When personal computers were introduced roughly 30 years ago, everything was so much simpler. There was no Internet or email, and only a handful of threats to worry about. Protecting ourselves was easy: we only needed to install antivirus software and update it yearly. Phishing and ransomware were not among our concerns.
We have seen a tremendous shift in the prevalence of computing devices (phones, tablets, Internet of Things (IoT)…) in our lives. 30 years ago, who could have imagined that we would be able to use our phones to see who just rang the doorbell while we are away on vacation?
Why we need threat intelligence (TI)
As many aspects of daily life have moved online, criminals have adapted and followed us there. Cyber threats targeting our professional and personal lives are exponentially increasing. How can we defend ourselves effectively in this evolving threat landscape? Considering that knowledge is power, threat intelligence (TI) is an important way to improve our defenses.
What is threat intelligence?
Threat intelligence (TI) is information that organizations can use to protect themselves against cyber threats in a timely manner. The data TI provides enables us to analyze and mitigate threats.
These threats are described through “indicators”: pieces of evidence associated with malicious activity. An example of an indicator may be an IP address located in a foreign country.
How does threat intelligence (TI) work?
TI lets us turn data about potential cyber threats into concrete defenses against attacks on our network.
McGill’s Information Security (InfoSec) team in IT Services monitors cyber threats to the University’s data and systems, and continually receives TI data in various formats from multiple sources. This data is called a threat intelligence feed (TF); an ongoing stream of data related to potential or current threats to an organization’s security. It may contain information on suspicious domains, IP addresses associated with malicious activity, or known malware.
The challenge for McGill, and other institutions, is how to use this information effectively. To address this, the Threat Feed (TF) service was created and is now offered within the joint Canadian Shared Security Operations Centre (CanSSOC) initiative for higher education institutions throughout Canada. It allows CanSSOC members to access and share current TI data, including information about threats specifically targeting higher education institutions.
Through agreements with the Canadian government, commercial threat intelligence providers, the open-source community (a global network of individuals who work together to produce publicly accessible software) and the international higher education community, it accesses the most up-to-date TI information.
The service detects and tags imminent threats. The data is then analyzed and filtered to prevent malicious activity. This is done either automatically via algorithms or manually by analysts. The approved TI data is then used to create feeds that are used by protection devices such as firewalls.
Over 30 Canadian higher education institutions now participate in the TF service, and many of them, like McGill, now actively share TI data from cybersecurity incidents within their own environments. Through the malicious activity reports received at McGill and other Canadian universities, we now have unprecedented visibility into threats that specifically target higher education and research.
The benefits of creating a TI community through the TF service will only increase in the future with the wider development of the service. Presently, the TF service includes around 40 Canadian participants working together and exchanging TI data. In addition, we are establishing relationships with higher education and research communities in other countries including the US, UK and Australia whose research and academic sectors face a similar threat landscape.
How McGill benefits from the Threat Feed (TF) service
At McGill, the TF service has now been integrated with our Internet-facing firewalls. By being on the McGill network on campus or via McGill’s Virtual Private Network (VPN), you automatically benefit from that protection!
We plan to further improve the protection provided by the TF service at McGill through increased integration with our existing cybersecurity controls. These include our Internet filtering, protection of devices (aka endpoint protection), and the security of our cloud environment. We are also working on an automated feedback mechanism for sightings of TF indicators within the TF participants’ environments, allowing us to provide even more reliable indicators with the service.
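The pipeline described above (feeds arriving in several formats, filtering and tagging, a blocklist for the firewalls, and the planned sightings feedback loop) can be sketched in a small Python script. This is an added illustration, not CanSSOC or McGill code: the two feeds, the allowlist, the 30-day staleness window, the internal ranges and the "now" date of 2024-05-04 are all constructed assumptions.

```python
import csv, io, ipaddress, json
from datetime import datetime, timedelta, timezone
# Constructed sample feeds in two formats (documentation-range IPs, not real indicators).
CSV_FEED = """indicator,type,source,last_seen
198.51.100.23,ip,partner-university,2024-05-01
10.0.0.5,ip,partner-university,2024-05-02
evil-example.test,domain,commercial-vendor,2024-04-30
"""
JSON_FEED = json.dumps([
    {"indicator": "198.51.100.23", "type": "ip", "source": "open-source", "last_seen": "2024-05-03"},
    {"indicator": "mcgill.ca", "type": "domain", "source": "open-source", "last_seen": "2024-05-03"},
    {"indicator": "203.0.113.9", "type": "ip", "source": "open-source", "last_seen": "2023-01-01"},
])
ALLOWLIST = {"mcgill.ca"}        # hypothetical: an institution's own domains are never blocked
MAX_AGE = timedelta(days=30)     # hypothetical: indicators not seen for 30 days are stale
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_feeds(csv_text, json_text):
    """Normalize two source formats into one list of indicator records."""
    rows = list(csv.DictReader(io.StringIO(csv_text))) + json.loads(json_text)
    for r in rows:
        r["last_seen"] = datetime.strptime(r["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return rows

def filter_and_tag(rows, now=datetime(2024, 5, 4, tzinfo=timezone.utc)):
    """Drop unusable entries, merge duplicates across sources, tag confidence."""
    merged = {}
    for r in rows:
        ind = r["indicator"].lower()
        if r["type"] == "ip" and any(ipaddress.ip_address(ind) in n for n in INTERNAL):
            continue                     # internal ranges would block campus traffic
        if ind in ALLOWLIST or now - r["last_seen"] > MAX_AGE:
            continue                     # allowlisted or stale
        m = merged.setdefault(ind, {"type": r["type"], "sources": set()})
        m["sources"].add(r["source"])
    for m in merged.values():            # seen by more than one source -> high confidence
        m["confidence"] = "high" if len(m["sources"]) > 1 else "medium"
    return merged

def firewall_blocklist(merged, min_confidence="medium"):
    rank = {"medium": 1, "high": 2}      # the IP list a firewall would consume
    return sorted(i for i, m in merged.items()
                  if m["type"] == "ip" and rank[m["confidence"]] >= rank[min_confidence])

def record_sighting(merged, indicator, institution):
    """Feedback loop: a participant saw the indicator, which counts as corroboration."""
    m = merged[indicator.lower()]
    m["sources"].add(f"sighting:{institution}")
    m["confidence"] = "high" if len(m["sources"]) > 1 else "medium"
    return m["confidence"]
```

Running it on the sample data drops the internal, allowlisted and stale entries, rates the indicator reported by two sources as high confidence, and shows how a sighting from another participant raises a single-source indicator to the same level.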
Summary
When you use McGill’s network, security tools and IT-approved solutions that are offered at no extra cost for McGill equipment and activities, you benefit from the work performed behind the scenes to keep you and your data safe:
- Continuous monitoring and identification of global threats, especially those targeting higher education.
- Collaboration with other institutions to share knowledge and protect against these threats.
- Rapid prevention of cyber attacks due to the automated processing of threat intelligence data.
What you can do
While McGill’s threat intelligence service significantly protects McGill’s network, you can help by following cybersecurity best practices in all online activities:
- Enable two-factor authentication on your McGill account. 2FA will be required for all McGill accounts by the end of 2021.
- Learn to recognize and protect yourself against online fraud, such as phishing.
- Familiarize yourself with IT Policies: use McGill-approved cloud solutions and follow the Policy on the Responsible Use of McGill Information Technology Resources (RUP).
- Explore the tools and resources at mcgill.ca/cybersafe to help you stay safe online.
About the author
Martin Vezina is an IT Security Architect at McGill University with 17 years’ experience in information security. He leads the design and development of the CanSSOC Threat Feed service with McGill’s Information Security (InfoSec) team.