
Nov 21 2024
Security

Cybersecurity Automation Helps Short-Staffed Higher Ed IT Departments Protect Data

Extended detection and response and security information and event management tools monitor university networks for threats.

Cybersecurity is always top of mind for higher education IT administrators, and for good reason. More than 60% of higher education institutions got hit by ransomware attacks in the past year, according to Sophos.

At the same time, schools are shorthanded. In education, 38% of IT leaders said their organizations lack sufficient understanding of staffing needs around cybersecurity, according to the “2024 CDW Cybersecurity Research Report.” Only 10% of respondents considered themselves fully staffed.

At Ashland University, CISO Kong Phang knows what that feels like. “The overwhelming volume and variety of alerts and tactics that require monitoring” present a significant challenge, he says. “The sheer number and complexity of these threats make it impossible to track and respond to all of them manually.”

Automation offers a way forward. Today’s automated tools can help understaffed IT security teams proactively combat threats with minimal human monitoring.


Colleges and Universities Face Cybersecurity Challenges

Phang describes a landscape that clearly strains the limits of manually driven cyber response. “In an average week, we may identify between 400 and 500 events that could potentially be security incidents,” he says. “Given our limited staff, managing this volume efficiently is nearly impossible.”

And cyber incident response is only a part of his job. “We are responsible for other critical tasks such as risk assessment, vulnerability management, threat hunting, vendor risk assessments, contract reviews and service-level agreement management,” he says. Since there’s no automation available to support those tasks, automating where he can becomes doubly important.

At Northeast Texas Community College (NTCC), Sebastian Barron describes a similar scenario.

For his six-person infrastructure team, “our primary responsibility is to secure a diverse range of systems and endpoints, serving approximately 3,000 students and 400 faculty and staff members,” says Barron, director of the computer and enterprise services department.

“We oversee a complex environment that includes not only traditional endpoints such as desktops and laptops but also specialized systems such as our student information system, learning management system, and the recently implemented OneCard system for campus access and transactions,” he says. That’s in addition to managing network infrastructure, server environments and various databases.

“Without automation, tasks such as patch management, endpoint monitoring and incident response require manual intervention,” he says. Such efforts “would strain our resources and increase the risk of vulnerabilities.”

At California State Polytechnic University, Pomona, Vice President and CIO John McGuthry is in the same boat as his team works to secure over 100,000 identities and respond to more than 1,000 security events each day.

“Because of the complexity and the number of systems, if you don't have automation running in your environment, it’s really difficult to keep up, especially when it comes to the information security space,” he says. “The faster you can respond, the more likely you are to reduce the risk of bad things happening.”


How Automation Helps Short-Staffed IT Departments

Given these challenges, “automated threat detection and remediation are essential tools of the cybersecurity ecosystem” in higher education, says IEEE senior member Rahul Vishwakarma. When these tools are paired with advanced machine learning algorithms and behavioral analytics, “universities can continuously monitor network traffic for anomalies, isolate compromised systems in real time and automatically apply patches to vulnerable endpoints.”

Phang, for example, needs to ensure cybersecurity for about 4,000 students and more than 500 staff members. Microsoft Defender extended detection and response (XDR) paired with a security information and event management (SIEM) solution provides an answer to these challenges, he says.

“Microsoft Defender XDR aggregates all cloud events and incidents, including those from Microsoft 365 and other resources. The SIEM tool addresses on-premises events and incidents. They categorize the incidents, providing a clear overview of what happened, how it occurred and what systems were affected,” Phang says.

Both tools include extended detection and response services, which automatically address incidents by identifying, validating and preventing malicious activity in real time. This automated approach “reduces my workload to reviewing about 20 to 30 incidents a day, a manageable number,” he says.


At NTCC, “automation has been a game changer for bolstering our cybersecurity defenses,” Barron says. “We’ve implemented Fortinet’s suite of tools to automate various aspects of our cybersecurity operations, including threat detection, incident response and network monitoring.”

These tools “integrate seamlessly with our existing infrastructure and allow us to automate repetitive and time-consuming tasks, such as log analysis, patch management and vulnerability assessments,” he says. “This has enabled our IT team to act swiftly in response to potential threats, often before they can impact our systems.”

At Cal Poly Pomona, automation helps cyber defenders work in a volatile environment.

“We have more than 100,000 identities, and the numbers aren’t as important as the demographics. We turn over probably over half of our identities every year because we create identities for our applicants,” says Carol Gonzales, associate vice president of IT security and compliance and CISO. “Unlike a private industry where you have a stable ecosystem, ours is constantly changing.”

The IT team has implemented IBM QRadar to centralize, normalize and analyze incoming data to identify potential threats using machine learning and behavior analytics. “We’re taking logs from everything, and the SIEM system is correlating all of those events to create a user behavior,” she says. “We also bring in threat data from IBM’s threat source and other threat sources. And then we put that up against the MITRE framework.”

All of this keeps her team one step ahead. “We may get operational alerts that say, ‘We’re getting a lot of noise from this router.’ That’s a configuration, and we work with our operational folks to improve that. It can be somebody trying to attack us. Overall, we get over 1,000 correlated events per day,” Gonzales says.

Automation makes those events manageable. “The threat intelligence supports prioritization, allowing us to categorize. Things that have to do with sensitive systems get higher priority. Things that involve sensitive users get priority,” she says. This helps the team to target its efforts and maximize its impact.

Automation Saves Time and Helps Prioritize Larger Projects

Across higher education, experts describe a range of benefits that come with cybersecurity automation.

For Phang, time is the big win. Reviewing logs previously took almost a full day; now, he can complete this task in about 30 minutes. “While automation can’t handle everything, it significantly reduces the time spent on high-priority tasks, allowing me to focus on more strategic work,” he says. “This not only enhances productivity but also makes my job more manageable.”

Barron says his team can do higher-level work now.

“Automation has significantly reduced the burden on our IT staff, freeing them up to focus on more strategic initiatives, such as enhancing user experience, improving system performance and advancing our cybersecurity framework,” he says.

And security itself is stronger. The shift to automation “has led to a more proactive approach to security, allowing us to anticipate and mitigate risks rather than merely reacting to them,” Barron says. “Automation has improved our response times and accuracy in identifying and addressing threats, which is critical given the increasing complexity and volume of cyberthreats today.”

Gonzales describes automation as the key to managing an otherwise overwhelming volume of cyber activity. “Our SIEM system processes an average of 220 million events per day,” she says. “These log events are aggregated and processed down to ‘offenses’ — issues, transgressions — by correlating log events and activity” using predefined rules, which takes the number down to between 700 and 900 offenses per month.
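The correlation step Gonzales describes here, and the priority rules she outlines earlier (sensitive systems, sensitive users, threat intelligence), can be sketched in a few lines. This is an added illustration written for this page, not QRadar's own logic or Cal Poly Pomona's rules; the hosts, users, IPs and log lines are constructed, and the threshold and scoring weights are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; every host, user and IP here is hypothetical.
SENSITIVE_SYSTEMS = {"sis-db01"}          # e.g. the student information system
SENSITIVE_USERS = {"registrar"}
THREAT_INTEL_IPS = {"203.0.113.9"}        # placeholder indicator from a feed
# (timestamp, source_ip, user, host, outcome) - constructed authentication logs
SAMPLE_EVENTS = [
    ("2024-11-21T08:00:00", "198.51.100.5", "student1", "lms01", "fail"),
    ("2024-11-21T08:00:10", "198.51.100.5", "student1", "lms01", "fail"),
    ("2024-11-21T08:00:20", "198.51.100.5", "student1", "lms01", "fail"),
    ("2024-11-21T08:01:00", "198.51.100.5", "student1", "lms01", "fail"),
    ("2024-11-21T08:01:30", "198.51.100.5", "student1", "lms01", "fail"),
    ("2024-11-21T09:00:00", "203.0.113.9", "registrar", "sis-db01", "fail"),
    ("2024-11-21T09:00:05", "203.0.113.9", "registrar", "sis-db01", "fail"),
    ("2024-11-21T09:00:10", "203.0.113.9", "registrar", "sis-db01", "fail"),
    ("2024-11-21T09:00:15", "203.0.113.9", "registrar", "sis-db01", "fail"),
    ("2024-11-21T09:00:20", "203.0.113.9", "registrar", "sis-db01", "fail"),
    ("2024-11-21T10:00:00", "192.0.2.7", "prof1", "lms01", "fail"),  # lone failure
]

def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Fold raw events into offenses: `threshold` failed logins from one source
    IP inside `window` become a single offense, scored by what it touched."""
    by_source = defaultdict(list)
    for ts, ip, user, host, outcome in events:
        if outcome == "fail":
            by_source[ip].append((datetime.fromisoformat(ts), user, host))
    offenses = []
    for ip, hits in by_source.items():
        hits.sort()
        for i in range(len(hits) - threshold + 1):      # sliding window
            if hits[i + threshold - 1][0] - hits[i][0] <= window:
                run = hits[i:i + threshold]
                users = {u for _, u, _ in run}
                hosts = {h for _, _, h in run}
                priority = 1                              # baseline offense
                if hosts & SENSITIVE_SYSTEMS:
                    priority += 2                         # sensitive system
                if users & SENSITIVE_USERS:
                    priority += 2                         # sensitive user
                if ip in THREAT_INTEL_IPS:
                    priority += 3                         # known-bad source
                offenses.append({"source_ip": ip, "users": users, "hosts": hosts,
                                 "count": threshold, "priority": priority})
                break                                     # one offense per source
    return sorted(offenses, key=lambda o: o["priority"], reverse=True)
```

Eleven raw events collapse to two offenses; the lone failure never becomes one, and the burst against the sensitive system from a known-bad source sorts to the top of the queue.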


“If somebody had to correlate all of that data by hand, it would take a couple of days, if not more, even if you were great at Excel,” she says.

When higher education invests in automation in support of cybersecurity, IT teams get back the time they need to focus on higher-level tasks, and security improves overall. “It’s really about identifying the most critical risks and doing it in a timely manner,” Gonzales says. “It’s about working smarter, not harder.”
