Cyber security threat monitoring


Expert-led security monitoring, combining our expertise with Splunk technology to detect and combat threats while simplifying security management.

24/7 expert security monitoring for education and research

Our cyber security threat monitoring (CSTM) service delivers comprehensive 24/7 monitoring through advanced log consolidation and expert-driven threat analysis. We meticulously aggregate and analyse security logs from multiple sources and provide precise threat categorisation.

Our dedicated team of cyber security analysts carefully reviews each alert, dramatically reducing false positives and ensuring that your internal teams are empowered with actionable intelligence to investigate critical alerts.

Alert management and escalation

Receive timely, detailed alerts for suspicious activities, including privileged account login attempts from unusual locations, unusual authentication patterns, and potentially malicious system changes.

All CSTM customers have direct access during work hours to our CSIRT expertise for guidance and support, ensuring rapid and coordinated threat mitigation.

Detection methodology

  • Notable generating rules: sophisticated algorithms trigger timely alerts when clear threats are detected, such as successful brute force attacks or known malicious activities
  • Risk generating rules: advanced system builds cumulative risk scores by tracking potentially suspicious activities across your environment until they reach the investigation threshold

Both approaches work in tandem to provide layered protection that catches both obvious attacks and more subtle threat patterns.

Protection domains

  • Access: continuous monitoring of login attempts, detection of impossible travel scenarios, and prevention of brute force attacks — forming a strong first line of defence against unauthorised access
  • Endpoint: advanced detection of security log clearance, suspicious PowerShell command execution, system reconnaissance activities, and shadow copy tampering — identifying attackers attempting to establish persistence
  • Identity: proactive security for privileged accounts by flagging potential account takeovers, unauthorised group membership changes, and suspicious MFA modifications — preventing privilege escalation before damage occurs
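To make the two rule types from the detection methodology concrete, here is an added Python example (not Jisc's or Splunk's code; in Splunk these would be SPL correlation searches) that runs a notable rule for a successful brute force and a cumulative risk rule over the endpoint events listed above. The events, per-event risk scores and the investigation threshold are constructed, assumed values.

```python
from collections import defaultdict

def ev(user, host, kind):
    """Build one constructed log event (not real customer data)."""
    return {"user": user, "host": host, "type": kind}

# Constructed sample batch: a brute force against alice's account that
# eventually succeeds, three endpoint events on bob's workstation, and a
# single suspicious PowerShell run by carol.
EVENTS = (
    [ev("alice", "lab-pc-07", "logon_failure")] * 5
    + [ev("alice", "lab-pc-07", "logon_success"),
       ev("bob", "admin-ws-01", "security_log_cleared"),
       ev("bob", "admin-ws-01", "suspicious_powershell"),
       ev("bob", "admin-ws-01", "shadow_copy_deleted"),
       ev("carol", "lib-pc-02", "suspicious_powershell")]
)

BRUTE_FORCE_FAILURES = 5   # assumed: failures before a success count as brute force
RISK_SCORES = {            # assumed risk contributed by each suspicious event type
    "security_log_cleared": 40,
    "suspicious_powershell": 30,
    "shadow_copy_deleted": 50,
    "system_recon": 20,
}
RISK_THRESHOLD = 100       # assumed cumulative score that opens an investigation

def run_detections(events):
    """Return (notables, risk_alerts, risk_scores) for one batch of events."""
    notables, risk_alerts = [], []
    failures = defaultdict(int)   # consecutive failures per (user, host)
    risk = defaultdict(int)       # cumulative risk score per user
    for e in events:
        key = (e["user"], e["host"])
        # Notable generating rule: alert immediately on a clear threat.
        if e["type"] == "logon_failure":
            failures[key] += 1
        elif e["type"] == "logon_success":
            if failures[key] >= BRUTE_FORCE_FAILURES:
                notables.append(f"brute force success: {e['user']}@{e['host']}")
            failures[key] = 0
        # Risk generating rule: accumulate score, alert once the threshold is crossed.
        elif e["type"] in RISK_SCORES:
            before = risk[e["user"]]
            risk[e["user"]] += RISK_SCORES[e["type"]]
            if before < RISK_THRESHOLD <= risk[e["user"]]:
                risk_alerts.append(f"risk threshold reached: {e['user']} ({risk[e['user']]})")
    return notables, risk_alerts, dict(risk)

if __name__ == "__main__":
    print(run_detections(EVENTS))
```

Carol's single PowerShell event stays below the threshold and produces no alert on its own, which is how the cumulative approach keeps isolated low-confidence events from becoming false positives while bob's three related events on one host do reach the investigation threshold.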

Integration and development

Seamlessly integrates with your existing security infrastructure, including antivirus solutions and endpoint detection services, while aggregating all relevant logs in an intuitive centralised dashboard.

Purpose-built for education and research environments in partnership with Splunk, featuring customised filters that minimise alert fatigue while maintaining security effectiveness. Continuously refined to address emerging threats and attack vectors through regular updates to detection rules and monitoring capabilities.

Service benefits

Proactive security and expert support

  • Early threat detection with timely, expert-led alerts
  • 24/7 monitoring of security events across your infrastructure
  • Rule-based alerting
  • Ability to escalate to Jisc's CSIRT for rapid incident guidance
  • Advanced threat intelligence and more efficient response enablement
  • Consolidated log analysis from multiple sources for deeper insights
  • Advanced threat intelligence from live traffic analysis
  • Severity-based alert categorisation for prioritised action
  • Analyst review of all alerts to reduce false positives
  • Efficient response enablement for internal teams

The Janet Network advantage

  • Unique oversight of the Janet Network for enhanced threat detection
  • Advanced threat intelligence from live traffic analysis
  • Innovative containment options – full, partial, or scheduled blocking. For instance, partial containment ensures that essential business, security, and recovery systems remain operational, accelerating recovery significantly

Tailored for education and research

  • Purpose-built for education and research
  • Developed with Splunk and sector members
  • Addresses sector-specific security challenges

Seamless and scalable security management

  • Cloud-based SIEM solution for scalable threat monitoring
  • Continuous service improvement based on user feedback
  • Adaptable to emerging threats and evolving sector needs
  • Works with existing security tools (antivirus, endpoint detection)
  • Single dashboard for all security logs with prioritised event highlighting
  • Filterable detection rules to reduce noise and improve efficiency

"I highly recommend Jisc for their proactive and reliable support. We benefitted from 24/7 expert monitoring, knowing that any critical security issues will be swiftly managed."

Andy Seymour, ICT services manager, Northampton College

Service eligibility

Designed for education and research institutions looking to enhance their security posture with a comprehensive and scalable SIEM solution to bolster their Jisc membership.

Prerequisites include a Janet IP connection. An EDR solution is highly recommended but not mandatory.

Cyber security threat monitoring vs security operations centre (SOC)

Cyber security threat monitoring (CSTM), in combination with your Jisc membership, provides continuous expert monitoring, triage, and alerting of potential malicious activity across your IT environment, and support via Jisc CSIRT should you require it, empowering your internal team to respond faster and with more peace of mind.

If you would prefer an end-to-end managed service, where threats are not only detected but also contained and mitigated on your behalf in accordance with pre-defined criteria, the Jisc security operations centre (SOC) would better suit your needs and further reduce the burden on your internal operations.


Jisc is an approved supplier on the Crown Commercial Services G-Cloud framework and Cyber Security 3 dynamic purchasing system (DPS).

Visit the Crown Commercial Services website for more information and guidance on how to purchase G-Cloud 14 and Cyber Security Services 3.

Service levels

Hours of service

Working hours: 8:00-18:00, Monday to Friday (excluding public holidays)

Non-working hours: automated alerting is provided outside of working hours

Response times by urgency level

Critical urgency

  • Contact method: phone call and email
  • Response time:
    • During working hours: one-hour response via email
    • Outside working hours: two-hour response with one phone call and email

High urgency

  • Contact method: email
  • Response time:
    • During working hours: one-hour response
    • Outside working hours: automated notification only

Medium urgency

  • Contact method: email
  • Response time:
    • During working hours: two-hour response
    • Outside working hours: triaged next working day

Low urgency

  • Contact method: email
  • Response time:
    • During working hours: scheduled report notification
    • Outside working hours: scheduled report notification

Out-of-hours (OOH) protocol

  • OOH alerts are processed by automation
  • Alerts are escalated to designated OOH contacts within the defined SLA timeframes
  • A follow-up phone call for high-confidence critical alerts is made for immediate awareness
  • All OOH alerts are reviewed by an analyst on the next working day for thorough analysis and validation

Our project partners

Splunk, a Cisco company.

ISO certification

This service is included within the scope of our ISO9001 and ISO27001 certificates.

Read more about International Organisation for Standardisation (ISO) standards and view Jisc certificates.
