Security analysts in the education sector must contend with evolving cybersecurity threats despite limited resources. MeriTalk recently sat down with Helen Patton, cybersecurity executive advisor for education at Cisco, to discuss how an open, collaborative approach to threat detection and response can help streamline processes for overburdened security teams.
MeriTalk: What are the biggest cybersecurity threats and types of attacks that educational institutions are facing today? How has that evolved since, say, five years ago?
Patton: Ransomware remains the biggest threat to education. It has enormous potential to interrupt operations, which can keep students out of classrooms and disrupt research. Five years ago, education and its regulatory agencies were most concerned with data privacy, and they still are, but losing the ability to operate and the resulting disruptions to the education community is a bigger concern to educational leadership right now.
MeriTalk: What are some of the challenges that differentiate how K-12 and higher education institutions approach cybersecurity?
Patton: There are many common challenges across the entire education sector, but some differences do exist. K-12 organizations typically have fewer IT and security resources than equivalently sized higher ed institutions, so their security investments must be economical and easy to implement. Colleges and universities must protect an enormously diverse set of technologies and Internet of Things devices that connect to networks and production systems, particularly in research environments and schools with medical facilities.
We also see distinct challenges related to the user base. K-12 students are at an age that makes it more difficult to implement security training and awareness activities. Universities contend with students living on campus, which makes enforcing security and privacy controls more complicated. In addition, these institutions have large alumni populations, which are only loosely connected to the institution but still require security awareness support.
MeriTalk: In addition to these challenges, staffing is also an issue. The Center for Internet Security reports that 90 percent of K-12 school districts have less than five employees with security-related duties. How does staffing affect how schools approach cybersecurity? What needs to change, and how?
Patton: The fewer the staff, the more likely that they will focus on compliance-driven security rather than risk-based security. When this happens, it’s increasingly likely that their security investments won’t detect and respond to attacks in a timely way.
This is why it’s so important for districts to assess their security posture – what is working and what is not. Then, to make a shift toward risk-based security, security teams need to look for automated solutions, wherever possible, that enable management across the broadest volume of people, devices, and networks.
Because of their staffing challenges, educational organizations have recognized the power of partnerships. For example, the Multi-State Information Sharing and Analysis Center (MS-ISAC) K-12 community provides free cyber tools, resources, and alerts about current threats, risks, and vulnerabilities. And many higher ed institutions are members of shared security operations centers (SOCs), such as OmniSOC or CyberPosse.
MeriTalk: What are some of the tools that overburdened security analysts can implement to more efficiently detect, prioritize, and remediate threats?
Patton: To keep pace with evolving security threats and requirements, security teams in the education sector have typically added point solutions to address specific issues. Now, they may be overburdened by siloed data flows from those tools and alerts that aren’t prioritized. The time they need to remediate threats multiplies as a result.
So, any solution that simplifies the processes that security analysts must follow is going to be useful. Tools that integrate multiple data feeds into fewer screens or data views, tools that intelligently eliminate false positives and revisit false negatives, and tools that can look across multiple technologies simultaneously will all be helpful.
Ultimately, they need a solution that aggregates data into a unified view and integrates threat intelligence to provide consolidated visibility into their security posture so they can quickly detect, prioritize, and remediate threats.
And not every institution, system, or district has a SOC. Security teams need a tool that can help, regardless of the size or organization of the team. Extended detection and response (XDR) is a tool that helps security analysts define the most critical events. It integrates and correlates data from multiple security products into a single pane of glass view, enabling them to direct resources where they are most needed.
MeriTalk: We’ve heard Cisco XDR referred to as a SOC in a Box. How does it work?
Patton: XDR integrates telemetry from different security tools and correlates the detections to surface threats across all attacking vectors: email, network, firewall, endpoint, and cloud. If you have a well-integrated security stack, you can optimize the work your security and IT teams do, increasing efficiency.
What sets Cisco XDR apart is its open and collaborative approach. Rather than relying on closed, proprietary systems, Cisco embraces interoperability. Cisco XDR is an extensible solution, with more than 50 turnkey integrations with a variety of third-party vendors. This allows security teams to quickly adopt a unified approach without having to rip and replace the tools they already have in place.
MeriTalk: Intelligence is critical to keeping up with the evolving threat landscape. Cisco XDR incorporates Cisco Talos and data from other sources. Why is it important to take an open approach to threat intelligence?
Patton: Security analysts need reliable and updated threat intelligence. Cisco Talos, our threat research organization leveraged by Cisco XDR, has the expertise and resources to gather and analyze a wide range of threat data, including emerging threats and vulnerabilities. Taking an open approach to threat intelligence ensures that security teams have access to the most up-to-date and comprehensive threat intelligence, so they can proactively gain valuable insights into the tactics, techniques, and procedures used by threat actors.
MeriTalk: Cisco XDR also offers assisted guidance for responding to security incidents. What are some of the key benefits for security analysts in K-12 or higher education environments?
Patton: Assisted guidance is a capability within Cisco XDR that leverages artificial intelligence to address threats. It provides optimized remediation tasks to stop an attack faster and mitigate threats before they can cause greater damage. It also provides support for decision-making during the containment stage of security incidents delivering automated responses to attacks such as ransomware.
This assisted guidance provides direction and helps security teams standardize response processes, ensuring consistency and accuracy. With the consistency and standardization of incident response tasks, SOC analysts have more time and resources to focus on the most critical issues.