Located in Whitehorse, Yukon University is the only university in Canada’s northern Territories. With a strong focus on northern research and innovation, the university is a leader in addressing forward-looking challenges such as climate change and sustainable energy solutions. Despite its remote location, Yukon University is not immune to cyber threats, as malicious actors can easily extend their reach across the digital landscape. This underscores the need for skilled cybersecurity experts to be properly equipped to combat these threats and protect the university, its students and its valuable research data, wherever the institution is located.
One such expert is Victor Hopkins-LeCheminant, a cybersecurity specialist at Yukon University since 2019. His role includes working with the Security Information and Event Management (SIEM) system, specifically FortiSIEM, to identify and address security issues alongside tools such as Sophos. Victor’s day-to-day includes monitoring Microsoft 365 logs, managing high-risk users, and collaborating with his team to enhance the university’s overall cybersecurity posture.
Challenges with existing security infrastructure
Yukon University uses the FortiSIEM system, which is effective at compiling information and can perform some basic correlation tasks. While FortiSIEM has many capabilities, its licensing costs, like those of many other enterprise-level solutions, were prohibitively expensive, limiting the university’s ability to benefit from the system’s fuller coverage.
Victor added:
“We had basically no visibility into our workstation setups other than what Sophos might identify, because the pricing of licensing was so expensive on the SIEM—we couldn’t afford it. So, with the advent of the CIRA XDR pilot, it was a Hallelujah moment and we joined.”
Enhanced threat hunting capabilities
With CIRA XDR, Victor saw significant improvements in threat hunting capabilities. Previously, Yukon University faced challenges in identifying specific accounts responsible for actions, like file deletions from SharePoint, especially when users were not logged in at the time of the incident. Although the team initially had access to SharePoint and other Microsoft 365 logs through their SIEM (FortiSIEM), the sync stopped and could not be re-established, resulting in the loss of that visibility. The lack of comprehensive logging made it difficult to pinpoint the source of the behaviour. CIRA XDR addresses these gaps by using a different methodology to monitor audit logs, allowing the team to access this information again with greater ease and investigate suspicious activities more effectively.
CIRA XDR’s ability to audit processes starting and stopping was highlighted as especially beneficial. This allows the team to measure the duration of processes and identify any anomalies, enhancing their threat hunting capabilities.
“We can now clearly see if something is happening in real time. If we’ve identified a malicious process, we can also tell whether it has an exit event or if it’s still running. That helps us gauge the situation—should our hair catch fire, or do we just keep an eye on it? It’s extremely helpful to have that ability now.”
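The start/exit pairing Victor describes, written out as an added illustration (this is not CIRA XDR’s or Yukon University’s code): the event records and host/process names below are constructed for the example, loosely modelled on endpoint telemetry that logs a process start and a matching exit, and the code answers the two questions from the quote, how long a process ran and whether a flagged one is still running.

```python
"""Pair process start/exit events, measure run time, and rank what needs attention."""
from datetime import datetime

# Constructed sample telemetry: (timestamp, event, host, pid, image).
SAMPLE_EVENTS = [
    ("2024-03-04T09:00:00", "process_start", "lab-pc-07", 4120, "outlook.exe"),
    ("2024-03-04T09:00:05", "process_start", "lab-pc-07", 4188, "powershell.exe"),
    ("2024-03-04T09:00:06", "process_exit",  "lab-pc-07", 4188, "powershell.exe"),
    ("2024-03-04T09:01:00", "process_start", "lab-pc-07", 4301, "mshta.exe"),
    ("2024-03-04T09:30:00", "process_exit",  "lab-pc-07", 4120, "outlook.exe"),
]


def correlate(events, now):
    """Match each start with the exit for the same (host, pid).

    Returns {(host, pid): {"image", "seconds", "state"}}, where state is
    "exited" when an exit event was seen and "running" otherwise (duration
    then measured up to `now`, an ISO-8601 timestamp string).
    """
    open_procs, results = {}, {}
    for ts, kind, host, pid, image in sorted(events, key=lambda e: e[0]):
        t, key = datetime.fromisoformat(ts), (host, pid)
        if kind == "process_start":
            open_procs[key] = (t, image)
        elif kind == "process_exit" and key in open_procs:
            start, image = open_procs.pop(key)
            secs = int((t - start).total_seconds())
            results[key] = {"image": image, "seconds": secs, "state": "exited"}
        # An exit with no recorded start (agent came up mid-process) is dropped.
    now_t = datetime.fromisoformat(now)
    for key, (start, image) in open_procs.items():
        secs = int((now_t - start).total_seconds())
        results[key] = {"image": image, "seconds": secs, "state": "running"}
    return results


def triage(results, watchlist, long_running=600):
    """Rank findings: a watch-listed image still running is the urgent case,
    a watch-listed one that already exited is a post-hoc review, and anything
    else that ran longer than `long_running` seconds is noted as long-running."""
    findings = []
    for (host, pid), r in results.items():
        if r["image"] in watchlist:
            level = "urgent" if r["state"] == "running" else "review"
        elif r["seconds"] > long_running:
            level = "long-running"
        else:
            continue
        findings.append((level, host, pid, r["image"], r["seconds"]))
    return sorted(findings)
```

The watch-list is whatever the team considers worth a closer look on its own hosts; the sample uses two common built-in Windows binaries purely to show the three outcomes.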
Integration of email communication monitoring
According to Victor, integrating email communication monitoring with CIRA XDR has been a game-changer. Leveraging his skills, he refined a PowerShell script to capture email flow information, which is generally not available unless specifically retrieved. This enabled the team to better track phishing attempts by identifying all recipients of suspicious emails. The integration with Microsoft 365 audit logs further enhanced the university’s ability to correlate email activity with firewall logs, giving a much more comprehensive view of potential threats.
“It was very much an out-of-the-box experience. It went amazingly and within a very short time—you know, minutes—we were looking at Microsoft 365 logs in CIRA XDR. So fantastic.”
This seamless integration with Microsoft 365 audit logs has greatly improved Yukon University’s ability to correlate email activity with firewall logs. Now, the security team has a comprehensive view of potential threats across their attack surface, and the university’s ability to monitor and respond to security incidents has been significantly improved. By correlating weak signals across various sources, CIRA XDR can easily detect more actionable threats.
Custom dashboards for enhanced visibility
Victor also underscored the value of the customizable dashboards. By creating various views in the dashboard section, he was able to save and quickly return to specific filters and data structures. These views gave him insight into different layers of the university’s security ecosystem, such as Azure AD logins, and allowed him to filter on attributes such as geolocation.
“You give it a name and now I can easily look directly into things like what does our log on to Azure AD situation look like? And I can pull that up.”
Working with the CIRA team
Victor praised the support and onboarding experience with the CIRA team, describing them as enthusiastically engaged and very knowledgeable.
“The team was always enthusiastic about solving problems and were so patient putting up with—I’ll just say, a few questions on my part—over time. They were very helpful, and I greatly appreciated that. And that kind of enthusiasm is transferable. There are many competent teams, but their excitement and enthusiasm encourages you to see the possibilities of the platform and opportunities for improved cybersecurity.”
Community-driven approach and collaboration
The community-driven approach of the CIRA XDR solution has been very valuable to Victor, who operates as a team of one but collaborates closely with his colleagues. The ability to see trends and threats encountered by other institutions, such as phishing campaigns in different regions, adds valuable context and helps the university stay ahead of potential threats.
The shared experiences and collective efforts in cybersecurity foster a supportive environment where institutions can learn from each other and enhance their security measures.
Victor spoke to its importance:
“I came from a municipal environment and the sort of national collaboration that’s happening in the education space and XDR is amazing. It’s not just that there’s collaboration—but the idea of collaboration, the spirit of collaboration—is embraced by everyone.”
The takeaway
Victor’s journey with CIRA XDR at Yukon University showcases the transformative impact of adopting advanced cybersecurity measures to protect an organization. CIRA XDR has addressed critical gaps in the institution’s existing security infrastructure, providing the team with enhanced threat hunting capabilities, seamless integration with its tech stack and customizable dashboards for improved visibility and monitoring. The community-driven approach has fostered collaboration and will continue to strengthen the university’s security posture. Working together with CIRA, Victor and Yukon University have significantly improved their ability to detect and respond to threats, ensuring a safer environment for the university’s research and academic activities.