Situational awareness for the university IT security team starts with the millions of log entries generated across the network infrastructure by users, network devices, servers, applications and a multitude of other sources. These logs are the key source of security information that enables the team to detect potential cyberthreats and breaches and take appropriate action.
“When I started, we dealt with logs in multiple ways across different teams. Various systems, mostly text files, all siloed inside the different teams, with various retention periods. When it came to investigation, I would manually have to request logs in numerous formats and then stitch them together,” says John Couzins.
For John and his IT security team, getting all log data into one place with the same retention policies, providing correlation between log sources and enrichment of log data, and also giving individual system owners access to their own logs, became a key project.
While log management was the starting point, the advanced analytics and correlation tools available in a security information and event management (SIEM) solution made Lancaster look in that direction. The project was intended to provide a tool for troubleshooting and increasing operational efficiency while also giving the IT security team a solution for cybersecurity analytics and investigation.
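To make the three goals above concrete (one schema for siloed sources, enrichment with ownership data, and correlation across sources), here is an added example that is not part of the case study and not Lancaster's own tooling. It takes constructed sshd syslog lines and a constructed web-server access log, normalises both into one event schema, enriches each event with a hypothetical asset-owner map, and then correlates by source IP: repeated SSH failures followed by a success and then HTTP activity from the same address within a time window. The host name `www01`, the owner map and the log lines are all assumptions made for the example.

```python
"""Added example: normalise, enrich and correlate log lines from two siloed
sources. Not the case study's own code; all sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in two different formats (syslog and access log).
SYSLOG_LINES = [
    "Mar 12 10:14:02 auth01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Mar 12 10:14:05 auth01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2",
    "Mar 12 10:14:09 auth01 sshd[2211]: Accepted password for jsmith from 203.0.113.7 port 51130 ssh2",
]
ACCESS_LINES = [
    '203.0.113.7 - - [12/Mar/2024:10:15:40 +0000] "GET /admin/login HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Mar/2024:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

# Hypothetical asset inventory: host -> system owner, used for enrichment.
ASSET_OWNERS = {"auth01": "Identity team", "www01": "Web team"}

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>[\d:]{8}) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
SSH_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCESS_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_syslog(line, year=2024):
    """Map an sshd syslog line onto the common schema (syslog carries no year)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    ev = {"ts": ts, "host": m["host"], "source": "sshd", "src_ip": None, "user": None, "action": None}
    s = SSH_RE.match(m["msg"])
    if s:
        ev.update(src_ip=s["ip"], user=s["user"],
                  action="login_success" if s["outcome"] == "Accepted" else "login_failure")
    return ev


def parse_access(line, host="www01"):
    """Map a web-server access-log line onto the same schema (host is assumed)."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ts": ts, "host": host, "source": "http", "src_ip": m["ip"], "user": None,
            "action": "http_" + m["method"].lower(), "path": m["path"], "status": int(m["status"])}


def enrich(ev):
    """Attach the owning team so a finding can be routed to the right system owner."""
    ev["owner"] = ASSET_OWNERS.get(ev["host"], "unknown")
    return ev


def correlate(events, window_s=600, min_failures=2):
    """Per source IP: >= min_failures SSH failures, then a success, then any HTTP
    activity from that IP within window_s seconds of the success."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["src_ip"]:
            by_ip[ev["src_ip"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["action"] == "login_failure"]
        success = next((e for e in evs if e["action"] == "login_success"), None)
        if len(failures) < min_failures or success is None or failures[0]["ts"] > success["ts"]:
            continue
        later_http = [e for e in evs if e["source"] == "http"
                      and 0 <= (e["ts"] - success["ts"]).total_seconds() <= window_s]
        findings.append({
            "src_ip": ip, "failures": len(failures), "user": success["user"],
            "followed_by_http": [e["path"] for e in later_http],
            "owners": sorted({e["owner"] for e in [success] + later_http}),
        })
    return findings


def run_pipeline():
    """Parse both sources, enrich every event, and return the correlated findings."""
    events = [parse_syslog(l) for l in SYSLOG_LINES] + [parse_access(l) for l in ACCESS_LINES]
    return correlate([enrich(e) for e in events if e])


if __name__ == "__main__":
    for f in run_pipeline():
        print(f)
```

The point of the common schema is that `correlate` never needs to know which format an event came from; the `owners` field is what lets the security team hand a finding to the teams that own `auth01` and `www01`, which is the "system owners see their own logs" goal in a form that also works for the central team.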