A Stirling approach to advanced threat protection in the higher education sector

Using our Managed Sentinel security service, Stirling was able to enhance its security visibility, threat monitoring, and incident response.

Results

Security challenges for an ambitious university

The higher education (HE) sector is a prime target for cyber attacks – subjected to over a thousand attacks per year in the UK.

Cyber attacks are also growing more sophisticated, with criminal organisations seeking valuable research information and large databases packed full of personal data.

Coupled with this threat of attack, HE providers also regularly face challenges in ensuring compliance with several stringent regulations such as GDPR, the Data Protection Act and aspects of the Scottish Government Cyber Resilience Framework.

The University of Stirling has big ambitions for the future, revolving around research excellence and collaborative learning delivery.

The university recognised that as its reputation as a leader in research grew, and as the complexity of its cloud infrastructure and the resulting growth in potential threat vectors became bigger, improved security was a priority to address.

Maintaining a high degree of protection against cyber threats is no easy task. As with all universities, Stirling needed to incorporate and protect a diverse range of systems on-premises and in the Cloud, without an existing SOC/SIEM capability.

Even though the perimeter was locked down with a strong firewall, it was recognised that improved visibility of threats and centralised monitoring of independent systems was required for enhanced protection.

As part of its Microsoft licensing, the University of Stirling had access to a wealth of Microsoft 365 security tools, and it wanted to ensure these tools were utilised to maximum effect with the resources available.

Stirling’s IT security team had a broad remit and was integral to a multitude of diverse projects. As a result, the team could not solely focus on threat monitoring and incident response, so leveraging the available solutions to their full capabilities was vital.

Lastly, when COVID-19 hit, the rapid rise in cyber threats, the huge demand for remote working needs and a requirement for secure remote access, massively upped the ante – compelling the university to accelerate improvements to its security posture.

To address these challenges, the university was keen to secure the services of a Microsoft partner that could help protect the organisation and make the most of its Microsoft technology investments.

Building a first-class security partnership

The University of Stirling was put in touch with Kocho via our partner Phoenix, a specialist in IT services for the public sector and higher education. Stirling’s research and continual analysis and review of its security position confirmed its belief that Microsoft Sentinel would be a great fit.

As a SIEM platform, Microsoft Sentinel would bring together all of Stirling’s Microsoft solutions for a holistic security setup and drive improvements to ROI – but the university knew it would require assistance with set-up and continuous monitoring.

Kocho were the perfect fit, as a Gold Microsoft partner in security, with intimate knowledge of the Microsoft 365 security suite.

The University of Stirling had identified several security areas where it wanted to provide industry-leading protection, namely:

• Improved (and continuous) visibility across the threat landscape.
• The ability to quickly identify security threats and incidents, including new and emerging threats within the industry.
• The ability to mitigate, remediate, and minimise further events and limit the impact on the organisation.
• The capability to provide actionable intelligence at an operational, tactical, and strategic level to ensure that, from the Board down, risk can be proactively managed.

Kocho and the University of Stirling agreed to a tailored approach to supply Security Managed Services, focused on improving security posture.

A personal approach to onboarding

The first stage of the journey, as with any managed security partner, was to carry out a client Readiness Assessment and personal onboarding process.

The Readiness Assessment exercise included a detailed review of critical assets, IT strategy, IT infrastructure, and regulatory requirements. Upon completion of the assessment, several improvement opportunities were identified for the Kocho and University of Stirling teams to work on together, including:

• Fine-tuning Microsoft Threat Protection tools to improve visibility and prevention of attacks against endpoints, identity, email, and applications.
• Improving processes for external access for trusted third parties, such as researchers, business partners, and supporting organisations.
• Consolidation of identity management processes across the university’s cloud and on-premises solutions.

Up and running in no time

From initial discussions through to managed threat monitoring services in Stirling’s environment took three months. The Readiness Assessment and personal hands-on onboarding formed a critical part of the process, whereby our security experts worked closely with Stirling to understand its needs and how to set up the service in an optimal manner.

Throughout the onboarding process, Kocho worked closely with Stirling to set up the SIEM platform and handle the initial configuration of log sources and connectors, as well as elements of fine-tuning.

The Kocho SOC team then took responsibility for handling the day-to-day monitoring of critical assets, collation of threats, incidents, and events. We also took care of operational, tactical, and strategic reporting, bringing our experienced insight to the fold to help stay ahead of new and emerging threats.

The onboarding process started with the connection of Microsoft log sources, giving visibility into some of the challenges that Stirling was facing. High numbers of anomalous sign-in incidents were quickly identified because the university’s student population is widely dispersed around the globe.

The Kocho team helped Stirling reduce the noise in these alerts and focus on the most important ones.

Smart solutions for the education sector

The threat monitoring tool that underpins Kocho’s Managed Security Services is Microsoft Sentinel, Microsoft’s newest cloud-native SIEM.

Sentinel uses scalable machine learning algorithms based on decades of data from the Microsoft security team and can find, investigate, and respond to threats in record time.

These built-in models correlate millions of low-fidelity anomalies and connect the dots to help you cut through the ‘noise’ of false-positive threat alerts and find the high-fidelity security incidents that matter.

Microsoft Sentinel provides the University of Stirling with built-in automation and orchestration tools with the ability to build custom playbooks to enable threat response automation, eliminating repetitive tasks, freeing up resources, and allowing quicker threat response.

A+ results and a promising future

With the managed security service now in place, Stirling’s IT team has a clearer view across its estate and a newfound peace of mind that the Kocho security experts are pro-actively monitoring its most critical assets.

“Using a managed security services partner helps to bring clarity to what is a complex operating model and allows us to identify noise and potential threats much quicker.” – David Telford – Executive Director for Information Services, University of Stirling

The integration of Microsoft Sentinel, alongside the wider suite of Microsoft services, has also helped to drive improved value from its existing Microsoft licencing.