Chair: Ian Shepherd, product manager, Janet connectivity, Jisc Network monitoring and prevention in education Speaker: Arthur Gordon, senior product manager, WatchGuard Technologies. WatchGuard Technologies, Inc. is a leading network security vendor for over two decades in the information security realm for small-medium enterprises. WatchGuard continues to innovate best-of-breed unified threat management services for the education sector including, but not limited to Chromebook monitoring, URL filtering, Wi-Fi intrusion prevention, and network activity reporting. Security for universities made easy Speaker: Henry Seddon, Duo Security. With 450 universities using Duo they will share their experience using Duo and how universities can easily protect themselves from the most common hack.

1. Exhibitor session 3b
Chair: Ian Shepherd

2. Please switch your mobile phones to silent
19:30
No fire alarms scheduled. In the event of an
alarm, please follow directions of NCC staff
Dinner (now full)
Entrance via Goldsmith Street
16:30 -
17:30
Birds of a feather sessions
15:20 -
16:00 Lightning talks

3. WatchguardTechnologies

4. Copyright ©2017 WatchGuard Technologies, Inc. All Rights Reserved
Arthur Gordon
Director of Product Management
Network
Monitoring & Prevention in
Education

5. Copyright ©2017 WatchGuard Technologies,Inc. All Rights Reserved
KCSiE Regulation
“A child centered and
co-ordinated approach
safeguarding impressionable
children under the age of 18”
5

6. Copyright ©2017 WatchGuard Technologies,Inc. All Rights Reserved
KCSiE Outlines
6
1. Schools are an important part of the wider safeguarding
system for children
2. All professionals should make sure their approach is
child-centred. This means that they should consider, at
all times, what is in the best interests of the child.
3. No single professional can have a full picture of a child’s
needs and circumstances. All have a role to play in
identifying concerns, sharing information and taking
prompt action.
All Ofsted inspectors have had training
on KCSiE and online safeguarding in
general, so the new regulations should
not be ignored.

7. Copyright ©2017 WatchGuard Technologies,Inc. All Rights Reserved
Web filtering guidance
• Age appropriate, differentiated filtering – includes the ability to vary filtering strength appropriate to age and
role
• Control – has the ability and ease of use that allows schools to control the filter themselves to permit or deny
access to specific content
• Filtering Policy – the filtering provider publishes a rationale that details their approach to filtering with
classification and categorisation as well as over blocking
• Identification – the filtering system should have the ability to identify users
• Mobile and App content – isn’t limited to filtering web traffic and includes the blocking of inappropriate content
via mobile and app technologies
• Multiple language support – the ability for the system to manage relevant languages
• Network level – filtering should be applied at ‘network level’ i.e., not reliant on any software on user devices
• Reporting mechanism – the ability to report inappropriate content for access or blocking
• Reports – the system offers clear historical information on the websites visited by targeted individuals
7

8. Copyright ©2017 WatchGuard Technologies,Inc. All Rights Reserved
What To Block: Harmful content
Content Description
Discrimination
Promotes the unjust or prejudicial treatment of people on the grounds of race,
religion, age, or sex.
Pornography Displays sexual acts or explicit images
Self-Harm
Promotes or displays deliberate self-harm
(including suicide and eating disorders)
Violence Displays or promotes the use of physical force intended to hurt or kill
8

9. Copyright ©2017 WatchGuard Technologies,Inc. All Rights Reserved
What To Block: Illegal content
Content Description
Drugs / Substance abuse Displays or promotes the illegal use of drugs or substances
Extremism & Radicalisation Promotes terrorism and terrorist ideologies, violence or intolerance
Child abuse image content
(CAIC)
Displays specifically images of child sexual abuse including pornography
Piracy and copyright theft Includes illegal provision of copyrighted material
9

10. Copyright ©2017 WatchGuard Technologies,Inc. All Rights Reserved
Acceptable Use Policy
10
An acceptable use policy needs to cover:
 fixed and mobile internet
 technologies provided by the school
 technologies owned by pupils and staff, but brought onto
school premises (BYOD).
 It should also be flexible enough to deal with new
technologies as they emerge.

11. Copyright ©2017 WatchGuard Technologies,Inc. All Rights Reserved
WatchGuard Can Help
11
BEST-IN-CLASS
SECURITY
NETWORK
VISIBILITY
FLEXIBLE
MANAGEMENT
WatchGuard’s solutions ensure a school remains KCSiE compliant by offering:

12. Copyright ©2017 WatchGuard Technologies,Inc. All Rights Reserved
WatchGuard Best of Breed for Education
12
One powerful network security platform.
• Latest, highest
performance platform
available
• Common management
console gives policy-driven
control of technologies
• Standardized across
products
• Unparalleled security
foundation
• Best-in-class
technologies from leading
vendors
• Designed for modularity;
easy to add or replace
technologies
WatchGuard’s Proxy-based Network Inspection
AntiVirus
URLFiltering
Reputation
EnabledDefense
Anti-spam
IPS
AppControl
Hyper-V
DLP
Industry Standard Platforms
VPN
APTProtection
ThreatDetection
&Response
Dimension Visibility & Centralized
Management Platform

13. Copyright ©2017 WatchGuard Technologies,Inc. All Rights Reserved
WebBlocker
 URL and IP packet header information; 130+ categories in addition
to a database nearing billions of URLs that have been categorized
13
KCSIE Aspect Rating Category
Discrimination Intolerance: Filtering promotion thereof
Drugs/Substance Drugs: Filtering illegal web categories
Extremism Militancy and Extremist: Reject violence/hate
Malware/Hacking Security: Reject known proxy bypass sites
Pornography Adult Content: Filters pornography and enforces
SafeSearch on Google
Self-Harm Violence: Filters and control sites that promote
violence or occult

14. Copyright ©2017 WatchGuard Technologies,Inc. All Rights Reserved
 Combination of WatchGuard’s powerful explicit proxy, L2TP VPN +
Google Admin Console for enterprise enrolled Chromebooks
Agentless Chromebook URL Filtering
14
31 2
Configure VPN, explicit
proxy via Google admin
console
Configure explicit proxy
and WebBlocker policies
Denied on Chromebooks
via Explicit Proxy

15. Copyright ©2017 WatchGuard Technologies,Inc. All Rights Reserved
Wi-Fi Intrusion Prevention
 Who it works for
– BYOD environments
– Access points (APs) contain Wireless Intrusion Prevention systems to reject access
from rouge APs
– Resist AP impersonation attacks as well as powerful detection and prevention against
rogue APs
 URL filtering happens on DNS layer
– Widely deployed in educational and family-friendly environments
15

16. Copyright ©2017 WatchGuard Technologies,Inc. All Rights Reserved
Dimension Threat Intelligence Platform
Instantly identify and distill key network security threats, issues, and trends in order to track, manage, and
report on the security of your network
16
Visual Dashboards
• Network traffic
• Security policy efficacy
• Network health
Drill down data into intelligence
• Spot trends
• Pinpoint weakness
• Stop cyber loafing
• Track security policy effectiveness
Take immediate action with Dimension Command*
• Block malicious users, sites, and applications
• Create and secure connections to remote locations
• Restore previous configurations
Automated Predefined & Custom Reporting
• Management visibility
• Compliance
• Audit trail

17. Copyright ©2017 WatchGuard Technologies,Inc. All Rights Reserved
THANK YOU
Arthur Gordon
Director of Product Management
arthur.gordon@watchguard.com
Martin Lethbridge
Senior Sales Engineer
martin.lethbridge@watchguard.com
http://www.watchguard.com/wgrd-products

18. Duo for Education
Henry SeddonVP EMEA

19. Duo for Education
“ Security made easy for
Universities”
Henry Seddon VP EMEA

20. Sadly - No one gets hacked James Bond or
Mission Impossible style
Real compromises can be quite boring

21. Top 3 Real World Threats
● Phishing
o Credential theft
o Malware installation
o Information gathering
● Ransomware
o Encrypt all the things, profit.
o Data Exposure
● Other Malware / Attacks

22. Root Causes
● Unpatched endpoints
● Unmanaged endpoints - BYOD
● Unsupported software
● Credential reuse
● Weak credentials
● Lack of multi-factor authentication
● End Users

23. No! Numbers! Who are Duo…..?
15,000+ customers
450 Universities
10M+ authentication events per day
Millions of unique endpoints analysed every day
18,000+ Microsoft-related integrations analyzed

24. What Does The Data Tell Us?
● Android versions as old as 2.2 are still seen. 6.01(marshmallow) most popular version in the wild.
● iOS versions as old as 2.1 are still found. 7.2 most popular while 10.2.1 is latest.

25. 2009
Windows 7 was released

26. 40%
Of endpoints that Duo sees are Windows 7

27. What Does The Data Tell Us?
● 60% average of out of date Flash installations
● 45% average out of date Java installations (92% of endpoints have this enabled vs. 81% in NA)

28. But What About Windows 10 and Edge?
28% of endpoints run Windows 10
47% of Win10 browsers are IE/Edge
8% of IE/Edge are Edge v14

29. Phishing The Data Tell Us?P
● 44% of recipients opened the phish email
● 26% clicked on the link
● 14% entered in credentials
● 15% were using out of date browsers
● 0% had out of date flash or java
● Average time to first click: 23269 seconds
● Median time to first click: 790 seconds
● Average time to first phish: 26331 seconds
● Median time to first phish: 1455 seconds
● Average time to first out of date device: 23832 seconds
● Median time to first out of date device: 857 seconds
Credit: Kaspersky

30. Mitigations
Healthy Paranoia
● User Awareness
○ Educate - Phishing
○ Helpful, but not the answer
● Proactive Monitoring
○ Logging - Don’t box tick
○ Prove to me you are good!
● Incident Response
○ Have a plan & test it

31. Mitigations
Cyber Hygiene
● Secure Design
○ Back-Up, 2FA, Device Encryption
● Secure Configuration
○ Build, Patching / Updates, Passwords
● Manage Privileges
○ Enough, but not too much

32. Duo for Education

33. Duo in Education
450+
customers
7M+ faculty and
students

34. 4 reasons why EDUs choose Duo
1. Duo works for any end-user device
2. Duo can be rolled out easily to all students and faculty in less than a week with
75% fewer helpdesk calls
3. Duo helps protect all users and applications
4. We offer site license for Students, Faculty Staff, IT & Contractors

35. World’s easiest two-factor authentication
Push Soft Token SMS Phone Call U2F Wearables Biometrics HW Tokens
Several Auth Methods: Protect all your users easily
Deploy 2FA for your entire organization within a day
VPNs Windows Cloud Apps Custom Apps Web Apps SSO Unix SSH Legacy
Out-of-the-box: Protect all your apps easily

36. Rolling out is fast and easy with Duo
Students and faculty self-enroll into Duo
✓ Students and faculty can manage devices themselves
✓ Each department can manage their own sub-account in Duo
✓ Duo can help train your help desk team
✓ Easy documentation to integrate apps and train your staff
75%fewer help desk
calls with Duo
“With Duo, you expend 10% effort and you get 90% benefit. The fact that the value for money comes
along with what I consider to be one of the most robust 2FA systems out there is just icing on the
cake. I would highly recommend Duo to other organizations.” - Loyola University Maryland

37. unix
Secure access to all your apps with ease
MICROSOFT
RRAS
VPNs CLOUD APPs EDUCATION CUSTOMIDENTITY
REST
APIS
WEB SDK
RADIUS
SAML
OIDC
Out-of-the-box integrations with 100s of apps

38. Duo’s Commitment to Accessibility
38
✓ Works with screen readers such as
VoiceOver, NVDA and JAWS*
✓ End-users with low or no vision authenticate
with Yubikeys or Push
✓ Full keyboard support for users who cannot
use a mouse
✓ Zoomable text and big clickable buttons for
authentication
Companies like Duo Security, who are committed to enhancing the accessibility of their
services, can provide an exceptional user experience for all people - Michigan State University
*Following the Federal Section 508 and WCAG 2.0 guidelines

39. Thank You
Security made easy and effective

40. Thank you