1. Higher education and research – actively protecting our investment
Alan Hill
Chief Information and Digital Officer
2. University of Exeter
Top 10 Universities in the UK
98% of research rated as international quality
3. The University as a Business
• £100m of research income
• £420m turnover
• 22,500 students
• 4,500 academic and professional staff
• 4 campuses in the South West of England
7. What we have to protect
• All research data is valuable
• Intellectual property
• Patents
• ‘High value targets’
8. Education
• Students as customers
• Battle-rhythm of the University
• Critical services
– Collaborative learning environment
– Recruitment and admissions
– Online exams
12. The Threat
• What do we look like to an attacker? Inside and outside
• Tactics: DDoS, theft, reputation, exploitation
• Capability, routes, intent, techniques
• Attackers’ options
13. Why
• One tool to manage security, operations and application development
• Minimise training overhead
• On-premises option to control costs
• Available through contract frameworks
14. Splunk in action for the University
The What? MITRE ATT&CK
• Tactic: Credential Access
– “Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network.”
The How? MITRE ATT&CK
• Technique: Kerberoasting
• Technique: Credential Dumping
• Technique: Brute Force
Where to look? Data sources
• Domain Controller authentication logs
• PowerShell logs
• Process monitoring
• …
https://attack.mitre.org/
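The slide names the tactic, three techniques and the data source, but not the detection logic that turns domain-controller authentication events into an alert. The Python below is an added example, not the University's Splunk content and not code from MITRE or Splunk: it runs two of the three techniques (Brute Force and Kerberoasting) over a constructed batch of Windows Security events of the kind a domain controller forwards to a SIEM, and it is also the check behind the admin-account failed-logon walk-through in the speaker notes. Credential Dumping is left out because it needs process-monitoring data rather than DC authentication logs. Event IDs 4625 and 4769 and ticket encryption type 0x17 (RC4-HMAC) are standard Windows values; the account names, addresses, timestamps, thresholds, the flat event-dict layout and the ATT&CK IDs quoted in comments (current numbering, which the slide does not give) are assumptions made for the example.

```python
"""Added example: ATT&CK Credential Access detections over domain-controller
authentication events. Not the University's or Splunk's own content."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(minute, second, code, **fields):
    """Build one constructed Windows Security event (field names as in the event XML)."""
    ev = {"time": datetime(2019, 3, 5, 9, 0, 0) + timedelta(minutes=minute, seconds=second),
          "EventCode": code}
    ev.update(fields)
    return ev


# Constructed sample, not real logs. 4625 = failed logon, 4769 = Kerberos
# service-ticket (TGS) request. Account names and addresses are made up.
SAMPLE_EVENTS = (
    # eight failed logons for one admin account from one source in ~2.5 minutes
    [_ev(0, 20 * i, 4625, TargetUserName="adm_svc01", IpAddress="10.20.30.44")
     for i in range(8)]
    # a single failure: a user mistyping a password is not a brute force
    + [_ev(1, 5, 4625, TargetUserName="jsmith", IpAddress="10.20.31.9")]
    # one account pulling RC4-HMAC (0x17) tickets for several distinct SPNs
    + [_ev(10, 2 * i, 4769, TargetUserName="grad_student7", IpAddress="10.20.32.71",
           ServiceName=spn, TicketEncryptionType="0x17")
       for i, spn in enumerate(["MSSQLSvc/db1", "HTTP/intranet", "MSSQLSvc/db2", "CIFS/files1"])]
    # an ordinary AES256 (0x12) ticket request
    + [_ev(11, 0, 4769, TargetUserName="jsmith", IpAddress="10.20.31.9",
           ServiceName="HTTP/intranet", TicketEncryptionType="0x12")]
)


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """ATT&CK T1110 Brute Force: report (account, source) pairs with at least
    `threshold` 4625 failures inside any sliding `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["EventCode"] == 4625:
            failures[(ev["TargetUserName"], ev["IpAddress"])].append(ev["time"])
    findings = []
    for (user, ip), times in failures.items():
        times.sort()
        best, start = (0, None, None), 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, times[start], t)
        if best[0] >= threshold:
            findings.append({"technique": "T1110 Brute Force", "account": user,
                             "source": ip, "failures": best[0],
                             "first": best[1], "last": best[2]})
    return findings


def detect_kerberoasting(events, min_spns=3, window=timedelta(minutes=10)):
    """ATT&CK T1558.003 Kerberoasting: one account requesting RC4-HMAC (0x17)
    service tickets for many distinct SPNs in a short time. Domain-joined
    clients normally negotiate AES (0x11/0x12); tooling asks for RC4 because
    RC4 tickets crack far faster offline."""
    requests = defaultdict(list)
    for ev in events:
        if ev["EventCode"] == 4769 and ev.get("TicketEncryptionType") == "0x17":
            requests[(ev["TargetUserName"], ev["IpAddress"])].append(
                (ev["time"], ev["ServiceName"]))
    findings = []
    for (user, ip), reqs in requests.items():
        reqs.sort()
        best = (0, None)
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) > best[0]:
                best = (len(spns), t0)
        if best[0] >= min_spns:
            findings.append({"technique": "T1558.003 Kerberoasting", "account": user,
                             "source": ip, "distinct_spns": best[0], "first": best[1]})
    return findings


def run_detections(events):
    """Run every detection and return the combined findings list."""
    return detect_brute_force(events) + detect_kerberoasting(events)


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f)
```

Running the block on the constructed sample yields two findings: the admin account with eight failures from one address, and the account requesting four RC4 service tickets; the single mistyped password and the AES ticket request are ignored. The brute-force half is the same idea an analyst would express in Splunk as a search along the lines of `index=wineventlog EventCode=4625 | bucket _time span=5m | stats count by _time, TargetUserName, IpAddress | where count>=5` (index name assumed); the thresholds here are deliberately low for the sample and should be tuned against a real estate's baseline, where a few failures per account per window are normal.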
16. Step by Step SIEM Success: Security Monitoring + Forensics
The What? MITRE ATT&CK
• Tactic: Credential Access
The How? MITRE ATT&CK
• …
• …
• Technique: Brute Force
• …
Where to look? Data sources
• Domain Controller authentication logs
• …
• …
https://attack.mitre.org/
18. Reality of deployment
• Need to truly understand your estate
• On-premises comes with its own overheads
• Energising the staff for the new capabilities
• Ensure you have enough professional service
support
• Start small and grow big - control the use cases
• Keep focused on the business benefits
• “No plan survives contact with the enemy”
19. We’re only just getting started
• Splunk is central to our operations
• The use cases are growing daily
• It’s in action now protecting the University
• Tangible value for money
Speaker notes
Alan Hill
CIDO
Contributing to amazing research and excellent education
Combining research and education to “make the exceptional happen”
Today I want to tell you about:
What is a University – a business, a charity, an educational establishment, a world-renowned research institute
What we need to protect – Research and Education
The Threat to higher education institutes
Splunk’s role in protecting our investment (UK taxpayers, commercial organisations, student fees)
Lastly – the reality of a Splunk deployment from zero to hero in 8 weeks.
Business drivers:
Student recruitment: international students pay more than UK/EU. Everyone is after the same market.
League tables driven by student recruitment.
Research quality drives future research income
Its success is built on a strong partnership with its students and a clear focus on high performance.
So you can see the lines of business and how that can drive income.
Ensuring those Lines of Business operate effectively and remain secure is the role of Splunk in the University
Formed in 1955
22,500 students from more than 130 different countries.
The University of Exeter combines world class research with excellent student satisfaction at its campuses in Exeter and Cornwall
4 campuses across Devon and Cornwall. No international sites.
For those of you that are not familiar with the UK, these are beautiful areas for the sea and the countryside
The value of the University is an important economic point
We are not only educating and researching
We create more than £1.17 Billion economic output
So this is a significant business, that has real and tangible impact
That needs digital services and IT systems that are reliable, high performing, and secure.
Recent breakthroughs to come out of Exeter's research include:
the identification and treatment of new forms of diabetes and
the creation of the world's most transparent, lightweight and flexible conductor of electricity.
Our research focuses on some of the most fundamental issues facing humankind, including on disease prevention through predictive biology
We have a specialist research IT team that directly contribute to:
Discovery of the atmospheres of exo-planets 200 light years away
Research into dementia in the over 50s in Hong Kong and the UK
Research data is valuable – it needs protecting
Even if it is to be published openly there are a few years first to get maximum value from it.
Commercially funded research needs protection for the duration of the contract.
From research derives intellectual property rights, and patents
The professors who do the most valuable or sensitive research are ‘high value targets’ to an adversary who wants the information without the work or the cost
So wrapping Splunk around the research data and the high value targets, helps protect our research
Identifies unusual patterns of access, and helps prevent the theft of research data
Education line of business:
Like any business – we value our customers
Customers expect services to be of high quality and to run effectively
So we will be using Splunk to help us focus on those critical services
There is a battle-rhythm that means we have peak times for services that simply must not fail:
Virtual learning environment where course content is placed, with LECTURES recorded (SLIDE NOW)
Each lecture is recorded – the speaker and the content
Uploaded to our cloud provider and accessed through the virtual learning environment
Last academic year = 650,000 viewings
I know what you are thinking – lying in bed instead, but usage indicates it’s about revision
Recruitment and admissions is about getting all our spaces filled each year with the best quality students
A-level results download
Place allocation
Filling spaces - setting up a call centre, high availability on the website, low latency in the back end systems
Each unfilled space is a hit on 3 years of income
Online exams: similar pressure to make sure these critical services operate effectively
Splunk will help us do all these things
So what is the threat to these Lines of Business
10 MINUTES check
Assume all of your research has been copied – as a starting point
Understanding the threat
What we look like as a target:
Graphene research
Animal research
Military research
How might we be attacked
Leads us to prioritise the deployment of Splunk to support the overall protection plan.
We are a small team
Need one tool that does everything
Low cost of training in ££££ but also time
Need options such as on-premises to manage the through life cost, based on previous investments in our data centre.
Critically – the availability of procurement frameworks. Universities act like public bodies and so procurement can be a painful process.
Now Splunk has an arrangement that can be accessed by all universities and colleges.
So let’s look at Splunk in action
protecting our research data
Ensuring that critical services remain available
With the MITRE ATT&CK methodology as the backdrop, I am going to show some videos of day 2 of our deployment
Starting in the Access Centre
Do not be alarmed by the word EXTREME – this is day 2 so everything looks new!
Looking over time at Actions and Access. Exploring the patterns and anomalies
We can see Access denied/failure etc
Focus on Failure
Look specifically at server EMPS LEANDRO – and we can see an Admin account has multiple failed attempts to access
We can look at the signature, and at the time.
So we have an admin account – Credential Access
Using Brute Force Attack
This is something we would not normally be able to see, certainly not with the speed or ease. We can take action now.
Now in the Intrusion Centre
We can quickly see the attack locations and start to interpret what that may mean
Then to the Traffic Centre
Looking at patterns over time
Focusing on one particular device that has drawn our attention
Multiple ports open
Facebook (may be this is a misconfiguration)
Peer to peer file sharing website – if this was a research machine, this would be a red flag.
University is a business
It has customers
It has value
Splunk now plays a key role in our day-to-day operations
Use cases are coming in thick and fast
Protecting our key assets and our high value targets is critical security activity
But remembering that this was an investment, so getting the benefits realised and the value for money evidenced is important from a business perspective
The vision for the University is to Make the Exceptional Happen, and I am delighted that Splunk are playing a part in doing that.