Page 1: Brought to you by Rice University Office of Information ... · 10/19/2017  · Barry Ribbeck {Security} - brr at Rice.edu Dylan Jacobs {Network} –dtj1 at Rice.edu Paul Engle {IAM}

Brought to you by Rice University Office of Information Technology

Barry Ribbeck, Dean Lane, Paul Engle, Dylan Jacob

Page 2:

A long time ago, in a university far far in the south……

Page 3:

Page 4:

Page 5:

Our Environment

Medium sized private school (~12K people total)

Research focused

Centralized IT but with a lot of free range options

• No centralized inventory control or IT purchase control

• No centralized authX requirements

• NetReg network moving to auth based network access

So opportunities for improvement are abundant

Page 6:

Our Security Challenge

Improve or maintain network security and increase clock speed (time to implement).

Make it more secure but don’t get in the way

So we started looking for ways to do that.

Page 7:

Where do you start?

Our institutional mission statement lists a focus on research, academia and community as our top priority, in that order.

Improving IT security clock speed for anything research related looks like a good place to start.

The solution would need to be measurable, since speed was a factor.

Page 8:

Our Approach

Of all the tools in our toolbox, which technologies provide the potential for the highest positive security impact?

Of all of those tools, which ones can be used to improve our clock speed in support of research?

Then how do we measure them?

Page 9:

Potential Tools vs Controls

Tool columns: 802.1X Wired (ISE) | Grouper (I2) | SIEM (Splunk) | VPN | TrustSec (Future)

CIS CSC #   Control Description                          Impact (one mark per tool)
1           HW Inventory                                 1 1
2           SW Inventory                                 1 1
4           Vulnerability Assessment and Remediation     1 1
5           Administrative Privileges                    1 1 1 1
6           Monitoring and Log Analysis                  1 1 1
9           Controlling Network Ports                    1 1 1 1
13          Data Protection                              1 1 1 1 1
14          Controlled Access                            1 1 1 1 1
15          Wireless Access                              1 1
19          Incident Response                            1 1

IMPACT TALLY per tool (802.1X, Grouper, SIEM, VPN, TrustSec): 9 5 8 4 5

Page 10:

IT Security Choke Points

Where are we slow or inefficient?

• Firewall rule changes for researchers accessing restricted data

• Discontiguous research network subnets

• Compliance management & reporting

• Inventory management

Page 11:

Est. Security Maturity Change

[Chart: Predicted Maturity Increase. Estimated security maturity change (scale 0 to 0.4) at each stage: Policies Completed, Controls 1-5 Implemented, All Controls Implemented, All Controls Automated, All Controls Reported.]

If implemented correctly, we estimated almost a full point improvement in security maturity.

Page 12:

Addressing Clock Speed

• Say no (doesn’t support our mission very well)

• Delegate / Distribute control

• Eliminate Steps and automate

• Remove / Reduce barriers

• Measure and evaluate consistently

Page 13:

Sanity Check

1. Identified the problem

2. Developed a plan and approach

3. Identified the tools

4. Predicted goals to measure against for success

5. Verified implementation should not decrease security

6. Applied acceleration methods

All that’s left is to implement and measure

Page 14:

Measuring Clock Speed

• We used our ticketing system to look at time to completion before and after implementation in specific areas.

• We also looked at before and after ticket counts where tickets no longer exist because the task is now self service.

• Some functions, such as group changes, went from days to no recorded effort.

• The longest times recorded now are for creating something unique. Once a new profile is created, it takes much less time to copy and leverage the existing template.

Clock speed for security has been measurably improved in the areas where we wanted to have a positive impact.

Page 15:

Review of Successes

• Access through firewall & ad hoc segregated network – VPN with 802.1X profile and distributed administration via Grouper

• Inventory management – 802.1X ISE reporting through SIEM for compliance management and reporting

• Correlating users to incidents, vulnerabilities and access requests before and after the changes shows signs of improvement

Page 16:

Where we failed or are failing

• Could be deploying more quickly.

• Did not comprehend and communicate the importance of the inventory benefits of 802.1X

• Could have been more timely and purposeful in explaining the benefits properly to administration.

• We did not set out from the start to use 802.1X wired for inventory purposes.

Page 17:

Deployment Examples

1. Wired systems – about 30% of campus

2. The 802.1X and Security (Identify, detect, protect,..)

3. Research (Provost Project)

4. Research (ad hoc Network)

Page 18:

Grouper Benefits

• Leveraging groups across services

• Moving the control point for groups from IT to the group owner/steward

• Automation of reporting to the group owner/steward

Page 19:

THE END

Barry Ribbeck {Security} - brr at Rice.edu

Dylan Jacobs {Network} – dtj1 at Rice.edu

Paul Engle {IAM} – pengle at Rice.edu

Dean Lane {IAM} – dlane at Rice.edu

Page 20:

Breeder Questions

• What do you do with devices that can’t do 802.1X? (MAB + Profiling)

• How do you segregate your research network?

• What problems do you incur with 802.1X supplicants?

• How difficult is it supporting 802.1X clients not bound to AD? (BYOD)

Page 21:

Network Port Access Control

• Our Network Registration needs to be replaced

• The current solution

    • Is end of life

    • Has a number of security holes

    • Does not really provide accurate data (our fault)

• The 802.1X solution provides both better security and accurate real time data, and appears to work well in our environment

Page 22:

What About Inventory Management?

Inventory is only good if you can keep it up to date.

Tracking changes manually does not scale and eats up too much staff time.

Using authenticated network access, we can dynamically identify anything and anyone on our wired network, which is really the thing we care about.

From person to IP to MAC to machine to services, it is all there.
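An added example (not from the Rice deck and not the ISE or Splunk schema) of the inventory idea on this slide and the MAB question on the Breeder Questions slide: successful 802.1X/MAB authentication events, in a constructed key=value format, are folded into a live person-to-MAC-to-IP-to-port inventory, from which stale devices, MAB-only devices and a user's devices can be pulled without manual tracking.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of RADIUS-style authentication events, in the form a NAC
# platform might forward to a SIEM. The field names are assumptions for this
# example, not the real ISE or Splunk schema.
SAMPLE_EVENTS = """\
2017-10-02T08:01:10 AuthMethod=dot1x User=jdoe MAC=00:11:22:33:44:01 IP=10.1.5.21 Switch=sw-lab1 Port=Gi1/0/7 Result=PASS
2017-10-02T08:05:42 AuthMethod=mab User=- MAC=00:11:22:33:44:02 IP=10.1.5.40 Switch=sw-lab1 Port=Gi1/0/9 Result=PASS Profile=Printer
2017-10-16T09:12:03 AuthMethod=dot1x User=jdoe MAC=00:11:22:33:44:01 IP=10.1.5.23 Switch=sw-lab2 Port=Gi1/0/2 Result=PASS
2017-10-18T14:30:00 AuthMethod=dot1x User=asmith MAC=00:11:22:33:44:03 IP=10.1.7.8 Switch=sw-res1 Port=Gi2/0/1 Result=PASS
2017-10-18T14:31:15 AuthMethod=mab User=- MAC=00:11:22:33:44:04 IP=- Switch=sw-res1 Port=Gi2/0/5 Result=FAIL
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split '<timestamp> key=value ...' into a dict; ts becomes a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def build_inventory(text):
    """Inventory = the most recent successful authentication per MAC, so it
    tracks person -> MAC -> IP -> switch/port without anyone updating it by hand."""
    inventory = {}
    for line in text.splitlines():
        ev = parse_event(line)
        if ev["Result"] == "PASS":
            inventory[ev["MAC"]] = ev   # later events overwrite earlier ones
    return inventory

def stale_devices(inventory, now_iso, days=7):
    """MACs that have not authenticated within `days`: candidates for removal."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=days)
    return sorted(mac for mac, ev in inventory.items() if ev["ts"] < cutoff)

def mab_only(inventory):
    """Devices admitted by MAC Authentication Bypass rather than 802.1X; their
    identity rests on profiling, so they deserve periodic review."""
    return sorted(mac for mac, ev in inventory.items() if ev["AuthMethod"] == "mab")

def devices_for_user(inventory, user):
    """Person -> devices, the correlation the deck wants for incident response."""
    return sorted(ev["MAC"] for ev in inventory.values() if ev["User"] == user)
```

Failed attempts are deliberately left out of the inventory; they belong in the SIEM as events to alert on, not as assets.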