Higher education faces a number of unique cybersecurity challenges. To help meet educational needs, most colleges must have an open network that is accessible to students and faculty regardless of the device they use. Further complicating the situation, many colleges also allow limited network access to local community members and family members of students.
This creates a scenario where numerous devices that are not owned or managed by the university are allowed to access network resources. Student devices could become infected with malware when connected to their home networks, then spread it when they return to school. Or a student themselves may attempt to compromise network resources.
In addition, colleges may also be subject to subpoenas to identify students who are violating Higher Education Opportunity Act (HEOA) rules against peer-to-peer file sharing. Many colleges lack a reliable way to monitor for peer-to-peer traffic and correlate it with a username, and consequently, complying with these subpoenas can be difficult.
Colleges and universities are increasingly taking advantage of cloud computing, but few have the visibility to understand what is happening in their cloud instances. This leaves a door open for attackers, giving them a place to hide and steal data.
Fortunately, institutions of higher education can address these challenges with network visibility and control.
You can’t protect what you can’t see
How do you protect your network when you can’t see what is happening on it? Comprehensive network visibility provides real-time situational awareness of network activity and can help identify suspicious and malicious behavior.
Cisco Stealthwatch relies on NetFlow, a context-rich and common form of network traffic metadata, to give you an eye on your network. NetFlow is collected directly from your network infrastructure devices such as routers, switches, and firewalls, which effectively transforms your network into a powerful security sensor. While NetFlow doesn’t record the contents of a network transaction, it does record important aspects such as:
- Sender and receiver IP address
- Sender and receiver port number
- Time
- Date
- Duration
- Amount of data transferred
This approach provides vital insight into network traffic while remaining lightweight enough to store for long periods of time. Many Stealthwatch users retain NetFlow for months or even years at a time.
Once NetFlow is collected, Cisco Stealthwatch employs behavioral analysis to identify signs of malicious activity. It does this via two methods: identifying activity consistent with a known threat and detecting anomalous behavior. For instance, malware propagation has tell-tale signs that Stealthwatch can detect. Similarly, if a user who normally accesses only a few megabytes of network resources a day suddenly downloads gigabytes of data from a sensitive server, it could be a sign of an insider threat. Stealthwatch can detect this and more.
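The volume-anomaly case above, worked as an added example over the NetFlow fields the post lists (sender/receiver IP and port, date, duration, bytes). This is illustrative code written for this page, not Stealthwatch's own analytics; the sensitive server address, the 20x-baseline threshold, the 1 GB floor and the sample flow values are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean

@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record limited to the fields named in the post."""
    src_ip: str        # sender
    dst_ip: str        # receiver
    src_port: int
    dst_port: int
    day: date
    duration_s: int
    bytes: int

SENSITIVE_SERVERS = {"10.0.5.20"}  # assumed address of a sensitive file server

def daily_bytes_from_sensitive(flows, sensitive=SENSITIVE_SERVERS):
    """Per client, per day, sum bytes sent *by* a sensitive server to that client
    (server-as-sender flows carry the download volume). -> {client: {day: bytes}}"""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.src_ip in sensitive:
            totals[f.dst_ip][f.day] += f.bytes
    return totals

def flag_volume_anomalies(flows, factor=20, min_bytes=1_000_000_000):
    """Return (client, day, bytes, baseline) for days where a client's download
    volume from sensitive servers is >= min_bytes and > factor x the mean of
    that client's other observed days. The floor avoids flagging tiny hosts."""
    alerts = []
    for client, per_day in daily_bytes_from_sensitive(flows).items():
        for day, total in per_day.items():
            others = [b for d, b in per_day.items() if d != day]
            if not others:
                continue  # a single day gives no baseline to compare against
            baseline = mean(others)
            if total >= min_bytes and total > factor * baseline:
                alerts.append((client, day, total, baseline))
    return alerts

# Constructed sample: host .50 pulls ~5 MB/day for five days, then 8 GB on day six;
# host .51 is a steady 4 MB/day control and should not be flagged.
SAMPLE_FLOWS = (
    [Flow("10.0.5.20", "10.20.1.50", 443, 51000 + i, date(2019, 3, 1 + i), 30, 5_000_000) for i in range(5)]
    + [Flow("10.0.5.20", "10.20.1.50", 443, 51200, date(2019, 3, 6), 5400, 8_000_000_000)]
    + [Flow("10.0.5.20", "10.20.1.51", 443, 52000 + i, date(2019, 3, 1 + i), 20, 4_000_000) for i in range(6)]
)

if __name__ == "__main__":
    for client, day, total, baseline in flag_volume_anomalies(SAMPLE_FLOWS):
        print(f"{day} {client}: {total} bytes vs baseline {baseline:.0f}")
```

Real deployments would key the baseline on the ISE-supplied user rather than the IP, since student addresses change between sessions.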
Because Stealthwatch relies on the network and not the endpoint, this allows you to monitor and protect the many different users that connect to your network, even if they are using personal devices. If a threat actor takes advantage of your open network policies, you can quickly identify and respond to them before damage is done.
Stealthwatch also uses NetFlow to build a historic audit trail of network activity, which incident responders can use during an investigation. Using this audit trail, investigators can quickly query past activity and pivot on a variety of data points, allowing them to uncover the source of an incident in minutes. It also has a workflow page that allows investigators to quickly obtain the information necessary to satisfy copyright infringement notices.
When used in conjunction with Cisco Identity Services Engine (ISE), user names and device information are collected and woven into the network audit trail. This allows investigators to quickly identify what user and device was responsible for suspicious traffic.
In addition, the Cisco Stealthwatch Cloud License allows organizations to extend the visibility and threat detection capabilities of Stealthwatch to public, private, and hybrid cloud environments. By deploying a lightweight agent in your cloud environment, Stealthwatch can collect the same telemetry from the cloud as the traditional network. This gives security operators insight and understanding into what is happening in the cloud.
Control network access and segmentation policies
Cisco ISE can help address the challenges associated with open networks through its next-generation secure network access and endpoint awareness. ISE helps answer the following questions about each endpoint:
- Who is responsible for it
- What device it is
- When it connected
- Where it connected from
- How it connected
- Is it compliant
It can simplify guest access by automatically registering guests when they connect to the network and limiting their access to only the Internet. When necessary, ISE can also quarantine users and devices from the rest of the network. For instance, if security operators use Stealthwatch to identify a student machine that may be compromised, they can use ISE to quarantine the machine until it can be properly investigated and remediated. This helps prevent the spread of an infection.
With Cisco TrustSec, ISE can also reduce the network's overall attack surface through microsegmentation. TrustSec assigns each user and machine a security group tag (SGT) based on their role – student, professor, or teaching assistant, for example. Administrators can then assign policies based on SGTs to restrict users from accessing network resources they shouldn’t be able to. These policies are as dynamic as your network, allowing administrators to easily adjust them without disrupting network availability.
Learn more
Together, Cisco Stealthwatch and ISE can help colleges and universities institute a more secure and responsive network to better protect their valuable data from today’s advanced threats. To learn more about how to protect your network with Cisco, visit www.cisco.com/go/naas.
Kevin Ransom is an SLED Security Account Manager at Cisco.
Ashley Harper is an SLED Security Account Manager at Cisco.