July 31, 2012, 2:15 PM — The University of Texas at Austin, the flagship of the University of Texas System, is a prime example of the scope of the challenge. Its 350-acre campus features nearly 200 buildings, all linked by a 10 gigabit fiber optic backbone. At any one time, up to 120,000 individual devices, ranging from servers to switches, wireless access points, desktops, laptops, tablets, smart phones and security cameras, may be connected to its network.
"As with other universities, we have tens of thousands of users representing an even larger population of networked devices," says Cam Beasley, chief information security officer (CISO) of the University of Texas at Austin. "We have a constant need to identify anomalous user account behavior, detect, locate and quarantine compromised systems in real-time, and correlate events across multiple logging environments to more fully understand potential problems or threats."
UT Austin's Information Security Office (ISO) analysts used to rely primarily on intrusion detection/prevention system (IDS/IPS) appliances and custom-developed software tools to monitor for these problems. But that approach was slow and unwieldy; moreover, it didn't fully leverage the goldmine of data ISO already had in the form of its logs.
"We wanted to plug into the many different servers and devices downstream that were coming under attack to correlate our network information with actual system log data," Beasley explains. "We didn't want a big, heavy SIEM [security information and event management] product because we hadn't had much luck with them in the past. We needed a more flexible system that we could adapt to our unique needs."
Jason Pufahl, CISO of the University of Connecticut, faced a similar problem.
"Ultimately, every time we needed to do any kind of data mining, it was half a dozen sources using a variety of different tools," he says. "It could only be done by one or two different people [who had the skills to do it]."
Big Data Analytics Helps Universities Mine Log Data
Like more than 275 universities around the world, UT Austin and UConn turned to Splunk.
"Universities have some of the most complex IT infrastructures in the world, and this makes them extremely vulnerable," says Mark Seward, senior director of security and compliance marketing at Splunk. "It's the ultimate BYOD situation. Security threats are constantly evolving. Splunk collects massive amounts of data and helps users detect unknown and persistent threats."