Pima's network, server, and storage hardware came from various vendors. "We had five different switch manufacturers, different types of servers, and every type of endpoint computing platform you could think of. It was impossible to do security alerting in that environment because alerts require anomalies. When everything you see all day long is an anomaly, it's hard to identify which alerts need action," explains McGowan.
"With Cisco, we wanted to accomplish a two-pronged approach: redesigning our network infrastructure and securing it at the same time," says Satterfield. Pima's security journey started with Cisco SecureX integrated with Cisco Secure Endpoint, Cisco Umbrella, and Cisco Malware Analytics. And within months, Pima began to see the results.
Hardening security
The first step in Pima's security journey was establishing a baseline for normal behavior. "Deploying Cisco Secure Endpoint went a huge way toward generating real-time communication between SecureX and the endpoints out there," says McGowan. "And very soon, we could discover what that baseline looked like for the environment."
Initially, the scans found hundreds of preexisting infections. "We kept finding infections that were present on machines but had escaped our previous security product. Or even if we were alerted about them, nobody had seen them," McGowan continues. "After adopting Cisco Secure, alerts in subsequent scans tapered down from hundreds to just a few. Secure Endpoint's powerful EDR capabilities provided accurate telemetry for the devices and, in one case, detected an artifact of a ransomware infection simply based on the encrypted file for that ransomware."
Pima's attack surface is vast and dynamic. Unlike corporations, Pima has little control over how students use the devices the college lends them. "The potential for unintentional malicious use of those devices is extremely high," remarks McGowan. "Now every device has had EDR deployed on it. And everything that was infected has been either retired or reimaged."
For threat hunting, Pima receives valuable insights from the Cisco Talos Intelligence Group. Additionally, Pima uses Orbital with Secure Endpoint to run queries for threat hunting. "Orbital is deployed throughout the environment where it's supported. For threat hunting, we use either out-of-the-box Orbital queries or custom queries in some cases," explains McGowan. "We get a lot with Umbrella and Secure Endpoint because you can run a correlation on endpoint events and DNS requests. The majority of malware we're seeing, and the majority of malware that exists these days, is DNS-based."
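The two ideas in the passages above, establishing a per-device baseline of normal behavior and then correlating DNS requests with endpoint events, can be shown in a small, self-contained hunt. The following is an added example, not code from the Pima case study or from any Cisco product; the DNS and process log records, the hostnames, the domain `c2.invalid` (a reserved placeholder TLD) and the five-second attribution window are all constructed for illustration, and the field layout is not the export format of Umbrella or Secure Endpoint.

```python
"""Baseline DNS behavior per host, then attribute never-before-seen domains to a process.

Added illustration only; log layouts and values are constructed for this example
and do not reflect any vendor's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS query log: (host, ISO timestamp, queried domain).
# Day one is the baseline period; day two is the observation period.
DNS_LOG = [
    ("lab-pc-07", "2023-03-01T09:00:02", "updates.example.edu"),
    ("lab-pc-07", "2023-03-01T09:00:05", "lms.example.edu"),
    ("lab-pc-12", "2023-03-01T09:01:10", "lms.example.edu"),
    ("lab-pc-12", "2023-03-01T09:05:00", "updates.example.edu"),
    ("lab-pc-07", "2023-03-02T14:22:31", "lms.example.edu"),
    ("lab-pc-07", "2023-03-02T14:22:33", "c2.invalid"),  # not in this host's baseline
    ("lab-pc-12", "2023-03-02T14:30:00", "updates.example.edu"),
]

# Constructed endpoint process-start events: (host, ISO timestamp, image name, pid).
PROCESS_LOG = [
    ("lab-pc-07", "2023-03-02T14:22:30", "browser.exe", 4120),
    ("lab-pc-07", "2023-03-02T14:22:32", "wscript.exe", 4188),
    ("lab-pc-07", "2023-03-02T14:25:00", "notepad.exe", 4200),
    ("lab-pc-12", "2023-03-02T14:29:58", "svchost.exe", 900),
]

# Everything before this instant is treated as the "known good" baseline window.
BASELINE_END = datetime.fromisoformat("2023-03-02T00:00:00")


def parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(dns_log, baseline_end):
    """Per-host set of domains resolved during the baseline period."""
    seen = defaultdict(set)
    for host, ts, domain in dns_log:
        if parse(ts) < baseline_end:
            seen[host].add(domain)
    return seen


def new_domains(dns_log, baseline, baseline_end):
    """Post-baseline queries for domains the same host never resolved before."""
    return [
        (host, ts, domain)
        for host, ts, domain in dns_log
        if parse(ts) >= baseline_end and domain not in baseline[host]
    ]


def attribute_to_process(query, process_log, window_seconds=5):
    """Most recent process started on the querying host within the window before the query.

    Returns the process tuple or None when no process start falls inside the window.
    """
    host, ts, _ = query
    qtime = parse(ts)
    window = timedelta(seconds=window_seconds)
    candidates = [
        p for p in process_log
        if p[0] == host and timedelta(0) <= qtime - parse(p[1]) <= window
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda p: parse(p[1]))


def hunt(dns_log=DNS_LOG, process_log=PROCESS_LOG, baseline_end=BASELINE_END):
    """Return one finding per anomalous DNS query, with the process it is attributed to."""
    baseline = build_baseline(dns_log, baseline_end)
    findings = []
    for query in new_domains(dns_log, baseline, baseline_end):
        proc = attribute_to_process(query, process_log)
        findings.append({
            "host": query[0],
            "time": query[1],
            "domain": query[2],
            "process": proc[2] if proc else None,
            "pid": proc[3] if proc else None,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

The baseline is kept per host deliberately: a domain that is routine for a lab workstation may be anomalous for a server, and a fleet-wide allowlist would hide that. The attribution step is a heuristic that assumes the process starting closest before the query is the one that issued it; where the endpoint agent records the querying process directly, that field should be used instead.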
SecureX integration with Umbrella, Secure Endpoint, Malware Analytics, and third-party tools enables an integrated and layered architecture. Pima uses Umbrella as the primary DNS resolver. "Everything on the campuses goes to Umbrella, enriched by events that come from Secure Endpoint and Malware Analytics. SecureX integration allows us to directly block a domain discovered by Malware Analytics without ever having to visit Umbrella," McGowan says. "And when I have a hypothesis for an investigation, I try to structure it through the Cisco Threat Response capability of SecureX, which, along with Casebook, has been great for organizing how to conduct those incident responses."
Leveraging Orbital and SecureX device insights, Pima can dynamically update its resource inventory directly from Secure Endpoint using automation, a big step ahead of its previous manual, static inventory management. "It's great that SecureX device insights take that inventory directly from Secure Endpoint," says McGowan. "Orbital's OS query capability on all the endpoints has been a huge benefit to us, especially because some of our issues were related to inventory."
Doing more with less
Thanks to Cisco, Pima's security posture is now more robust and predictable. "The security alerts have reduced from 300 alerts a day to just two or three," McGowan says. "Having the baseline allows us to see what the new incidents are. We can analyze and address them timely and appropriately."
Pima's dynamic attack surface has many moving parts. Integrated visibility into endpoints and events is crucial. "SecureX gives us visibility on and off the network, which we didn't have before," Satterfield remarks. The ease of operation of SecureX and Secure Endpoint enables Pima's small security team to accomplish more tasks. "In general terms, we deployed the entire Secure Endpoint suite with a team of only two people," says McGowan. "And with only a few security analysts, threat hunting wouldn't happen if it weren't done through SecureX and Orbital." Satterfield adds, "SecureX offers integration, orchestration, and consistency to the data through one central location. It enables us to do more with less."
Threat analysis has also accelerated significantly. Pima's legacy anti-malware solution lacked file fetch capabilities. McGowan explains: "If you need to analyze a file, you need access to that device. When the device was not on campus, we had to work with the campus IT service desk to get our hands on the device to fetch the file. That process in itself used to be at least an hour. After that, the file needed to be securely transferred to my sandbox without it touching the corporate network, which is difficult in its own right. Then I had to manually do the detonation myself. So, at a minimum, it used to be a two-hour process. From Secure Endpoint, we can now fetch the file within a minute and send it to Malware Analytics. The sandbox runs for five minutes, and our result is ready in six minutes."
The journey with Cisco Secure has only begun for Pima. "We've still got a long way to go; there are other pieces we are still adding in," Satterfield says. "One exciting piece was Kenna [Security] coming on board with Cisco, adding risk-based vulnerability management."
Satterfield concludes, "We are integrating Cisco ISE and multi-factor authentication by [Cisco] Duo. Secure Access Service Edge (SASE) capabilities and network detection and response with Cisco Secure Network Analytics [formerly Stealthwatch] are on the roadmap. We're building those layers to achieve a true defense-in-depth architecture."