Oklahoma University

CASE STUDY


Industry: HIGHER EDUCATION

University of Oklahoma Remediates 1,000 Exposed Email Accounts in Less than 24 Hours with SpyCloud

Challenge

With few internal resources and no adequate tools to identify and remediate exposed student, faculty and staff email accounts, OU was at constant risk of account compromise.


Solution

OU chose SpyCloud for its user-friendly API and its comprehensive, operationalized exposure data, which it could quickly compare with its Active Directory accounts to automatically stop bad guys from compromising accounts.


Result

OU is now able to take proper remediation action based on reliable SpyCloud data and student employee ingenuity, saving thousands of accounts from being taken over and causing harm to users and the university.



Founded in 1890, the University of Oklahoma (OU) is a public research university located in Norman, Oklahoma. With just over 21,000 undergraduate students, 6,000 full-time employees and 80,000 active accounts, the institution recognizes that cybercrime is a constant threat. It approaches security with a proactive stance but needed automation and good data to make a real difference.

Challenge

Establishing Internal Means of Identifying Exposed Accounts

OU faces the same challenge that most higher education institutions face: students and staff use school email accounts for personal use, often reusing their OU passwords on multiple sites. When they do, they make it easy for cyber criminals to get into not only those personal sites but the school accounts as well.

OU knew some of its 80,000 active accounts were periodically exposed to cyber criminals. It just didn’t have an effective way to monitor these accounts and discover all of the exposures. It was relying on third parties and open-source resources such as Pastebin and Have I Been Pwned.

“We look at Pastebin and they will alert us of exposed credentials, but that only gives us part of the story because not everything gets posted publicly when there’s a data breach,” says Aaron Baillio, deputy CISO at the University of Oklahoma. “There are a lot of dark web and non-public sites that have our information but we can’t see it using open sources. We had to find a more reliable way to get alerts and manage exposures.”

Managing those credential exposures was no easy feat. Even when OU received a breach alert, it didn’t have the resource capacity to investigate and determine whether all of the accounts belonged to active students or staff, whether the exposed password matched the user’s current OU password, or when the exposure occurred. The institution also had no password policy in place to secure active accounts. Baillio and his team made it a priority to protect the institution on both the front and back ends.

Solution

Use SpyCloud API to Integrate SpyCloud Data with Internal Tools

The first thing OU did was establish a campus-wide password policy. Students, faculty and staff are obligated to reset their passwords every year with an eight-character minimum and complexity requirements. The same password cannot be reused for five cycles. Once good password habits were enforced, the school moved on to automating account takeover precautions.

OU had a few credential exposure products in their security stack but none with the scale and capabilities they required. They chose SpyCloud because the solution not only shows them where the credentials are located but gives them plaintext passwords and hashes so exact matches can be found more easily. It also reveals exposures on the dark web, exposures that aren’t listed in open sources. By catching the exposures before they appear on public forums, OU can take preemptive action before criminals do harm.

“We don’t want to block an account if we don’t have to, so having such detailed and usable data from SpyCloud helps our security team be more discerning,” says Baillio. “We see the date of the breach, when the exposure was discovered, and its severity. If SpyCloud flags an incident with 10 emails affected but leaked more than a year ago, we hope our password policies forced a reset already and we wouldn’t need to lock the account.”

OU decided to integrate SpyCloud with its internal SOAR platform (security orchestration, automation and response). Using the SpyCloud API, they pull SpyCloud breach data into their platform. When there is an alert about a particular data breach or credential leak, a ticket is automatically created.

As part of their practical application initiative, instead of using SpyCloud Active Directory Guardian to generate automated scripts, the school selects a few SOC student employees to practice their skills by writing homegrown scripts that check the SpyCloud data against the school’s Active Directory. These scripts determine whether an exposed credential belongs to an active account and whether the exposed password is the same as the account’s current password.
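As an added illustration, not OU’s script or SpyCloud’s code, the matching and triage logic such a homegrown script performs, run against a constructed directory and a constructed list of breach records; the record layout, the PBKDF2 stand-in for the directory’s credential store and the fixed salt are assumptions. It also applies the breach-date rule Baillio describes for records that carry only an uncrackable hash.

```python
import hashlib
import hmac
from collections import namedtuple
from datetime import date

Exposure = namedtuple("Exposure", "email password breached")  # password None if only a hash leaked
Account = namedtuple("Account", "salt pw_hash active pw_changed")  # pw_changed: last reset date

def derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash standing in for the directory's own credential store (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def account(password: str, active: bool, pw_changed: date) -> Account:
    salt = b"demo-salt"  # constructed fixed salt; a real store uses a random salt per account
    return Account(salt, derive(password, salt), active, pw_changed)

def triage(exposures, directory: dict) -> dict:
    """Map each exposed email to a remediation action for the help desk."""
    actions = {}
    for ex in exposures:
        acct = directory.get(ex.email.lower())
        if acct is None or not acct.active:
            actions[ex.email] = "not_active"      # nothing live to lock
        elif ex.password is not None:
            live = hmac.compare_digest(derive(ex.password, acct.salt), acct.pw_hash)
            actions[ex.email] = "force_reset" if live else "no_match"
        elif ex.breached < acct.pw_changed:
            actions[ex.email] = "likely_rotated"  # hash-only record older than the last reset
        else:
            actions[ex.email] = "manual_review"   # hash-only record newer than the last reset
    return actions

def sample_run() -> dict:
    """Constructed directory and breach list; not real OU or SpyCloud data."""
    reset = date(2019, 8, 15)
    directory = {
        "alice@example.edu": account("Sooner2019!", True, reset),
        "bob@example.edu": account("Boomer!2019", True, reset),
        "carol@example.edu": account("Gone4Good!", False, reset),
        "dave@example.edu": account("Fresh#2019", True, reset),
        "erin@example.edu": account("Fresh#2019", True, reset),
    }
    exposures = [
        Exposure("Alice@example.edu", "Sooner2019!", date(2019, 11, 2)),  # live password leaked
        Exposure("bob@example.edu", "oldpass", date(2019, 11, 2)),        # stale password
        Exposure("carol@example.edu", "Gone4Good!", date(2019, 11, 2)),   # disabled account
        Exposure("dave@example.edu", None, date(2018, 3, 1)),             # hash-only, old breach
        Exposure("erin@example.edu", None, date(2020, 2, 1)),             # hash-only, recent breach
    ]
    return triage(exposures, directory)
```

Only the "force_reset" rows go to the help desk; the "no_match" rows are the exposures the annual rotation policy has already retired.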

“The SpyCloud API automates the heavy lifting and data gathering for us,” says Baillio. “Our student employees integrate SOAR and SpyCloud so we can quickly react. Having the API documentation clearly defined in Apiary allows our team and students who have limited security experience to build effective automations. We can’t get that with other platforms out there.”

Results

Fast Remediation with Minimal Resources

Using the SpyCloud API, a student employee was able to take a list of more than 7,000 exposed emails from SpyCloud, run it through their own script, and discover over 1,000 Active Directory accounts with matching passwords.

“Before SpyCloud, if we were alerted to 7,000 exposed passwords to manually check, we would most likely have had to ignore them due to a lack of resources,” says Baillio. “With SpyCloud, we can get that information in less than 30 minutes. We passed that information along to our help desk and in a matter of hours, 1,000 accounts were secured. Using SpyCloud and the ingenuity of our student employees, we are legitimately preventing bad guys from compromising accounts.”

Baillio believes the university is in a much better place now that they have SpyCloud in their security stack. Because SpyCloud enables them to quickly and efficiently identify compromised accounts using their own tools and in-house integrations, they can make decisions and remediate much more quickly.

He and his team are focusing on training and outreach to educate students, faculty and staff on the dangers of password reuse, as well as phishing campaigns he says can generate up to a 60 percent click rate from students. “If you get your password compromised in one place, you can bet it’s compromised everywhere you reuse passwords. We need users to understand the many dangers that are inherent with emails and passwords. OU is striving to be a place of learning that goes beyond the classroom and impacts their everyday lives.”

7,000 emails checked with 1,000 exposed password matches found in less than 30 minutes

About Aaron Baillio

I’ve spent the first 10 years of my career with the Department of Defense. With them I traveled the world and supported both in garrison and deployed network operations and information assurance. I’ve written compliance documents for AF accreditation and NIST accreditation including policy and technical documents. I’ve also spent a lot of time performing security engineering through the system development process. Currently, I am the managing director of security operations at the University of Oklahoma. We cover the whole range of security operations from day to day sustainment to incident response. We’ve planned for and developed tool sets for malware detection, DNS security, vulnerability discovery and remediation and incident response maturity. We support the entire university in security operations and advise on departmental security projects.

The SpyCloud Difference

Current, Relevant, Truly Actionable Data

SpyCloud’s account takeover prevention and fraud investigation solutions are backed by the world’s most current and comprehensive repository of recovered stolen credentials and PII. More data, particularly plaintext passwords, means more matches and stronger account protection.

SpyCloud human intelligence researchers have recovered billions of data breach assets, including stolen passwords and emails that can put enterprises at risk of account takeover.


Top 10 Travel Booking Site

CASE STUDY


Industry: TRAVEL & HOSPITALITY

Top 10 Travel Booking Site Discovers Up to 11,000 Exposed Customer Credentials per Hour with SpyCloud

Challenge

Preventing account takeover begins with monitoring the dark web, but without the ability to match user accounts with a database of exposed credentials, a top 10 travel booking site was vulnerable to attack.


Solution

The booking company uses the SpyCloud API to continually monitor and protect customer accounts against SpyCloud’s massive database of exposed emails and plaintext passwords.


Result

With automated dark web monitoring, the company discovers thousands of exposed customer accounts every hour, enabling the company to better protect their customers from account takeover.



The online travel booking company profiled is one of the largest in the world, with nearly two million room nights reserved at more than 140,000 global destinations on its online platform every day. With a mission to remove the friction from travel, the company unites travelers with every type of accommodation available.

Challenge

Preventing Account Takeover After a Breach

Account takeover (ATO) is a growing problem that impacts virtually every industry, particularly those organizations with an e-commerce capability. When cyber criminals steal usernames and passwords or purchase them from breach data on the dark web, both consumer and company can suffer.

The risk of ATO keeps security leaders up at night. Beyond the financial loss, ATO is often the dreaded aftermath of a security breach and can continue to cause damage for years.

For the Account Security Group at one of the top 10 travel sites, keeping constant watch over user accounts is a full-time job that would greatly benefit from automation.

“It has always been our goal to prevent, detect and remediate any account security threat,” says a security leader at the online travel company. “We wanted a solution that would enable us to continually evaluate our security stack and if we detect any gaps in our strategy, take immediate action to protect our customers and our brand, starting with ATO prevention.”

Solution

Identify Exposed Credentials Early and Rapidly

SpyCloud always has its ear to the ground in the deep and dark web. Through proprietary tools, techniques and technologies, SpyCloud is able to detect corporate breaches earlier than any other company. The earlier exposed credentials are discovered, the more likely a future breach can be prevented.

To prevent a breach, ATO and ongoing fraud from happening, this top 10 travel booking site turned to SpyCloud, recognizing the value of the detailed, real-time, accurate data SpyCloud provides. They chose to work with SpyCloud to launch a new initiative to automatically detect exposed customer credentials and alert security leaders early in the process, before criminals have the opportunity to take over the account and cause damage.

The company uses SpyCloud data as part of their account stuffing attack monitoring. For each login attempt to their domains, they initiate an out-of-band SpyCloud check for an account match. They then check match alerts against SpyCloud’s recorded spikes in account stuffing attacks to identify any correlations.

“We use SpyCloud to detect the ATO storms – when an attacker targets our system with a list of breached credentials,” says the security leader at the company. “The SpyCloud data reveals which accounts are compromised so we can force the account down an alternate road that includes a second step in the verification process. This is typically requiring the account owner to answer security questions or engage in two-step multi-factor authentication.”

“Without the SpyCloud data, we would be in constant risk for attacks we never saw coming. We may not be able to stop every breach, but we feel we are being more proactive and have dramatically improved our security stance.”
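The per-login check and step-up routing described above, as an added example that is not the travel company’s or SpyCloud’s code: a constructed in-memory index stands in for the out-of-band SpyCloud lookup, and the sliding-window count that flags an ATO storm, its five-minute window and its threshold of three hits are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

class ExposureIndex:
    """Constructed stand-in for the out-of-band breach-data lookup, keyed by email."""

    def __init__(self, records):
        self.by_email = {}
        for email, password in records:  # plaintext passwords as recovered from breaches
            self.by_email.setdefault(email.lower(), set()).add(password)

    def is_exposed(self, email: str, password: str) -> bool:
        return password in self.by_email.get(email.lower(), set())

class LoginGate:
    """Per-attempt decision: allow, or route the account to a second verification step."""

    def __init__(self, index: ExposureIndex, window: timedelta, storm_threshold: int):
        self.index = index
        self.window = window                # how far back to count breached-credential logins
        self.storm_threshold = storm_threshold
        self.recent_hits = deque()          # timestamps of attempts that used an exposed credential

    def decide(self, email: str, password: str, now: datetime) -> str:
        while self.recent_hits and now - self.recent_hits[0] > self.window:
            self.recent_hits.popleft()      # forget hits that fell out of the window
        if not self.index.is_exposed(email, password):
            return "allow"
        self.recent_hits.append(now)
        # A burst of logins with breached credentials is the "ATO storm" the quote describes;
        # every hit still gets the second step, the label only raises the alert priority.
        if len(self.recent_hits) >= self.storm_threshold:
            return "step_up_storm"
        return "step_up"

def sample_run() -> list:
    """Constructed breach records and login attempts; not real customer or SpyCloud data."""
    index = ExposureIndex([("ana@example.com", "travel123"), ("ben@example.com", "hunter2")])
    gate = LoginGate(index, window=timedelta(minutes=5), storm_threshold=3)
    t0 = datetime(2020, 1, 1, 12, 0, 0)
    attempts = [
        ("ana@example.com", "newStrong!Pw", t0),                        # not in breach data
        ("Ana@example.com", "travel123", t0 + timedelta(seconds=10)),   # exposed credential
        ("ben@example.com", "hunter2", t0 + timedelta(seconds=20)),     # exposed credential
        ("ana@example.com", "travel123", t0 + timedelta(seconds=30)),   # third hit in window
        ("ben@example.com", "hunter2", t0 + timedelta(minutes=10)),     # window has emptied
    ]
    return [gate.decide(e, p, t) for e, p, t in attempts]
```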

Results

Thousands of Exposed Credentials Discovered Every Hour

One of the unique aspects of SpyCloud is the ability to discover direct matches with emails and passwords. Identifying exposed emails is not enough and doesn’t indicate the account has been compromised. With SpyCloud’s proprietary password cracking methodology, more passwords can be cracked, unencrypted and operationalized. In fact, SpyCloud owns the largest database of emails and plaintext passwords, eight billion and counting.

“SpyCloud allows us to see where we are vulnerable in order for us to fortify those potential entry points,” says the security leader. “With the SpyCloud database constantly updated, we can continually monitor our customer base with the freshest, most usable data available. Using the SpyCloud data, we discover anywhere from 3,000 to 11,000 direct matches per hour. Every one of those exposed accounts could have led to account takeover.”

While the SpyCloud solution does include the capability for users to automatically remediate accounts with matches to breach records, typically forcing a password reset, the travel company prefers less friction in the booking process.

“For now, we are using SpyCloud simply for monitoring, but we are aware the solution can do much more,” says the security leader. “We are evaluating our options and are considering moving towards being more proactive without compromising our mission. The fact that SpyCloud is customizable to our needs now but also scalable to where we may go in the future is one of the reasons we chose their solution.”

4.7% email and plaintext password match rate.


Understanding the Underground Market for Stolen Credentials

REPORT


Account Takeover & the Darknet

Even after the fall of the large darknet markets, such as Hansa and AlphaBay, there still exists a sophisticated underground ecosystem that thrives upon the sale and trade of stolen credentials. The fall of these markets represented a paradigm shift in how credentials are bought and sold on the underground. Phishing and spear-phishing attacks are becoming increasingly sophisticated and that’s just the tip of the iceberg.

Download this SpyCloud report to read our experts’ breakdown of how the underground market operates, how it is changing, and what can be done to protect you and your company.
