Security professionals in the education space face a special kind of challenge with the dual mandate of keeping their networks open to facilitate research and information sharing while at the same time keeping the environment secure and safe for their users. Best Practical got some first-hand updates on this difficult challenge last week at the Educause Security Professionals conference in Baltimore.
Request Tracker (RT) and Request Tracker for Incident Response (RTIR) are used by many colleges and universities to support a variety of needs, from helpdesks to security incident response, and this conference showed us some examples of how they are being used by security teams. As you can see from the conference brochure above, there was a nautical theme for the conference, and some of the presenters really took it to heart with some pretty amazing puns. Phishing, anyone?
Puns aside, the University of Pennsylvania security team has used RTIR for many years, and they presented a session describing how they use automation and weekly reviews to manage their large ticket volume (slides available). They had always been very motivated to automate incident management whenever possible, but in 2015 the large volume of DMCA requests made this even more important. Using RT's flexible scrip automation system, along with extensions like RT::Extension::ACNS and some help from Best Practical, they were able to automate the handling of almost all DMCA requests (see the graph on slide 7).
This is just one example of the many types of automation UPenn has put in place to handle repeatable tasks. With all of this running, it is important for the team to monitor the system and watch for anomalies. They do this in a weekly SOC meeting where they review a series of charts and reports generated in RTIR (see slide 32 for examples). This reporting and review also allows them to see trends, which can lead to more in-depth investigations of possible new problems.
We have been happy to provide UPenn with support and professional services over the years, extending RTIR to fit their use cases. These are the types of projects that allow Best Practical to continue to improve RT and RTIR, and it was great to see them describe how it has helped their team manage a variety of threats.
This was just one presentation in two days full of informative sessions, many with resources available on the conference website. We got lots of new ideas from these sessions and we'll be thinking about ways we can continue to improve RT and RTIR. And if you missed the conference this year, there is still a chance to see some sessions at the encore web session in August.