Founded in the 15th century, St Andrews is Scotland’s first University and the third oldest in the English-speaking world. Teaching began in the community of St Andrews in 1410, and the University was formally constituted by the issue of a papal bull in 1413.
With over 10,000 students from nearly 200 countries, the University’s IT infrastructure is vast and complex, requiring a robust cybersecurity strategy to protect its digital assets.
St Andrews has been heavily relying on TheHive for more than 4 years.
The SOC team is a heavy user of TheHive, and it's been integrated in a lot of processes.
Sam Foster,
IT Security Officer
It helps the team have better alert visibility, conveniently investigate suspicious cases and quickly respond to incidents.
In today’s success story, we will focus on the University’s recent implementation of a new workflow. Its purpose? Automating vulnerability management to reduce manual effort and risk exposure.
A game-changing workflow: automating CVE ingestion
Saving 10 hours per week with automated CVE management
Previously, vulnerability management involved time-consuming manual checks, increasing the risk of missing critical updates.
Sam Foster
IT Security Officer
Now, with TheHive’s integration with MISP, CVE data ingestion is fully automated.
Here’s how the workflow operates today:
1. Fetching CVE data: Every 24 hours, a custom program written by the team runs in the background to fetch the CVE data from MISP. It then creates alerts in TheHive using its API.
2. Alert creation and analysis: Each alert provides key details, helping the team quickly assess whether a vulnerability affects the University's systems and requires action.
3. Email notifications: Additionally, the alerts are sent as emails. This gives recipients a quick overview of each alert, with the CVE numbers, names and affected applications. The emails also serve as confirmation that the alerts were successfully created in TheHive.
4. Escalation to vulnerability notification: If an alert reveals a potential risk for the network, the team can use a special playbook to turn it into a vulnerability notification. This can then be used to send the relevant information to system owners, who can remediate or upgrade if needed.
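The first two steps of the workflow above, written out as an added example: this is not the University's program and not code from StrangeBee or MISP, but a stand-alone sketch of the same shape. It queries MISP's `/attributes/restSearch` endpoint for `vulnerability` attributes added in the last 24 hours, collapses them into one TheHive alert per CVE (TheHive rejects a second alert with the same `type`/`source`/`sourceRef`, so the script deduplicates before posting), and creates the alerts through TheHive's `POST /api/v1/alert`. The `priority:*` tags used to derive a severity are hypothetical placeholders for whatever taxonomy a team actually applies in MISP, the sample MISP response is constructed, and the handling of an HTTP 400 on a duplicate alert is an assumption about TheHive's response.

```python
"""Added example: fetch vulnerability attributes from MISP and raise one TheHive alert per CVE."""
import json
import os
import urllib.error
import urllib.request

# Constructed sample of what MISP's /attributes/restSearch returns for
# type "vulnerability" attributes, trimmed to the fields used below.
SAMPLE_MISP_RESPONSE = {
    "response": {
        "Attribute": [
            {"id": "101", "event_id": "7", "type": "vulnerability", "value": "CVE-2024-0001",
             "comment": "OpenSSL in web frontend",
             "Event": {"info": "Vendor advisories 2024-03"},
             "Tag": [{"name": "tlp:amber"}, {"name": "priority:high"}]},
            {"id": "102", "event_id": "7", "type": "vulnerability", "value": "CVE-2024-0002",
             "comment": "",
             "Event": {"info": "Vendor advisories 2024-03"},
             "Tag": [{"name": "tlp:amber"}]},
            # Same CVE reported again by a second event: must merge, not duplicate.
            {"id": "203", "event_id": "9", "type": "vulnerability", "value": "cve-2024-0001",
             "comment": "Also tracked by CERT feed",
             "Event": {"info": "CERT feed 2024-03"},
             "Tag": [{"name": "priority:critical"}]},
            # Non-vulnerability attribute that the search should never hand us; ignored.
            {"id": "300", "event_id": "9", "type": "ip-dst", "value": "203.0.113.5", "Tag": []},
        ]
    }
}

# Hypothetical MISP tags -> TheHive severity (1 low .. 4 critical); default is 2 (medium).
SEVERITY_BY_TAG = {"priority:critical": 4, "priority:high": 3}


def fetch_misp_vulnerabilities(misp_url, api_key, last="1d"):
    """Return MISP vulnerability attributes added within `last` (MISP's relative-time filter)."""
    body = json.dumps({"returnFormat": "json", "type": "vulnerability", "last": last}).encode()
    req = urllib.request.Request(
        f"{misp_url.rstrip('/')}/attributes/restSearch", data=body, method="POST",
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)["response"]["Attribute"]


def misp_attributes_to_alerts(attributes, source="MISP"):
    """Collapse attributes into one TheHive alert payload per CVE, keyed by sourceRef."""
    alerts = {}
    for attr in attributes:
        if attr.get("type") != "vulnerability":
            continue
        cve = attr["value"].strip().upper()
        if not cve.startswith("CVE-"):
            continue
        tags = [t["name"] for t in attr.get("Tag", [])]
        severity = max((SEVERITY_BY_TAG.get(t, 2) for t in tags), default=2)
        event_info = attr.get("Event", {}).get("info", "")
        note = f"MISP event {attr['event_id']}: {event_info} {attr.get('comment', '')}".rstrip() + "\n"
        alert = alerts.get(cve)
        if alert is None:
            alerts[cve] = {
                "type": "vulnerability",
                "source": source,
                "sourceRef": cve,            # TheHive uniqueness key together with type/source
                "title": f"{cve}: {attr.get('comment') or event_info}",
                "description": note,
                "severity": severity,
                "tags": sorted(set(tags) | {cve}),
                "observables": [{"dataType": "other", "data": cve}],
            }
        else:
            # Merge a repeat sighting: keep the highest severity, union the tags, append context.
            alert["severity"] = max(alert["severity"], severity)
            alert["tags"] = sorted(set(alert["tags"]) | set(tags))
            alert["description"] += note
    return list(alerts.values())


def push_alert(thehive_url, api_key, alert):
    """Create the alert in TheHive; returns the created alert, or None if it already existed."""
    req = urllib.request.Request(
        f"{thehive_url.rstrip('/')}/api/v1/alert", data=json.dumps(alert).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 400:  # assumption: duplicate type/source/sourceRef is reported as 400
            return None
        raise


if __name__ == "__main__":
    # Intended to run from a daily scheduler; credentials come from the environment.
    attrs = fetch_misp_vulnerabilities(os.environ["MISP_URL"], os.environ["MISP_KEY"])
    for payload in misp_attributes_to_alerts(attrs):
        created = push_alert(os.environ["THEHIVE_URL"], os.environ["THEHIVE_KEY"], payload)
        print(payload["sourceRef"], "created" if created else "already present")
```

Running it against the constructed sample yields two alerts: CVE-2024-0001 merged from two events at severity 4 with both events' context in its description, and CVE-2024-0002 at the default severity; the `ip-dst` attribute is dropped.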
We only established this workflow over 5 months ago, and it already saves us around 10 hours per week compared to the previous process.
Lewis Goor,
Penetration Tester
Key benefits of the new workflow
- Eliminates manual CVE tracking, reducing human error
- Provides immediate alerts via email with CVE details, to help quickly understand potential risks
- Enables rapid triage and escalation using TheHive’s case management capabilities
This workflow has freed up critical time, so I can focus on more strategic security tasks.
Lewis Goor
Penetration Tester
TheHive, a single pane of glass for security operations
The University’s SOC receives 150-300 alerts from MISP in TheHive daily.
Once an alert enters TheHive, the SOC team evaluates its relevance:
- False positives: About 50% of incoming CVE alerts are deemed irrelevant and dismissed.
- Relevant but non-critical: These are logged for awareness but require no immediate action.
- High-risk vulnerabilities: About 5-10% of CVEs require urgent attention.
All of this is always visible, with TheHive acting as a single pane of glass.
To investigate alerts and react to true positives, the team uses the extensive case management capabilities of TheHive. The platform helps prioritize vulnerabilities, display data in an accessible and customizable way, keep the team posted through notifications, and preserve all gained knowledge for future use through convenient reporting.
It also enables collaboration, so all the required SOC members are on the same page and can combine their efforts.
Thankfully, we haven’t yet had any incidents to respond to. The workflow featuring TheHive & MISP helps us manage vulnerabilities before they turn into threat factors. And even if something happens, we know we can rely on TheHive to react immediately.
Sam Foster,
IT Security Officer
Beyond vulnerability management: Expanding TheHive’s role
The University of St Andrews is also developing additional security workflows using TheHive. One such initiative involves detecting typo-squatted domains to protect the University’s brand from phishing threats.
By integrating TheHive with DNS monitoring tools, the team can automatically detect and assess potentially malicious domains mimicking the University's official website.
TheHive for tackling typo-squatting
TheHive is already helping another client, Thales, to prevent typo-squatting.
With TheHive, St Andrews’s SOC has significantly improved efficiency in cybersecurity operations, ensuring a proactive approach to risk management.