Duke ITAC - August 10, 2017 Minutes

Duke ITAC - August 10, 2017 Minutes

4:00 - 4:05 – Announcements

4:05- 4:25– Device Management mandate, and Planisphere , Richard Biever (10 minute presentation, 10 minute discussion)

What it is:   Due to risks posed by systems missing security updates, the university is implementing a policy to require all Duke-owned computers to be enrolled in campus security management systems by September 30, 2017; Richard will discuss what this means in practice.  A new tool helps us to better understand the many disparate devices on our network.  Planisphere is a locally developed tool that combines information from over 20 disparate sources about devices on the Duke network.  The tool provides reporting, drill down, and editing capability on devices by owner and support group.  Planisphere can be used to track IT assets and help identify, among many other things, which devices are enrolled in endpoint management tools.  Sean will describe Planisphere and its capabilities.

Why it’s relevant:  Duke’s policy is designed to significantly reduce the number of vulnerable machines on campus.  The severity and number of threats against our network is only increasing with time.  Tools like Planisphere (and STINGAR discussed later in the meeting) help us prevent and remediate attacks.

Notes: There is an effort across IT groups to ensure that Duke-owned laptops and desktops are in a managed state. A managed state, from a security standpoint, means using various tools to make sure the Duke-owned machines are getting software updates and are fully protected. It has been found that machines that are in a managed, updated state are very rarely involved in security incidents. By running analysis on security incidents year-over-year, the team found that missing software updates and bad passwords are the primary reasons a machine is left in a vulnerable state. As a follow-up to last summer’s message regarding end-point management, email communication has gone out to the Duke community outlining the direction and goals of this effort.

One of the things the IT teams have worked on this year was to come up with a way for departments to be able to look at the totality of the machines in their environment and to be able to manage those machines from an inventory perspective. Planisphere is the result of that work. Currently available to IT groups, Planisphere has the capability of being opened up to anybody. The intent is to get to the point where an individual could log in and see a list of their machines, and also see the state of their machines. The goal of Planisphere is to show the inventory of machines and if they are in a state where they are being properly managed. The application displays all the devices associated with the employees in an office, including VMs, etc. It shows information on the machines, a status for each machine, as well as it’s activity on the network. That last piece – a machine’s activity on the network – is particularly useful from a troubleshooting perspective. If a user calls in and is having difficulty connecting, knowing their activity on the network allows a support team to see the last time the user was successfully connected. Information is gathered from the machine itself, as well as its data source. Planisphere has become the tool that is used collectively for abstracting the image of where devices are on the network.

IT teams are using Group Manager support groups in conjunction with Planisphere. There are support groups for the different areas around campus. Support groups allow for fine-grained access control because one can add and remove people to/from the group as needed. It is important to note, the IT teams leading this effort are primarily interested in Duke-owned desktops and laptops, and not student machines, phones, or tablet, printers, IoTs, or personally-owned devices. Even with those exceptions, the system has reported about 60K devices in the past 30 days. The departments in OIT are using Planisphere to take a look at the environment, make sure we’re accounting for the machines, and make sure the machines are managed from a security perspective.

Questions:

Q: Does it show only devices on the Duke wireless networks?

A: Yes, that is correct. It will not show anything outside of Duke.

Q: Does this require software on the machines?

A: Yes. Some of the detection is passive. With the software we’re using, there is this concept of fully managed vs. self-managed. Departments have been tasked with making sure there is a process to allow individuals to continue to manage their machines. What we want to avoid, for example, is the situation where someone is about to give a presentation and their machine reboots. We want to allow the user continued control over software updates.

Q: Law has been testing Planisphere. Any feedback?

A: We have liked it. As a tool, it is totally non-invasive.

Q: How well will this scale when you start adding in IoT?

A: This is not a real-time feed, so it will not slow things down.

Q: I have my own machine. Would the best course of action be to ask my IT people to manage it?

A: In Trinity, we offer that to faulty – to install the management tools on their machines so they don’t have to think of it. The faculty get the benefits of what we have to offer - pre-testing of a patch, for example - and their machine shows up as a managed device.

Comments:

Planisphere is an aggregation tool that will grab data from various places, and glean from various sources.

I do want to point out that some faculty use their own machines and not managed machines because the faculty handbook specifies that our intellectual output is our own. That being the case, I would caution you not to make things too difficult for faculty.

Response: That is one of the reasons we provide security guidelines - in order to provide security recommendations to anyone who is managing a machine, whether it is your own, your family member’s, etc. With this particular case, we talked about reporting vs. manage and the difference between the two..

Response: The software used for reporting does not allow access to remote into the device.

Response: I would urge you to consider the risk. It is hard for individual computer users to stay up to date with management of their devices.

One of the other value adds is that Duke IT groups conduct testing prior to releasing patches. So, it’s not good enough that a company is sending out updates or patches because, in some instances, those updates may actually break your machine. Thus, there is extra help from the IT community and protection for the end user, who, in turn, is therefore not putting the rest of the university at risk.

There are faculty members that would be highly concerned.

Response: The people that have been entrusted to manage the machines and manage this process are very concerned about privacy and think about it daily. Further, the data to which the folks have access is limited. And, what they may see, they may not release it without approval from governing bodies within the university.

4:25- 4:45 – STINGAR, Jesse Bowling, Richard Biever (10 minute presentation, 10 minute discussion) Alex Merck

 What it is:  Jesse and Richard will discuss how Duke is continuing to improve and automate detection of and response to network attacks by making use of a novel mix of commercial and open source technologies, and locally developed glue.  The STINGAR approach has dramatically increased the number of threats we are blocking at the border of the campus network.

Why it’s relevant:  STINGAR is another component of Duke’s response to the hostile network environment we face in 2017.  Parts of this approach have been developed through grant-funded research in partnership with Duke faculty.

Notes: With STINGAR, Duke is developing its own internal threat intelligence and turning around to share that intelligence with other higher ed communities. The idea behind STINGAR is that if we can collect and analyze data about what’s hitting the network, we can use that data to take concrete action. STINGAR works in conjunction with intrusion prevention software. In addition to that, STINGAR also employs tools for log analytics and network flow information, along with a key part of this being automation.

One of the things that has proven powerful and effective, is generating our own intelligence and not relying entirely on other’s rules regarding what to block. By collecting information through open source and partner feeds, and incorporating that into our intelligence, fidelity got better and false positives went down. The other piece of the puzzle is community sharing and working with other school. The power in this is for us to be able to provide information about what we’re blocking and get information back.

Questions:

Q: Does it peek inside the payloads?

A: Not in the way we’re building it.

Q: What’s the relationship, if any, between this and Proofpoint?

A: There is a relationship in that if there’s a phishing attacks that come in through Proofpoint, we can
take that data and feed it back into the intrusion prevention system.
A: Proofpoint can be a source through which we collect data so we know what to block.

4:45- 5:05 – Dr. Robert Califf’s New Role, Robert Califf, M.D. (10 minute presentation, 10 minute discussion)

What it is:   ITAC heard from Dr. Califf back in 2015 in his prior role as Vice Chancellor of clinical and translational research.  After his stint at the FDA, he has rejoined Duke as the new vice chancellor for Health Data Science at Duke Health and director of a newly created cross-campus center focused on integrated health data science.   We will hear about this new center.

Why it’s relevant:   The cross campus center he leads will seek to advance and create inter-campus collaborations focused on science-driven research and innovation, while also amplifying Duke’s role in building a nationally regarded network for generating evidence to guide clinical treatment.  

Notes: After a phenomenal experience in the government, Dr. Califf was pleased to rekindle many conversations at Duke and learn about the plans for a university-wide center to focus on health data science. Half of his time is with a company that in, simplified terms, is a vehicle for developing health applications from the Google environment. The other half of his time is with Health Data Science at Duke Health. The associate directors of center include an informatician/surgeon and a statistician. The center hopes to appoint two clinicians to associate director positions as well. The goal of the center is to make the use of data and analytics a routine part of the health system, and not something that is done as a one-off activity.

Universities can lead the way in dealing with the erosion of trust and expertise in the current social and political climate. In the area of healthcare specifically, we understand the need to adapt to enormous changes in computational and analytic capabilities. At the core is a need to do practical things in order to develop a better base of evidence. There has been tremendous enthusiasm across the campus about the mission. The Health Data Science center is catalyzing the efforts of people who go beyond the usual scientific inquiry. They are working to implement health system activity based on a higher level of evidence.

The north star of this center is a refusal to be yet another structure with a moat around it. The goal is to build bridges with a very lean group of people who work across systems to optimize the goals of the center. The team of people fit together like a puzzle, taking advantage of their collective resources. The center is making a point of not leaving anyone out by building teams that are inclusive and not segmented. They are amplifiers in that they are able to leverage resources that people need in a variety of ways.

Questions:

Q: Does the team include some statisticians?

A: Yes, one of the leaders is a statistician. The goal is to engage all of the statistics and quantitative people in the effort. One advantage we have is that the team has a close working relationship. We can lead the way on how teams work together and solve problems with different tools.

Q: Is this group located in the same physical space? Is there a front door?

A: Yes, this group will be located on the 4th floor of Davison.  

5:05- 5:30 – PACE, Billy Willis (15 minute presentation, 10 minute discussion) 

What it is:  PACE (Protected Analytics Computing Environment) allows for the creation of virtual data science environments leveraging a host of data, including protected health data, and various analytics tools and capabilities to support research and education.

Why it’s relevant:   Basic and clinical research are the engines that drive advances and innovation in medical care, health promotion and policy, and improved outcomes. Protected Health Information (PHI) is at the core of the data being used to support research.  The project is an example of a collaborative effort between the Office of Information Technology (OIT) and Duke Health Technology Solutions (DHTS) providing campus researchers with access to data and storage while keeping PHI within the bounds of the DHTS network.  

Notes: There is a lot of opportunity to bring different people to bear on analysis and understanding from health data. Health data, however, comes with custodial requirements, and those requirements come with teeth. We want to protect people’s health data. We want to bring in folks with great analytics and bring together a level of expertise, while fulfilling our obligation to protect health data. When one looks at the way we keep the data, we have systems that are very carefully managed, logged, audited, and secured. For research purposes, it is clear that we needed to create a place where people can do creative work on identified data and not have to worry about security.

PACE is intended to be a secure place for people to work on PHI and other protected information and resources, and a place to give people privileges and controls over resources they could not access outside of that environment. This particular implementation is around PHI. PACE can be thought of as a closed-off network, a protected area of the network. It can be described as a marketplace. To get into the marketplace, a user needs training (regarding the responsibilities around PHI, etc.) and a reason (user is on an IRB, or on a quality improvement project, etc.) There is a way to bring data into the environment. To take data out, a user can do so via a set of honest broker mechanisms. If one wants to export data, s/he will have to convince someone it’s appropriate under his/her IRB or project. There are storage environments that can only be seen from inside the marketplace. One of the exciting aspects of PACE is the collaboration among teams in the Health System and the University to bring computational resources into the protected environment. There’s an application that allows clinicians and other people doing clinical research to compare data, create cohorts, and extract data. The risk is too high to allow people to download the extracts onto their laptops. Instead, because of computational capabilities, that resource is moved to the protected environment. Further, we have the ability to add services to the environment as people need it.

At present, there are 200-300 users. Half are people who are starting up projects, and half are people who are providing support. There are challenges, but it’s working and is successful. More than anything, PACE represents a great collaborative effort between the University and the Health System to together build an environment where people can work in a safe place on protected data.

Questions:

Q: You said that right now, you have to wait for a human to look before you can download data? What is the scope of that? If I’m running, for example, a regression. Can I get the slope?

A: Yes. When we first started doing this, no cut and paste was allowed. It’s predictable, but you realize that it is crippling when you’re trying to work. In an environment like this, being compliant is a big deal. There are a couple of important aspects of an environment like this: 1. Can the environment protect people from mistakes? Yes, it can protect people from mistakes. 2. Does it prevent people from doing the wrong thing? No, because that would be crippling.

Q: Is it reasonably easy to move things in and out of the protected environment?

A: If it is a physical thing, it is accomplishable. There is a decommissioning process you would have to go through to get out. Most of what you see, however, will be virtual capabilities.

Comments:

I want to underscore that this is partnership between OIT and DHTS. The kinship has blossomed into something we’ve all benefits from.

Automating the provisioning makes it easier to reprovision whether inside or outside. Further, the containerizing of the analytical environment is also a big win.