MSSP Case Study: Education Institute Secures Campus with 24/7 SOC Service
About the Customer
The client is a prominent international educational institution. Their campus network supports thousands of students and staff, managing a high volume of sensitive personal data and critical operational systems.
| Category | Details |
|---|---|
| Industry | Education |
| Challenge | Gaining 24/7/365 visibility into internal network activity, identifying anomalous user behavior, and detecting potential insider or external threats before they escalate. |
| Solutions Used | 24/7 i-SOC, Managed Security Service (MSSP), SIEM & Managed Detection & Response (MDR) |
The Challenge
The client's internal IT team faced a significant challenge in monitoring their complex network 24/7. Without a dedicated Security Operations Center (SOC), they had limited visibility into real-time network traffic and user behavior. This "black box" environment meant that:
- Anomalous activity, such as unusual logins or access patterns, could go undetected for long periods.
- Potential insider threats, whether accidental or malicious, posed a significant risk to sensitive student and financial data.
- Misconfigured systems or services could create security gaps or generate high volumes of "noise," making it impossible to identify genuine threats.
- Escalation of a minor issue into a major breach was a primary concern, as the IT team lacked the 24/7 resources to triage every alert.
The AKATI Sekurity Solution
The institution partnered with AKATI Sekurity to deploy our 24/7/365 i-SOC MSSP service. This engagement provided an immediate, expert-led Managed Detection and Response (MDR) capability.
Our i-SOC team onboarded the school's critical log sources, including network devices and endpoints, into our advanced SIEM platform. This enabled our SOC analysts to provide Level 1 monitoring, research, and triage of all events. Instead of just forwarding raw alerts, our i-SOC acts as a filter, escalating only validated, actionable anomalies to the client's IT team with clear, concise remedial instructions.
Quarterly Threat & Triage Summary
Our SOC's primary function is to analyze all events and classify them against the Cyber Kill Chain. This ensures that genuine threats are prioritized and non-critical "noise" is handled appropriately. Throughout the quarter, all detected events were successfully triaged, with zero critical incidents or breaches identified.
The monitoring successfully identified and neutralized numerous non-critical anomalies, primarily in the "Persistent Foothold" and "Propagation" stages, allowing the client to fix hygiene issues before they could be exploited.
[Figure: Cyber Kill Chain Alert Summary]
Monthly Triage & Escalation Metrics
The following metrics represent an anonymized, high-level summary of our i-SOC's activity over a single quarter, demonstrating the high volume of analysis performed to deliver high-fidelity, actionable alerts.
| Reporting Period | Total Events Analyzed | Non-Critical Anomalies Triaged | Critical Incidents Escalated |
|---|---|---|---|
| Month 1 (July) | > 75,000 | Dozens | 0 |
| Month 2 (August) | > 100,000 | Dozens | 0 |
| Month 3 (Sept) | > 80,000 | Dozens | 0 |
Discovery: Sample Proactive Detections
The true value of the MSSP service is in detecting and providing context for anomalies that automated systems alone would miss. Our SOC team identified, researched, and escalated numerous events for client-side validation.
| Anomaly Category | Description & Findings | SOC Analyst Recommendations |
|---|---|---|
| User Asset Access Anomaly | Detected multiple instances of user accounts accessing internal servers and assets after long dormancy periods (e.g., 20-60+ days). This behavior deviates from normal patterns and could signify unauthorized access. | SOC analysts escalated findings to client IT team for validation of dormant account activity. Recommended immediate verification of user access rights and correlation with current role assignments to mitigate potential unauthorized access risk. |
| Internal Login Failure Anomaly | Identified high-volume failed login attempts (e.g., 90+ attempts in one period) from a single internal account. This indicated a high probability of a misconfigured service or script with hardcoded, expired credentials. | SOC identified credential-based authentication failure patterns consistent with service account misconfiguration. Recommended audit of automated processes and service accounts to remediate hardcoded credentials, preventing account lockout and reducing false-positive alert volume. |
| Password Reset Anomaly | Flagged unusual patterns of password resets (e.g., 10-15 resets in 24h) by both user and system accounts. This anomalous behavior required validation to rule out privilege misuse or automation errors. | SOC flagged high-frequency password reset activity for security review. Recommended validation of account management processes and implementation of password reset controls to prevent potential privilege escalation or automated system errors. |
| Sensor Status Anomaly | Proactively monitored the health of data ingestion sensors, noting minor, periodic disconnections. This allowed for network troubleshooting before it could lead to a visibility gap. | SOC proactively monitored telemetry health and identified intermittent sensor connectivity issues. Provided detailed logging data to support network infrastructure investigation, ensuring continuous security monitoring coverage and preventing detection blind spots. |
Conclusion
Visibility is the foundation of effective security. AKATI Sekurity's i-SOC MSSP engagement transformed the client's security posture from reactive to proactive, providing 24/7 expert oversight. By analyzing thousands of events to identify and escalate only the most relevant anomalies, our i-SOC frees the institution's internal IT team from alert fatigue. This allows them to focus their limited resources on validated tasks, dramatically improving cyber hygiene and ensuring the campus network remains secure.