Ayad Sleiman | Head of Information Security | KAUST explains the security anomalies and the actions undertaken as a CISO.
What are your roles and responsibilities as Head of Information Security at King Abdullah University of Science and Technology (KAUST)?
My role is to manage the cyber security of the university and the city itself. That is a challenging job because it is concerned with not only managing the university’s cyber security, but also the city around it. So you can think of it as an ISP and a university at the same time, because the cyber security responsibilities of an Internet service provider are quite different from those of a university, which is a little bit more structured than just the city.
The responsibilities include security compliance and governance, awareness and risk, security operations, incident response and forensics, and also business continuity and disaster recovery, which are very key in this era of crisis.
What are the benefits of your Defense-in-Depth (DID) approach?
You have to really adopt a defense-in-depth approach, which is basically a layered approach to defending the university premises from cyber security attacks. That starts with perimeter security, but it does not end with it; rather it ends with the human firewall.
The layers in between and the technologies that are used to protect each layer in between are very important. Sometimes you may have redundant technologies or you may need redundant technologies because if one fails the other can then take over and still protect you. So these layers of defense are extremely important.
So if you have a super duper firewall and your administrator, the firewall administrator, can be social engineered into giving away their password, then that firewall was of no use. So it is extremely important to focus on the human element, which is what we call the human firewall concept at KAUST, and it is based on a risk based approach by which you need to constantly make your users aware of the cyber security threats around them.
So instead of using a spray and pray approach, by which you spray training on everyone and pray that it would work, you should use a risk based approach by creating a point system and giving a certain number of points, merit points and demerit points, to people. Let’s say they get demerit points if they violate an information security policy, if they fall for a phish, or if they share their password. They get merit points for reporting a phish or a security incident, for example, or for attending training or taking courses and quizzes on our LMS (Learning Management System), et cetera. So these points add up and create what we call a risk score and human firewall score for that person.
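The merit/demerit scoring described above, as an added example that is not KAUST's own code: it sums points per user from a constructed event feed and uses the resulting human firewall score to decide who receives targeted awareness training instead of everyone. Point values, tier thresholds and event names are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Point weights are an assumption for illustration; the interview gives no actual values.
MERIT_POINTS = {"phish_reported": 3, "incident_reported": 5,
                "training_attended": 2, "quiz_completed": 1}
DEMERIT_POINTS = {"phish_clicked": -5, "password_shared": -10, "policy_violation": -4}
POINTS = {**MERIT_POINTS, **DEMERIT_POINTS}


@dataclass(frozen=True)
class Event:
    user: str
    kind: str  # one of the keys in POINTS


def human_firewall_scores(events):
    """Sum merit and demerit points per user into a human firewall score.
    An unknown event kind raises rather than silently contributing zero."""
    scores = defaultdict(int)
    for e in events:
        if e.kind not in POINTS:
            raise ValueError(f"unknown event kind: {e.kind}")
        scores[e.user] += POINTS[e.kind]
    return dict(scores)


def risk_tier(score):
    """Thresholds are an assumption; they decide who gets targeted awareness effort."""
    if score <= -5:
        return "high"
    if score < 5:
        return "medium"
    return "low"


def training_plan(events):
    """Users who need targeted training (medium or high risk), highest risk first."""
    scores = human_firewall_scores(events)
    flagged = [(u, risk_tier(s), s) for u, s in scores.items() if risk_tier(s) != "low"]
    return sorted(flagged, key=lambda t: t[2])


# Constructed sample feed, e.g. an export from an LMS, phishing simulation and ticketing system.
SAMPLE_EVENTS = [
    Event("alice", "phish_reported"), Event("alice", "training_attended"), Event("alice", "quiz_completed"),
    Event("bob", "phish_clicked"), Event("bob", "policy_violation"), Event("bob", "training_attended"),
    Event("carol", "phish_clicked"), Event("carol", "phish_reported"), Event("carol", "quiz_completed"),
]
```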
How does the SecOps team function at KAUST?
SecOps is the operation of the technical controls. Basically we conduct risk management all the time: you come up with certain risks and you evaluate these risks, which may be high, low, etc. If they are high, or if they are higher than your risk appetite, you need to mitigate them. You basically introduce controls to mitigate these risks, and these controls can be technical or administrative.
The technical controls are things like firewalls, intrusion prevention and intrusion detection systems, web filtering systems, web application firewalls, next generation firewalls and endpoint security systems. All of these technical controls are managed by the SecOps team, and they are basically responsible for their uptime, their operation, and their proper functioning.
What are the key critical challenges for a CISO of a university today especially after the impact of COVID19 has changed the operating model of education to an online mode?
If we were to start talking about the challenges that a CISO encounters without a crisis, they are many. Number one, there is politics, which it is usually very important to know how to maneuver through as a CISO. You need to understand how to speak the language of the business as well as the language of your technical team, and you need to be the translator, the go-between, for these two stakeholders. Your team will understand vulnerabilities, threats, viruses, malware, etc., and the management team does not understand that; senior management especially understands security from the perspective of risk only. So you need to be able to translate what you see at the technical level into business language, which links to risks, controls and threats. This is one of the challenges that most CISOs face, and they have to master it very well to be successful at their job. Most CISOs these days, well, I would say maybe 50% according to some studies out there, still report to IT. That means you are highlighting the risks that IT may have, but IT’s concern is to maximize its objectives, and these objectives are performance, convenience, functionality, etc., for their users, and customer centricity. So they need to be always maximizing these objectives, while you come in as a CISO and point out issues with what they are doing, some risks, and how they need to address them. This may impede their progress sometimes, but you have to come at it in a different way. Well, we have a motto or slogan at information security here at the university that says we enable your business to be secure, and that is extremely important because we need to be a business enabler and not a showstopper in front of the other stakeholders, especially within IT.
We need to show them that we are like the brakes on a race car, where the driver is trying to achieve one objective, which is to win the race. But they have to have peace of mind that the brakes on their car work very well, because when they hit the curve they can press these brakes and not crash into the wall, which is very important. That peace of mind gives them the ability to speed even further, which means we are enabling them to achieve their business objectives with speed, and that is how I would like my fellow IT stakeholders, for example, and other stakeholders within the business to think about security. Having said that, striking this balance between performance and convenience on one side and security on the other side is extremely important.
Now in terms of COVID-19, we were not impacted that much because business continuity is very essential. As a CISO, you need to also speak the language of business continuity and disaster recovery. You need to be coordinating with your business continuity team at the university or at your organization, and ensure that you are always ahead of the game; then you will be ready for it. Some of our BCP items were ensuring that VPN access is working very well, since we have a lot of travellers within the university; we had not looked at that before the COVID-19 crisis came about. We have ensured that we have great performance on that, and that served us very well because now everyone is using VPN and two factor authentication, which are important now in critical business processes, let’s say, that were never critical before to the running of your business. Now they have made it to the top of the list in your business continuity plan.
How has COVID19 impacted higher education and what are the changes in the dynamics of the industry-academia interface?
COVID-19 was tough in multiple aspects. A lot of people forget the human element, not the human element that I talked about earlier with the human firewall, but the human element of resilience. You talk about cyber resilience all the time, but how about human resiliency? You are asking your employees to work under the stress and fear of being infected, and you are pushing them to also do their job very well and stay alert all the time, given the increase in cyber threats, which they say increased by 6000% during this COVID-19 crisis.
So in my case, I have a wellness program that I started immediately, as soon as the crisis started. I started sending emails and coaching people on a regular basis about how I am staying positive during this crisis, by always staying alert and thinking about how we get out of this all together.
How are you adapting to the newer security challenges at KAUST arising out of the current situation?
The increase in cyber attacks has caused a lot of stress on our team, and that made it extremely hard to defend; the team also needed to make sure that everyone else in the community and our user community are aware of these cyber threats.
There were attempts of cyber attacks in the form of ransomware against our people. We have to constantly make people aware of how to handle ransomware and how to mitigate ransomware attacks.
We encouraged them to do daily backups and to ensure that they do not click on any links from anyone they do not know, or in any suspicious emails. We have created a cyber security guide to working from home that we ask people to read, and to ensure that they did read and understand that cyber guide. On the other challenges, we needed to increase our watch on our SOC and ensure that we have the proper use cases that we are looking for. We created more new use cases for our SOC to ensure that we are looking for certain anomalies during this time, and the threats that we get on a day to day basis we are always feeding to our SOC to ensure that we are up to date on the latest threats.
How important is a cyber liability assessment today in case of cyber crisis?
They give you a gap analysis of what your gaps are within your organization so that you can fix them. We do comply with ISO 27001, one of whose main pillars is continuous improvement.
You can’t really do the same thing over and over again. You have to improve your processes on a regular basis on a yearly basis, et cetera. So that’s why it entices you to review your processes, policies, standards, and procedures all the time.
So part of this review, we also review our incident management process and incident response process. Part of this liability assessment is to understand what kind of gaps do we have from an incident response.
We hire, for example, a red team, which is basically a team of ethical hackers, on a regular basis, probably twice, sometimes three times a year, sometimes once a year, and we ask them to try to attack our systems. We basically sometimes give them a target or we don’t give them a target. Sometimes it’s a black box test, sometimes it’s a white box test or even a gray box test.
My incident response team does not know anything about it. I’m the only one who deals with that company, and the timing of that attack is only determined by me. This guarantees that my incident response team is always on alert, which is very important, because if I tell them we’re going to conduct a test, they’re going to be ready and they’re going to be watching all the time, and maybe they become relaxed later on. But no, they’re on alert all the time, because at any time during the year there may be an attack, and that may be a regular hacker or a hacker hired by me.
How is KAUST leveraging on technologies like mobility, AI, analytics, blockchain, IoT among others?
KAUST is at the forefront in research. We’ve announced recently some research in encryption, for example, encryption algorithms for cybersecurity, but other than that we’re working on tracing apps for the university, because as I mentioned, the university is not just a university but a city, and these contact tracing apps allow us to manage the infections and the COVID-19 crisis within the city, within the fences of our university.
And that was important for us to develop because we have 102 nationalities, and some of them come from Europe, the US, India, China, Russia and all over the world, and each has certain cultural nuances, if I may call it that.
On the other hand, ILPs are moving into KAUST, we have various IoTs, and we’ve also developed a strategy specifically for securing IoT for a program that we started about a year and a half ago, or about a year ago, which is called the KAUST Smart Program. That is basically converting our city into a smart city by employing and deploying smart technologies all over, in all facets of life around the city, and that also uses AI and analytics, because it has to collect data for further processing using these systems.
We have used blockchain to a limited degree, but not much; basically we’ve been focusing more on IoT because that plays a major role in smart cities. But again, they present another threat vector and they increase or widen our threat surface from a cybersecurity perspective, so we have to put a strategy together from a cybersecurity strategy perspective for IoTs to ensure that when we deploy more of these in our university, they are safe and they can serve us, but at the same time are secure.