I'm good the week of July 13th.  But it doesn't sound like Chuck is.  The rest of July is hit and miss for me.  

I could probably do either first or second week in August for an assessment.  I was playing with the idea of going to Defcon, but haven't decided.  I could put that off if everybody else wants to do an assessment that week.  I could also do the following week (10-14).

As for tools/priorities:

Duo is a given.

I agree with Chuck on the need for some type of detection of anomalous behavior, both for user accounts as well as for network hosts.

I also wondered about some kind of Privileged Access Management product.  Maybe the need is lessened with proper Duo implementation.  The idea here is that admins don't actually have their own admin accounts on servers.  If they need to access a server, they go to the Privileged Access Management server, check out a One Time Password for the server they need to access, use that for their session, and then check the OTP back into the management server when they're done.

EAP-TLS solution.

Log Management/SIEM  (This just goes to an overall lack of detection capabilities)

IPS/IDS  /  Fireeye

Mark



On Tue, Jun 30, 2015 at 1:06 PM, Chuck Kimber <chuck.kimber@usu.edu> wrote:
On Mon, Jun 29, 2015 at 9:46 PM, Andrew Goble wrote:
SUU report materials please
Mine just got uploaded. 

What does everybody's July look like?

Week of July 6th, or week of July 13th. Could also do the last week of July if it was late in the week.
I'm out of town and out of even cell reach from July 7 - July 19, but can make anything else work.
 
We are set to continue.  A longer time period is a go (conditional upon institutional approval).
Muahhh haaa haa haaaaaa....

CIOs would like to designate a few system-wide standards, most of which could probably be taken straight out of SANS (e.g. system-wide password standards.)  Send me any suggestions on what SANS controls should be considered system-wide mandatory standards.
As far as passwords go, the "Stanford Model" is what I've been pimping here at USU.  I think I'll get it soon.  We're waiting on one last Banner piece of the puzzle to work with SSO and we'll be set.
https://itservices.stanford.edu/service/accounts/passwords/quickguide

Given the results we've seen with passwords under 10 characters though, I'm inclined to rule out the lowest rung of Stanford's password guide, but I like the flexibility of their model and that it has a built in reward system for users who start to think in passphrases instead of passwords, in that the complexity requirements get easier, the longer your password gets.

CIOs also want a prioritized list of tools / software that could be used across the system and requested as part of a legislative initiative this coming session. 
We're all using Duo, pretty much.  Collective purchasing for this would be great to get organized.

I have seen a demo of Rapid7's UserInsight and was blown away.  It was easy to configure, you can trace users' login movement across the whole network, they notify you if they discover one of your institution's credentials out in the wild, you can create incidents for compromised users and increase the monitoring of those accounts, etc.  Being able to track users and detect anomalies is very high on my priority list, and of the software I've looked at for that, nothing has had as good a price-to-features ratio as that one did.

Regardless of whether it's that specific software or not, I think having user logging and alerting is a critical thing that has to start happening for all of us.  We can run our ELK stacks till the cows come home, but inventing algorithms that can detect anomalous behavior on a case-by-case basis just isn't practical for us to write on our own.  Purchasing software collectively would go a long way toward getting us all running something.

There are two schools (UVU & SLCC) and sorta three or four (Dixie & Utah) that are running IDS and IPS, but I would like to see something we could all get onboard with and collectively afford as well.  I don't have any specific wares to recommend to the CIO group, but I think it's critical we all find a sustainable and affordable way to do this across all the institutions.

My $.02

_______________________________________________
USHE-assess mailing list
USHE-assess@lists.dixie.edu
http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-assess