Stephen Burr, Associate CIO and Enterprise CISO at the University of Kentucky, says an endpoint detection and response solution helped remediate a 2020 crypto mining attack.

Feb 17 2023

Endpoint Detection and Response Solutions Spot University Security Threats

An evolving threat landscape is causing cybersecurity leaders in higher education to turn to more advanced endpoint protection solutions.

When the University of Kentucky was hit by a crypto mining attack in 2020, the school was operating with a “federated” endpoint protection strategy, says Stephen Burr, associate CIO and enterprise CISO at UK.

Individual departments and colleges were running their own anti-virus solutions, and the university lacked a centralized endpoint protection strategy. Although the attackers were focused on crypto mining, they achieved network access that could have allowed them to pivot to a ransomware attack against the university’s system of hospitals and clinics.

Burr calls the event a “lightbulb moment.”

“I feel like we were fortunate that it did not turn worse,” he says. “The big worry, of course, is ransomware.”

The university’s cybersecurity insurance company brought in endpoint detection and response (EDR) tools from CrowdStrike to remediate the attack, and UK continues to use them, along with Microsoft Defender.

“The most important thing is to have a holistic endpoint protection strategy and set of tools across the enterprise,” says Burr. “When you’re trying to do incident response, and you have people using separate tools, those gaps can really hurt you.”

Click the banner below for exclusive content about security tools in higher ed.

Endpoint Protection Leads to Faster Response Times

Endpoint protection has become even more important in the age of remote work, says Michael Suby, research vice president for security and trust at IDC.

“The attack surface has expanded, and the endpoints are obviously very critical, because they’re the interface into business operations,” Suby says. “Where a stack of security controls and monitoring capabilities exists for employees in the office, the same is not present within the home environment. The visibility, prevention and protection capabilities that an endpoint security product provides is so important, because they compensate for what you don’t have in the enterprise environment now that people are working remotely.”

Burr says that CrowdStrike was critical to remediation, and that it was a “short trip” to deciding to keep EDR tools in place for the long term.

“It brings in a lot of telemetry, and it makes it easier to piece together evidence without going through multiple security tools,” he says. “It speeds up our response.”

DIVE DEEPER: How mobile threat detection protects your network everywhere.

The combination of EDR solutions delivers a sophisticated automated response to more common attacks, while alerting cybersecurity professionals about more nuanced or serious threats.

The university runs CrowdStrike and Defender alongside tools that protect against social engineering attacks, such as spear phishing and executive impersonation.

Burr says that the transition away from traditional anti-virus tools to a more sophisticated set of endpoint protection solutions has been “really fast,” in part due to requirements from insurance providers but also because so many schools now have firsthand experience responding to successful attacks.

“When you have to go from machine to machine, and you’re trying to correlate evidence, it can be challenging,” he says.

EDR Tools Simplify Security Management

Sometimes, it’s the small things that show the value of a cybersecurity solution.

Newman University in Kansas deployed a WatchGuard endpoint protection, detection and response tool in the summer of 2021, spurred largely by requirements from the school’s cybersecurity insurance provider. Shortly thereafter, the tool sniffed out a simple adware program running on a single machine.

“It was one little bitty malicious plug-in on Chrome that was running ads,” says Icer Vaughan, Newman’s CIO. “Our previous product didn’t detect anything. We’d had a lot of malicious plug-ins hit our machines, but we’d never had any visibility to actually see them. I was like, ‘Wow, you alerted me to this annoying little plug-in?’ That was pretty impressive.”

Newman is also using a patch management solution from WatchGuard. The school previously had an employee whose job it was to manually patch endpoints, and when that worker left for another job, the WatchGuard tool enabled Vaughan to handle patch management on his own.

“I check the classroom computers every morning, and ever since this tool was rolled out, I haven’t gone into a classroom with pending updates,” Vaughan says. “Whenever there’s a Zoom update, it’s already running, first thing in the morning. I never touch it.”

“From my perspective, it’s so much easier to have all of this with one vendor, with one avenue for support,” Vaughan adds. “I feel like we’re ahead of the curve when it comes to consolidated security, and it’s made things a lot easier to manage.”

Icer Vaughan
I feel like we’re ahead of the curve when it comes to consolidated security, and it’s made things a lot easier to manage.”

Icer Vaughan CIO, Newman University

EDR Offers Protection Against Current Attack Methods

Doug Streit, CISO and executive director of IT security and planning at Old Dominion University, realized several years ago that the school’s traditional anti-virus software would not be adequate to meet the challenges of the modern threat landscape.

“Workstations and laptops are notorious for being susceptible to compromise in a large enterprise computing environment,” Streit says. “We needed the ability to detect and respond efficiently to suspected security events across our endpoints.”

After rigorous testing and assessment, ODU implemented CrowdStrike Falcon Insight, which provides continuous raw event recording, delivers real-time situational awareness metrics and enables proactive and managed threat hunting.

In addition to these capabilities, Streit says, ODU opted for CrowdStrike in part because of its streamlined management platform and its ability to protect endpoints running a range of operating systems. “We needed a tool that would be easy to deploy and manage,” he says.

LEARN ABOUT: What higher ed institutions should know about security service edge.

The university is now running CrowdStrike on 7,000 devices, and Streit calls EDR “one of the anchor stores of our security mall,” along with multifactor authentication, next-generation firewall and security information and event management.

“The result has been an added layer of protection beyond a traditional anti-virus, which lets us protect against the current attack methods that we are seeing, particularly ransomware,” he says.

Recently, the EDR tool picked up a critical alert from an IT workstation used by an employee with administrative privileges. Without EDR in place, the compromise likely would have gone undetected for some time, and Streit notes that even a one-day delay could have led to disastrous consequences.

“A lot can happen in 24 hours,” he says.


The percentage of higher education institutions hit by ransomware over the past year

Source: Sophos, “The State of Ransomware 2022,” April 2022
Photo by Clay Cook

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.