Monitoring, Detection, and Response (MDR)

Status

Completed

100% complete, updated on Fri 2/17/23 9:37 AM by Steve Ardern

Changed Status from In Process to Completed.
Project being closed as completed.

Details

Dates
Wed 5/25/22 - Fri 2/17/23
Acct/Dept
Information Technology
Service
Information Security / Cybersecurity Suggestion, Inquiry, or Request
Type
Software / Hardware / Software Deployment
Health
Green - On track
Portfolio(s)
Classification
Run
Requirements
The below Security Requirements were taken from the original RFP for the MDR service:
Mines will provide security logs from both the enterprise and public clouds to the MDR service for correlation and monitoring. The scope of these logs contains data involving general system logs, network traffic, and security appliance traffic. Therefore, the service must meet the following requirements:
• Shall not share attributed information with other clients.
Security Log Volumes
• Logs must be retained for a minimum of six (6) months
• Logs must be ingested and monitored live
• Anticipate 400 GB per day of enterprise logs. Log types include:
o 2 GB/day of core networking logs (contains DHCP logs)
o 250 GB/day of firewall logs
o 100 GB/day of Linux and Windows machine data
o 50 GB/day of Microsoft Defender logs
Created
Wed 5/25/22 2:42 PM
Modified
Wed 1/24/24 7:58 AM
Closed
Fri 2/17/23 9:37 AM

New Project Request

Point of Contact
This can either be the project manager or the person who knows the most about the project. Note that the project manager is assigned after the project is created.
How can we help you?
Please provide details regarding your request. Do you have a solution defined, or do you need support identifying a solution?
Approved project. Software has been selected and is being implemented.
Provide the background of this request.
What events or discussions preceded this request? Have there been previous efforts related to this request? Are you working with a vendor already? What are the benefits of this initiative?
Mines' primary objective for this project is to implement a 24 hour, 7 days a week cybersecurity Monitoring, Detection, and Response (“MDR”) service. This service, provided by Arctic Wolf (AW), will work in conjunction with the Mines Security Operations Center (SOC) and Security teams to protect the Mines campus from cyber threats. Arctic Wolf will focus on monitoring and detecting threats present in the Mines environment and will alert the Mines SOC or Security teams of any validated security incidents.

Today, cybersecurity monitoring is performed by the SOC, which is primarily staffed by students. Depending on SOC scheduling, there are daily periods when there is no cybersecurity monitoring. With the new MDR solution, monitoring will become more complete and automated, and will be 24x7x365.

By detecting malicious events before harm can be done, Mines can avoid the risks associated with a significant, preventable cybersecurity event. An effective MDR solution is critical to combat the ever-increasing specter of cybersecurity threats. Institutes of higher education are no exception.
-In 2019, a vulnerable web application at Georgia Institute of Technology exposed the personally identifiable data of 1.3M students, applicants, and staff, both past and current. The university had a different breach later in the year when a staff member accidentally sent student data to 1,100 other students.
-In 2020 University of California San Francisco (UCSF) fell victim to a ransomware attack spending $1.1M to recover crucial COVID-19 research data at the height of the pandemic.
-In 2020 University of Utah fell victim to a ransomware attack spending $0.5M to recover personally identifiable employee data and passwords.

Avoidance of these types of scenarios is the motivating factor for enhancing Colorado School of Mines’ IT security posture. By providing round-the-clock monitoring via Arctic Wolf, ITS will protect the Mines IT environment in real time and use that data to routinely enhance our security posture.
What is the desired completion date?
Please note that projects will be completed based on resource availability and prioritization.
12/31/2022
What are the factors driving the desired completion date?
Are there campus activities, legal requirements, dependent efforts or goals that are driving a date?
05/16 – 05/27/22 Initiating & Planning: Project Plan and Kickoff
05/23 – 08/01/22 Implementation: Monitor Internet Traffic and Core Infrastructure. Automated deployment of Arctic Wolf requirements to ITS managed servers and desktops
08/01 – 10/30/22 Operationalize: 90 day hardening period where alerts and the escalation process are fine tuned. Complete deployment of Arctic Wolf requirements to non-ITS managed servers and desktops and to ITS managed devices that require manual intervention.
10/30 – 11/30/22 Close-Out: Decommission Graylog. Transition to ongoing operations.
Provide the executive leader(s) who will champion this initiative.
These individuals support the success of this effort, such as removing obstacles, sending strategic communication and promoting necessary policy changes.
Andrew Moore, Philip Romig III
What team members have been identified to help drive this initiative?
Please note that involvement of department team members is critical to the success of this initiative.
Steve Ardern (technical owner), Jill Weisbrod (project manager), Phil Romig (sponsor)
Any additional information about this request that you would like to include?
Who does this project help? What happens if this project is not completed?
N/A


Manager

Alternate Manager(s)

Sponsor