Higher education institutions are among the richest and ripest targets for cybercriminals. They offer the fruit of intellectual property, research and the personal information of both students and faculty. And generally, that low-hanging fruit is easily harvested by bad actors because cybersecurity measures and technology are often implemented piecemeal, without an eye to systematic prevention and response across multiple university or college departments.
“You have so many different departments doing different things, it becomes a complicated landscape to protect,” declares Andrew Frank, Manager of IT Security Services at Mohawk College in Hamilton, Ontario. “Typically, if you don’t have a well-thought-out security program, the technical people will do everything around protecting the environment. They’ll quickly run out and buy some anti-malware, or maybe install fancy, new, next-generation firewalls. And while those fixes are very important, they’re only part of combatting cyberattacks at a college like Mohawk.”
It’s not surprising that Mohawk takes a comprehensive approach to cybersecurity. The college focuses on applied research, with multiple lines of study that allow students to gain real-world experience with businesses in Hamilton and the Greater Toronto Area. It is known for innovation in its own operations, with LEED-certified green buildings and heating and cooling systems.
Mohawk also teaches cybersecurity and has an extensive Central IT department that oversees cybersecurity for the institution. Several years ago, it became clear that the college needed state-of-the-art cybersecurity tools to defend against malicious attackers.
Frank recalls how the college’s cybersecurity environment evolved. “Our board was starting to ask questions about it, asking how we could build a program around protecting our critical assets,” he says. Central IT started by looking at different industry frameworks for security, including ISO 27001 and ISO 27002 standards for managing information security. It then used the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) to conduct a gap analysis and score itself across its five pillars: identify, protect, detect, respond and recover.
The college knew that it had done well in identifying the assets it needed to protect and in protecting those assets generally. However, it did not score as well in detection: if its controls failed, it could not quickly identify a breach and move on to respond and recover. “You can put all this investment into your protection mechanisms, but there’s no silver bullet,” asserts Frank. “Eventually, there's a high risk of compromise and a complex landscape.”
Mohawk decided to focus on and invest in detection. “We wanted to make sure that if somebody got past our protection, we could quickly detect and eradicate them from our network,” Frank says. In higher education, it can sometimes take months before someone realizes that the attackers have infiltrated a system. “We didn’t want that to happen if our systems were breached,” he says.
“Detecting quickly was important to us, but so was what happens after the fact,” notes Frank. “You want to be able to … replay things to identify exactly what happened and exactly what systems were touched, to rebuild your systems after the fact and re-secure your network after a breach.”
Mohawk began a search for an industry-leading detection platform. At the time, it was already working with IBM to build out its cybersecurity curriculum to include SIEM tools such as the QRadar solution. It was with this synergy in mind that Frank and his colleagues began exploring SIEM solutions for the college.
Frank outlines the college’s criteria: “We wanted a tool that was easy to use, didn't require substantial amounts of training for users to be able to pivot and search through data to both see event logs and do network traffic analysis.” The college needed a tool that would not only store the information for searches but also identify and prioritize incidents and offer the option to apply AI to investigate breaches faster.
QRadar quickly rose to the top of the solutions that Mohawk investigated. The tool stood out above the others under consideration because Gartner had named it a SIEM leader in its Magic Quadrant for SIEM report, it had good standing with public cloud providers and it had received strong references from other higher education institutions.