Network Security Threat Detection

U-M is always seeking to improve its security posture to protect the university’s data and digital assets from increasingly determined and well-funded malicious actors. As part of the university's larger threat intelligence and mitigation efforts, Information Assurance (IA) and ITS Infrastructure are collaborating on an innovative approach to network security. This approach combines cutting edge technologies, open source tools, and U-M's MITN threat intelligence framework to provide a security solution that scales across our entire network.

As part of securing an open society like U-M, these enhancements include privacy protections. Privacy is a fundamental value in higher education and, especially, at U-M. It underpins academic freedom; student growth and development; freedom of speech, association, and expression; and more. U-M respects your privacy and actively builds privacy into its use of these powerful tools (see Privacy Oversight below).

To enhance our network threat detection capabilities, we are deploying a network security threat detection and mitigation system. Components of the system are used by many educational and scientific institutions to help secure their cyberinfrastructure. Use of this system allows us to detect and mitigate network threats across more U-M networks.

Phased Rollout—Test Deployment

In early 2019, ITS Infrastructure and IA implemented the new security system as a proof-of-concept for evaluation purposes. It now sits at the borders between U-M networks and some external networks. Testing thus far shows no negative impact on network traffic.

As of late June 2019, ITS is testing the use of the system in production to block the same malicious traffic at the Ann Arbor campus border that is already blocked on a subset of university networks. This shifts the location of where the blocking and mitigation takes place, but does not change what is blocked. This will lead to more comprehensive protection for UM-Ann Arbor networks. Discussions and planning are in progress for use of the new system for Michigan Medicine, UM-Dearborn, and UM-Flint networks.

Benefits/Impact

The new threat detection capability will:

  • More broadly protect U-M networks.
  • Assist IA in detecting attacks more quickly so they can be analyzed and blocked.
  • Reduce the risk that attacks will be able to progress undetected.
  • Streamline compliance with requirements that apply to some university researchers.
  • Move some baseline network protection from the unit to the university level where it can be customized to meet the university's unique needs.

Users don't need to do anything differently and likely will not notice any difference in their use of U-M networks. As always, if you are having trouble connecting to a website or other online resource from a university network, you can contact the ITS Service Center for help. ITS staff members will then work with you to resolve any situation where legitimate traffic may have been misidentified as malicious.

If your university research requires unimpeded access to malicious sites or software, the enhanced network threat detection and mitigation service could affect it. Contact the ITS Infrastructure Network Service Team (its.is.nso@umich.edu) to discuss any concerns or questions about potential impact to research activities.

Threat Detection

Threat detection focuses on metadata associated with network traffic, such as the source and destination IP addresses, DNS activity, protocol validation, ports requested, file types, connection types, and so on. The contents of encrypted traffic are not inspected; no decryption is done.
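A minimal illustration of that metadata-only approach, added here as an example; it is not U-M's code and makes no claim about how the deployed system works. Records carry only connection metadata (there is no payload field, so nothing is decrypted), the indicator lists are constructed stand-ins for a threat-intelligence feed, and the research-exemption list and all addresses are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed, hypothetical indicator data standing in for a threat-intel feed.
# All addresses are RFC 5737 documentation ranges, not real hosts.
CAMPUS_NETS = [ip_network("192.0.2.0/24")]                 # "our" networks
MALICIOUS_NETS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.7/32")]
MALICIOUS_DOMAINS = {"bad.example", "phish.example"}
RESEARCH_EXEMPT = {ip_address("192.0.2.50")}               # approved exemption (hypothetical)


@dataclass(frozen=True)
class FlowRecord:
    """Connection metadata only: there is deliberately no payload field."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    dns_query: Optional[str] = None


def _in(addr: str, nets) -> bool:
    ip = ip_address(addr)
    return any(ip in n for n in nets)


def _domain_listed(name: Optional[str]) -> bool:
    if not name:
        return False
    labels = name.lower().rstrip(".").split(".")
    # a listed domain matches itself and every subdomain under it
    return any(".".join(labels[i:]) in MALICIOUS_DOMAINS for i in range(len(labels)))


def classify(rec: FlowRecord) -> str:
    """Mitigation decision for one record, from metadata alone."""
    src_campus = _in(rec.src_ip, CAMPUS_NETS)
    dst_campus = _in(rec.dst_ip, CAMPUS_NETS)
    # inbound attack: external listed source reaching a campus host
    if dst_campus and not src_campus and _in(rec.src_ip, MALICIOUS_NETS):
        return "block-inbound"
    # outbound attempt: campus host connecting to, or resolving, a listed target
    if src_campus and (_in(rec.dst_ip, MALICIOUS_NETS) or _domain_listed(rec.dns_query)):
        return "exempt" if ip_address(rec.src_ip) in RESEARCH_EXEMPT else "block-outbound"
    return "allow"
```

The DNS branch shows why metadata alone is enough to catch a connection attempt to a listed site before any encrypted session is established.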

Privacy Oversight

Network protection tools are used to identify and block threats to university systems, data, and resources.

Our approach to privacy when implementing these and other security tools is embodied in Privacy and the Need to Monitor and Access Records (SPG 601.11), which states, "The University of Michigan respects the privacy of its employees and seeks to foster a climate free from arbitrary or capricious monitoring of employees and the records they create, use, or control."

  • Monitoring of network traffic is done for the purposes of detecting and analyzing potential attacks, intrusions, and phishing.
  • Information gained from threat detection is used to mitigate malicious traffic, including blocking inbound attacks and outbound attempts to connect to malicious sites or machines.
  • Under the appropriate circumstances, we may also use this information to support U-M researchers who work in the network and security space.

The U-M Chief Privacy Officer approves what can be monitored and how the information can be used. Concerns and questions about privacy and the use of threat detection and other IT security tools may be sent to privacy@umich.edu.