...
Patching
Windows machines on campus take their operating system updates from a local update server (/wiki/spaces/itskb/pages/26116233). That update server tells us what machines have updated, when, and which specific updates were applied. We need this information in order to ensure that everyone's computer is up to date and not vulnerable to any obvious intrusions or attacks. Out of all the various defenses users, and ITS, can employ to combat such attacks, simply keeping devices up to date is by far the simplest and most effective. See also below on the KBox, under Software Deployment, Packaging.
Software Deployment, Packaging
...
Files in Google Drive, and on storage internal to our network, are scanned for personally identifiable information, like social security numbers. In the case of Google Drive, CloudLock does the scanning, and these scans are fully automated. Users get a direct email if a possible issue is uncovered. In contrast to CloudLock, Spirion (formerly Identity Finder), at least the way we have implemented it, only runs under user direction. Users, that is, install the software from the KBox and run it when desired. It also uncovers personally identifiable or otherwise sensitive data, but works on local and networked file storage, that is, things on your local computer, rather than in the cloud.
Keyserver Logging, License Management
...
In general, nearly all devices through which Carleton network traffic passes log that traffic. These logs typically include the source and destination IP address, MAC address, and various other relevant details. Additional detail gets logged for WiFi via /wiki/spaces/itskb/pages/26119999. This data, collectively, allows us to locate and fix problems and bottlenecks, and it helps us diagnose problems when we (or our users) discover them. We normally don’t look at this data in detail unless there is a problem. The number of people who can do this is very limited (a few core systems staff and the IT security officer).
The Firewall
Additionally, ITS protects the campus with a central firewall (/wiki/spaces/itskb/pages/26119002), which inspects traffic as it flows through and looks for infiltration attempts, brute-force scans of our network, and other hostile activity, and logs and/or outright blocks that activity, depending on its severity. ITS does not examine logs produced by the firewall, except when performing forensics, troubleshooting, or examining alert notices. The number of people who can do this is very limited (to a few core systems staff and the IT security officer).
Machine-Level Logging
Individual machines (Linux servers, Windows servers, and Windows desktops) also log what they are doing, locally. There are, for one thing, antivirus and local firewall logs. There are also general system logs. These latter logs are written not only to local disk, but also forwarded to a central syslog server, then on to a central repository (Splunk). Every time a Windows machine executes a program, that execution is also recorded separately, along with the policy that applies to it (AppLocker). ITS knows nothing about what the programs are really doing. But we do use the basic information provided in logs to detect malware-related infestations, and also to perform forensics when and if hostile activity is discovered.
...