by ams6110 4425 days ago
Because most universities have pretty wide-open networks with high bandwidth, they do monitor for illegal, commercial, or malware activity on their networks. They don't want to get blacklisted as spammers among other things. They are also highly concerned about possible exposure of sensitive student personal and research data and some have started auto-encrypting emails that appear to contain such.

Why do they keep old logs if they're just monitoring for illegal/commercial/malware stuff?

And if they were very concerned with exposure of sensitive data, they wouldn't be logging it.

They keep the logs so they can use them in after-the-fact investigations, and for research.
> and for research.

That's not the same thing as "monitoring for illegal/commercial/malware activity".

In some cases, research does relate to identifying Security Threats. This mostly relates to layer 7, which is much more complex than port- and protocol-based detection. The idea is: if you don't know what you're looking for (presumably a 0-day or unknown threat), then how would one find it? The answer is, research (aka analyze) the data. This ranges from Flow Data (which can date back months/years) to Packet Captures, to even Real Time Deep Packet Inspection (all relating to SIEM Solutions). In these scenarios, you would be looking for the needle in the haystack, but the needle is not clearly defined. You would have to work to identify and define it. So research does relate to identifying illegal/commercial/malware activity. Organizations that understand this are working towards implementing (or have already implemented) real time adaptive security models to mitigate these threats. This will allow them to not only identify and attempt to stop unknown Security Incidents, but also effectively investigate Incidents (forensics).