger than you expect or smaller, depending on what area you're from. And then about eight to twelve student employees at any given moment. We staff our security operations center mostly with students; we actually just hired our first two full-time people for the SOC. One started this week and the other started about a month ago, I think. So we started as a student-run SOC because part of our mission is also to further education and making sure our information security focused students are the best. One of the ways to do that is to make sure that they all have the experience they need when they graduate, especially since the way the job market is going, even entry-level jobs require experience in the field, so providing our students with that is important.

Right, so back to the Star Trek references. What do we do as an institute? You know, research, academics and innovation, and noticeably missing there is being the most secure institute ever. That's not one of our main
goals as such, right? So, like Starfleet, their primary mission is exploration, not to defend against the Borg, so we have to defend against the Borg in order to, you know, do all the exploration, but it's a consequence of what we're actually trying to do. So that at times gets in the way of being the most secure institute ever, because that's not our main goal; we just have to make sure that we are secure so that we can do all the other things we do. So that's something to keep in mind: you might be, you know, wondering why we haven't implemented some technology because it will solve all of our security problems, and there might be some sort of political or business reason why we can't do that. So a lot of what we do is really judging risk and reward, risk and benefit basically, to decide whether or not something is worth doing in order to make sure that our business purposes are successful.

So you don't miss anything, one of the things specifically related to this: we always ask an interview question, that if a researcher needs to run a botnet on our network and they'll receive a ten million dollar grant to do so, like, what would you say? And the answers are very surprising and broad, from "we can't do that, it's against policy, there's definitely no way you can do that", whereas the right answer that we're looking for is, well, if it's ten million dollars, there's probably a way we can do this and lower the risk to the rest of the institute, and that way we can be successful as an institute, earn that ten million dollar grant, but then do it in a way that doesn't compromise the rest of our business.
So basically what we do all boils down to confidentiality, integrity, availability, which I'm sure you've all seen a million times before being in the security field. Basically it all boils down to making sure that the data we have that needs to be confidential stays confidential: only people who have access to it, or need to have access to it, should have access to it. Integrity is making sure it doesn't get changed, and availability is making sure that it is available when it's necessary. And so that's really what our jobs come down to, is making sure that's true of our data, you know, the CIA of our data.

And so some of our adversaries in that regard are nation state actors who are after our government-sponsored research; we've got criminal organizations who are after money; and then we've got insiders or individual threat actors who have their own agendas that we're trying to defend against. I think this is actually my last Star Trek reference, so sorry. So I went with the Borg over the Romulans because when you look at us compared to a nation state, like, in reality nation states have way more resources than we do, so you know the Borg is more parallel there, because it's this massive body that has ultimate resources and you're trying to defend against it and it's very difficult. So, you know, the criminals are really more along the lines of what we're mostly focused on, because that's what we can actually do something about. They're after money, so what we do is we raise the economic cost in order to hack us so that, you know, our systems are less appealing to the adversary than some other person's systems, and so we're always trying to stay ahead so that it costs more, like in resources, to hack you than others. So it's easier to attack than to defend; I mean, you've heard this all the time, it's like the most common talk at DEF CON and Black Hat is the woeful state of security.
But I mean it's because there are so many ways to compromise our systems, especially in higher ed where we're so distributed. You know, we don't have one mail server that we can put all of the specific IDS rules in front of that protect mail servers; there's a whole bunch of them, many of the departments and colleges all have their own, and we don't even know about all of them. That's another part: we're so open with what we do that it's hard to even keep an inventory of what's running, which, you know, if you've seen the Critical Controls, you know knowing your environment is basically one and two there, which are the most important, and even that's hard for us to do, because everyone has the ability to apply for and get their own research grant, buy their own systems, set them up, install them, everything, and it's just very difficult from the other side to make sure that all of that is happening in a secure way. So basically, like I said, we're trying to raise the economic cost so we can become a less appealing target.

So I have an example of this. If you work here you probably remember back in fall 2014 we had direct deposit fraud events where a lot of people's paychecks were rerouted; instead of being deposited into your bank account they went to someone else's. Our actual losses were very minimal in this, I mean we were able to get most of the transactions reversed; I think we lost a total of like fifty thousand dollars or something close to it. Fifty thousand dollars as an institute, which is basically, you know, nothing in the grand scheme of Georgia Tech's budget, and most businesses would just write that off: it happened, we fixed it, we've put mitigations in place so it doesn't happen again, and then they would just move on.
So we were different here because of our philosophy. We decided to pursue this because, you know, the losses are minimal, but as an organisation and a good, you know, internet citizen, you can't let these things just keep happening, otherwise there's no risk to the adversary. You know, they're in their country, they hack us, steal our money, it's easy to do, they get away with it, we don't do anything about it, we don't press charges, they're safe and they just keep doing it; it just becomes more and more of a thing. So we were in a unique position to actually pursue this, because we had leadership that believed in this, we knew about the credentials that they were using to do the direct deposit fraud, so we had insight into what they were doing, and then we also had a preexisting really good relationship with the FBI because of other things. So we basically asked them, this is something we want to pursue, could you pursue it, and we worked out an arrangement. Basically what we did was we allowed the crime ring to continue using our VPN; we created a special VPN range for them that allowed them to do what they were trying to do, but we had full insight into what they were doing, with a full tap in front of their VPN. So basically we were monitoring them, making sure that every time they were successful with a school we were letting that school know so they could reverse the charges ahead of time. Basically making sure that they were doing what they were doing but they were just unsuccessful, and making sure that they weren't aware that we were monitoring them. And so this ended up with extradition. The FBI went over and grabbed them from overseas, worked out an extradition agreement; they were in Malaysia, and brought them back. They're currently in Fulton County Jail, I think, awaiting trial. So I mention this because it's one of the things that,
as a security industry, this is the kind of thing we need to be focusing on: making sure that it's less cost effective to do this. And so one of the noticeable impacts of this was, because we had good insight into their business organization (because they were a business; they had different departments with different responsibilities across the departments; there was a group dedicated to training the other people about how to phish, there was a group dedicated to, once you've got the direct deposit information, how to get the money back into their country; they were very much set up as an actual business), and because we had good insight into their communications, we were actually able to see that after we extradited the people that were responsible for the phishing and the direct deposit part of it, they actually switched tactics for a while because they lost their skills, so they started whaling instead, like wire transfer fraud. So we, you know, hurt them enough that they had to switch tactics for a little while. So the more you do that, the less appealing it is, and the more successful we are as an industry.

So how did that whole incident start? Phishing, obviously. I guess I just told you, but basically how that entire incident happened was phishing, so as a security organization we went through post-incident response to try to figure out what to do to make this better, to prevent this from happening in the future, and one of those things is taking care of the phishing problem, which we were actually already working on before this. But basically, you know, why brute force a password when you can just ask someone? It's really easy; phishing is really easy to exploit. So basically what we were doing up to that point was we were doing in-person training, which we found to be almost entirely ineffective.
We know that because we were doing phishing exercises as well; we would phish beforehand, phish after the in-person training, and see basically zero difference in response rates. So we think that phishing simulations are actually the best way to train people against the phishing problem. We've done enough repeated exercises with individual departments that two years ago we got approval from the president to actually phish the entire campus once a semester, so that's why you see our phishing simulations every semester. We start with about a twenty percent average response rate for a population that hasn't had phishing simulations performed on them, so I mean it's twenty percent of people, and then after repeated simulations we found that we can get it down to about five percent. OK, so we have about forty thousand active users on campus, and so if we can get it down to five percent that gets us to two thousand, so that's still a lot, right? So basically, you know, you can get it down to that much, and we still have to do something else, right? Because every phishing attack, even poorly written ones, will result in about one hundred or a couple hundred users putting in their credentials and giving their credentials away. Which is why we started down the road of two-factor auth, which again, if you work here, you know all about, because we force you all to get two-factor authentication.

Before we move on to that, fun fact: the quickest response time from sending out the phishing exercise to someone clicking and entering their username and password was eight hundred seconds. That was impressive. But also, like, in the first ten minutes of the exercise, about five hundred users had entered their credentials, so it's a big thing. So, two-factor authentication.
Two factors, in case you don't know: something you know, something you have, something you are. So we went with something you have, so that's the Duo two-factor auth app. You have your phone, you have the app, you can put in the token, or the push notification part of it. So this is sort of another layer, right? You can defeat it, I mean it's not a perfect solution. I mean someone, you know, a nation state, they would just, you know, set up a server that you would log into, and then push the user the notification, because they can log into the real login page and push back a second factor. The user thinks they're logging in, so they approve, and now you've got a cookie that has two-factor, so it's totally defeated, all right? But that doesn't mean it's completely useless, because again we're raising the economic cost.

A great question. No, we specifically don't believe in doing anything punitive over it, because we're never going to get that number lower than that, so the best we can do is monitor the people who are repeat offenders and maybe give them some extra targeted training. But we specifically don't ever tell anyone besides our team who those people are; we don't want there to be anything punitive, because it's a learning exercise, right, and we specifically don't want it to, you know, reflect poorly.
Sure, I mean definitely, but if you start punishing people for this, you know, you can start getting really bad publicity, really bad relationships with the community, and we're trying to make sure that we have a really good, trusting relationship with our users. So we feel like we can meet our goals by training people, by doing the simulations, without having to resort to anything punitive that, you know, would drive bad blood between us, especially since it's not a hundred percent effective. You know, it's just something we can do to get the numbers down to a manageable level so that, with other protections in place, you know, we're good. But we get that a lot; like, pretty much every time I do the exercise someone will ask, like, who fell for it in my department, wanting to know so they can do their individual training with them or something like that, and we always basically push back and say, you know, we won't do anything like that. If there's going to be targeted training, we'll handle it; we just don't want to do anything punitive.

So basically this was all to make sure that, on top of the phishing training, we also have this. This protects our systems; not that it's perfect, but it raises the economic costs to the point where we're not experiencing direct deposit fraud
anymore, even with some other US institutions that are experiencing it; we're not being targeted by this. You may have noticed that phishing has gone down a little bit too. We did have a rather large phishing attack last week, or it was two weeks ago, but that was the first one we've experienced in quite some time, so these measures actually do help. And I didn't include it, but we keep track of how many compromised accounts we have over time, and there was a significant drop; I should have included the chart. After we implemented two-factor auth for faculty and staff it dropped tremendously, and then once we did students it dropped to basically nothing. So now that pretty much everyone has two-factor, in January we had zero accounts that were processed as compromised; in February we had like four or five because of the phishing attack that we had, we found some compromised accounts through that, but overall, I mean, it's greatly affected that. And so now we just have to continue evolving what we're doing so that we stay that step ahead.

So, another problem. Completely off the topic: you guys have any questions about phishing or two-factor before we move on? Right. The health one? It looks like it to me too. They are.
Yeah, so when that happens we usually reach out to whoever sent it and then kind of give them some training for the other end, about how not to be phishy. So we have things available that will help them with that; like, we contract with Bitly to have the b.gatech.edu bit links, so if you ever go to Bitly and do link shortening, if it's a gatech.edu domain it'll actually shorten it to b.gatech.edu. If it's a non-gatech.edu domain, like that one was, the getfitness or health or whatever it was, we can create those so that it says b.gatech.edu and then, like, /getfit. And so those are the kinds of things that we communicate to the people or the departments that send out those types of emails that look phishy. We get them really quickly because we've trained everyone so well to send them in to phishing@gatech.edu, and then we have the students respond to them, whether they're phishing or they aren't phishing, so we figure it out really quickly, and we always try to post it to the Phishbowl. If you haven't seen the Phishbowl, it's phishbowl.gatech.edu; it's a place where we post all of these. So if there's a phishing attack and it is phishing, we'll post it with a red banner saying this is phishing, don't click on it, let us know. If it's something safe but looks phishy, like that one, we would post it there and say this is actually safe, and if there is a way to tell that it was safe we'll put that too. Same with, you know, if it is phishing we'll say how you could have figured out it was phishing. Basically what it comes down to is training the communications people to let them know that not only are we trying to make sure our users are staying safe, but we need to, as an institute, make sure that we're communicating in ways that aren't phishy. But yes, it's a great observation.

So, for us, I don't think we whitelist any of these
pieces, as far as I know. We don't; they get through because, there's a slide later on that shows that one of the things we're working on this year is our email security, so right now our email filters don't work very well. So, I'm pretty sure, I mean at least last time I talked to the mail team, which was like last week, their stance was not to whitelist mass mailers, because most of them don't get flagged for spam anyway. So if that's wrong I'll address that with them, but you know, we're not whitelisting these types of things, especially not the one this week; that wasn't whitelisted, it just made it through. So I mean you're right, though; I mean that is not retroactive, it's proactive in the future to make sure that next time they know not to do that. Does that help at all? OK. Yeah, it's something we need to address if that's happening, especially since... They did? They don't think so. But if so, let me know.

Yeah, so that goes back to the, you know, usability versus security argument. So I mean, when we went through the whole exercise of deciding we need to do it, we weighed these kinds of things. It's going to put a little bit of strain on our users to make sure that, you know, we're stepping up our game security-wise across the organization, but we need to make sure that it happens in a way that is still usable. So there's a bunch of things we put into place to help with that, so
Duo does generate a cookie that lasts for seven days, so you should only really have to do it once every seven days per machine. Also if you close your browser that changes too, so that should help: you know, once per week instead of, you know, every time you log in. There are also multiple ways of getting help. The Duo app is specifically a good one; the main reasons we chose it were because it has push notification, but not only does it have that, you can call, so you can call your phone if you don't have an internet connection but still have phone service, and if you don't have either phone service or, you know, an internet connection, you can still generate the codes on the device. It also lets you, you know, print out backup codes, so there's a whole bunch of ways to make sure that you're never stuck out of the system, because one of the things that we definitely didn't want to do was implement a system that would basically mean that legitimate users can't get into their accounts. So I mean if you're having issues like that, there's a whole bunch of ways around it, and if anything like that doesn't work either, we've also implemented this web of trust idea where you can name people that you trust that can help let you back into your account. So, like, if you lose your phone and you just have no way to get in, you've lost your codes, something like that happens, you can name someone you trust. Or actually, I mean, students can get help from any employee, so any employee can help a student, and employees can help other employees, so there's always someone, even if, like, the technology support center is closed, that can help you get back into your account. They just have to verify your BuzzCard or something like that, and they can generate a bypass code for you that lets you log in for, I think, twenty-four hours with that code itself, and that gives you enough time, twenty-four hours, to get everything straightened out, and if not, you can always get a new one. So that,
you know, for a while there was a post on Reddit about it every week or so, and we just try to make sure that all these different ways that we've made available are known; to make sure that doesn't happen, we try to communicate better. Anything else on that topic before... OK.

So the next problem that we face. I decided to choose this one because it's something that, as researchers, you guys are uniquely in a position to fix or help with. And so we have a lot of systems and a lot of them produce alerts, right? So we've got millions of alerts per day, and the problem for us is not getting new systems for new alerts, which is, like, what most vendors are trying to do for us: "we've got this great system that has these alerts that are totally actionable and all you need is our device". A lot of times, you know, that's basically just piling more alerts on to the pile, right? So now instead of a million we have a million and one thousand alerts. You also probably know what false positives are. A lot of them are false positives just because of the base rate fallacy, where the majority of the traffic that we experience on campus is benign, so a small portion is malicious, but then you have, you know, percentages of accuracy for all these different signatures and rules. And so if the majority of your traffic is benign, then like a one percent false positive rate over your majority of traffic is going to end up being a lot more false positive alerts than the, you know, tiny percentage, or even one hundred percent, of the malicious traffic, even if the signature is perfect and always fires on malicious traffic; you're going to have more false positives than true positives. So developing systems that can help with that problem is, you know, specifically something, if you're looking to start a product.
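The alert arithmetic above, worked through as an added example (not material from the talk): a signature with a one percent false positive rate over mostly benign traffic, the precision gain from requiring two independent signals before escalating, and that correlation applied to a few constructed alert lines. The event counts, prevalence and error rates are constructed, not the campus's real figures.

```python
"""Base-rate fallacy in IDS alert volumes, and why tying alerts together
raises the share you can act on. Added example with constructed numbers;
they are not the campus's real traffic or signature figures."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    """One signature or rule, characterised by its two error rates."""
    name: str
    sensitivity: float  # P(alert | event is malicious)
    fpr: float          # P(alert | event is benign)


def alert_breakdown(events: int, prevalence: float, det: Detector) -> dict:
    """Expected true/false positives when `det` runs over `events` events,
    of which a fraction `prevalence` are actually malicious."""
    malicious = events * prevalence
    benign = events - malicious
    tp = malicious * det.sensitivity
    fp = benign * det.fpr
    precision = tp / (tp + fp) if (tp + fp) else 0.0
    return {"tp": tp, "fp": fp, "precision": precision}


def require_both(a: Detector, b: Detector) -> Detector:
    """A higher-level alert that fires only when both a and b fire.
    Assumes the two detectors err independently (a simplification)."""
    return Detector(f"{a.name}+{b.name}",
                    a.sensitivity * b.sensitivity, a.fpr * b.fpr)


# Constructed alert log: timestamp, source host, signature name.
SAMPLE_ALERTS = """\
2016-03-01T10:00:01 10.0.0.5 ET_MALWARE_CALLBACK
2016-03-01T10:00:07 10.0.0.9 ET_SCAN_NMAP
2016-03-01T10:03:12 10.0.0.5 AV_DETECTION
2016-03-01T10:04:40 10.0.0.7 ET_SCAN_NMAP
2016-03-01T10:05:02 10.0.0.9 ET_SCAN_NMAP
"""


def escalate(raw_alerts: str, min_distinct: int = 2) -> list[str]:
    """Return hosts on which at least `min_distinct` *different* signatures
    fired. Repeats of one noisy signature (10.0.0.9 above) do not count."""
    sigs_by_host: dict[str, set[str]] = defaultdict(set)
    for line in raw_alerts.splitlines():
        _ts, host, sig = line.split()
        sigs_by_host[host].add(sig)
    return sorted(h for h, s in sigs_by_host.items() if len(s) >= min_distinct)


if __name__ == "__main__":
    day = 1_000_000      # events per day (constructed)
    prevalence = 0.001   # 0.1% of them malicious (constructed)
    ids = Detector("ids-sig", sensitivity=1.0, fpr=0.01)  # "perfect", 1% FPR
    av = Detector("av", sensitivity=0.9, fpr=0.02)
    for d in (ids, av, require_both(ids, av)):
        r = alert_breakdown(day, prevalence, d)
        print(f"{d.name:12} tp={r['tp']:8.1f} fp={r['fp']:9.1f} "
              f"precision={r['precision']:.3f}")
    print("escalate:", escalate(SAMPLE_ALERTS))
```

With these numbers the single "perfect" signature yields about ten false positives per true positive, while the two-signal alert keeps 90% of the true positives and cuts false positives by a factor of fifty.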
Keep in mind the base rate fallacy and the fact that we're overloaded with alerts, that we can't do everything with all the alerts we're getting. So the goal for us is really to figure out ways to tie those alerts together, to create multiple levels of alerts, so that this is something you act on, not the individual types of things.

And then, finally, I was just going to talk about some of our new initiatives for the year. Like I mentioned, email security: you know, we're in a pretty bad state with email security, only because of business reasons, right? So we have email for life, which means that, you know, if you are associated with Georgia Tech in almost any way you get an email account and you keep that forever. SPF, DKIM and DMARC, which are, you know, the main email security protocols, kind of break that; you can't really do them if you're basically letting anyone send as a Georgia Tech email address. And we've never provided authenticated SMTP as a service either, so, you know, up until I think last year, Google was letting you basically say "send as this address" and then you could just spoof it, and that's how most people out there have email set up for Georgia Tech: you know, I've got it on Gmail and I type in, you know, I send as my gatech.edu address, and then you send as that. And then SPF, DKIM and DMARC, we can't implement them, because if we implemented them then you wouldn't be able to do that, and that's something we've provided to, you know, researchers, faculty, staff, students for over a decade, probably closer to two decades. So some of the things in order to get to that point: we are implementing SPF, DKIM and DMARC, which is something we definitely need to do.
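To show concretely why "send as" from a webmail account collides with SPF/DKIM/DMARC, and why routing the same mail through the institute's own authenticated SMTP fixes it, here is an added example with a deliberately simplified SPF/DMARC evaluator (only `ip4` and `all` mechanisms, relaxed alignment on the last two labels). It is not the talk's material or any vendor's code; the domains, IP ranges and DNS records are constructed placeholders, not Georgia Tech's real records.

```python
"""Simplified SPF + DMARC evaluation for three message paths from the talk:
webmail "send as", authenticated SMTP relay, and outright spoofing.
Added example; DNS records, domains and IPs below are constructed."""

import ipaddress

# Constructed TXT records. The real SPF/DMARC grammar is larger (include,
# mx, a, redirect, pct, sp ...); only what this example needs is modelled.
DNS_TXT = {
    "example.edu": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.edu": "v=DMARC1; p=reject",
    "webmail.example": "v=spf1 ip4:198.51.100.0/24 ~all",  # webmail provider
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip: str, mail_from_domain: str) -> str:
    """Evaluate the envelope (MAIL FROM) domain's SPF record for sender_ip."""
    record = DNS_TXT.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return SPF_RESULT[qualifier]
        if term == "all":
            return SPF_RESULT[qualifier]
    return "neutral"


def org_domain(domain: str) -> str:
    """Registrable domain, approximated as the last two labels (no PSL lookup)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_policy(from_domain: str) -> str:
    """Read p= from the _dmarc record; 'none' when absent."""
    for tag in DNS_TXT.get("_dmarc." + from_domain, "").split(";"):
        key, _, value = tag.strip().partition("=")
        if key == "p":
            return value
    return "none"


def dmarc_evaluate(msg: dict) -> dict:
    """msg keys: sender_ip, mail_from (envelope), header_from, and dkim_domain
    (the d= of a signature that already verified, or None). DMARC passes when
    either SPF or DKIM passes *and* aligns with the header From domain."""
    from_domain = msg["header_from"].split("@")[1]
    mail_from_domain = msg["mail_from"].split("@")[1]
    spf = spf_check(msg["sender_ip"], mail_from_domain)
    spf_aligned = spf == "pass" and org_domain(mail_from_domain) == org_domain(from_domain)
    dkim_aligned = (msg.get("dkim_domain") is not None
                    and org_domain(msg["dkim_domain"]) == org_domain(from_domain))
    passed = spf_aligned or dkim_aligned
    policy = dmarc_policy(from_domain)
    disposition = "deliver" if passed or policy == "none" else policy
    return {"spf": spf, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if passed else "fail", "disposition": disposition}


# Constructed scenarios.
SEND_AS_FROM_WEBMAIL = {   # "send as" set up in webmail, no SMTP relay
    "sender_ip": "198.51.100.10", "mail_from": "alice@webmail.example",
    "header_from": "alice@example.edu", "dkim_domain": "webmail.example"}
RELAYED_VIA_AUTH_SMTP = {  # same user, submitted through the institute's MTA
    "sender_ip": "203.0.113.25", "mail_from": "alice@example.edu",
    "header_from": "alice@example.edu", "dkim_domain": "example.edu"}
SPOOFED_FROM_ELSEWHERE = {  # third party forging the address outright
    "sender_ip": "192.0.2.77", "mail_from": "alice@example.edu",
    "header_from": "alice@example.edu", "dkim_domain": None}

if __name__ == "__main__":
    for name, m in [("send-as", SEND_AS_FROM_WEBMAIL),
                    ("auth-smtp", RELAYED_VIA_AUTH_SMTP),
                    ("spoof", SPOOFED_FROM_ELSEWHERE)]:
        print(f"{name:10}", dmarc_evaluate(m))
```

The webmail "send as" message passes the provider's SPF yet fails DMARC because neither SPF nor DKIM aligns with example.edu, so a p=reject policy would bounce legitimate faculty mail alongside the spoof; the relayed copy passes both, which is the path that lets the policy be turned on.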
We have to overcome a lot of political type problems, where we want email for life to continue being a thing, because it was implemented for a very important reason: to keep people associated with Georgia Tech. You publish a paper and you put your Georgia Tech email address on there, which is what, you know, the institute wants you to do, and then you leave and you can't receive email to that email address anymore; that's a huge problem for you. So we as an institute want to keep that email address so that in the future you can still respond to emails that come to you from it. It's also good for us as an industry, because that keeps you associated with Georgia Tech; your papers are still associated with Georgia Tech. It's a good thing all around. And so we have to come up with a way that can change that, so that we can still do that as the business purpose, but do it in a way that lets us implement all these email security protocols that, you know, will help a lot with phishing and spoofing. Because basically right now the way it's set up is anyone can send as Georgia Tech, emails as Georgia Tech, so that's a big problem, because in reality there's a certain number of places that should be able to send Georgia Tech email. And one of the things you have to do is let you send Georgia Tech email from Gmail, which is, you know, instead of having it spoofed, you basically can set up SMTP so that you're authenticating to our email servers, and then the message comes from us instead of from Gmail. Now it's not spoofed, and then we can implement all these security features. And the other thing we're doing is implementing new hygiene and advanced malware filters. The product we chose was FireEye's advanced email threat protection platform. It also integrates with all of our other
appliances that we have: the anti-malware for the network, which is really good at detecting malware either by exploding it or looking for callbacks, like the communications back to a command and control; we found it to be very good at that, and it integrates with that. It also integrates with the endpoint protection product. The endpoint detection and response product that we chose was FireEye HX, which you've probably heard a little bit about from your IT people about deploying that, and that's the new endpoint agent we've chosen. So we're in the process of implementing it right now; we've only got it running on a couple of test machines, but we've had good success so far, and so you should be seeing some communication about that from us within the next, like, month or two about rolling it out across campus.

So for endpoint security, I just kind of got into it a little bit there. There are really two or three categories of this type of software. There's endpoint protection, which is your traditional anti-malware, like we've been using; we used McAfee a long time ago, and then right now it's SEP, which is basically the built-in Windows one. We're not at a hundred percent discernment on which products we're going for as far as EP is concerned. Right now the two top contenders are FireEye, which is the HX endpoint tool that we chose for the second category, which also has that built in, but whether or not we turn it on is still based on testing that we have to do to make sure that it really meets our needs and doesn't cause any problems. And so the top contenders are FireEye and the built-in one for Windows and the built-in one for Macs.
And then the second category, endpoint detection and response, is really the post-compromise part of it. So let's say you have malware on your laptop, you know, and you've got sensitive data on there, and we have to do some investigation based on this to see, like, what was stolen, if anything was stolen, because of contracts or anything like that; that's the tool that lets us do that. It also does some advanced detection as well, so things that normal anti-malware products don't, like it'll monitor to see, like, if a PowerShell script has done something weird; it has ways of, you know, determining what weird is.

I mean, in general, anti-malware products aren't that great. So, I mean, the built-in Mac one is called XProtect. Again, it's signature based; it's actually a blacklist instead of, you know, a signature-based AV. It works fine, I mean, as far as... I'm not sure of the specifics, but yeah, it's a blacklist and they publish updates to it, you know, pretty frequently, but not as frequently as other vendors, but, you know, it's still not as big of a target as, you know, Windows, which is changing, but, you know, Windows is still the primary. I mean, in general they're not very good. The main reason we have them is really mostly for compliance reasons, and the reason we haven't chosen between SEP and the other built-in ones and FireEye is because, you know, it doesn't really matter to us a whole lot which one we go with. To us, it's really up to the IT people which one they're more comfortable with, because in our minds they're all basically bad, so let's just use the one that's, you know, bad but still, you know, usable, if that makes any sense.
And then finally, the last one is a vulnerability manager, which helps with that problem we talked about earlier, about not knowing what's out there. We've gone with Qualys for that, because we've had Qualys on campus forever. As far as vulnerability management and vulnerability assessment, we scan the whole campus, every IP, once a month to figure out what's vulnerable, categorize vulnerabilities, that kind of thing. They also have an endpoint agent that is way better than the actual network scanners, because it runs on the machine instead of doing black-box testing. It just pulls package information, and it's really lightweight, because all it's doing is saying what's installed and what versions, and then it sends that back to Qualys, and Qualys can determine what it's vulnerable to based on the installation and version numbers. So it's really cool. That's not something we're going to be requiring everywhere at all; it's mostly for servers or some of the more sensitive areas. And so I don't know if you know, but there's an IT governance body now that's starting up, and there's actually an endpoint security committee of that governance body that's making all these determinations and decisions. And so there's an email address that, if you have any feedback or things that you'd like to see tested, endpoint-feedback, I think; I'll pull it up afterwards to make sure. I think it's endpoint-feedback, I've got to check, but you can send concerns or recommendations there.

And the other thing that you may have heard about is the next-generation firewalls. Up until this fall we had Cisco ASAs; they're just stateful firewalls, so you can say this port, this IP address, that's what gets opened. They're next-gen, but really what that means is they're application firewalls, so they can inspect traffic at a much higher level than the Cisco ASAs could. So instead of saying we're going to open port 80 for the web, HTTP,
you can say we're running a web server on this machine, so open up the web server ports, and then no matter what port your web server is running on, it'll work. And not only that, but because it knows what that application is, it can also apply more specific vulnerability signatures to it. So if it sees that the firewall should be open for a web server, but then you're attacking the web server, it can stop that. So there are multiple levels there that will help. And so we're in the midst of deploying them. We actually have the appliances all deployed, so we've switched them out and they're inline right now, and what's left, phase two and phase three, is actually turning on a lot of those features so that we can get the full benefit out of them. And then finally, ERP security, which is PeopleSoft, Banner; we're going to try to overhaul a lot of what we've done with security as far as that's concerned. One bullet point I have on there is web application firewalls, which are separate from the Palo Alto firewalls I just talked about, but along the same lines; they're more geared towards web applications, and they can basically do more advanced detection and blocking for specific vulnerabilities pertinent to Banner and PeopleSoft. And that's all ahead, so, any questions?

So, specifically for ERP. So yes, because we're on the server side of it, what we can do is...
So right, so you go to Banner, and it's an encrypted session; PeopleSoft works the same way, it's an encrypted session, but it terminates with us, so we're decrypting it anyway in order to actually process it. So what you can do is, instead of decrypting it at the server level, we would decrypt it at the WAF, and then it would still have insight into the traffic. It's a lot harder to do that from the client to the server side. So if you're a client on campus and we're trying to put something inline to decrypt going outbound, that's not something we do right now, and it's not something we probably will do any time in the future. It opens a whole can of worms of decrypting people's traffic and trying to figure out what not to decrypt; I mean, it breaks SSL, it's a problem. Some can do it, but the only places I can see us doing it, really, at any point, are really sensitive labs that need it by contract, that kind of thing. Most of the decryption we would do is server side, so clients coming into our servers, and we would decrypt it there, because the traffic's decrypted on our side anyway. Yes, that's a great question, and if you saw that, let me know.
I mean, we have multiple ways of trying to train. We're always at FASET, so we always do our session at the freshman orientation, and we used to do the new employee orientation too, but they changed the format. It used to be that you give presentations, which, you know, people's eyes glazed over, but we were at least telling them what we wanted to tell them. The new format is basically that the way we as a department do training is we set up a booth and then people come to us, and what we were seeing was that we didn't really have a whole lot to offer, as far as a new employee coming to work here, and "I need to stop at the security booth" wasn't really a thing. So we would have just a few really good conversations with people that were very interested, but we weren't getting the bulk of people like we were when we were talking to a bunch of glazed-over eyes. So that's another strategy. We do a lot of communication and awareness type stuff, as far as like data protection month and then the security awareness month, I think it's October, and then of course the phishing training, that kind of stuff we always do. And we always target the phishing training to basically reinforce a specific topic, so last year most everything was basically built around "you can't trust the email address." So I was sending all the phishing emails from gatech.edu, trying to basically reinforce that you can't trust it just because it says gatech.edu, which is a very common misconception that we've heard by talking to people at FASET and the orientations: "well, it came from gatech.edu, it should be fine." And so we just try to target based on what we're trying to teach, if that makes any sense.
Not really. I mean, we're already a pretty global institute, so it didn't really change a whole lot. I mean, we definitely had difficulties; like, two-factor was a big one, especially since up to a certain point we were only enrolling people in person. That doesn't scale, so we had to re-evaluate, and we decided, let's let people enroll themselves, do self-enrollment. It's good enough for all the other tech companies like Google; you don't go to some Google office to get enrolled in two-factor, you just do it yourself. I don't know that it becomes one factor; it certainly weakens it, but again, it's multiple layers, right? And so there's also the fact that you're using your account. I mean, if your adversary is a nation state, and they enroll a user and they really care, because they've targeted that user because of their access, they're going to get in regardless. So I mean, if you just have them enrolling in Duo and then controlling the Duo token, it doesn't really help. But like I was talking about with the direct deposit fraud, they're not going to go to that trouble, so they're not going to maintain access for people, and so the user doesn't know that someone is maintaining their two-factor account for them; they approve the push notifications twenty-four seven. Basically, it's just who are you targeting as far as your adversary, and for us it is more of the money-type adversaries, so it makes it more expensive, so they're not going to deal with that. So it weakens it, but it's still beneficial.

So, it varies greatly depending on what data you're talking about. So like PII,
all of that is centralized, so it's on certain servers; they've got firewalls in front of them, they've got policies in place to protect them, as far as access policies, and there are a bunch of systems, and it varies greatly depending on where and what data you're talking about. On the endpoint side, the things I was talking about are kind of what we do on the endpoint side; there are also host firewalls, all kinds of things you can do. Yeah, so we mandate encryption for laptops, for which you can use the built-in encryption; we don't have a paid-for product for encryption. BitLocker for Windows, and for Macs it's FileVault. No, no, no.

Good question, yeah, I didn't really talk about what we're doing as far as IDS or IPS. So on the IDS side, which is the detection side, so not inline, we run Suricata, which has multiple paid-for rule sets that we've pruned down to kind of be what we think is important, and so we run that over the traffic at the border of campus. So any traffic entering or leaving Tech goes through that; well, it doesn't go through it, it's a tap, so it's out of band, it doesn't actually stop anything, it just alerts on it. Other things we do: the FireEye appliance, that's also out of band, it's an IDS as well, so that's running over the same traffic. As far as IPS, which is the stuff that actually can stop traffic, before the Palo Altos we had a Cisco product; they actually called it their legacy IPS because it was their old one. But that's what we used to block malicious traffic, and then with the Palo Altos they've got it built in, and so that's what we're using now as far as IPS is concerned. And one thing I guess I didn't mention is we're looking at putting those FireEye appliances inline this year so they can actually block things.
A lot of the other changes we're making, as far as network security is concerned: right now most of the visibility is at the border, and that kind of doesn't really fly anymore as far as how people are hacking us and everything, so we're pushing a lot of that closer down to what we call the departmental firewalls. So we're a very segmented network. We're very fortunate in that regard that we did that really early on. Basically every network on campus has a firewall, and that's mostly unheard of as far as higher ed is concerned. And so we're pushing down a lot more of the security, like the IPS functionality; we're pushing it down to those now that we have firewalls that can do it, which puts us in a really good place.

Right, so it seems so. So we don't really do much with the Science DMZ. The network team is really proud of what they've done, and they've done some really cool things. We don't have any IPSes on there, but basically how it works is traffic starts going through the firewall, and when it figures out what it is, and it matches a certain preset list of what can go through, it actually pushes the traffic out of band from the firewall. It's really neat what they've set up. Basically, what it does is we determine what the traffic is, and if it meets the criteria of "this should not be filtered, because it's high speed, it needs to not be filtered," then it talks with the router and basically switches the route so that it bypasses the firewall entirely. So really just the beginning, the build-up of the actual traffic, is what's monitored, and then it gets shunted off to a different traffic flow. It's really neat what the network team has built for that, but there's no IPS in place except for what runs on the Palo Alto. So if the traffic that comes in doesn't meet that criteria, it gets shunted off to be protected just like normal traffic.
That's a good question. It's really cool stuff that they've done in-house. Yeah. So it all comes back to one of two places on campus, but there are several ISPs. I mean, for the most part, it is all routed through our infrastructure, so I didn't mean that we don't have visibility into what it is. It's more that we don't have, and we're probably not even trying to get, control at the very end, where if you run your own lab and you have to get a PC or a server, it's that step, setting it up, without talking with us at all. That's kind of what I was talking about: because of how distributed and how open we are, it's hard for us to know exactly what these things are that just appear on the network. That's where I was going with that, more than anything. We still have visibility into our traffic, because we control the network, because we've built the network out; it's more a matter of knowing what it is and being able to tune our security policies to what those are. That's way more distributed, to where basically any IT person on campus can kind of manage their own set of rules, to a certain point.

Yeah, more or less. I mean, sure, you could probably get a contract Comcast link somewhere, but if you're plugging into the network ports on campus or the wireless, we look at it as one giant network. There are a couple of exceptions, like the data center network, which is physically separate from the rest, and the Science DMZ is kind of separate too, but from our standpoint it's all kind of one big thing as far as what we're dealing with.
No, there are multiple. So we have multiple internet service providers, and our routers will route traffic between different service providers depending on what makes sense, costs. We have to pay for some of them, others we don't pay for; we peer directly with some networks. I think we peer directly with Google and with Netflix and Akamai, so a lot of the companies that provide a lot of data services, we just have a direct link to them; we don't go through anyone else's network, we're basically directly connected.

It looks like that might be as well. So we're moving there, so our department will be there, so it affects us in that regard, as our office space is going to change. But one of the main changes for us there is that we're trying to build a central operations center. So instead of just the security operations center alone in our own room, separate from the operations center and separate from GTRI's security operations center, there is a current initiative to try to combine us all together so that we work as one unit. So that's one thing that might change; if that happens, then there'll be more communication and collaboration across security ops, GTRI security ops, and IT operations. Yeah, the data center, so that's actually probably improved there, mostly because we're a tenant of that data center instead of owning the data center, so we have to abide by their security policies, for one. But
since it's a managed data center, most of what actually gets done there will be done by a set few people. Like if you need a server rebooted, instead of having an OIT person walk down to the data center and do it, there'll be a set of people whose job is to do all that kind of stuff: rack the servers, do all the physical data center type tasks. Yes, exactly, we're not the only ones there; it's going to be a bunch of different companies, it's going to be open, it's just a regular data center really. I don't know offhand who's already signed up to be in there, but I know there are definitely a couple of companies that are looking for space.

Wireless, yes. So we do have it in certain areas, but we're not doing really any NAC, network access control, on the wired network right now. That's actually one of the things, and I didn't actually talk about it, but that's one of the things we're working on this year specifically; we need to do it for the contracts and the requirements to do that. But so what we're going to do is 802.1X, and then probably Cisco's product is what we're leaning towards, just because it integrates with all of our Cisco switches and everything. But yeah, so the idea is that we're going to do it in a way that doesn't necessitate a supplicant, which is the software you put on your laptop or whatever; there will be multiple ways of signing in. Right now the only place we're really doing it is in the residence halls, and it's sort of like, we built it ourselves: you log in with a name and password and then you can register your personal device in the residence hall. Right, well, thanks for coming, everyone.