
Colleague Connection: The Defenders of Digital Data

The Information Security Office (ISO) serves as a central hub for safeguarding the University’s digital assets, establishing and maintaining policies and standards for the use of technology, and ensuring the confidentiality, integrity, and availability of Northwestern's systems. We asked Brandon Grill, senior director of technology planning and security, to share how his team works behind the scenes to provide crucial enterprise services and protect Northwestern from bad actors.

What teams make up the Information Security Office?

The Information Security Office consists of three teams: Security Operations and Engineering, Identity and Access Management, and the Contracts Office.

Nowell Arnold is our deputy chief information security officer (CISO) and leads our Security Operations and Engineering team. This team runs Multi-factor Authentication (Duo), our endpoint protection tools (CrowdStrike), and vulnerability management tools. They perform third-party risk assessments for our vendors and review firewall rules and email protection technologies in collaboration with other Northwestern IT colleagues.

In addition to running the prevention systems, anytime there is a threat indicator from any of the intelligence sources, this team conducts a meticulous investigation and determines the implications of the threat. This is no small task.

Photo: The ISO Command Center

Over 60,000 computers throughout the enterprise generate millions of emails, data packets, and network connections.

The team collects all this data and creates detection rules to look for threats and take action as needed. This comprehensive approach ensures the thoroughness of our data protection. In any given month, about 100 million malicious emails are blocked, 53 million threats are blocked by the border firewalls, and 1,000 endpoint threats are investigated.

The Identity and Access Management (IAM) team, led by Myndi Brown, associate director, plays a crucial role that goes beyond being “the NetID people.” This team maintains the primary identity system that generates our NetIDs and Wildcard data and the authentication and authorization systems (WebSSO). They also control and maintain the flow of NetIDs into other systems, including integration with NUFinancials, myHR, CAESAR, and distributed directory systems throughout schools and units at Northwestern. The IAM team ensures that one identity—NetID and NetID password—can be used in various systems and services across the enterprise.

The IAM team also builds and maintains community-facing applications, such as the Northwestern Online People Directory and all the other directory systems. Their work is integral to the smooth functioning of Northwestern’s operations. Our IAM program is a critical aspect of the University’s security posture, as identity compromise and credential theft are leading forms of attack in all industries, including higher education.

The Contracts Office is responsible for reviewing and handling negotiations for all technology agreements on behalf of the University. They coordinate with other areas of the institution, such as privacy compliance, insurance, and the Office of General Counsel, and then coordinate with third-party risk reviews. Finally, the contract is packaged and sent to the person authorized to sign on behalf of the University. For IT-related contracts, that is Sean Reynolds, Northwestern IT's vice president and chief information officer. Most people do not realize that every technology software and hardware-as-a-service comes with some sort of agreement. There is purchasing going on all the time by different units, and all those agreements and contracts must run through the Contracts Office. On average, the team reviews more than 100 contracts annually.

What are the biggest cybersecurity challenges facing higher education?

Our biggest threats are like those facing every other industry: identity compromises (primarily from responses to phishing attempts), sensitive data exfiltration, and ransomware.

The things that make higher education amazing also make it challenging to protect. Anyone who has worked in a corporate environment knows it is a very locked-down structure. In higher education, such unilateral restrictions can place an undue burden on education and research. We must balance appropriate protections and risk mitigation with keeping our environment as open as possible to enable teaching, learning, research, and academic collaboration.

Most higher education organizations, us included, used to operate as a castle protected by a moat. You are either on the outside of the castle or the inside. Once inside, you have access to all the rooms within the castle. Nevertheless, we are moving to an airport model—you can get to the parking garage and baggage claim without too many security checks. But if you want to get to the gates, you must go through the security check. If you are on an international flight, you may need to go through additional security checks, etc. Keeping as many areas as possible open while understanding where we need to adjust to meet enhanced security requirements and appropriately protect our community is a balance.

For example, we recently changed the University People Directory to require NetID authentication. Placing it behind WebSSO prevents bad actors from easily accessing email addresses and other data for impersonation attempts and as phishing targets. Similarly, we are enhancing Multi-factor Authentication on all our systems and services to further protect the University from unauthorized access to sensitive information.

What measures are in place to protect sensitive data from unauthorized access or breaches?

Northwestern is a member of several cybersecurity communities. We participate in OmniSOC, a research and education security operations center, REN-ISAC, a cybersecurity information sharing network for higher education and research institutions, and the FBI’s InfraGard program. Participation in these networks helps keep us apprised of emerging threats and trends impacting our community.

Northwestern IT also operates several defensive layers of technology to prevent security incidents.

  • We receive regular feeds from Palo Alto, our firewall vendor, providing us with a list of suspicious websites and IP addresses that have been analyzed and determined to be suspicious.
  • Our email defense system analyzes messages for malicious links or attachments and quarantines them if they are suspicious.
  • Our vulnerability management system lets us know our weaknesses in our environment and helps us develop mitigations.
  • Our endpoint detection and response tool goes beyond traditional anti-virus services to provide dynamic analysis of files and system activity to protect against fast-paced and evolving cyberattacks.

We also have our Northwestern community as a layer of protection – so-called “zero-day” attacks or vulnerabilities occur where our defensive systems may not fully protect us. When such an event is identified in the cybersecurity community, we look across our systems and reach out to the campus Technology Leaders to assess our exposure University-wide. We evaluate the severity level, build rules and detections, and investigate if there are indicators of compromise. We also work with our technology partners across campus to implement appropriate mitigations.

Still, even with all our safeguards, it’s important that we’re prepared to respond to an incident. In the event of a security incident on campus, we follow procedures outlined in the Incident Response Protocol, which are in accordance with applicable legal and regulatory requirements and University policy to address instances of unauthorized access to or disclosure of University Information.

What is your favorite place on campus?

My favorite place on campus is not that unique—the rocks on the southeast corner of the Lakefill. I enjoy sitting on the rocks, listening to the water, watching the planes go by, and hearing the campus sounds. You see the Chicago skyline, and to the east and south, you see the lake; behind you is the lagoon and the Global Hub and Tech. It is a great vantage point to see the growth of the campus and why we are here.

ISO By the Numbers

Below are some statistics from the ISO mentioned in this article.

Infographic: malicious emails blocked per month (millions); computers generating traffic; average contract reviews each year; endpoint threats investigated per month.