Shared Resources Amplify Higher Ed Security
On average, attackers are able to spend six to eight months inside a network before anyone discovers the breach. SOCs are likely to spot that malicious activity sooner, says Kelly. “They provide the ability to detect that earlier in the cyber kill chain lifecycle.”
The infrastructure behind a SOC can be costly, but that’s just the beginning, Kelly adds. Institutions need high-capacity network links to collect the traffic and telemetry to be analyzed, storage to house the logs generated by the ever-increasing number of devices on campus networks, and skilled analysts who can recognize the different types of attacks and know how to respond to them. Plus, they need the compute power to handle all of that.
“We used to talk about looking for a needle in a haystack,” Kelly says. “Now you’re looking for a needle in a stack of needles.”
To power that search, OmniSOC uses Elastic’s security information and event management (SIEM) platform, which includes some machine learning capabilities, as its back-end security analysis engine.
“As you can imagine, with the quantity of data that we’re receiving, it’s difficult for a team of five security professionals to analyze all of that. So, we’re going to have to look at machine learning and figure out how we can help it at least identify some anomalies that we can use our security engineering talent to dig a little deeper into,” David says.
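To make concrete what that kind of anomaly scoring hands to a small analyst team, here is an added example, written for this article and not taken from OmniSOC’s Elastic deployment or from any campus. It runs two simple unsupervised checks over constructed authentication log lines: a rarity score for each (host, user, source) pairing, and a z-score on login failures per host-hour against the corpus baseline. The log lines, the field names and the thresholds are all assumptions chosen for illustration; the output is the short ranked list an engineer would dig into.

```python
"""Toy SIEM-style anomaly triage over auth logs (standard library only).

Rarity: score each (host, user, src) tuple by its self-information, -log2 p,
so a pairing seen once in a large corpus scores high and routine ones score low.
Burst: count login failures per (host, hour) and flag buckets far above the
corpus mean. Both thresholds are illustrative assumptions, not tuned values.
"""
import math
import statistics
from collections import Counter, defaultdict

# Constructed sample events (syslog-style key=value fields). Not real data; it
# exists only so the script runs offline. Hosts, users and IPs are invented.
SAMPLE_LOGS = """\
2024-03-04T08:01:10 host=lib-ws01 user=alice src=10.10.1.5 action=login result=ok
2024-03-04T08:03:42 host=lib-ws01 user=alice src=10.10.1.5 action=login result=ok
2024-03-04T09:15:03 host=lib-ws01 user=alice src=10.10.1.5 action=login result=ok
2024-03-04T10:20:18 host=lib-ws01 user=alice src=10.10.1.5 action=login result=ok
2024-03-04T13:01:55 host=lib-ws01 user=alice src=10.10.1.5 action=login result=ok
2024-03-04T08:11:30 host=dorm-gw02 user=bob src=10.20.3.7 action=login result=ok
2024-03-04T08:12:01 host=dorm-gw02 user=bob src=10.20.3.7 action=login result=fail
2024-03-04T08:12:20 host=dorm-gw02 user=bob src=10.20.3.7 action=login result=ok
2024-03-04T12:40:09 host=dorm-gw02 user=bob src=10.20.3.7 action=login result=ok
2024-03-04T14:02:44 host=dorm-gw02 user=bob src=10.20.3.7 action=login result=ok
2024-03-04T09:00:12 host=hr-db01 user=dbadmin src=10.30.0.2 action=login result=ok
2024-03-04T11:30:12 host=hr-db01 user=dbadmin src=10.30.0.2 action=login result=ok
2024-03-04T15:45:12 host=hr-db01 user=dbadmin src=10.30.0.2 action=login result=ok
2024-03-04T02:17:03 host=hr-db01 user=alice src=203.0.113.9 action=login result=ok
2024-03-04T03:05:01 host=hr-db01 user=admin src=198.51.100.4 action=login result=fail
2024-03-04T03:05:02 host=hr-db01 user=admin src=198.51.100.4 action=login result=fail
2024-03-04T03:05:03 host=hr-db01 user=admin src=198.51.100.4 action=login result=fail
2024-03-04T03:05:04 host=hr-db01 user=admin src=198.51.100.4 action=login result=fail
2024-03-04T03:05:05 host=hr-db01 user=admin src=198.51.100.4 action=login result=fail
2024-03-04T03:05:06 host=hr-db01 user=admin src=198.51.100.4 action=login result=fail
"""


def parse_events(text):
    """Turn 'timestamp k=v k=v ...' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = ts
        events.append(fields)
    return events


def rarity_findings(events, threshold):
    """Flag (host, user, src) tuples whose -log2(frequency) meets the threshold."""
    keys = [(e["host"], e["user"], e["src"]) for e in events]
    counts, n = Counter(keys), len(keys)
    findings = []
    for (host, user, src), c in counts.items():
        score = -math.log2(c / n)  # bits of surprise; 1 of 20 events -> ~4.32
        if score >= threshold:
            findings.append({"kind": "rare_access", "score": round(score, 2),
                             "host": host, "detail": f"user={user} src={src} seen {c}/{n}"})
    return findings


def burst_findings(events, z_threshold):
    """Flag (host, hour) buckets whose failure count is z_threshold std devs above the mean."""
    fails = defaultdict(int)
    for e in events:
        bucket = (e["host"], e["ts"][:13])  # YYYY-MM-DDTHH; zero-failure buckets count too
        fails[bucket] += int(e.get("result") == "fail")
    values = list(fails.values())
    mean, sd = statistics.mean(values), statistics.pstdev(values)
    if sd == 0:  # every bucket identical: nothing stands out
        return []
    findings = []
    for (host, hour), count in fails.items():
        z = (count - mean) / sd
        if z >= z_threshold:
            findings.append({"kind": "failure_burst", "score": round(z, 2),
                             "host": host, "detail": f"{count} failures in hour {hour} (mean {mean:.2f})"})
    return findings


def triage(log_text, rarity_threshold=4.0, z_threshold=3.0):
    """Return the analyst worklist: all findings, highest score first."""
    events = parse_events(log_text)
    findings = rarity_findings(events, rarity_threshold) + burst_findings(events, z_threshold)
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f['kind']:14} score={f['score']:5} host={f['host']:10} {f['detail']}")
```

On the sample, twenty events reduce to two items: a never-before-seen alice login to hr-db01 from an outside address at 02:17, and a six-failure burst against the same host an hour later. Note the caveat a practitioner would raise: with only a dozen host-hour buckets the mean and standard deviation are fragile, and a robust statistic such as median absolute deviation would return zero here, which is why a real deployment scores against a long baseline window rather than the detection window itself.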
The University of Texas at Austin operates a successful SOC as a Service, CyberPosse, that serves campuses in the UT system as well as 950 international clients (including other colleges and state and local government agencies).
The State University of New York SOC, open to the 64 campuses in its system, provides software, tools and threat and log monitoring through a third-party vendor, along with services such as anti-phishing campaigns and vulnerability assessments.
Yet the value of shared SOCs extends beyond services, says Bill Lansbury, associate vice president of IT and enterprise infrastructure at Rutgers. OmniSOC members, for instance, have access to partners’ security tools and expertise. The ROI is greater than performing the same tasks in-house, he adds.
“For us to do what we’re getting out of OmniSOC, we would need to have five to seven additional full-time staffers, not to mention the training and professional development,” says Rick Haugerud, assistant vice president for information security and CISO for the University of Nebraska-Lincoln. “We’re just not in an environment where we can get that.”