Education is the mission of every university, but paradoxically, the curiosity that stimulates learning can have other consequences – particularly for cybersecurity. With 61,000 students from across the world, Deakin University is one of Australia’s largest higher learning institutions and ranks among the top 1% globally.
The challenge: a student community in constant flux
The university puts a priority on helping its students prepare for jobs of the digital future and presents its curriculum in trimesters, creating three major waves of change in student population annually. Compared to the relatively stable pool of academic and admin users – some 4,750 individuals – the student community is in constant flux, creating challenges for security teams charged with detecting risky behavior.
“Students typically use technology in an unusual way compared to staff, and this sometimes triggers indicators of compromise for their behaviors,” says Fadi Alja’fari, information security and risk manager at Deakin University.
Alja’fari explains that, as a team, they had to find a security solution that focused on user behavior and helped normalize the often random online behavior of students, while separating malicious or compromising actions from something that’s just “unexpected.”
While student behavior and the challenges it poses were a key factor in Deakin University’s decision to expand its cybersecurity portfolio, they certainly weren’t the only reason. A university of this size often deals with threats shared by other large enterprises.
In conjunction with user and entity behavior analytics (UEBA), Deakin sought to upgrade its overall approach to protecting the university’s operations with a security posture program called “Deakin Shield.” This priority focused the team’s search on the leading tools for security information and event management (SIEM).
The team needed a tool that brings together security events from all the tools that Deakin has deployed and presents them in a digestible and actionable manner. Some of the criteria behind their decision included:
- Better visibility via user- and device-based analytics
- Easy implementation
- Ease of use
- A good support model
“When we tested Exabeam’s Advanced Analytics, we were drawn to the fact that out of the box, our security operations analysts can use Exabeam SIEM to respond to alerts without much customization,” says Alja’fari.
This allowed the university’s security engineers to focus their time on improving cyber defenses, instead of learning how to create anomaly detection and event correlation queries – which was incredibly time-consuming. Finally, and by no means an afterthought for anyone looking to grow their cybersecurity posture, the cost factor associated with the Exabeam Security Management Platform (SMP) impressed the team at Deakin University. Compared to all of the other solutions in the market, Alja’fari found the support and operational overhead associated with a SIEM solution were minimal with Exabeam.
Exabeam in action
Deakin University’s security operations center (SOC) team was being overwhelmed by the sheer volume of data they had to process, as their existing log aggregation tool generated massive amounts of feeds and alerts on the network. Exabeam’s automatic analysis of all the university’s security data helped the team bring this under control, notifying security operators of anomalies only as they materialize.
“Before Exabeam, operators had a delay of deciphering the data and attempting to understand which events might lead to an actual security incident,” says Alja’fari.
An example of this would be a student using a VPN service to jump through proxies, using the Tor network, or merely trying it out as an experiment… behavior that would ordinarily have triggered a security alert.
“With Exabeam, we can tell when a student’s VPN behavior is legitimate and not an indicator of compromise. This saves our security team an enormous amount of time.”
Other use cases include:
- Identifying legitimate network logins from multiple geo-locations
- Leveraging email logs for data leak prevention
- Implementing a more cost-efficient logging strategy
“Exabeam’s threat hunting capability is something the security operations team looks at on a daily basis for anomaly analysis,” says Alja’fari.
The best way to learn is by doing
Deakin students enrolled in one of the university’s cybersecurity courses have the opportunity to learn in a real-world environment. This includes job shadowing the university’s security team operators as interns, augmenting the team’s existing capabilities, with the caveat that data and analytics exposed to interns are masked or anonymized for privacy and security purposes.
In this manner, students gain hands-on security operations experience with the Exabeam Security Management Platform before graduation.
Key benefits of the Exabeam Security Management Platform
The university has noticed some specific benefits following the rollout of our SMP, including:
- Stronger enterprise security with behavioral analytics by discovering unusual risks from student “experimentation”
- Deeper visibility on enterprise risks and a streamlined, proactive method of addressing security issues
- Augmenting cybersecurity education for student interns who shadow a security team using Exabeam
Striking a balance that facilitates an environment of learning and experimentation without stifling the spirit of enquiry in higher education is essential to any higher learning institution. Deakin University’s implementation of the Exabeam Security Management Platform not only achieved that, but went as far as giving the university the opportunity to augment its cybersecurity curriculum.