Mark Wantling, CIO at the University of Salford, tells us how the university has improved its cybersecurity posture by deploying Tanium solutions. He explains how Tanium's real-time endpoint visibility, its integration with ServiceNow and Microsoft Azure Sentinel, and tools such as Tanium Impact have fortified the university's defences against cyberattacks. The result, he says, is better endpoint management, a more proactive security culture, faster response to cyberthreats and improved overall IT efficiency.
Can you elaborate on the specific vulnerabilities in education institutions’ IT environments that make them attractive targets for cyberattacks?
Unfortunately, educational institutions are appealing targets for cyberattacks for a number of reasons. To start, universities hold a huge amount of personal data and classified research which criminals would love to get their hands on.
Plus, the optimisation of universities for a hybrid learning environment has led to more distributed networks, with students, staff and visitors using an array of personal devices to connect to networks from different locations. This has increased the attack surface and is making it hard to keep track of the ever-increasing number of endpoints. To add to this, different schools and departments across campuses are often siloed, making visibility even foggier.
For example, our Tanium implementation uncovered shadow IT endpoints and multiple missing patches, revealing the security risk posed by unauthorised devices and outdated software.
Resourcing also plays its part. Universities typically have smaller security and/or IT teams than large corporate organisations, which can hamper the ability to monitor and respond efficiently to cyberthreats. This cements the need for automation to support us in visibility and response.
Key moments in the academic year, like clearing, are an especially attractive time for hackers looking to wreak havoc. If a university were to suffer a cyberattack during that time and be fully offline, it would be nearly impossible to financially recover, as it could mean £30 million a year in lost revenue for three years.
How did the shift to remote education in 2020 expose or exacerbate the University of Salford’s cybersecurity challenges?
The shift to remote education in 2020 significantly enlarged and distributed our attack surface. We faced heightened vulnerabilities, with students and staff utilising a mix of personal devices and networks for teaching, learning and research. The increased complexity and diversity of thousands of endpoints led to the discovery of missing critical patches and vulnerabilities, posing a substantial security risk. To address these challenges, we worked to modernise endpoint management, implementing Tanium in 2021.
Tanium’s real-time visibility of endpoints, integration with ServiceNow and Microsoft Azure Sentinel, and capabilities such as Tanium Impact have played a crucial role in enhancing our cybersecurity posture. The integration efforts have facilitated total visibility across platforms, faster response times and improved risk assessment, contributing to a comprehensive security framework and cultural change within the organisation.
What were the key steps and strategies you implemented to strengthen the University of Salford’s defences against cybercrime?
As mentioned, we took a significant step by adopting Tanium to gain real-time visibility across our network and centralise vulnerability management, which has been instrumental to strengthening our defences.
We’ve also implemented Tanium Impact for risk assessment, enabling the team to swiftly identify, prioritise, and remediate access rights and dependencies, thus mitigating the risk of lateral movement when accessing a network.
We have also integrated Tanium with ServiceNow CMDB, ensuring a single source of truth for consistent and comprehensive security data that seamlessly feeds into ServiceNow for streamlined management.
Meanwhile, the integration with Microsoft Azure Sentinel expedites incident response and remediation, using real-time data and control to resolve incidents and/or enforce compliance.
Looking ahead, we also plan to adopt a Zero Trust model to further bolster our defences. This approach acknowledges the perpetual risk of security threats from internal and external sources, adding an authentication or authorisation procedure to every person and device accessing our network for an additional layer of control. This enables the university to proactively minimise risk at every touchpoint. Crucial to this is driving cultural change, instilling a security-conscious culture across the university.
In your experience, what are the most common types of cyberattacks targeting educational institutions, and how can they be effectively countered?
In my experience, the most common types of cyberattacks targeting educational institutions include phishing attacks, ransomware (encrypting critical data and disrupting operations), and exploitation of vulnerabilities in distributed networks.
Phishing attacks often aim to compromise university credentials through deceptive emails, exploiting the distributed nature of the university’s network and users. It only takes one individual to slip up for an attacker to gain access. Often, the goal is to either steal data to sell, or hold it for ransom and demand a large pay day.
To effectively counter these threats, a multi-layered security approach is crucial. The University of Salford’s implementation of Tanium for real-time visibility, integration with ServiceNow and Microsoft Azure Sentinel for streamlined security operations, and the emphasis on cultural change and move to a Zero Trust framework, give us the comprehensive strategy we need. This includes proactive threat detection, rapid response and a security-conscious culture to mitigate risks in an evolving educational IT landscape.
How do you manage the balance between ensuring robust cybersecurity and maintaining an open and accessible IT environment for students and staff?
Maintaining an open and accessible environment, while ensuring the university is secure, is a challenging task. By its nature there will always be hundreds of thousands of potentially vulnerable endpoints connected to the network, thousands of potential phishing victims with university credentials and a continued need for 24/7 access.
Striking a balance between providing adequate protection and allowing the university to function efficiently starts with understanding the university’s risk appetite – each institution will differ and having this understanding will shape the level of controls implemented.
It’s also important to consider the impact of overly tight, or lax, restrictions. If controls are overly restrictive, they start to strangle the business’s ability to operate, which could either lead to a loss of organisational agility or, worse, could drive staff and students to look for ways around the controls.
On the other hand, if controls are overly permissive there is an opportunity for bad actors to move very quickly through the organisation, resulting in increased damage and more time and effort to identify, detect and respond to an attack.
To avoid these outcomes, security teams must establish close relationships with staff and students, creating a feedback loop to quickly assess the impact of controls on teaching, research and learning.
Ensuring we have real-time visibility into the entire university network is also crucial. This allows us to be less restrictive, as we can immediately react to any threat and cut it off before any damage is done. With the help of automation, we can also ensure that every device is patched, making our environment as secure as possible.
For example, tools like Tanium Impact have proved crucial in identifying areas where we may have been overly permissive, allowing proactive adjustments before bad actors exploit vulnerabilities.
What advice would you give to other educational institutions looking to enhance their cybersecurity, especially in terms of endpoint protection?
Educational institutions need a proactive security culture to enhance their cybersecurity defences. This means having real-time visibility of the entire environment, comprehensive software integration and collaborative workflows. Being able to identify a threat quickly from a central console, and initiate remediation, improves response speeds and mitigates the potential impact of a breach.
Plus, operational and customer experience benefits bring significant return on investment. Since implementing Tanium, we’ve used fewer resources and saved money. And with complete visibility of the devices connecting to our network, we’ve improved the efficiency of software development that has significantly improved customer experience. Prevention is better – and costs far less – than a cure.