Cranfield University deploys Elastic cloud-based SIEM to protect vital IT infrastructure and support revenue opportunities

Like many academic institutions, Cranfield University has maximized its budget and resources to maintain a first-class IT infrastructure. This includes the security systems that safeguard networks, data, and devices used by thousands of students from all over the world.

Robust security protocols also support the reputation of an institution which derives revenue from partnerships with global businesses attracted by Cranfield's world-class expertise and large-scale research facilities.

"We receive substantial income from research where our business partners entrust us with sensitive information," says Luke Whitworth, Network Specialist, Cranfield University. "They have strict security requirements that we must meet without fail."

At the same time, the university must accommodate the needs of students logging onto Cranfield's networks using their own devices. "While students need to register their devices to access the network, we don't manage them as you would in a private enterprise that issues its own laptops," says Whitworth. "Students have more freedom, but we must match that with an equally resilient security regime."

Cranfield's security solutions must also address the diverse nature of its networks. From common laptop productivity tools to cutting-edge aeronautical research, it must protect against ongoing cyberthreats such as ransomware, brute force attacks, and zero-day incidents. At the same time, it must remain available to students, most of whom log on to the network with personal devices.

Prior to using Elastic at Cranfield, security log monitoring was largely manual and decentralized. "Observing network or system activity was cumbersome and time consuming. If you wanted to check a subset of logs, you went directly to the server in question. It was clear we needed a more centralized and streamlined approach to security."

As value was a top priority, Whitworth searched for a solution with minimal outlay on licences and external support. "The open-source version of Elasticsearch was ideal. It gave us the opportunity to prove the usefulness of the technology and there was a large wealth of existing resources from the wider Elastic community available to assist us on our journey," he says.

Whitworth and his colleagues began adding data to Elastic from existing infrastructure components including switch logs, firewall logs, and intrusion detection systems. To visualize the data, they built Kibana dashboards designed to meet their requirements and quickly highlight data that needed further investigation. From a flexibility perspective, Whitworth says: "The beauty of Elastic is that you can add a subset of logs whenever necessary. It's like adding a blade to a Swiss army knife—we can add Microsoft Office 365 logs, supercomputer logs, pretty much anything we need."

The turning point for Cranfield's Elastic deployment came when it wanted to accelerate compliance with its business partners. "When partnering with organizations we rightly have to complete due diligence and answer detailed follow-up questions to ensure that partners are comfortable with how we protect their data and information. We need a mature SIEM system to help meet their expectations," says Whitworth.

The Cranfield team researched the market for a SIEM solution and ultimately decided to upgrade to Elastic Security on Elastic Cloud, to take advantage of one-click upgrades without the worry of wondering whether it would be successful, reduce the burden of an on-premise solution, and to benefit from the support of the security team at Elastic.

Cranfield migrated to Elastic Cloud running on Microsoft Azure. "Elastic Cloud on Microsoft Azure offers us a fast, scalable, and unified solution," says Whitworth. "We were able to take all our existing log management and put a SIEM layer on top very quickly. It's fast, flexible, and will quickly give us access to answers we need when responding to issues going forward."

Going ‘cloud-first' brought other benefits. "There's a cost to running systems on site including energy for cooling," says Whitworth. "Like other academic organizations, we are focused on reducing our carbon footprint. Moving to the cloud means that we lower expenditure while contributing to our sustainability goals."

Cloud-based IT also reduces the pressure on Whitworth and his team. "Our time is precious," says Whitworth. "By moving to the cloud, we no longer need to worry about day-to-day security and observability system maintenance. It means we can focus on improving the visibility of our IT infrastructure and enhancing our overall cybersecurity."

With Elastic Security, Cranfield has a clear picture of its threat landscape that protects against cyber-attacks including ransomware incidents, zero-day attacks and brute force attacks. "With Elastic, we can detect signals that exhibit threatening behaviour and identify and fix the root cause of an issue before it becomes a risk to the organization," adds Whitworth.

Whitworth and his team also use Kibana dashboards to visualize and investigate anomalies detected in networks and applications used by the Cranfield IT team. They are also looking at the potential to create dashboards for other departments so that they can monitor their own systems.

Elastic Security also supports Cranfield's due diligence activities when establishing relationships with new partners and contributes towards compliance with industry standards. "Elastic Security helps keeps Cranfield University's security infrastructure aligned with business partner requirements and helps maintain the UK government's Cyber Essentials scheme certification."

In the future, Whitworth is looking forward to adding machine learning features to Elastic Security that correlate metadata, determine outliers, and identify abnormal behaviour. He can also see further possibilities to extend Elastic Security and Kibana dashboards to other parts of the organization, which can use information about their systems for their own security and compliance initiatives.