University of York Adds Security and Broader Data Analysis Using Splunk on AWS

The University of York needed to improve its security stance. While it had an Elasticsearch stack for basic security logging, it needed a more sophisticated set-up to help it move to a security information and event management (SIEM) solution. It chose the Splunk platform, a well-known SIEM solution used by many universities. The university knew it could get help and expertise from colleagues in other institutions if necessary, and that staff with the right skills were available. Having seen peers struggle with hosting on-premises solutions, the University of York wanted to use Splunk Enterprise on Amazon Web Services (AWS) so it could maintain full control while not having to spend time building new infrastructure.

Universities remain a top target for cybercriminals. With personal data of students and staff, and valuable research data to protect, they need the right tools to defend their IT infrastructure.

The University of York had a complex network and 18,000 students to protect—and needed to strengthen its security capability. “We knew we needed to move to a security incident and event management solution. Like multi-factor authentication, it’s just a necessary tool now,” says Richard Fuller, assistant director of IT at the University of York, “We were doing basic logging with Elasticsearch but needed something more fully featured to meet our needs around security information and event management. We’ve worked with Splunk solutions before and thought it was the right tool for us.”

He said the university’s existing relationship with AWS and knowledge of the issues other universities had with hosting on premises made using AWS the obvious choice. “We’ve seen other universities hosting Splunk Enterprise on premises and it takes time for the team to maintain it—we didn’t want to spend time maintaining it; we just wanted to focus on adding business value and improving our cyber security.”

The first step was establishing a Proof of Value (PoV) pilot with a dedicated AWS Partner Splunk engineer and with the AWS environment funded by AWS. This was a 30-day trial of the software running on a single AWS Elastic Compute Cloud EC2 Spot Instance. This was run with existing university data and confirmed the department’s decision was correct.

An additional bonus was that the data and modelling could be carried over from the pilot when the contract was signed, effectively giving them a head start on getting systems up and running. “The PoV—and Splunk’s flexibility—really helped cement that we’d made the right choice and let us prove the business case, too,” says Richard Fuller.

Splunk Enterprise on AWS, which lets you search, monitor, and analyze machine data from any source to gain valuable intelligence and insights, quickly proved its worth as a security logging tool. It is now being used by 38 users across operations and IT.

Splunk on AWS supported a security use case in helping the university address issues caused by Log4j, the widespread and critical vulnerability hidden in a component used by thousands of software systems. The IT team was able to easily interrogate security logs, even before dedicated security staff were at work, and make sure its network was quickly secured.

The University of York’s IT leaders also made an early decision to take the Splunk platform beyond just the security team. They sent out ambassadors to demonstrate its use across the IT and operations departments and it has been adopted for various analytics and monitoring use cases.

A key benefit is that the Splunk platform can correlate data after the event—you don’t need to know what you want from data before you store it. Business users are adding data for their own use cases, which can then provide extra resources for analysis to the security team almost as a side effect.

While it is still primarily used as a security logging tool at the University of York, Splunk Enterprise on AWS is also proving useful for other business use cases. The University of York recently set up a new Virtual Private Network (VPN). The operations team uses Splunk Enterprise on AWS to quickly and simply extract user data to see who has moved to the new system and help those who are still on the legacy network to make the upgrade.

When there were funding questions around another network set up for Chinese students to access the university systems, Splunk Enterprise on AWS could quickly show which departments were using the system most frequently.

The deployments were trouble-free, and staff were quickly gaining useful insights —the university’s high expectations for the project were met.

The university also praised Splunk’s training for aiding wider adoption. “The training is free and it is excellent. Users experience a sort of ‘aha’ moment during training. It gives them the confidence to just go and play with the Splunk platform, and then they start to realize what it is capable of,” says Robert Hurt, head of cyber security at the University of York. “It really provides a bridge between IT and the business in terms of data use. And, because it is all cloud-based, we know we can easily provide access to other partners to extend our security capabilities.”

 The team plans to extend its use to the university’s service desk so that staff can run queries on frequently occurring issues. But it expects use of Splunk Enterprise on AWS to spread ever wider across the university.

It will play a growing role as new, smarter buildings come into use on the campus. It gives visibility into use of the estate, attendance monitoring for welfare purposes, and use of office and lecture spaces to help the university make the best decisions about hybrid learning. Because governance and data protection are well set up, the team will be able to reassure users about privacy and data protection. 

As the university’s use of data matures and increases, Splunk on AWS will be able to grow to satisfy that demand and provide answers to help improve decision making across the campus.