
Threat intelligence too often arrives as a steady stream of alerts that don't translate into clear, timely decisions. This episode explores how public-sector intel flows today through channels like CISA, MS-ISAC, and CIS—and why changes in funding and distribution can reshape what organizations actually receive and when. We also imagine an all-in state approach, where states take a bigger role in getting actionable cyber intel to local businesses and organizations. From a higher-ed security leadership lens, we connect student data privacy and regulatory realities to the broader public–private challenge—and highlight community-driven efforts like the Redwood Project that strengthen trust-based, peer-to-peer intelligence sharing.
This segment is sponsored by Arctic Wolf. Visit https://cisostoriespodcast.com/arcticwolf to learn more about them!
Visit https://cisostoriespodcast.com for all the latest episodes!
Show Notes: https://cisostoriespodcast.com/csp-222
SC Media is proud to present this month's CISO Stories program hosted by yours truly, Jessica Hoffman.
This is a show where CISOs share tales from the trenches and unpack leadership lessons learned along the way.
Listen to previous CISO Stories podcast episodes at CISOStoriesPodcast.com.
The Cyber Risk Collaborative is a unique membership community enabling cyber security leaders to work together
in a trusted environment. To learn more, please visit CISOStoriesPodcast.com forward slash CRC.
Greetings, greetings everyone. Welcome back to another month's episode of CISO Stories podcast.
You got myself, Jess Hoffman, as your host today and we got Ian, Ian Washburn with us today.
The deputy CISO for Notre Dame. That is like so impressive. I'm like, wow.
When your bio came through, I was like, yes, we got to talk to this gentleman.
I love that in education. I think I had one other, the Temple University CISO, as my girl was on, but you know, you being in the education higher learning space.
I can't wait to talk about your cyber security experience. How are you today, Ian?
I'm doing great, Jess. Thanks for having me on. I appreciate it.
Yeah, yeah. Well, let's talk about a better threat intel between public and private sectors.
I know education is, you can get grouped into the education state local and education as far as support from the federal and state government.
For the plus, you are, no, it's your job as a private or community college. It's not a state college.
So you got that aspect as well. You deal with both aspects being in compliant with federal and state and other regulatory requirements from an education perspective.
But then you're also private donors and stakeholders and being a public or private, probably funded and owned educational facility.
So let's talk about that. So what's your experience with how you get your information? How do you stay secure over there? What's your guy going on?
Yeah, well, absolutely Notre Dame is a great place to work. You know, we are highly involved in the higher ed community.
I've been with Notre Dame for going on four years now and before that I was with Indiana University.
So I spend a lot of time in the higher education space and specifically here in Indiana.
You know, Notre Dame, again, participating in groups like EDUCAUSE, the research and education network ISAC,
and also my participation in the Redwood group really, I think, you know, we rely on our neighbors to share our intelligence information,
what we are augmenting that's coming from federal sources. So I think it's really, it's a great community to be in.
Notre Dame does a great job at Cybersecurity.
That's awesome. You mentioned the Redwood project. I know I heard that before or Redwood group. I heard that before, but besides when we first talked, you know,
I wasn't really involved. I think it's an invite only so super secret, you know, but great mission.
So why don't you tell our listeners a little bit about it, which your role is there and what you get from,
especially from your position and education, but just anything that you think our listeners regardless of the industry that they're in could benefit from.
Absolutely. So the Redwood project, this this iteration of the Redwood project is kind of a play on the original Redwood project.
It was a group of scientists that got together around the the nuclear project during World War II.
This group is built on the the need for better communication between federal government private industry and education.
So the the group, I think, was stood up three years ago. I joined the last year in October to join them and helping to start understanding and approaching legislation to this new paradigm shift where the federal government is looking for state and local governments to take on more of the cyber security responsibility.
And so I didn't realize that the Redwood maybe that's where I heard him before from the new from back with the nuclear because it just just made me think as far as to landscape cyber security wasn't even thought back then, right?
That's right. That's right.
Yeah, well, that's as a as a public servant, I you know, working for the city, I worked for state and federal for that matter.
You know, there's kind of like I don't want to call it a buzzword, but it's you know, a saying a phrase now, whole-of-state approach.
So in PA we do the whole state approach where the state's looking to really centralize like the visibility across all the counties when it comes to continuous monitoring incident response, procuring software tools resources for
professional services, all that. But the whole, whole-of-state approach concept and the federal government to have adopted that.
So, you know, what is your take on, you know, this shift, especially with this administration for better or worse, whatever.
But we have seen that there's significant cuts in cyber security services that state local governments education, tribal have depended on for, you know, various reasons they depended on the skills, the tools, all of that.
The strategic planning as well. So what do you think? How is that really going to impact when we're talking about public and private sectors and the communication and threat intel between?
Yeah, absolutely.
One, I just want to say I think Indiana is much like your state and where we're taking a whole state approach. Indiana sees so him on chain and the Indiana Office of Technology.
I think has been working to kind of adapt and figure out what their new process looks like for data sharing.
The challenge I think becomes when we are talking about moving that source of high fidelity information from the federal government to the state government as we go from a kind of a hierarchical top down to a, you know, kind of a spoke or a shared intelligence community, which means there may be differences in the way, you know,
our two states are handling cyber security information and how do we make sure we're ingesting that and we're getting that out to our local businesses and, you know, folks that matter, right, our hospitals, our police departments. How do we do that?
I think there is a lot of support and even sounds like grant funding that's going to be available to help states get this set up for themselves. However, you know, we remain to see how that will play out based on how states are going to prioritize the funding and how they implement it.
Yeah, that's my arguably very, very important funding. There were quite a few grants out the department of homeland that state's benefited from.
I mean, today, this is not funded today.
That's right.
You're working for free or they're furloughed right now and those are clearly clinical services.
I think it's interesting once you just said as far as, you know, Indiana could be doing one thing or getting one or what they might have one way to address the cyber security threats within the city, you know, whether it's private or public industry within their state.
Pennsylvania could be another way. And I believe you could I'm sure you can agree that we have like an overload or abundance of alerts going on information.
There's there's just so much information to sift from wherever you get it.
What are some of your thoughts or as far as how we can, you know, say let's say, you know, the federal government is, you know, kind of stepping back and it goes to the states.
Would it be more like the state coalition kind of thing or what would you, what would you suggest or look at to how we can continue for that collaboration.
So we're not reinventing the wheel.
Yeah, absolutely. That's a great question.
So the MS-ISAC, the Multi-State ISAC, was funded at a federal level and now that funding has ended.
So there's already a consortium of states that are starting to work together to figure out how they kind of recreate that that trusted source of information.
You know, I think that will be hopefully a service that most states will come back into and we will be able to recreate a lot of that trust between that sharing entity in multiple states.
I think the opportunity to share back up is back up into this entity is something that will be widely valued.
The MS-ISAC is much the same way, but I don't think that all states were really participating in a bidirectional way.
And I think that it's really important for us to let our neighbors know what we're seeing, what threats are landing on our doorstep to give them time to prepare to defend against those things.
I mentioned the MS-ISAC and yeah, that was defunded with the CIS from the guests around this time last year was one of the first cuts to go from the administration.
But I was just hanging out with CISA today. I told you that, love CISA.
I love my local CISA folks. We hang out in a modern time. We open line and get a great, great information from them.
I was very surprised for the services they provide, but there are like I had no idea how many ISACs were out there from the water ISAC to nonprofit ISACs.
Real estate ISACs. I mean, there's like so many ISACs available per industry.
Yeah, absolutely. I want to take a second here while we're talking about ISACs to mention the research and education network ISAC,
which is higher ed in the National Science Foundation amongst others, have come together. And this ISAC is actually sponsored by Indiana University here in Bloomington.
So not only are they still around and doing a great job at sharing amongst higher ed, but trying to figure out what their role is as the cybersecurity legislation changes, how are they going to become better suited to share with the community?
Right, whether that be K through 12 or small and local businesses. So as you mentioned, there are a lot of ISACs out there.
And I bet you they're all kind of trying to figure out how they retool and, you know, become a better resource in their sectors and in their communities.
So is that how you communicate with other higher educational institutions? Like do you have a coalition or working groups so you can talk to Temple or you can talk to University, North Carolina, whatever you do?
Okay.
You know, I can't speak to all the members that are in the research in the REN ISAC, but yes, we are not only does it include universities in the US, but also in the Five Eyes.
So Australia, New Zealand, the UK, and others also participate in the REN ISAC because we have a unique need, right?
There's a lot of research that goes on that can be the target of attackers because of the intellectual property that's involved.
So yeah, the REN ISAC is is neighborly. We can talk to our folks here in the US, but we're also sharing information with folks in Australia, New Zealand, for example.
That's awesome. That's awesome. I love education. So I'm like thinking there's so many different education styles or presentations or models of how we're disseminating education to our students and cohorts and professional services.
But I'll get together to just to ask the cyber security aspect. I would think there's probably a lot of similarities there.
What are some of the what some of the threats if you don't mind sharing? I'd love to hear where some of the threats that you've learned from some of the other participants in that ISAC.
We abide by the Traffic Light Protocol. So I really don't want to share out of turn what some other universities have experienced.
But what the things that we're seeing in the news, which I can speak to, is a direct targeting of donor data of universities.
We've seen some of the Ivy Leagues show up in the news recently because that information has been exposed.
And those things can, while they don't impact students on a daily, necessarily a direct correlation there, the donor data is responsible for a lot of funding that can fund specific programs or grants or scholarships for students.
And so those things are really important for us to protect. But what we're seeing in some cases are students are not necessarily the target of large attacks, but they're more social engineering.
More of a working on trying to either take advantage of someone's position in an athletics program or their involvement in a research lab.
And so not only do we need to protect our students and teach them how to be good digital citizens in order to protect themselves, but not only is it research that needs protected with defense contracts and very important life-saving medicines that are going to save people's lives.
But then we're seeing things which you might not think are a high value target, but donor data for universities tends to open up people in those populations for targeted attacks.
And so we have a responsibility to protect those type of things as well.
So those are just some of the things that are going on in higher ed, but we're still susceptible to all the same attacks that we're seeing in private sector as well.
I was just testing you to breadlight traffic light stuff.
Yeah, I love that she said that because yeah, the vendor donor information, if I know so and so donated a million dollars, well, that might mean that they have another million dollars like a stealer.
I've been seeing I've seen quite a few instances educational institutions not necessarily higher learning, but some school districts that have been a victim of vendor fraud, which is so sad because gosh, these these schools need the money.
What about do you think, how can I create this? Okay, so let's say let's go back to the scenario that, you know, we're kind of all on our own.
Maybe we have our ISACs in our state and local government, but what do you think would be the biggest disadvantage to or do you even think there would be a disadvantage by not having like a CISA or not having.
The top down from our federal government as far as cyber threat cyber intel cyber coordination, etc.
Yeah, I think there is there is a real disadvantage to not having that federal level of cyber defense and threat intelligence.
I don't think states are necessarily equipped to deal with nation state actors, pressure from the brunt of entire countries, cyber espionage divisions like North Korea and Russia.
And so I think we really we do need that understanding and that intelligence from a federal level who have that context and understanding of the motivations of these groups.
And, you know, helping us understand where those attacks are also being carried out in other places in the United States and around the world.
If ransomware campaigns are amping up in specific areas, we've really in the past relied heavily on the federal government to let us know.
So that, you know, we can, you know, put additional controls around our protected research data or, you know, look at hardening our Active Directory environment or whatever it happens to be where that attack is taking place in our neighbors area is helping us to understand and protect.
And so I think it's difficult for states to kind of create that wealth of knowledge that the federal government has, you know, put together and collect it over the last 30 years.
Yeah, you just reminded me about the research. So I used to work for CMS, the Centers for Medicare Medicaid Services, and I know that there was some colleges, universities that would request data from CMS related to like healthcare, you know, diseases and, you know, vaccines and all those things to do to use that data for research.
So I imagine that that's another data set that you're responsible for as a devisa so that data come, you guys do research there. So would you think that I'm just thinking out loud here too, like for CMS, they have their own set of guidelines too.
So we, I feel like we would still get some support there or, you know, whether it's 171, CMMC, you know, some kind of framework or security and privacy control.
So we would need to be in compliance with in order to operate or have connections with the federal government agencies, but like as far as like the intel from the NSA and the FBI and the Secret Service and kind of like those agencies that are this even, you know, that and Homeland Security that are out like it constantly with a pulse.
I just, I don't think it's they're not, they're not going to give it to us at all, but I'm interested to see how they're going to because no shade, but I feel like sometimes they are kind of behind the ball too.
I don't rely just on federal government intel because they are, you know, for some things like I just mentioned, yeah, boots on the ground, some things have nothing to do with us, right, where we don't necessarily get hit directly or immediately.
But you know, boots on the ground, I love that she said that, you know, right now we deal with phishing every day, we're dealing with, you know, people banging on our, our external perimeter firewalls all the time trying to get in, you know, those type of things.
So I just don't feel like we're going to get some support, but maybe I am curious what that would look like.
You know, and the research data too, I just think that yeah, you have a lot of, you have a lot of sensitive data not just from a student perspective of faculty, PII probably PHI to and research data is that accurate.
We don't, we do our, we don't have a medical facilities and so we're not beholden to health record, you know, compliance.
But we, you know, every school is has compliance requirements around student data around other specific federal regulations.
And so we're all working on the protecting those things as is required, you know, by by NIST and others and we do have CMMC contracts and so we're working on making sure that we're prepared for those.
You know, the going back to talking about what the federal government shares and doesn't share and why it actually might impede sharing is because we don't know about active ongoing investigations.
So right, so they may have attacks that are going on and they may not tell the public or share with their through their intelligence channels because they're still working on figuring it out or building a case.
That would be different likely in a, you know, in a shared intelligence model where it's state to state because we might be more likely to make sure that information is in our neighbor neighbor's hands because perhaps we're not building a case, right.
So there can be some impedance there and I think that we've experienced that in higher education also.
But we do have good relationships with a lot of folks in federal law enforcement, CSAS, Secret Service, et cetera.
And we want to continue those good relationships, whether or not the federal government is funding a specific unit to provide threat intelligence.
We hope that we will still continue to receive, you know, messages of warning to help us understand what threats we might be at our doorstep.
Okay. Well, we're going to just get rid of Ohio there.
We can be neighbors.
Yeah. Well, I mean, you know, I would definitely consider everyone in the United States a neighbor and for that matter, north and south of the border as well, we should all be sharing intelligence to the point where we're protecting our people and their privacy.
That's what it boils down to in the end, right.
As we're all here to protect the people that we live next door to and to do that, we take care of everyone, not just not just the neighbors whose doors we can knock on.
So let me ask you this just as far as like information overload or, you know, fatigue so to speak as far as alerts.
I'm sure you're on a lot of the same distros. I am a read in the same articles and listen and podcast and all the things.
How do you as the deputy CISO prioritize those those materials to make sure that you're getting the most value when you need it.
Yeah. Well, I think, you know, one, you have to know your environment, because you can't protect what you don't know about.
And then you need to have a good system of prioritizing what's important to your organization, what's important to your leadership.
And so taking that risk based approach is I think really where it's important to distill those priority alerts to the top and say, here's something that we actually need to put effort into as a priority one.
Continue to document. Don't let those things that are secondary and tertiary fall off the list.
But recognize that one communicating with your leadership about what you're seeing working with them to understand what they want to take action on and working together on that because, you know, like you said, alert fatigue.
It's like drinking from the fire hose. You couldn't possibly come to your leadership with 100 different alerts and expect, you know, any, you know, informed decision to come out of that.
So I think it's a lot of distilling taking that risk based approach and then presenting to your organization, the things that you should be taking action on, you know, in the in the media.
So give us, drop us some, some false answers or vectors for this information mentioned for you specifically in your role, you mentioned the Redwood, you mentioned the research ISAC, what else is that has been a valuable to you for supporting your program and your strategy there.
Yeah, absolutely. It's a great question.
So we're also a member of the education consortium, which is another higher education group that has a specific cybersecurity and privacy wing that is comprised of many BTA schools and ACC schools, private institutions across the country.
They do a great job of intelligence sharing and helping the larger schools helping some of the smaller schools who maybe don't have the capacity or the funding for programs to share information that way.
Again, Notre Dame is very lucky where we are in the community and, you know, the contacts that we have, we feel we are doing a pretty good job on receiving those signals.
I think the important part to understand is that it's the distillation of those signals to the immediate threats or vulnerabilities that you have in your environment.
And so having people who have very similar environments to you to share that information with and understand is important right education is that's why we have these ISACs in these different sectors.
It's because they're all thinking about security as it pertains to their specific, you know, motivations or or mission.
So not only is it the REN ISAC, EDUCAUSE, but there are tons of other little groups that have been stood up, see core is another one, and we just tried to really create a good community of open intelligence sharing.
And then where non attribution is needed, we can use organizations like the REN ISAC in order to share intelligence without attribution should that be, you know, a requirement.
At plus our coordination with the federal law enforcement connections that we have in the Secret Service, Indiana ISAC is coming online and we hope to be a part of that organization as well.
So I think we have a pretty broad community of intelligence partners.
That's awesome. I love that.
This is cool. I want to come visit. I'm a come visit. I don't know when I'm coming to Indiana, but I'm gonna stop by and see you.
You absolutely should. We'd love to have you.
Yeah. Oh my gosh. I'd love to see a campus too. And that was amazing. I can only imagine all the great things that are going on from a cyber security professionals and all the all the next gen of cyber professionals that are being cultivated right now,
it's just super dope.
You're you're speaking my language. I love when we talk about talent pipeline and helping, you know, new folks enter into the cyber security field.
As part of that, I help organize the Bloomington B-Sides conference that we have every year, which is a community driven cyber security conference.
You may be aware of that, but your listeners may not be. And so B-Sides is an international community. And there are there are events in Rome and Las Vegas in Milan.
And, you know, we all have the same mission, which is to, you know, bring cyber security to the community, help locals understand how to protect themselves, local businesses, you know, how to protect their their important intellectual property and their services.
It's something that I love to do. And when we talk about how we bring more people into the cyber security field, I think there's.
There's a more than enough people who are willing to share their experience and help others find their way.
What's the date on your B-Sides?
Actually, we just we just decided that last week, so it'll be October 2nd and 3rd here in Bloomington, Indiana at the Monroe Convention Center.
You can find information at B-Sides Bloomington.org. So thanks for asking, Jess. Great plug. Thank you.
Of course. Well, I'm going to do a shameless one. I'm an organizer for B-Sides Harrisburg. And ours is May 29th and Harrisburg Central PA and all the things. But I love B-Sides too.
I support all the B-Sides. Really, I can go to B-Sides Philly is near and dear to me too. So that's awesome. You do that. Ian, I'm sure you bring on your students.
It's just such a great time. So anybody out in that area want to make a road trip. I don't know how far it is.
I'll check my October schedule, but make sure you check out Bloomington B-Sides Bloomingdale. Sorry. Bloomington or Dale?
Bloomington. Yeah. Bloomington. Okay. B-Sides Bloomington.org. That's right. Yeah. That's fantastic.
So lastly, this has been awesome. Ian, I like to always ask my guests this question. If you could give your younger 18-year-old self, little baby Ian, 18-year-old Ian, what advice would you give him?
Wow. That's, you know, I think that's a pretty common question, but I have to admit not one that I put a lot of thought into.
I think the thing that I would try to tell myself, which is the same that I try to tell others, is give yourself grace and understanding the same grace that you would give others, give yourself.
I think where we often put a lot of pressure on ourselves and maybe there's more negative self-talk than there is positive self-talk.
And I think I would have been a lot more comfortable in my skin if I had just told myself that I'm working just as hard as everyone else.
And, you know, have a little, a little grace and compassion for the hard work that you're doing.
Love that. Shout out to everybody. Just give yourself a little grace.
We all do what we can as long as we move forward and you seem to be doing all right, which are guitars and your piano back there.
You speak in our producer's language, you see the drummer.
And you're in that piece of self-renote, you know, I'm very, very cool.
I know that you're making a big difference out there and we appreciate you joining us on the show, dropping all of them gems, anybody in education should definitely investigate and join any of those organizations that you mentioned.
And I'm sure you're open for some new friends. They can reach out to you on LinkedIn.
Cool.
That's absolutely right. Yeah.
Build a bigger table. That's right, Jess.
Happy to answer any questions that folks might have about the topics we've talked about.
And yeah, always looking to, you know, widen that network. So absolutely.
Thank you for having me. I appreciate it.
Yeah, this was great.
And thanks to all the listeners out there. We appreciate your time. Can't wait to see you next month.
For whatever topic it is, it'll be amazing. I promise.
I look forward to it.
No, I'll be listening. I'll tune in. I will.
Okay, you can tune in.
All right. Thank you so much. Take care, everybody.
Thank you for tuning in for this week's episode of the CISO Stories podcast.
Please subscribe to the CISO Stories podcast and you'll receive a new story each Tuesday at 10 a.m. Eastern Standard Time.
We'll see you next week for a new episode. Thanks for joining.



