UCLA Threat Detection and Identification (TDI)

What is TDI (Threat Detection and Identification)?

UCLA’s Threat Detection and Identification (TDI) initiative gives UCLA a campus-wide toolset to help manage and reduce cybersecurity risks. The initiative was implemented in a multi-phased deployment of network, email, and host level protection using an array of cybersecurity devices and uses intelligence from many different information sources.

What do these cybersecurity devices do and why are they needed?

They help manage and reduce cyber security risks by using real-time data about advanced threats and cyberattacks. Using automated technology, they focus on threat identification and signs that a system may have been compromised. Upon threat detection, they provide relevant data about the attack. This evidence includes a limited amount of network traffic related to the attack to help reconstruct what happened during the attack. This valuable information provides intelligence for formulating and developing an effective response that allows UCLA information security professionals to respond quickly to these threats.

UCLA’s various cybersecurity devices and threat intelligence give a common operational picture of campus-wide cybersecurity threats. This is critical in assessing the University’s readiness, as well as reducing overall cybersecurity-related risks.

What do TDI devices do?

UCLA’s TDI devices are used to maximize visibility into the cybersecurity threat landscape. These devices also include various advanced forensic tools that can provide more detailed and actionable information regarding cyber threats. These devices detail how threats gain entry and the effect(s) they may have caused. This enables information security professionals to respond faster, more effectively, and help guard against future threats.  Using the automated technology, UCLA’s cybersecurity environment monitors for threats around the clock for the following:

  • Malware, including ransomware, crimeware, and other advanced malware threats that are created for a specific target and/or purpose.
  • Known malicious Internet addresses and websites.
  • Command-and-control (C&C) traffic nodes, which may be how attackers control and manipulate infected computers.
  • Indicators of Compromise (IOC’s) which are information and communications that reveal information in the event a system has been compromised. IOC’s come in many forms including known bad websites, use of covert communications, dangerous metadata, and much more.

Will the TDI technology impact my application or system?

No. The cybersecurity devices that UCLA employs promote a strong ability to detect and alert on known threats on a wide-range of applications and systems. This technology is strategically implemented to ensure that no network traffic or system is directly impacted.

Security/Privacy Work Group

As these capabilities are an evolution of our traditional (but no longer effective) security practices, we are committed to implementing them in a transparent manner. Consistent with our values of shared governance, we have created a security/privacy work group to provide guidance on the implementation of these technologies in alignment with our privacy principles and the Electronics Communication Policy (ECP). Members of the work group include:

  • Jim Davis (OIT)
  • Privacy Board
    • Dana Cuff (Faculty Chair)
    • Christine Borgman (Faculty)
    • Burt Swanson (Faculty)
    • Kent Wada (Chief Privacy Officer)
  • ITPB
    • John Mamer (Faculty Chair)
    • Kathleen Bawn (Faculty Vice Chair)
    • Susan Cochran (Academic Senate Chair Elect)

Please check this site for additional information related to the work group’s recommendations that will be posted as they become available.

Please see frequently asked questions regarding the UC Systemwide Threat Detection and Identification (TDI) Approach for more information.