New automated cyber service from Jisc takes the heavy lifting out of threat monitoring
Author: kate.edser@jisc.ac.uk
Source
As criminals find new ways of infiltrating and disrupting networks and stealing data, cyber security has become an ever-more complicated and time-consuming problem.
Like many other businesses, more and more education providers are turning to automated methods of detecting and mitigating threats. This reduces the pressure on IT and security staff because it saves time and provides peace of mind that attacks will be spotted early, providing the best possible chance of stopping progress before they cause too much damage or disruption. Responding to members’ needs, Jisc has created the first sector-specific cyber security threat monitoring service (CSTM), which uses the world-leading Splunk Enterprise Security platform to aggregate data in real time and identify suspicious activity. How does it work? It takes the heavy lifting out of security monitoring. All IT products – be they servers, firewalls, devices, or networking equipment – generate log files. These tell us when, where and who accesses each system and what they do. The difficulty is the amount of data these log files generate: they are created every time someone logs on or off, connects to the wi-fi, or searches the website. We’re talking about many gigabytes a day of logs, which is impossible to keep track of manually. The CSTM service takes all these event logs, puts them into the platform and constantly correlates them with what it knows to be ‘business-as-usual’ and highlights other events that match known threat activity. [#pullquote#]Alerts are triaged by our security analysts, who will assess the severity and notify the relevant organisation’s security contacts if required. [#endpullquote#]So, it’s important to have the configuration correct at the start, otherwise it’ll generate lots of false positive alerts. Jisc fully supports members through that on-boarding process. We feed the system with information specific to each institution, including their server names, domain controllers, firewalls, and the names of high-risk accounts, such as the leadership team and senior IT and security staff with system admin rights. A risk level is assigned to each of those elements, which is how the system categorises and prioritises alerts. Alerts are triaged by our security analysts, who will assess the severity and notify the relevant organisation’s security contacts if required. ‘Critical’ alerts are automatically sent to the Jisc computer security incident response team (CSIRT), whose staff will be available to support an affected organisation, provide advice and take remedial action if needed. The system might detect potential unauthorised access by tracking the number of failed logins to high-privilege accounts, or by spotting that a user has apparently tried to log in from multiple locations simultaneously. Either scenario could indicate a compromised account. Why should members choose this option? As the market leader, the Splunk platform isn’t cheap, but because Jisc is a Splunk partner, we can offer preferential pricing. The pricing model is based on how much data each institution uses calculated on gigabytes a day. In some cases when we’ve discussed cost with members there’s been a sharp intake of breath, but there really isn’t a comparably affordably model on the market; we’ve done our homework on that front. On the flip side, the cost is usually a drop in the ocean compared to the impact of a serious cyber-attack, as our cyber impact report notes. And this kind of service will free up staff time. [#pullquote#]The cost is usually a drop in the ocean compared to the impact of a serious cyber-attack[#endpullquote#]Continuing the ‘defend as one’ theme of Jisc’s cyber security campaign, threat information provided by service users will help continuously improve the service for the benefit of all. There’s one other considerable benefit: Jisc is in the unique position of being the only vendor of this sort of solution that operates its customers’ network connections to the wider internet via the Janet Network. So, we can detect threats on the network before they cause problems and integrate that intelligence to increase the effectiveness of the CSTM platform. It sounds like the perfect cyber security solution… Well, yes and no… I think that this kind of product is essential for any organisation, be it educational or commercial. Without it, nefarious actors could be sniffing around systems undetected for days or weeks. Indeed, we know of ransomware attacks where just this sort of reconnaissance has taken place, but not picked up until the forensic investigation after the event. By then, of course, it’s often too late to recover systems or the data within them. [#pullquote#]I think that this kind of product is essential for any organisation, be it educational or commercial. Without it, nefarious actors could be sniffing around systems undetected for days or weeks [#endpullquote#]To stop or mitigate attacks, it’s really important to quickly pinpoint the ‘what, when and how’ to prevent an attack from spreading or happening again. However, no security solution will provide 100% protection. This kind of service should be considered as just one tool in the box. Each element of a cyber security strategy needs to be strong, with no weak links. Further information Steve Howard will be talking about CSTM at Jisc’s annual Networkshop event, on 14-15 June at Nottingham Trent University and online on 16 June. In time, CSTM will become part of the security operations centre that Jisc should be able to offer to members later this year.