Case study

A Stirling approach to advanced threat protection in the higher education sector

How a leading UK university amplified its threat detection and response through a partnership with Kocho and the power of Microsoft Sentinel.

The University of Stirling, an ambitious and forward-thinking institution, sought to further enhance the protection of its sensitive data and strengthen its defence against cyber attacks.

Using our Managed Sentinel security service, Stirling was able to enhance its security visibility, threat monitoring, and incident response.


  • Improved and fully managed security established in just three months.

  • Maximised ROI of existing Microsoft 365 licensing and solutions.

  • A unified approach to threat detection and response through Microsoft Sentinel.

  • Complete visibility and continuous monitoring across the client’s estate.

  • Reduced false positives and alert ‘noise’ to focus on the real threats.

Security challenges for an ambitious university

The higher education (HE) sector is a prime target for cyber attacks – subjected to over a thousand attacks per year in the UK.

Cyber attacks are also growing more sophisticated, with criminal organisations seeking valuable research information and large databases packed full of personal data.

Coupled with this threat of attack, HE providers also regularly face challenges in ensuring compliance with several stringent regulations such as GDPR, the Data Protection Act and aspects of the Scottish Government Cyber Resilience Framework.

The University of Stirling has big ambitions for the future, revolving around research excellence and collaborative learning delivery.

The university recognised that, as its reputation as a leader in research grew and its cloud infrastructure became more complex, with a resulting growth in potential threat vectors, improved security was a priority.

Maintaining a high degree of protection against cyber threats is no easy task. As with all universities, Stirling needed to incorporate and protect a diverse range of systems on-premises and in the Cloud, without an existing SOC/SIEM capability.

Even though the perimeter was locked down with a strong firewall, it was recognised that improved visibility of threats and centralised monitoring of independent systems was required for enhanced protection.

As part of its Microsoft licensing, the University of Stirling had access to a wealth of Microsoft 365 security tools, and it wanted to ensure these tools were utilised to maximum effect with the resources available.

Stirling’s IT security team had a broad remit and was integral to a multitude of diverse projects. As a result, the team could not solely focus on threat monitoring and incident response, so leveraging the available solutions to their full capabilities was vital.

We believed a partnership approach with a security specialist would be a key enabler and a great addition to our team, helping improve security visibility and increasing the efficiency and effectiveness in the way we spot and respond to threats.

Victoria Szymanska, Cyber Security Specialist, University of Stirling

Lastly, when COVID-19 hit, the rapid rise in cyber threats, the huge demand for remote working, and the requirement for secure remote access massively upped the ante – compelling the university to accelerate improvements to its security posture.

To address these challenges, the university was keen to secure the services of a Microsoft partner that could help protect the organisation and make the most of its Microsoft technology investments.

Building a first-class security partnership

The University of Stirling was put in touch with Kocho via our partner Phoenix, a specialist in IT services for the public sector and higher education. Stirling’s research and continual analysis and review of its security position confirmed its belief that Microsoft Sentinel would be a great fit.

As a SIEM platform, Microsoft Sentinel would bring together all of Stirling’s Microsoft solutions for a holistic security setup and drive improvements to ROI – but the university knew it would require assistance with set-up and continuous monitoring.

Kocho were the perfect fit, as a Gold Microsoft partner in security, with intimate knowledge of the Microsoft 365 security suite.

The University of Stirling had identified several security areas where it wanted to provide industry-leading protection, namely:

  • Improved (and continuous) visibility across the threat landscape.
  • The ability to quickly identify security threats and incidents, including new and emerging threats within the industry.
  • The ability to mitigate, remediate, and minimise further events and limit the impact on the organisation.
  • The capability to provide actionable intelligence at an operational, tactical, and strategic level to ensure that, from the Board down, risk can be proactively managed.

Kocho and the University of Stirling agreed to a tailored approach to supply Security Managed Services, focused on improving security posture.

“Partnering in such a way enables the sharing of knowledge and expertise and facilitates knowledge transfer to the University of Stirling’s teams, enhancing our expertise and capability.”

David Telford

Executive Director for Information Services, University of Stirling

A personal approach to onboarding

The first stage of the journey, as with any managed security partner, was to carry out a client Readiness Assessment and personal onboarding process.

The Readiness Assessment exercise included a detailed review of critical assets, IT strategy, IT infrastructure, and regulatory requirements. Upon completion of the assessment, several improvement opportunities were identified for the Kocho and University of Stirling teams to work on together, including:

  • Fine-tuning Microsoft Threat Protection tools to improve visibility and prevention of attacks against endpoints, identity, email, and applications.
  • Improving processes for external access for trusted third parties, such as researchers, business partners, and supporting organisations.
  • Consolidation of identity management processes across the university’s cloud and on-premises solutions.

Up and running in no time

Getting from initial discussions to managed threat monitoring services running in Stirling’s environment took three months. The Readiness Assessment and personal hands-on onboarding formed a critical part of the process, whereby our security experts worked closely with Stirling to understand its needs and how to set up the service in an optimal manner.

Throughout the onboarding process, Kocho worked closely with Stirling to set up the SIEM platform and handle the initial configuration of log sources and connectors, as well as elements of fine-tuning.

The Kocho SOC team then took responsibility for the day-to-day monitoring of critical assets and the collation of threats, incidents, and events. We also took care of operational, tactical, and strategic reporting, bringing our experience and insight to bear to help stay ahead of new and emerging threats.

The onboarding process started with the connection of Microsoft log sources, giving visibility into some of the challenges that Stirling was facing. High numbers of anomalous sign-in incidents were quickly identified because the university’s student population is widely dispersed around the globe.

The Kocho team helped Stirling reduce the noise in these alerts and focus on the most important ones.

Smart solutions for the education sector

The threat monitoring tool that underpins Kocho’s Managed Security Services is Microsoft Sentinel, Microsoft’s newest cloud-native SIEM.

Sentinel uses scalable machine learning algorithms based on decades of data from the Microsoft security team and can find, investigate, and respond to threats in record time.

These built-in models correlate millions of low-fidelity anomalies and connect the dots to help you cut through the ‘noise’ of false-positive threat alerts and find the high-fidelity security incidents that matter.

Microsoft Sentinel provides the University of Stirling with built-in automation and orchestration tools with the ability to build custom playbooks to enable threat response automation, eliminating repetitive tasks, freeing up resources, and allowing quicker threat response.

A+ results and a promising future

With the managed security service now in place, Stirling’s IT team has a clearer view across its estate and a newfound peace of mind that the Kocho security experts are proactively monitoring its most critical assets.

“Using a managed security services partner helps to bring clarity to what is a complex operating model and allows us to identify noise and potential threats much quicker.” – David Telford – Executive Director for Information Services, University of Stirling

The integration of Microsoft Sentinel, alongside the wider suite of Microsoft services, has also helped to drive improved value from its existing Microsoft licensing.
