CYBER SQUAD
Helps keep UAB safe
Secure computing
In an interior room of the Rust Building, a team of cyber detectives monitors network traffic and activities, seeking intruders who wish to harm or steal our data. But often their eyes and ears are the students, faculty and staff who report suspicious activity. Their work, partnered with the information security liaisons across campus and a set of policies and roles that govern data, helps build a protective barrier to secure UAB.
“That’s part of what we do — detective work,” said Paul Walker, who directs UAB’s Security Operations Center, part of the UAB IT information security team.
When a large phishing attack occurred earlier this year, the SOC’s job was to mitigate the attack first and stop it in its tracks. “Then we take a CSI-type approach,” Walker said. “What were they after? What systems were talking to what systems? We try to wrap up the who, what, when, where and whys of the attack.”
But the capacity for those detailed investigations did not happen overnight.
When Walker, a U.S. Air Force veteran, arrived at UAB in 2014, the information security response to network intruders and phishing threats was not exactly organized.
“A couple of people just did incident response ad hoc, putting out fires,” Walker said. But with the arrival of new Chief Information Officer Curtis A. Carver Jr., Ph.D., in 2015, followed by Chief Information Security Officer — now Chief Technology Officer — Brian Rivers, the information security team began to form a cohesive Security Operations Center. Expanding the SOC was a goal of the IT Strategic Plan for 2018. Walker was put in charge of the new SOC, and he put his military background to work and helped his team develop procedure documentation, then process improvement and now procedure review.
The Security Operations Center has grown to include eight employees, including a student worker — a big change from the previous ad hoc response. “Four years ago, it was whoever could handle it,” Walker said.
But incident response is not the only task for the SOC. Prevention — through intrusion detection and threat hunting — helps keep UAB safe. Walker said he and his team assume the bad guys are already in the system — they just need to find them.
“You'll always be doing the detective work,” he said. “The premise is you assume they are in your network. A locked door only keeps an honest man honest. Some of the research we have could be of use to criminal enterprises or nation-state hackers. Why get paid to do your own when you can steal it?
“Given the level of sophistication they possess, it's awfully presumptive to say that we can keep them out of our network. We do our best and we probably keep most hackers out, but all it takes is one user clicking on a phish to cause a problem.”
That’s why UAB also needs its students, faculty and staff to be on the lookout for potential threats and report suspected phishing emails or other intrusions.
Tools such as two-factor authentication and Keeper help secure your password, and it’s easy to report a suspected phishing email with PhishMe Reporter or the email address 
The SOC has new tools as well, including a network security monitor that tracks what is happening across the network and a security information and event management (SIEM) system that correlates different data feeds and helps hunt threats across multiple systems. The tools are important to threat hunting and prevention — but the people are just as important, if not more so.
“Intrusion detection is as much an art as a science,” Walker said.
So UAB IT’s cyber detectives will keep working — sometimes around the clock — to make improvements that keep our campus safe.