Oregon State University (OSU), an R1 research-focused university, places a high priority on safeguarding its research to maintain its esteemed reputation. In the spring of 2021, OSU experienced an extensive cybersecurity incident unlike any it had seen before. After initiating its first full incident response, OSU found that criminal activity underpinned the incident. Averting potential harm took a large amount of manual work and a measure of luck, highlighting the need for improved security measures. The attack revealed gaps in OSU’s security operations, specifically that the tools in place were not sufficient against the threats the university was confronting. In response, OSU created its Security Operations Center (SOC), which has become the centerpiece of the university’s security effort.
“It was a wakeup call for all of us here at Oregon State University to expand our security posture,” says David McMorries, Chief Information Security Officer at Oregon State University. “We want to have an environment where science, learning, and research can be done safely in a cyber environment. As much of the institution's operations are dependent upon information technology, we must provide an environment that is functional, available, and secure.”
The cybersecurity program at OSU navigates a delicate balance. It must foster an open environment conducive to collaboration with other institutions and researchers while simultaneously ensuring that all their research remains secure and compliant with relevant standards. These were just some of the considerations that OSU needed to keep in mind when assessing comprehensive cybersecurity tools and strategies to secure the work of researchers as well as the sensitive data of students and faculty.
Microsoft Sentinel and Microsoft Defender offer protection in every direction
After researching tools that could bolster Oregon State University’s security posture, and assessing the scale of protection needed, OSU ultimately opted for Microsoft solutions. OSU adopted Microsoft 365 A5 licensing and committed to a Zero Trust approach to cybersecurity by widely deploying Microsoft Sentinel and Microsoft Defender. A key factor in this decision was the provision of a dedicated support engineer from Microsoft, who mentored the SOC team. OSU estimates that it achieved five years of maturity in roughly two years, thanks to the rollout of these security capabilities combined with Microsoft support and consulting that helped the team maximize its use of the tooling.
Microsoft partnered with OSU to help them work through the tools and strategies that could rapidly improve their cybersecurity posture. These tools helped OSU significantly advance their security capabilities to coordinate defense across their entire digital estate. Microsoft Sentinel and Defender provide OSU the power to detect advanced threats with real-time monitoring and alerts, investigate and respond at the incident level, disrupt in-progress attacks, and simplify compliance and reporting.
With Microsoft Sentinel and Defender—and the expertise to make the most of these powerful cybersecurity solutions—OSU can ensure that their security posture remains intact. “What the SOC offers today is a comprehensive detect and respond capability that refers to the NIST Cybersecurity Framework and meets the requirements of our institution,” explains McMorries. “We once had the ability to detect incidents in the timescale of weeks. Now, we detect things in a matter of minutes.”
When OSU first implemented Microsoft Sentinel, the institution had thousands of open incidents. As of last year, they managed to reduce their daily open incident count to approximately 30. Microsoft Sentinel's ability to consolidate logs from various sources enables OSU to swiftly identify unusual logins and scrutinize specific accounts for irregular activities using Microsoft Entra ID. OSU also utilizes custom workbooks and Defender to investigate and address security threats effectively. This builds a strong picture of what is going on and what steps should be taken.
Microsoft Sentinel is the single pane of glass that Oregon State University uses to respond to threats. Compared to what they had before, Microsoft Sentinel is “revolutionary.” The university now efficiently manages phishing attacks using Microsoft Office 365's security portal, allowing for quick identification and quarantine, a stark contrast to their older manual ticketing process.
Taking protection to the next level with Microsoft Copilot for Security
As part of OSU’s commitment to innovative security protocols, they continue to both deepen and expand their cybersecurity posture. This is why they are currently using Copilot for Security, an AI cybersecurity product that enables security professionals to assess and respond to cyberthreats quickly. This initiative's goal is to elevate OSU's proactive security measures, enabling analysts to focus on tasks that add greater value to the institution.
Working alongside Microsoft Sentinel and Defender, Copilot will increase automation, lower operational costs, and improve operational efficiency, all in the hope of driving their incident ticket count down to zero. Copilot also enables faster and more efficient query generation, allowing OSU's security analysts to concentrate on high-priority incidents.
“The types of threats that we're seeing, the types of events that are occurring in higher education, are much more aggressive by cyber adversaries,” says McMorries. “And since we've deployed Microsoft Defender and Microsoft Sentinel, we've seen a dramatic ability to detect these sorts of events and prevent many of them before they influence our institution. So, the investment that's been made in our tooling and in our people has really paid off.”
As SOC manager at OSU, Emily Longman is excited about leveraging Copilot to help her automate more processes and address vulnerabilities. She plans to refine detection processes and automations to allow both students and analysts to focus their time on more complex tasks, enhancing analytical depth and overall environmental security.
“Microsoft Copilot for Security will boost our automation capabilities and help our analysts (who are college students) learn how to quickly write more KQL (Kusto Query Language)—such as threat hunting with more advanced hunting queries—and more workbooks,” she says.
The enthusiasm extends to the students involved in the SOC, who are eager to engage with Copilot for Security. Academic curricula at OSU, as at many other learning institutions, do not typically include AI technology tools, so the students working in OSU’s SOC are excited to seize this opportunity. Since OSU's primary mission is to educate the next generation’s workforce, students will learn firsthand how Copilot works. Exposing student employees to an innovative security tool represents a valuable learning opportunity while also helping to make the SOC more effective and efficient.
“Microsoft Copilot for Security will be a tremendous teaching tool for the students that work in OSU’s SOC,” says Longman. “It will also enhance our ability to secure the innovative research that OSU is doing. Now we can find better solutions that are more secure for those researchers while giving our students the skills they need to succeed in the modern workforce and really push the limits of human knowledge and research here at OSU.”
McMorries is also confident that this powerful AI-driven tool not only addresses OSU’s current needs but also provides many exciting new capabilities for the future.
“How do we best protect OSU’s systems data so that students, faculty, and researchers feel safe in our cloud-based network infrastructure?” McMorries asks. “We can't perform research, we can't support students, and students can't learn if the systems here at Oregon State University aren’t secure and available.”
“We’ve made a huge improvement by improving insights into and automating responses to security incidents in our SOC using Microsoft Sentinel, with Microsoft Defender providing the Zero Trust we require on all devices connected to our network. And with Microsoft Copilot for Security, we have leveraged AI to improve our security team's response to threats. The Security Operations Center has made great strides over the last several years. I am excited to see how Microsoft Copilot for Security can get them to that next level.”
At OSU, a commitment to open, collaborative research coexists with the imperative to protect sensitive data and maintain the institution’s overall reputation. This delicate balance requires a cybersecurity approach that is both robust and responsive. With Microsoft security tools working in concert, OSU has fortified its cybersecurity infrastructure, ensuring a safer and more secure environment.