OmniSOC, which is housed at Indiana University, provides valuable continuous monitoring and security resources to other universities that benefit greatly from the shared services model.

Feb 24 2020

Universities Speed Up Threat Detection with Security Operations Centers

OmniSOC and similar partnerships help higher education improve threat monitoring and response.

Since the early 1990s, IT security professionals from schools in the Big Ten Academic Alliance have been meeting to share ideas. Early discussions around securing mainframes have evolved into quarterly meetings exploring cybersecurity policies, processes, tools and incidents.

“We had those relationships established, but we didn’t have anything operationally focused across the institutions,” says Tom Davis, founding executive director and CISO at OmniSOC, a security operations center housed at Indiana University. “We’re all doing similar things, maybe in slightly different ways using slightly different tools, but we’re facing the same kinds of threats.”

OmniSOC, launched in 2017 by five of the Big Ten members — IU, Rutgers University, Purdue University, Northwestern University and the University of Nebraska–Lincoln — is designed to fill that operational gap. Today, it conducts constant network security monitoring and defense across all five campuses.

As security threats continue to be ­pervasive, more institutions are taking advantage of SOCs — both SOC as a Service offerings and homegrown ­partnerships — dedicated to monitoring network traffic for anomalies and mitigating threats.

“That shared model is becoming more common because building, staffing, maintaining, training — all of the things that go into having a functional SOC — are expensive and time-consuming,” says Brian Kelly, director of EDUCAUSE’s cybersecurity program. “But not having a SOC or a SOC-like service on campus is just not a workable strategy anymore.”

Shared Resources Amplify Higher Ed Security

On average, attackers are able to spend six to eight months inside a network before anyone discovers the breach. SOCs are likely to spot that malicious activity sooner, says Kelly. “They provide the ability to detect that earlier in the cyber kill chain lifecycle.”

The infrastructure behind a SOC can be costly, but that’s just the beginning, Kelly adds. Institutions need large-conduit network activity to gather the data to be analyzed, storage to house the logs generated by the ever-increasing number of devices on campus networks and skilled analysts who can detect the different types of attacks and know how to respond to them. Plus, they need the compute power to handle all of that.

“We used to talk about looking for a needle in a haystack,” Kelly says. “Now you’re looking for a needle in a stack of needles.”

To power that search, OmniSOC uses Elastic security information and event management, which has some machine learning capabilities, for a back-end security analysis engine.

“As you can imagine, with the quantity of data that we’re receiving, it’s difficult for a team of five security professionals to analyze all of that. So, we’re going to have to look at machine learning and figure out how we can help it at least identify some anomalies that we can use our security engineering talent to dig a little deeper into,” David says.

The University of Texas at Austin operates a successful SOC as a Service, CyberPosse, that serves campuses in the UT system as well as 950 international clients (including other colleges and state and local government agencies).

The State University of New York SOC, open to the 64 campuses in its system, provides software, tools and threat and log monitoring through a third-party vendor, along with services such as anti-phishing campaigns and vulnerability assessments.

Yet the value of shared SOCs extends beyond services, says Bill Lansbury, associate vice president of IT and enterprise infrastructure at Rutgers. OmniSOC members, for instance, have access to partners’ security tools and expertise. The ROI is greater than performing the same tasks in-house, he adds.

“For us to do what we’re getting out of OmniSOC, we would need to have five to seven additional full-time staffers, not to mention the training and professional development,” says Rick Haugerud, assistant vice president for information security and CISO for the University of Nebraska-Lincoln. “We’re just not in an environment where we can get that.”

CISO Tom Davis

Shared resources like OmniSOC help ­colleges augment their cybersecurity staff, says Founding Executive Director and CISO Tom Davis. Photo: Emily Ann Sterneman/Indiana University

SOCs Help Colleges Respond to Breaches

It didn’t take long for OmniSOC to prove its worth. Within 24 hours of its launch, it identified a compromised host at one of its partner institutions.

“It wasn’t a serious breach, but it could have posed a threat to other hosts on the network,” says Davis. IU became OmniSOC’s home institution because it was already home to the Global Research Network Operations Center, which manages networks around the world. GlobalNOC, which has locations on IU’s Bloomington and Indianapolis campuses, gives OmniSOC redundancy and access to round-the-clock services.

Partner institutions were able to use the security infrastructure they already had in place, including firewalls and intrusion detection systems. They just added appliances (deployed and managed by OmniSOC) to send data securely to OmniSOC, which collects and normalizes that data using the Elastic SIEM system. The use of existing infrastructure can make SOCs feasible for institutions that aren’t interested in building out an entire new system.

In addition to Davis, OmniSOC’s 16 employees are divided among three teams: security engineers who handle threat-hunting analysis, a dedicated security platform engineering team that gathers and normalizes data from partner institutions, and a six-person 24/7 service desk. The two latter teams are organizationally part of the GlobalNOC, but functionally they report to Davis.

“There’s no way you could run a 24/7 operation just on six full-time employees,” says Davis. “We’ve been able to leverage the existing GlobalNOC service desk team to augment those needs after hours and on weekends.”

Security as a Service Fuels Continuous Monitoring

While all of the partner institutions had their own SOCs in place before forming OmniSOC, their staffs had competing demands.

“It’s very common in higher ed for security teams to be overtasked,” says Davis. So, even if an institution has the best intrusion detection system, security personnel can’t spend all their time looking at the resulting data.

That’s where Security as a Service can be useful. OmniSOC, for example, receives data from each partner institution to provide continuous monitoring. If an engineer spots an anomaly in traffic at one of the institutions, he or she flags it and escalates a ticket to that university.

In one case, OmniSOC detected unusual activity on Rutgers’ network: an IP camera receiving exploit instructions from another country. Rutgers’ incident-response team contacted the camera’s owner, and a simple firmware update resolved the problem, says Scott Borbely, security operations manager at Rutgers. Those extra eyes can be most beneficial after hours, says Haugerud.

“Alerts get that first level of ‘this is not normal’ from OmniSOC,” whereas before, alerts might have sat idle from 10 p.m. until 9 or 10 the next morning, he says. “It all ties back into that concept of improved detection: How do we identify and start to respond in hours versus days or weeks?”

OmniSOC also has an advantage because it draws data from five institutions using different security tools. So, for instance, if one intrusion detection system finds suspicious behavior that the other four universities missed, the OmniSOC team notifies everyone of the potential threat.

“It’s really an extension of our existing resources,” says Lansbury. “It’s one team working for all the members of OmniSOC. If something happens at Purdue, we immediately get made aware of it so we can protect against it. We don’t have to wait for it to get to us.”

Emily Ann Sterneman/Indiana University