De Universiteit Maastricht is volgens Times Higher Education World University één van de top 100 universiteiten wereldwijd. Security speelt voor de universiteit een belangrijke rol om de gegevens van zijn 16.000 studenten en 4.000 medewerkers veilig te houden. De universiteit beheert 400 verschillende IT-systemen. Deze systemen genereren een enorme hoeveelheid data die met het oog op security relevant kan zijn. Het uitzoeken van deze data kost veel tijd. In deze Engelstalige case kijken we hoe de inzet van Splunk Enterprise de Universiteit Maastricht helpt door de bomen het bos te zien in deze enorme hoeveelheid data.
According to the Times Higher Education World University rankings, Maastricht University (UM) is one of the top 100 universities worldwide. With almost 45 percent of its 16,000 students and more than 30 percent of its 4,000 teaching staff hailing from abroad, UM is considered to be the most international university in the Netherlands.
Having to manage nearly 400 different IT systems which generate gigabytes of potentially security-relevant data per day made it very challenging for UM to investigate whenever security incidents, such as phishing or a ransomware attack, would take place. This negatively impacted the availability of services for staff and students. Specifically, phishing campaigns would typically successfully penetrate at least one account out of UM's 50,000 email users, and then proceed to send spam and new phishing mails using UM resources. Slow troubleshooting when this occurred resulted in UM mail servers getting blacklisted as the team was unable to tackle the problem in a proactive fashion. Another common issue was users getting locked out of their accounts; whenever this happened, it was an extremely time consuming process for the sysadmin team to identify the root cause and solve the problem.
In order to speed up the troubleshooting process, UM tried a number of different solutions--centralizing the log data, using a number of open source products and experimenting with building their own solution. The volumes of data coming from disparate sources, however, slowed everything down and made searching difficult. UM needed a product that could handle gigabytes of machine-generated data per day.
UM was recommended Splunk Enterprise by Splunk partner SMT, and it is now used by the sysadmins in the UM server management, workplace and networking teams to monitor system health and search and investigate security incidents. In addition, the administrative team uses Splunk software to monitor the university's Wi-Fi and VPN in order to troubleshoot connectivity issues.
UM is sending all the data from its numerous applications--including VPN, web servers, firewall logs and VNS logs--into Splunk Enterprise, which gives the sysadmin teams the ability to investigate and correlate events across a huge amount of data. UM runs two Splunk indexers with a single search head sitting on top. The initial indexer was used by the security team; when other UM teams learned what Splunk software was delivering from a security perspective, they also wanted access. To avoid compromising sensitive security-related data, UM then deployed an additional indexer with log files that can be searched by users across the organization.
Improved security by identifying anomalies
Splunk software makes it easy for the UM team to spot when something unusual happens because they now have a better understanding of what 'normal' looks like in their environment. This enables the university to investigate any suspicious activities in student and staff accounts. Examples of how this works in practice include monitoring important groups in Active Directory so that if an account is added to the domain admins group, it triggers an email alert; monitoring access to important or sensitive mailboxes for any unauthorized access; and monitoring for abnormally large volumes of mail to one inbox, which could indicate abuse.
Increased visibility into IT operations
With Splunk Enterprise, UM is able to gain a better insight into the state of its IT environment. For example, with Windows XP coming to the end of its support, using Splunk software has enabled the university to get a view of the number of Windows XP machines in the network and correlate them to their owners. In addition, UM moved from manually updating its Windows environment to using the Windows software update service. They now have visibility into the patching status, with pie charts showing the progress of updates in real time, and can identify if there are patches missing. This wasn't possible before the Splunk deployment.
Delivering better service to UM's users
Successful phishing attacks resulting in regular blacklisting of UM's servers by email providers meant that the university's staff and students would sometimes have trouble sending mails to external mail services like Hotmail or Yahoo! for days at a time. Splunk Enterprise has allowed UM to spot patterns that were invisible before and determine the attributes of a phishing attack, even if it's an unknown threat. These attributes trigger an alert so that the team can deal with the attack quickly and efficiently. Not only does the new approach to phishing attacks mean that blacklisting rarely occurs, but the security team is also able to react more quickly when other things go wrong. For example, when the common issue of users getting locked out of their accounts occurred previously, it was a struggle to identify the cause and fix it. Splunk Enterprise has made that not only possible, but easy. In the majority of cases, this problem is caused by people forgetting to change the configuration of their Wi-Fi settings when they change their password; with Splunk software, the sysadmin team can now immediately identify the device on which the wrong credentials were used.
In summary, the insights that UM gets from Splunk software have enabled the sysadmin team to provide improved service for users, while saving a huge amount of time. UM's sysadmins used to spend countless man-hours dealing with phishing attacks and the subsequent blacklisting by email providers, as well as investigating and resolving user issues. The ability to address issues proactively has saved weeks in manpower, freeing up the sysadmin team's time to be more productive elsewhere.