by wyager 4425 days ago
Well, I have some evidence in support of what he says (at least, that universities log connections). My university, of some 48,000 students (in 2010), logs 100% of all connections. I know, because I have seen the data. It's provided to researchers with the IPs replaced by some other persistent identifier (which they hopefully generated randomly). You can see IP addresses/domain names, and I think they might have also had URL data for http connections (although I'm not sure on that one).

They also emailed and temporarily disconnected all students who were running servers vulnerable to Heartbleed, so presumably they do some form of more intensive inspection and logging as well.


Because most universities have pretty wide-open networks with high bandwidth, they do monitor for illegal, commercial, or malware activity on their networks. They don't want to get blacklisted as spammers among other things. They are also highly concerned about possible exposure of sensitive student personal and research data and some have started auto-encrypting emails that appear to contain such.
Why do they keep old logs if they're just monitoring for illegal/commercial/malware stuff?

And if they were very concerned with exposure of sensitive data, they wouldn't be logging it.

They keep the logs so they can use them in after-the-fact investigations, and for research.
> and for research.

That's not the same thing as "monitoring for illegal/commercial/malware activity".

In some cases, research does relate to identifying Security Threats. This mostly relates to layer 7, which is much more complex than port- and protocol-based detection. The idea is: if you don't know what you're looking for (presumably a 0-day or unknown threat), then how would one find it? The answer is, research (aka analyze) the data. This ranges from Flow Data (which can date back months/years) to Packet Captures, to even Real Time Deep Packet Inspection (all relating to SIEM Solutions). In these scenarios, you would be looking for the needle in the haystack, but the needle is not clearly defined. You would have to work to identify and define it. So research does relate to identifying illegal/commercial/malware activity. Organizations that understand this are working towards implementing (or have already implemented) real time adaptive security models to mitigate these threats. This will allow them to not only identify and attempt to stop unknown Security Incidents, but also effectively investigate Incidents (forensics).
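As an added example (not code from this thread or from any university's systems), the following Python sketches the two ideas discussed above: flow records exported with source IPs replaced by a keyed persistent identifier, as the first comment describes, and a baseline-versus-outlier analysis of flow data in which the "needle" is not defined in advance. The key, addresses and flows are all constructed; no real network is represented.

```python
import hashlib
import hmac
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: a per-dataset pseudonymization key and flow records
# shaped as (src_ip, dst_ip, dst_port, bytes). All addresses are hypothetical.
KEY = b"per-dataset-secret-generated-randomly"
FLOWS = []
for host in ["10.0.1.%d" % i for i in range(1, 9)]:        # 8 ordinary hosts
    FLOWS += [(host, "93.184.216.34", 443, 5000), (host, "10.0.0.53", 53, 120)]
# One constructed host contacts 40 distinct peers on the same port.
FLOWS += [("10.0.1.99", "10.0.2.%d" % i, 22, 60) for i in range(1, 41)]


def pseudonymize(ip, key=KEY):
    """Keyed HMAC turns an IP into a persistent identifier: the same IP always
    yields the same token, so flows stay linkable for analysis, but without the
    (randomly generated) key the whole IPv4 space cannot be hashed to reverse it."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_flows(flows, key=KEY):
    """The export handed to researchers: source IPs replaced, everything else kept."""
    return [(pseudonymize(src, key), dst, port, nbytes) for src, dst, port, nbytes in flows]


def fan_out(flows):
    """Distinct (destination, port) pairs contacted by each source token."""
    peers = defaultdict(set)
    for src, dst, port, _ in flows:
        peers[src].add((dst, port))
    return {src: len(s) for src, s in peers.items()}


def flag_outliers(counts, z_threshold=2.0):
    """The needle is undefined up front, so define it statistically: tokens whose
    fan-out lies more than z_threshold standard deviations above the campus baseline."""
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []
    return sorted(t for t, c in counts.items() if (c - mu) / sigma > z_threshold)


def analyze(flows=FLOWS, key=KEY):
    """Full pipeline over the pseudonymized export; returns flagged tokens."""
    return flag_outliers(fan_out(pseudonymize_flows(flows, key)))


if __name__ == "__main__":
    print(analyze())   # the flagged token; only the key holder can map it back to an IP
```

Because the token is deterministic under the key, the campus (which holds the key) can re-identify a flagged host for an after-the-fact investigation while the researcher never sees the raw address.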