Norwegian University of Science and Technology


Updated: October 12, 2022




Renowned as a center for technological education, research, and innovation, the Norwegian University of Science and Technology (NTNU) serves 42,000 students and 9,000 staff and faculty. Security, in turn, must meet the needs of a diverse community of stakeholders.

Executive Summary

Customer Name: Norwegian University of Science and Technology

Industry: Higher education

Location: Trondheim, Gjøvik, and Ålesund, Norway

Number of Users: 42,000 students and 9,000 staff and faculty


  Large footprint including 110,000 endpoints connecting to the network daily
  Unique environment with different stakeholders and needs
  Inconsistent visibility because staff and students are located around the world



  Gained unified visibility regardless of user and device location
  Improved advanced threat detection and response capabilities
  Reduced investigation and remediation time by 83%

A unique environment

As Norway’s largest university, the Norwegian University of Science and Technology (NTNU) offers a breadth of graduate and undergraduate degrees, along with hundreds of innovation and research programs, at three campuses. The university has an international focus, so many of the students and employees are dispersed around the world. On any given day, NTNU has as many as 110,000 endpoints connecting to its network on campus and through Cisco VPN.

“We have all sorts of things in our network. If you can think of it, it’s probably connected to our network somewhere—high-performance computing clusters, a robot swimming by itself out in the sea, a satellite in space, and nanotechnology, to name a few,” explains Christoffer Vargtass Hallstensen, NTNU head of the Security Operations Center (SOC). “We also have health researchers as well as academics who need the freedom to do what they want to do whenever they want to do it. All these aspects pose some real security challenges for us.”

Among the biggest challenges for the 10-person security team was the lack of consistent visibility into cybersecurity incidents regardless of the endpoint’s location. The team was especially concerned about its limited ability to detect unknown, hidden, and stealthy threats. “We needed an endpoint solution that could work with our user base distributed all over the world at any time and enable the SOC to handle incidents wherever the user might be,” Hallstensen says.

The diversity of its stakeholders means NTNU’s security approach must accommodate different needs, such as the flexibility for the academics and researchers to stand up infrastructure for projects and access websites that may pose a higher risk.

To meet all these objectives, NTNU sought a partner who could not only deliver a robust security solution but also provide deep expertise and a roadmap for continuous product improvements based on customer feedback. “We didn’t want a vendor. We didn’t want a product. We wanted a partner to help us attack this large problem of cybersecurity,” Hallstensen says.

“We didn’t want a vendor. We didn’t want a product. We wanted a partner to help us attack this large problem of cybersecurity.”

Christoffer Vargtass Hallstensen

Head of the Security Operations Center and Cisco Cybersecurity Insider Advocate

Faster mitigation

NTNU weighed a variety of options for endpoint security and evaluated several vendors. Cisco Secure stood out both for its strong security foundation and consistent product enhancements. Other draws included Cisco’s API-centric approach that enables NTNU to use its existing products and threat intelligence, as well as Cisco’s strong foundation in open-source tooling that NTNU was familiar with.

“One of the main reasons we chose Cisco Secure Endpoint was flexibility,” Hallstensen explains. “For example, we can write our own antivirus signatures for viruses and malware that don’t exist or just use simple detection hashes, and we can look at threats in our environment using a sandbox. This is important to us because we don’t know what the challenge will be tomorrow. We know what we have been handling up until now, but tomorrow, next week, or next month, it can be something different.”

Secure Endpoint’s cloud-delivered endpoint protection, along with advanced endpoint detection and response, has enabled the security team to rapidly detect, contain, and remediate advanced threats. Additionally, Secure Endpoint’s Orbital Advanced Search capabilities simplify security investigations and threat hunting by providing more than a hundred available queries, allowing teams to run complex queries on all endpoints or any of them. Hallstensen recalls a recent incident when attackers attempted to infect an NTNU device with ransomware from a known group. One of the analysts spotted a suspicious PowerShell command while going through the Secure Endpoint alerts and began investigating. The analyst used Secure Endpoint’s device trajectory feature, which tracks a malicious file from the endpoint and shows the origin of the threat, plus when and how the file infiltrated that endpoint.

“The analyst discovered that attackers were downloading a file and trying to run local credential dumps. He simply right clicked and blocked that tool from running and started cleaning up the device,” Hallstensen says. “Without Secure Endpoint, it would have taken at least two days to get the device back up if the attack had been successful.”

Along with preventing attacks and automatically blocking threats, the solution has freed up quite a bit of time on investigation and remediation, Hallstensen says. “We use Secure Endpoint within the broader scope of our security platform, analytics of events and alerts, and tying them together in context,” he adds. “So we’re using more of our time on threat intelligence and getting data together instead.”

Doing more with less

Secure Endpoint offers cloud-based prevention capabilities such as looking up file reputation, quickly delivering a verdict, and automatically blocking malicious activity based on policy settings. The cloud-based features were especially valuable for the SOC team due to their flexibility and capabilities, which on-premises solutions don’t provide. “Checking out an indicator of compromise on all endpoints took a lot of work before. Now, it’s a matter of seconds to get an answer and understand if it’s something we should worry about,” Hallstensen says.

One of the results of Secure Endpoint’s deployment for NTNU was the decoupling of SOC operations from IT operations. This ensures that each team can do its job effectively without being affected by each other’s incidents. Just as important, according to Hallstensen, was the elimination of manual labor and the ability to get enriched context when investigating incidents. “Secure Endpoint delivers better detection, faster analytics and correlations, and a faster response to threats that are not yet known to the global security community,” he says. “For security teams, Secure Endpoint is a really great product and one of the best on the market.”

In addition to Secure Endpoint, the university deployed Cisco Umbrella for DNS security and connected both solutions with Cisco SecureX, a cloud-native platform that provides built-in extended detection and response (XDR). SecureX integrates both Cisco and third-party solutions to simplify security and improve threat response effectiveness. Overall, Hallstensen estimates that SecureX and Secure Endpoint have reduced the security team’s investigation time by about 83%. “SecureX saves us so much time. Things that took us 30 minutes before now take about five minutes,” he says. “It’s really easy to get data from where you need it into your tools and start working with them.”

While NTNU has achieved its objectives such as gaining consistent visibility, its partnership with Cisco has delivered much more—including a shift to a more proactive security approach and an elevated SOC maturity. And most importantly, the security team can deliver on its mission to provide a secure environment for the entire NTNU community. “Cisco enables us to provide protection anywhere the users are, no matter what they’re doing,” Hallstensen concludes. “With Cisco Secure, we can do more with less people so that the university can spend its resources on support for research and students.”

“Secure Endpoint delivers better detection, faster analytics and correlations, and a faster response to threats that are not yet known to the global security community.”

Christoffer Vargtass Hallstensen

Head of the Security Operations Center, and Cisco Cybersecurity Insider Advocate

Added value from the Cisco Secure community and partnership

Cisco’s support for customers extends to education and professional development, including a networking community called Cisco Insider Advocacy. Through Cisco Insider, customers can connect both with Cisco internal experts and with peers from other organizations. They can also ask the community about their experience with specific Cisco solutions or security problems. The professionals who participate in the program often face the same challenges as Hallstensen, and they freely share their experiences and solutions with each other.

Just as important for NTNU is to have a security partner that is continuously innovating and looking to the future.

“Cisco’s approach to security as a platform of integrations, with Cisco products, in-house developed tools and third-party vendors, lays the foundation for highly adaptable security operations. Let’s just call it security platform building blocks, powered with Cisco Talos global threat intelligence and enhanced with local threat intelligence and context.”

Christoffer Vargtass Hallstensen

Head of the Security Operations Center, and Cisco Cybersecurity Insider Advocate

Learn more

Learn more about Cisco Secure Endpoint’s cloud-delivered security capabilities and benefits.



