Strategic Recovery: Oxford Computer Group’s Impactful Role in Reshaping University Security with Microsoft Sentinel

In the aftermath of a significant security breach, Oxford Computer Group was a guiding force in revamping a higher education institution’s security framework.

The institution, a prominent American public university, faced the challenge of securing remote learning and working environments for its students and staff amid the surge in online activity (hundreds of logins to multiple applications every minute) in 2020, and then became part of a large global security breach.

To prevent future breaches, the university needed to quickly implement a robust Security Information and Event Management (SIEM) solution. SIEM solutions aggregate and analyze activity from many different resources across the entire IT infrastructure.

The Challenge:

Before the security breach, the university was transitioning its security infrastructure, intending to acquire Microsoft Defender for Cloud and migrate its Splunk SIEM to Microsoft Sentinel. However, the breach expedited this timeline, compelling the institution to rapidly deploy Defender, Log Analytics agents, Microsoft Sentinel, and Data Connectors.

The deployment involved the creation of two Log Analytics workspaces, each assigned distinct roles and responsibilities. Unfortunately, this accelerated deployment lacked a comprehensive data governance plan, resulting in architectural and log ingestion challenges.

Post-deployment, the university grappled with several issues, including the inability to access servers or logs through the Microsoft Sentinel dashboard. Discrepancies in data retention settings and concerns about data ingestion further complicated the landscape, with ingestion exceeding 200 GB daily on one workspace and 50 GB on another. The client expressed a desire to cap data ingestion to mitigate costs and address syslog logs causing higher-than-desired billable ingestion.

Sentinel setup, offering recommendations and strategic guidance. The assessment revealed that firewall syslogs were a major contributor to the excessive ingestion on one workspace, prompting changes to the Syslog configuration of the Log Analytics agent and to the firewall's logging settings. Configuration adjustments brought the two workspaces into line with each other, and, to unlock the full potential of Microsoft Sentinel's machine learning and AI capabilities, the decision was made to consolidate all logs and data connectors into a single workspace.
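An added example, not from the original article, of how such an ingestion assessment can be run in Kusto Query Language against a Log Analytics workspace: the first query ranks billable ingestion by table, the second breaks the Syslog table down by host, facility and severity so that a single noisy source such as a firewall stands out. The Usage and Syslog tables and their columns are standard Log Analytics ones; the 30-day and 7-day windows are assumptions.

```kql
// Query 1: billable ingestion per table over the last 30 days, in GB.
// Usage.Quantity is reported in MB, so divide by 1024.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize TotalGB = round(sum(Quantity) / 1024, 2) by DataType
| order by TotalGB desc

// Query 2: within Syslog, which hosts and facilities drive the volume?
// _BilledSize is the billed size of each record in bytes.
Syslog
| where TimeGenerated > ago(7d)
| summarize
    GB = round(sum(_BilledSize) / (1024.0 * 1024.0 * 1024.0), 2),
    Events = count()
    by Computer, Facility, SeverityLevel
| order by GB desc
| take 20
```

Run each query separately in the Logs blade; a host and facility pair that dominates the second result is the candidate for tightening the agent's facility and severity filters or the device's own logging level.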

Custom alerting was enabled through the reconfiguration of custom Playbooks, and steps were taken to address CEF Log Forwarders pointing to specific agents. Removal of data ingestion caps and transitioning one workspace to cold storage were pivotal decisions. Microsoft’s sales team played a crucial role in recommending pricing tiers aligned with the institution’s ingestion needs at the time of engagement.

The Result:

Following Oxford Computer Group and Microsoft’s collaborative efforts, the university significantly reduced deployment errors and subscription billing inefficiencies. The benefits included a consolidated view of logs in a single workspace, streamlined dashboards for Microsoft Sentinel and Defender, enhanced alert functionality, and cost reductions achieved by fine-tuning ingestion settings and subscription types.

Conclusion:

As the university continues to fine-tune its logs and data connectors, the focus has moved toward a comprehensive Microsoft Sentinel deployment. The ongoing process involves building a data governance plan encompassing retention policy, data usage understanding, logging needs, and defining access permissions.

Lessons learned include understanding the critical role of a robust data governance policy and an IT Infrastructure Library (ITIL) structure in shaping the planning and deployment stages of any SIEM implementation. Establishing a solid foundation is crucial to fostering collaboration within IT teams, eliminating deployment errors, and addressing billable ingestion concerns from the project's inception. This transformative journey positions the university to navigate future security challenges with resilience and foresight.

If you would like to find out more, contact us now.

(Article originally posted on Oxford Computer Group USA website).