The IT security team at the University of Arizona has a lot of ground to cover. The university has nearly 40,000 students and an additional 16,000 faculty and staff spread out across more than 300 departments. About 37 IT groups support the several hundred academic and administrative departments.
That’s why Chris Schreiber, university information security officer, says his team really needs the Threat Analytics Platform from FireEye.
Schreiber says TAP serves two purposes: It runs as a cloud-based log aggregation service, as an alternative to a traditional on-premise Security Information and Event Management (SIEM) tool; and it provides the security team with near real-time alerts from FireEye's intelligence databases based on the log sources that are fed into the tool. Much of TAP's functionality was developed by Mandiant, which was acquired by FireEye this year.
“Basically, there was no real way for us to manage the security for 37 different departments without some kind of centralized management tool like TAP,” Schreiber says. “It gives us the visibility we need to make better decisions and improve security.”
The university deployed TAP about a year ago, and Schreiber says over that time, IT staff discovered that unauthorized users were logging into the VPN without proper credentials . Once they knew that, Schreiber says the security team worked with the campus IT groups to deploy two-factor authentication.
“Information from the cloud-based TAP provided evidence of how frequently our VPN was being compromised, so we then took steps to correct it,” he explains.
A Central Tool
Schreiber says TAP is essentially a centralized tool that manages all of the university’s security information. The university’s core security technologies include Sophos antivirus and Cisco Systems ASA firewalls, and the university plans to deploy an open source IDS/IPS.
“We’ve had the logs from the Cisco firewalls feeding into TAP right from the beginning, from June of last year, but later this year our plan is to have the logs from both the Sophos and the IDS/IPS running into TAP,” Schreiber explains. “By having all this information, we’ll focus less on managing and monitoring and more on specific security policies.”
Frank Dickson, a principal analyst at Frost & Sullivan who focuses on IT security, says solutions such as TAP are becoming increasingly popular because traditional SIEM tools have trouble addressing the needs of both a traditional infrastructure and the cloud.
“A cloud-based analytics platform is better at addressing the needs of security events in hybrid networks,” he says. “Hybrid networks by definition are part on-premise physical infrastructure and part cloud infrastructure. Traditional analytics were designed to protect on-premise infrastructure but are not necessarily well-suited to the cloud, especially as parts of the network are increasingly virtualized. Cloud-based analytics are generally designed from the outset to handle both virtual and on-premise network assets.”