When personal computers were introduced roughly 30 years ago, everything was so much simpler. There was no Internet or email, and only a handful of threats to worry about. Protecting ourselves was easy: We only needed to install antivirus software and update it yearly. Phishing and ransomware were not among our concerns.
We have seen a tremendous shift in the prevalence of computing devices (phones, tablets, …) in our lives. 30 years ago, who could have imagined that we would be able to use our phones to see who just rang the doorbell while we are away on vacation?
Why we need threat intelligence (TI)
As many aspects of daily life have moved online, criminals have adapted and followed us there. Cyber threats targeting our professional and personal lives are exponentially increasing. How can we defend ourselves effectively in this evolving threat landscape? Considering that knowledge is power, threat intelligence (TI) is an important way to improve our defenses.
What is threat intelligence?
Threat intelligence (TI) is information that organizations can use to protect themselves against cyber threats in a timely manner. The data TI provides enables us to analyze and mitigate threats.
These threats are identified as “indicators”, or evidence related to malicious activity. An example of an indicator may be an IP address located in a foreign country.
How does threat intelligence (TI) work?
Using TI enables us to use data from potential cyber threats to defend against attacks on our network.
McGill’s Information Security (InfoSec) team in IT Services monitors cyber threats to the University’s data and systems, and continually receives TI data in various formats from multiple sources. This data is called a threat intelligence feed (TF); an ongoing stream of data related to potential or current threats to an organization’s security. It may contain information on suspicious domains, IP addresses associated with malicious activity, or known malware.
The challenge for McGill, and other institutions, is how to use this information effectively. To address this, the Threat Feed (TF) service was created and is now offered within the joint initiative for higher education institutions throughout Canada. It allows CanSSOC members to access and share current TI data, including information about threats specifically targeting higher education institutions.
Through agreements with the Canadian government, commercial threat intelligence providers, the open-source community (a global network of individuals who work together to produce publicly accessible software) and the international higher education community, it accesses the most up-to-date TI information.
The service detects and tags imminent threats. The data is then analyzed and filtered to prevent malicious activity. This is done either automatically via algorithms or manually by analysts. The approved TI data is then used to create feeds that are used by protection devices such as firewalls.
Over 30 Canadian higher education institutions now participate in the TF service and many of them, like McGill, now actively share TI data from cybersecurity incidents within their own environments. Through the malicious activity reports received at McGill and other Canadian universities, we now have unprecedented visibility on threats that specifically target higher education and research.
The benefits of creating a TI community through the TF service will only increase in the future with the wider development of the service. Presently, the TF service includes around 40 Canadian participants working together and exchanging TI data. In addition, we are establishing relationships with higher education and research communities in other countries including the US, UK and Australia, whose research and academic sectors face a similar threat landscape.
How McGill benefits from the Threat Feed (TF) service
At McGill, the TF service has now been integrated with our Internet-facing firewalls. By being on the McGill network on campus or via McGill’s Virtual Private Network (VPN), you automatically benefit from that protection!
We plan to further improve the protection provided by the TF service at McGill through increased integration with our existing cybersecurity controls. These include our Internet filtering, protection of devices (aka endpoint protection), and the security of our cloud environment. We are also working on an automated feedback mechanism for sightings of TF indicators within the TF participants’ environments, allowing us to provide even more reliable indicators with the service.
When you use McGill’s network, security tools and IT-approved solutions that are offered at no extra cost for McGill equipment and activities, you benefit from the work performed behind the scenes to keep you and your data safe:
- Continuous monitoring and identification of global threats, especially those targeting higher education
- Collaboration with other institutions to share knowledge and protect against these threats.
- Rapid prevention of cyber attacks due to the automated processing of threat intelligence data
What you can do
While McGill’s threat intelligence service significantly protects McGill’s network, you can help by following cybersecurity best practices in all online activities:
- on your McGill account. 2FA will be required for all McGill accounts by the end of 2021.
- Learn to recognize and protect yourself against online fraud, such as .
- Familiarize yourself with IT Policies: Use McGill-approved cloud solutions and follow the Policy on the Responsible Use of McGill Information Technology Resources (RUP)
- Explore the tools and resources at to help you stay safe online.
About the author
Martin Vezina is an IT Security Architect at McGill University with 17 years’ experience in information security. He leads the design and development of the CanSSOC Threat Feed service with McGill’s Information Security (InfoSec) team.