Sep 28 2022

Early Threat Detection Helps K–12 Schools Stop Bad Actors in Their Tracks

Proactive school districts race against time to protect their networks from cyberthreats using a variety of processes, tools and services.

Cyberattacks on schools are on the rise. Since 2016, the K12 Security Information Exchange (K12 SIX) has cataloged more than 1,300 publicly disclosed cyber incidents affecting U.S. school districts, with the pace of attacks steadily increasing. And those are just the ones we know about.

High-profile breaches like the Labor Day weekend ransomware attack that shut down schools in the massive Los Angeles Unified School District have heightened awareness of the rising peril.

Faced with an ever-growing onslaught of cyberattacks, many K-12 schools and districts are looking to improve their defensive strategies. Threat detection and response approaches play a key role, along with the growing use of managed services in support of these critical functions.


What Is Threat Detection and Response?

When EdTech polled its Twitter following, 44 percent of respondents said they needed help with threat detection. What exactly does this entail?

According to Amy McLaughlin, cybersecurity program director for the Consortium for School Networking, threat detection is “the consistent practice of monitoring and analyzing the information ecosystem — networks, servers, devices and applications — to identify whether there is malicious activity happening on those resources.”

For April Mardock, Seattle Public Schools CISO and operations manager, “it’s the ability to see a cyberattack in progress, and our ability to intervene.”

SPS has roughly 60,000 machines in the field, “and at any point, somebody’s doing something. I can’t block all the possible threats, so I have to be able to see them and respond to them,” Mardock says.


Why Is Speed Important?

Speed is essential in incident response, “because the longer it takes for us to identify and respond to a threat, the more time somebody has to get into the network, to conduct reconnaissance, and to plan and execute an attack,” McLaughlin says.

Mardock points to an industry definition called “breakout time,” which is the time it takes the attacker to pivot off of a phishing attack or other entry point and start moving laterally through an organization. “That number is now under two hours,” she says. “We don’t have days. We have hours to respond.”

The longer an attacker can loiter undetected, “the more they can take, the more they can destroy,” McLaughlin says. “A 2022 survey by IBM and the Ponemon Institute showed the amount of time people are in the network is really problematic right now. It takes about 243 days to identify a potential breach in the worst-case scenarios.”


What Technologies Can Improve It?

A number of tools and technologies can improve detection and accelerate response times.

“It starts with having endpoint detection and response. These aren’t just desktop and laptop endpoints. Servers can also be considered an endpoint,” McLaughlin says. For all these, EDR tools “focus on detecting, investigating and mitigating activities on those individual host devices. That’s really important, especially when you find a tool that can do automated notification and automated response.”

It also helps to use a security information and event management [SIEM] system to aggregate incoming data and identify threats, she says.

Mardock uses the built-in Microsoft Defender with Advanced Threat Detection. “We’ve turned all sorts of things on, including tamper protection and the associated urgent notifications whenever someone tries to disable it, even someone with admin rights,” she says.

“We are also fond of honey pots or decoys, which provide early warnings when the attacker starts snooping for internal targets,” she says. This strategy involves “planting little land mines, like fake password files or fake services that they might be interested in compromising. The moment they touch those files, it lets you know.”


What Are Best Practices for Threat Detection and Response for K-12?

For Mardock, it starts with limiting user rights. “Unfortunately, a lot of schools allow people to have admin rights on the machines. That’s a big no-no,” she says.

She also urges districts to invest in automation to support 24-hour coverage. “We’re starting to leverage that ourselves with SOAR [security orchestration, automation and response] tools that remotely disable machines or accounts that misbehave, until we can follow up,” she says. “Basically, shoot first and ask questions later.”

McLaughlin says it makes sense to automate as much as possible. “It can require a bigger time investment up front to set up automation correctly, but it pays off in the long term because you’re not doing a bunch of manual repetitious work all the time,” she says.

“I would also suggest collaborating with others,” McLaughlin says. “If you can leverage your education service district or a partner organization that can work with multiple districts, that could be a really good opportunity to draw from each other’s capabilities and not have to reinvent the wheel in each organization.”


Should Schools Consider Managed Detection and Response?

Mardock is a big fan of leveraging outside services in the form of managed detection and response, or MDR. “I have two cybersecurity people for 60,000 machines. We want to sleep and take holidays off. A good MDR can help with that for less than it would cost to staff the same thing yourself,” she says.

“We use a managed service provider to cover nights and weekends, primarily, when I don’t have staff onsite. They can respond on our behalf, isolating machines or servers or whatever else needs to happen,” she says. “They provide a second set of eyes, with a device on my network that’s always watching.”

For districts looking to go this route, McLaughlin suggests joining with others in a cooperative buying group. Buying MDR as part of a purchasing group “allows people to leverage group pricing to reduce costs, and it allows a higher level of expertise than you might have locally,” she says.

“If a school district doesn’t have a cybersecurity person, or maybe they have just one, managed threat detection and response can provide staff augmentation. It’s a way to provide additional support,” she says.
