Ranked consistently among the top 1% of the world's universities, Aberdeen is also one of Scotland’s largest with an IT infrastructure serving over 16,000 staff and students around the clock. As part of an ongoing strategy to deliver secure IT to ‘any device, anytime, anywhere’; the University contracted Encode to help it proactively detect and prevent cyber-attacks through the deployment of an advanced Security Information and Event Management (SIEM) solution.

The university has a highly diverse environment including network elements from Cisco, Juniper, F5 Networks, Bluecoat, HP and Radius. The diversity extends to the operating system and application layer, which includes critical software running on Linux, Unix and Microsoft Windows. The SEIM needed to be seamlessly integrated with this environment and able to adapt to new threats posed by growth of its Bring-Your-Own-Device (BYOD) strategy.

Working closely with Encode, the University deployed a Qradar SIEM and engaged in a structured education programme to transfer the core skills needed to allow the IT services team to manage the platform and quickly gain more visibility into its diverse infrastructure.

Qradar offers a Security Intelligence Platform within a unified architecture for integrating security information and event management, log management, anomaly detection, incident forensics and configuration and vulnerability management. The SIEM provides near real-time correlation and behavioural anomaly detection to identify high-risk threats. Working with Encode, the University went through a “tuning” process to ensure that data was correctly flowing into Qradar from over 40 sources including server and network elements.

Within just two weeks, the IT services team were up and running and able to significantly reduce its largely manual workload associated with correlating security logs across its infrastructure. Using the out of the box rules engines; the SIEM was able to quickly alert the team to a number of issues such as brute force attacks against user logins as well as more subtle attempts to subvert DNS and other core network routing processes.

As Garry Wardrope, IT Security Manager for the University explains, “With Encode’s help we have successfully deployed Qradar and are benefiting from increased visibility across our infrastructure which is vital as we extend the scope and reach of our IT services across more devices.”

Qradar also ties into several existing securities software applications and uses correlation across a number of metrics to help reduce false positives and prioritise alerts to focus investigations on an actionable list of suspected incidents. “The SIEM means we have the ability to build new rules that can adapt to our evolving IT demands while improving our ability to detect more complex IT security threats and deal with them in a timely fashion,” Wardrope adds.