
Endpoint Cybersecurity for Higher Education: Tackling Today’s Two Biggest Threats

Schools must improve their endpoint cybersecurity to defend against their biggest threats, vulnerabilities and sources of risk. Here’s how.


In higher education, IT groups have a single mission — they must provide a safe, secure and stable environment for their students and their staff. Over the past 12 months, that mission has become difficult to perform.

Institutions have sent their students and staff home, they have created online learning models from scratch, and they have become more and more reliant on new and often vulnerable technologies.

These changes have created a suite of challenges that higher education institutions are struggling with — and which we wrote this series of articles to help you overcome.

In this series, we’ll explore the three biggest challenges that higher education institutions face today, how you can overcome those challenges, and the role that Tanium can play in the process.

In this first article, we’ll discuss the challenge of new cybersecurity threats.

To do so, we’ll outline:

  • The primary cybersecurity threats institutions now face.
  • How institutions can improve their endpoint cybersecurity to defend themselves against these threats.
  • How institutions can use Tanium to strengthen their defenses.

The two main cybersecurity threats higher education institutions now face

Higher education’s threat landscape has changed, and institutions must adapt their defenses to address it.

Over the past 12 months the education sector has been a major target for cyberattacks. At times, attacks against education grew faster than attacks against any other sector (30% growth versus 6.5%), and 62.8% of malware encounters reported in October 2020 were within the education sector alone.

During this time, higher education institutions have been targeted with two primary threats.

Advanced Ransomware: Institutions have experienced an increase in attacks from profit-driven Advanced Persistent Threat (APT) groups, and many of these attacks have been ransomware campaigns. The higher education sector experienced twice as many ransomware attacks in 2020 as in 2019, and the average ransom demand reached $447,000.

Nation-State Sponsored Attacks: Institutions have also experienced an increase in attacks from nation-state sponsored threat groups that seek research data. Historically, these cyber-espionage attacks often sought information about military research conducted at universities, but over the past year threat groups have also sought COVID-19 vaccine research data.

Both threats use complex, multi-stage attack patterns, and take advantage of the increased endpoint vulnerabilities that higher education institutions unwittingly opened in their overnight move to remote operations.

A typical attack pattern for both threats will follow these steps.

  1. The attacker scans the institution’s network for vulnerabilities.
  2. They launch commodity attacks such as phishing, or exploit any known vulnerabilities they find, such as unpatched assets.
  3. They penetrate the institution’s network and move laterally through vulnerable systems.
  4. They establish a foothold in the environment, gather intelligence on critical systems, and exfiltrate as much sensitive data as they can.
  5. If the attack includes ransomware, they eventually encrypt or lock up systems and demand a ransom.

To defend against these threats, institutions must develop an approach to endpoint cybersecurity that is just as complex and multi-stage as the attack patterns themselves, and which emphasizes rapidly closing known vulnerabilities.

Here’s what that looks like.

How institutions can improve their endpoint cybersecurity to defend against these two threats

To defend against these threats, higher education institutions must be able to:

  1. Develop an accurate picture of assets in the network, the known vulnerabilities on those assets, and the measurable risk each carries.
  2. Remove the known vulnerabilities on assets by constantly patching, updating and properly configuring them.
  3. Proactively hunt for indicators of compromise that point to in-progress attacks, before those attacks develop too far.
  4. Investigate discovered attacks to identify their root cause, their lateral spread, and the assets and pieces of data the attacker touched.
  5. Remediate attacks, evict attackers, and regain control of systems without significant data loss.
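The first three steps above can be demonstrated on constructed inventory data. The following is an added example written for this article, not Tanium code or output: it scores each endpoint from its known-vulnerable software versions, its patch staleness and any indicator-of-compromise hits, then ranks the endpoints so the riskiest are handled first. Every hostname, version, date, hash, severity and policy weight in it is made up for illustration, and the vulnerability feed and IOC set are stand-ins for whatever sources an institution actually subscribes to.

```python
"""Added example, not Tanium's code: a small endpoint hygiene pipeline that
runs steps 1-3 above over a constructed inventory.  All hosts, versions,
dates, hashes, severities and policy weights below are made up."""
import re
from dataclasses import dataclass
from datetime import date

ASSESSMENT_DATE = date(2021, 3, 1)   # constructed "today" for the sample run

# Step 1 input: what an inventory agent would report per endpoint (constructed).
INVENTORY = [
    {"host": "lib-ws-01", "last_patch": "2021-02-25",
     "software": {"openssl": "1.1.1i", "vpnclient": "4.9.2"},
     "processes": ["explorer.exe", "winword.exe"],
     "file_hashes": {"C:\\Users\\pub\\notes.docx": "c0ffee01"}},
    {"host": "research-srv-02", "last_patch": "2020-11-03",
     "software": {"openssl": "1.1.1j", "vpnclient": "4.8.0"},
     "processes": ["sshd", "mimikatz.exe"],
     "file_hashes": {"/tmp/.x/loader": "deadbeef"}},
    {"host": "admin-lt-07", "last_patch": "2021-02-28",
     "software": {"openssl": "1.1.1j", "vpnclient": "4.9.2"},
     "processes": ["explorer.exe"],
     "file_hashes": {}},
]

# Constructed vulnerability feed: package -> (first fixed version, severity 0-10).
KNOWN_VULNS = {"openssl": ("1.1.1j", 7.5), "vpnclient": ("4.9.2", 9.8)}

# Constructed indicators of compromise used by the step 3 sweep.
IOCS = {"hashes": {"deadbeef"}, "processes": {"mimikatz.exe"}}

STALE_AFTER_DAYS = 30   # policy assumption: patches older than this add risk
IOC_WEIGHT = 10.0       # policy assumption: any IOC hit outweighs a single CVE


def version_key(v: str):
    """Turn '1.1.1i' into ((0,1),(0,1),(0,1),(1,'i')) so tuples sort naturally.
    Tagging numeric and alphabetic parts separately keeps them comparable."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-z]+", v.lower()))


def find_vulns(asset):
    """Step 1: (package, installed, fixed_in, severity) where installed < fixed_in."""
    hits = []
    for pkg, installed in asset["software"].items():
        if pkg in KNOWN_VULNS:
            fixed_in, severity = KNOWN_VULNS[pkg]
            if version_key(installed) < version_key(fixed_in):
                hits.append((pkg, installed, fixed_in, severity))
    return hits


def days_since_patch(asset, today: date) -> int:
    """Step 2 signal: how long since the endpoint last took patches."""
    return (today - date.fromisoformat(asset["last_patch"])).days


def match_iocs(asset):
    """Step 3: sweep the endpoint's processes and file hashes against the IOC set."""
    hits = [f"process:{p}" for p in asset["processes"] if p in IOCS["processes"]]
    hits += [f"hash:{h}@{path}" for path, h in asset["file_hashes"].items()
             if h in IOCS["hashes"]]
    return hits


@dataclass
class Finding:
    host: str
    vulns: list
    iocs: list
    days_since_patch: int
    risk: float


def assess(asset, today: date) -> Finding:
    """Combine the three signals into one measurable risk figure for the asset."""
    vulns = find_vulns(asset)
    iocs = match_iocs(asset)
    stale_days = days_since_patch(asset, today)
    staleness = min(5.0, max(0, stale_days - STALE_AFTER_DAYS) * 0.1)
    risk = sum(v[3] for v in vulns) + staleness + IOC_WEIGHT * len(iocs)
    return Finding(asset["host"], vulns, iocs, stale_days, round(risk, 2))


def prioritize(inventory, today: date):
    """Highest-risk endpoints first: these are the ones to patch or isolate today."""
    return sorted((assess(a, today) for a in inventory),
                  key=lambda f: f.risk, reverse=True)


if __name__ == "__main__":
    for f in prioritize(INVENTORY, ASSESSMENT_DATE):
        print(f"{f.host:16} risk={f.risk:5.1f} patched {f.days_since_patch:3d}d ago "
              f"vulns={[v[0] for v in f.vulns]} iocs={f.iocs}")
```

In the sample run the stale research server with an IOC hit ranks first even though the workstation carries a vulnerable OpenSSL, which is the point of step 3: an active compromise outranks a patch gap. A real deployment would replace the three constants with the institution's inventory source, vulnerability feed and threat intelligence, and would feed the ranked list into the patching and investigation steps that follow.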

To perform these steps and defend against these attacks, institutions must focus on developing a few core capabilities.

Endpoint Visibility. Institutions must be able to collect real-time data on the status and behavior of their endpoints, the applications on those endpoints, and the users deploying those endpoints. They must be able to detect malicious actors before they exfiltrate data or lock systems, and maintain visibility throughout an attack to drive investigation and remediation.

Endpoint Control. Institutions must be able to perform fundamental security controls such as patching, updating and configuring endpoints. With these capabilities, institutions can raise the barrier to entry for malicious actors, and also rapidly respond to zero-day threats and in-progress security incidents to confidently block or evict attackers.

Institutions must be able to apply this visibility and control in near-real-time across their diverse, distributed and dynamic endpoints. To do so, they often need to reconsider their legacy endpoint management and security tools. Most legacy tools were developed to apply visibility and control to on-premises endpoints, and often fail to manage and defend today’s remote networks.

If an institution is unable to maintain visibility, control, and effective defenses within its new networks, then it should consider replacing its legacy tools with new and updated endpoint management and security solutions that were designed specifically for modern networks.

Solutions like Tanium.

How institutions can use Tanium to strengthen their endpoint cybersecurity

With Tanium, higher education institutions can quickly secure their assets against these threat patterns and perform each step of an effective defense.

With Tanium, institutions can:

  1. Create a comprehensive, real-time inventory of endpoints that includes their software, their vulnerabilities, and their user behavior.
  2. Patch, update, configure, or otherwise apply controls to hundreds of thousands of endpoints in hours or days, not weeks or months.
  3. Perform either continuous scans or real-time spot searches for specific indicators of compromise across endpoints.
  4. Define the source of a discovered attack, map its attack chain, and identify assets and data the attack compromised.
  5. Harden assets in real-time against the attack pattern to stop its spread, to evict the attacker, and to prevent additional incidents.

Tanium gives institutions the core capabilities they need to perform each of these steps and defend against today’s biggest attack patterns.

Endpoint Visibility With Tanium. When colleges and universities first launch Tanium in their environment, they typically find 10 – 20% more assets than they knew they had. Tanium then creates visibility into the applications, users, access rights, configurations, and known vulnerabilities on each of those assets — as well as the measurable risk that each asset generates.

Endpoint Control With Tanium. Institutions of higher learning will commonly achieve a validated 99% compliance with common controls — such as patching — within 24 hours of installation. From there, Tanium can rapidly apply new controls to assets to maintain near-perfect hygiene.

Tanium products are designed to deliver these capabilities across modern networks.

Tanium leverages a modern, distributed architecture to establish scalable, real-time visibility and control across remote endpoints without generating significant network strain. Tanium consolidates the core capabilities within a single platform operating from a single instance, agent, and pane of glass.

With Tanium, one higher education institution was able to:

  • Discover hundreds of unknown assets in its network, and hundreds of thousands of open vulnerabilities.
  • Reduce its missing critical patches from 38,000 to fewer than 300, and reduce its missing updates from hundreds of thousands to fewer than 1,000.
  • Remediate multiple zero-day threats across its entire asset network within minutes of discovering them.

With Tanium, institutions can improve the fundamental security of their asset networks and effectively defend against ransomware and nation-state sponsored attacks, as well as whatever threats come next.

Overcome your institution’s challenges with Tanium

In the next part of our series, we’ll explore the second challenge that institutions face — how to manage their fragmented, rapidly changing networks. In part three, we’ll discuss how institutions can reduce their costs and deliver efficient IT functions with better client management.

Learn how to take control of your institution’s IT environment and create a real-time picture of your endpoints with Tanium’s Client Management solution.

Doug Thompson

Doug Thompson is Tanium’s Chief Education Architect. A conference speaker, podcast host, and storyteller, he architects solutions that keep our schools’ sensitive data secure.
