How Oklahoma U. protects 80,000 email accounts from the dark web

Before 2018, Oklahoma University had no systematic way of tracking its compromised email accounts, which numbered in the thousands for some breaches. A new exposure detection software that relies on human and machine intelligence, however, has made the inevitable issue of compromised accounts into a non-concern for the university’s IT team.

The 80,000 active accounts that Oklahoma University’s deputy chief information security officer, Aaron Baillio, is in charge of are guarded by Spycloud — a cybersecurity startup that provides an “account takeover service” that trawls the internet and dark web for compromised login information from institutions. When a Spycloud researcher or tool discovers lists of stolen OU.edu email accounts and passwords online, Baillio is immediately notified and the active accounts are locked down.

Before it began working with Spycloud last year, the university’s only method of checking whether accounts had been compromised by a breach or a phishing attack was to use free, manual-search tools like haveibeenpwned.com. With access to an OU.edu email, bad actors can do any number of damaging things to the wider OU community — steal credentials, financial or medical information, or spam faculty and students.

“Since Spycloud, now that we can check all of those, I don’t think about it anymore,” Baillio told EdScoop. “It’s kind of put my mind at ease about the situation.”

While the concept of an index for compromised account data isn’t new, this is the first time Baillio and his team have been able to automate such monitoring. Instead of checking email addresses one by one to see if they match with a known breach, Baillio and Spycloud worked together — initially through a beta test with Alienvault, a popular all-in-one cybersecurity tool — to automate the detection process. Spycloud provided an API to the university to link the university’s account database to Spycloud’s detection tools, and Baillio’s team of three to four student security analysts wrote the script to connect the two. When a breach or exposure happens, Spycloud sends an alert and a ticket for the student analysts to respond to is automatically created.

An initial scan of 7,000 OU.edu emails from a breach returned a match of more than 1,000 active accounts for Baillio and his team to lock down. That would have been impossible before, he said.

“We tried [other tools], and the problem there was we couldn’t automate the process,” Baillio said. “Some of our breaches could be hundreds, if not thousands of email addresses.”

Higher ed as an industry is uniquely vulnerable to data breaches, due to the amount of sensitive data it holds and the sheer number of users — Oklahoma University, for example, has 21,000 students and 6,000 faculty members. School networks are often kept open between faculty, students and staff to allow for collaboration and communication between departments and for research purposes, making them enticing targets for malicious actors. While outright prevention of exposed accounts might not be possible, administrators like Baillio are always looking for way to mitigate the damage.

“We see the date of the breach, when the exposure was discovered, and its severity,” Baillio said in a statement. Previously, that information was not available to his team.

The new software uses researchers and automated scanners to collect its breach information, a multi-pronged approach that Chief Strategy Officer Chris LaConte said is key to speedily recovering exposed data.

“[We] have researchers that navigate the underground where a lot of these threat actors are having conversations. They’re able to recover the data much earlier than when it ends up on the dark web,” LaConte said.