Educause Security Discussion mailing list archives

Re: success stories


From: Bob Bayn <bob.bayn () USU EDU>
Date: Wed, 19 Nov 2008 13:28:24 -0700

Emilio is right.  We have a couple of real-time graphics that help to convey the message without a lot of tech-talk.  

We depict the traffic crossing our border with a 256x256 grid of dots for every possible IP address here.  When a 
packet passes the border, the corresponding dot for the sender/recipient on our end lights up.  So, we see how busy 
various parts of our network are.  We also see when we get scanned.  

In a 5 minute presentation to one or a group of VPs, you can usually see a scan.  Sometimes it's a sequential scan and 
is pretty obvious, and the rest of the time it's "snow" from a randomized scan that hits our darknet areas as well as 
the subnets that are assigned.  We include in the display the probes that are blocked by border firewall rules.  That 
shows how much we are pre-emptively blocking as well as how much is still getting through.  We've talked about having 
an outside machine that we could use to launch a scan (with a small TTL) during a presentation, but we've never needed 
to go to the trouble.  The hackers are always very accommodating.  This is a useful tool for talking with local 
reporters who can then help get the word out to our users about the importance of patches, updates, firewalls, virus 
protection, etc.

The second graphic is a dynamic visualization of a subset of our traffic, selected by port or IP range, showing the 
source and destination and bandwidth in use.  We can show unauthorized email servers (like hacked spammers), or unusual 
DNS queries, or remote desktop connections to unusual outsiders or to sensitive insiders, etc.   We mention that we are 
careful to not show this second display to reporters.  ;-)

With these tools we can visually demonstrate to administrators that we are always subject to probes and frequently 
have "misbehaving" systems.  A picture is worth a thousand words and, for us, a realtime dynamic visualization is worth 
a thousand pictures.

Bob Bayn     (435)797-2396     Security Team coordinator
"IT will NEVER ask for your password via email, honest!"
Office of Information Technology at Utah State University
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Emilio Valente 
[evalente () SDSC EDU]
Sent: Wednesday, November 19, 2008 12:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] success stories

In advance, evaluation and testing of new security tools and bringing very colorful graphs to senior management, before 
asking for anything. (altogether: Working behind the scenes and Metrics)

Emilio.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kathy 
Bergsma
Sent: Wednesday, November 19, 2008 11:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] success stories

I'm interested in hearing about your success stories engaging senior
management support for security initiatives.  What methods worked at your
institution?  I've suggested some methods below.  Let me know which ones have
worked for you and identify other ideas not listed.

Fear, uncertainty and doubt
Metaphors and analogies
Comparison with peer institutions
Financial benefits such as ROI (return on investment)
Leverage an incident
Metrics
Working behind the scenes
Ask forgiveness rather than permission
Little by little baby steps
Relationship building with key players?  Who are the key players?
Other ideas

--
Kathy Bergsma
UF Information Security Manager
352-392-2061
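
The 256x256 border grid described in Bob Bayn's message above can be sketched as follows. This is an added example, not code from the thread or from Utah State University: it maps each inside address of a /16 to a grid cell and labels a source as a sequential scan or as randomized "snow". The campus block, assigned subnets, thresholds and sample records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the thread): campus /16, assigned subnets, thresholds.
CAMPUS = ipaddress.ip_network("10.20.0.0/16")
ASSIGNED = [ipaddress.ip_network("10.20.1.0/24"), ipaddress.ip_network("10.20.2.0/24")]

def cell(ip):
    """Map an inside address to (row, col) on the grid: third and fourth octet."""
    addr = ipaddress.ip_address(ip)
    if addr not in CAMPUS:
        return None
    return divmod(int(addr) - int(CAMPUS.network_address), 256)

def is_darknet(ip):
    """Inside the campus block but not in any assigned subnet."""
    addr = ipaddress.ip_address(ip)
    return addr in CAMPUS and not any(addr in net for net in ASSIGNED)

def summarize(records, min_targets=8):
    """records: (outside_ip, inside_ip, blocked_at_border) in arrival order.
    Returns a summary for each outside source that lit min_targets or more cells."""
    hits = defaultdict(list)
    for outside, inside, blocked in records:
        c = cell(inside)
        if c is not None:
            hits[outside].append((c, is_darknet(inside), blocked))
    report = {}
    for src, seen in hits.items():
        cells = [c for c, _, _ in seen]
        if len(set(cells)) < min_targets:
            continue  # ordinary traffic to a few hosts, not a sweep
        offsets = [row * 256 + col for row, col in cells]
        steps = [b - a for a, b in zip(offsets, offsets[1:])]
        sequential = sum(1 for s in steps if s == 1) >= 0.8 * len(steps)
        report[src] = {
            "cells": len(set(cells)),
            "pattern": "sequential" if sequential else "snow",
            "darknet": sum(d for _, d, _ in seen),   # probes into unassigned space
            "blocked": sum(b for _, _, b in seen),   # stopped by border rules
        }
    return report

# Constructed sample records (documentation address ranges as outside sources).
SEQ = [("198.51.100.7", f"10.20.1.{i}", False) for i in range(10, 30)]
SNOW = [("203.0.113.9", f"10.20.{(i * 37) % 256}.{(i * 91) % 256}", i % 2 == 0)
        for i in range(20)]
NORMAL = [("192.0.2.5", "10.20.1.25", False)] * 5
REPORT = summarize(SEQ + SNOW + NORMAL)
```
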
