
University of Nottingham Uncovers a Revitalised Risk & Threat Management System Through HP

A world-class university demands world-class information and security analytics.


The University of Nottingham is one of the UK’s leading academic establishments with an international footprint. In addition to campuses in Nottingham, it has major facilities in China and Malaysia.

It has just under 40,000 students worldwide and in 2010 was ranked 9th in the UK and 26th in Europe by the established world rankings index compiled by Shanghai Jiao Tong University. The University generates £500m (€591m) a year.

Against this background, the University is fully committed to providing world-class IT services to its students and staff. Students and staff are regarded as “customers” who demand always-on IT support and a secure working environment.

This is a technological challenge for the Information Services department, who must provide access to all key university systems from any location, at any time, on any device – all in a highly secure manner.

Information Services had established an information security programme but were struggling to validate its efficiency and questioning whether the right resources were being allocated in the right programmes and processes. At the same time, continued security challenges, such as the explosion of mobile device use, were adding to the complexity of their situation.

Objective
Align security initiatives with long-term goals while adapting to increasingly risk-laden information security environments.

Approach
Collected qualitative process information and vast amounts of quantitative security data to guide the proper alignment of information security investments to the University’s business goals and objectives.

IT improvements

  • Established a scientifically-precise, evidence-based threat and risk analysis to better target security investments
  • Ensured existing IT investments and resources were well-utilized in the most vulnerable areas
  • Enabled the group to articulate its methods for anticipating and mitigating attacks, standing far above other academic organizations

Business benefits

  • Enabled a business-aligned view of information security, rather than just a technical view
  • Re-allocated security investments and identified where extra investment could be justified in terms of additional business value

“We wouldn’t have got this intelligence without HP on board. What this has done is force us to re-evaluate exactly how all the security pieces fit together. We now have a much more detailed model of how the threat management solutions work - based on real data. We have a real understanding of the risks that the University really faces.” Paul Kennedy, security and compliance group leader, Information Services, University of Nottingham

“We are seeing more students and staff with smart phones and tablets that want to connect to the main campus network. This is new,” says Kennedy.

The ability to confidently re-deploy IT resources based on risk analysis
By commissioning the HP Security Analytics service, the University was able to accurately track the source and mode of attacks against its IT services. Ultimately, this enabled the University to re-deploy resources to mitigate the most pressing risks, thus enabling it to focus on its business goals in a more confident manner.

In early 2011, HP consultants were brought in to help conduct interviews with key stakeholders, collect evidence of security practice and thus develop the initial assessment. They were accompanied by analysts from HP Labs to ensure information collected could be leveraged in the HP advanced analytics systems.

Key to the success of the consultation and report process was analysis of the business benefits, security controls and centralized policy benefits.

“We are committed to giving our clients and partners actionable security intelligence, helping them change how they address the new and emerging security threats they face,” comments Andrzej Kawalec, CTO, HP Enterprise Security Services.

HP used existing research databases to create generic figures about long term vulnerability and profiles. The details of policies, processes and procedures were collated into an initial model for the University.

After many discussions over a period of a few weeks, the model was refined, with real-time data from the campus network inputted and streamed into the analytics engine. A final report was generated for the Information Services senior management team and the University management board.

“We got to the point where we had mature policies and had implemented a number of security point solutions to try and enforce them. We tried to use some data from the campus network to understand what was happening and make better use of our point solutions.

However, we didn’t really have a holistic view of how we were doing overall against our security policies,” says Kennedy.

The result was that the University now had a model that explained how threat management actually works in its environment. The model is populated with data that represents real activity on the campus network, as well as other information that HP collected from the research.

It is a model that allows Information Services to accurately see what is happening and make decisions based on that data.

Diligence of HP Security Analytics confirms effectiveness of existing security infrastructure
One unexpected but welcome result revolved around the web proxy that had been introduced three years ago to control web access. It was actually doing a very good job acting as a first line of defense. But it also showed for the first time the exact proportion of attacks that were coming in via the web.

The reporting demonstrated it was kicking in much earlier than anti-virus. This was a revelation as Information Services had always assumed patching was doing most of the work and needed extra investment.

Kennedy comments: “In fact the patching solution is probably good enough. Spending any further money on it would probably be wasted. We’re probably doing as well as it’s possible to do in a University environment with patching.”

Overall, HP’s approach and use of its Security Analytics Service means that the University now has a tool that is configured around its own business operation, security policies and ways of working rather than a generic industry standard or model. It has an engine which does the mathematics which, when rigorously applied, demonstrates what may happen if the University performs a certain action.

Kawalec adds: “Using Security Analytics means that the Information Services team can get a mathematically and scientifically accurate risk assessment but, perhaps even more importantly, can use this information to deliver reports to the University board in the concise and meaningful business language they demand.

If the University is to meet the unprecedented economic and complex security challenges of this decade, then the importance of such an approach cannot be stressed enough.”

HP was able to have a business and risk conversation by focusing in on the nuts and bolts of the actual business processes and asking the question, ‘what happens precisely at each stage?’ For the University, there is now a much deeper appreciation of what’s happening and a much better indication of the risks it is actually facing.

HP delivered results that increased trust and proved that Information Services was integral to the University business
The University and HP will continue to work together as Information Services implements recommendations from the process, analyses the impact and refines processes accordingly for further security and business benefits.

“We now have a much more detailed model of how the University’s threat management solutions work. The types of results that we’re getting are based on real data and the fact that we’ve been able to analyse that, run ‘what if’ scenarios and we can see that by making these particular changes we’re going to get better results and we’re going to get lower risk at the University.

The University Board clearly view that as a very positive sign and a sign of increased due-diligence, so we will be trusted more in the future based on the fact that we’ve done this level of work in this time frame,” says Kennedy.

