A new tool from Splunk aims to equip higher ed institutions with a faster way to identify and respond to key indicators of ransomware.
The solution, Splunk Insights for Ransomware, is designed to help organizations with lean or understaffed IT departments detect, investigate and respond in real time to ransomware threats, according to company officials.
Ransomware attacks — like the spread of Petya last month and WannaCry, which broke out in May and affected at least a handful of universities — have become an increasingly common and more complex threat at universities. Recent cases have highlighted the need for institutions to make smarter, swifter cybersecurity responses.
But since college and university IT teams are typically smaller than those at other types of organizations, and “resource strapped,” said Jae Lee, a product marketing director in Splunk’s security division, they may not have the time or resources to manage security hygiene functions on a daily basis. Over time, that can lead to vulnerabilities in the IT infrastructure.
Splunk Insights for Ransomware is intended to address that need by offering a low-cost solution and centralized platform, making it “a good fit for universities,” Lee said.
The new offering helps lean IT departments “gain near real-time access to security posture specific to ransomware; enable streamlined analysis and investigation to verify whether there are real threats, then prioritize and remediate the most critical ransomware threats, all from a single location,” said Lee. It also helps IT departments “gain deeper analysis based on the customer’s environment, leveraging Splunk’s broad ecosystem of security and IT technologies and products.”
The new tool builds on Splunk’s larger array of analytics capabilities, which are already used by more than 700 higher ed institutions across the globe.
Some universities have already been applying Splunk Enterprise capabilities to protect their campuses against ransomware, ahead of the product’s release. Among them is Northwestern University, which utilizes a combination of Splunk products to detect and defend itself against ransomware.
Relative to other universities, including its Big 10 peers, Northwestern’s IT department is not especially small, but “we could always use more help,” said Tom Murphy, the chief information security officer at the university, which started using Splunk’s enterprise solutions in 2014. A year later, Northwestern began using Splunk’s platform to analyze data associated with security incidents.
Splunk’s ransomware tool streamlines and expedites the process of detecting, reporting and remedying system abnormalities that show signs of a ransomware threat. That can be an enormous time saver for universities like Northwestern that have both a centralized IT team and distributed IT support staffs across different programs.
“For that one big picture — to perform analytics [and look for] signs that ransomware is knocking on our door — we have to pull that together from a lot of different places,” Murphy told EdScoop. “If we had to do that manually … it would take quite a bit of effort.”
And in the chaos of an attack reported nationally or even globally, there is no time to spare. Murphy praised Splunk’s tools for providing “an immediate return on investment when we have to do that analysis on short notice.”
“In the case of something like WannaCry, where there’s often a great deal of confusion announcing vulnerabilities or successful cyberattacks, it’s important for us — the security team — to have answers,” said Mary Carp, a data security analyst at Northwestern.
In such a case, Carp’s team can gather indicators of compromise from various backchannels and intelligence feeds, then plug those indicators into their Splunk programs to determine if the university was exposed.
“It’s an amazing time saver,” she said.
“There’s just an unholy amount of noise” to cut through to identify anomalies in the systems, Carp added. Splunk “is doing a lot of the legwork in determining what’s expected and what’s strange.”
Although Northwestern hasn’t opted to acquire Splunk’s pre-packaged “Insights for Ransomware” solution, its IT department has fine-tuned Splunk’s enterprise software tools to stay ahead of cyber threats, including ransomware.
“The key to combating ransomware is to find potential ransomware activity early and contain any threats quickly,” Lee said.