How 5 universities stretch security capabilities, budgets with shared SOC

Higher education faces a lot of the same threats as other sectors: phishing, zero-days, APTs and more. Given that university campuses often operate like small cities, they can face their own unique challenges.

Thousands of students constantly come and go on campus, bringing their own devices and using on-site equipment. Advanced research might require bespoke equipment that needs to be securely plugged into the network, creating information that then needs to be protected by an under-resourced security team.

According to higher education non-profit Educause, information security strategy is the main IT issue in the sector and has been since 2016. IBM’s 2018 Cost of a Data Breach survey states that it takes education organizations an average of 217 days to find a threat and 84 to contain it.

Pooling resources for a shared security operations center

To better combat the threats they are facing, a group of universities in the Midwest joined forces to create a joint security operations center (SOC), known as OmniSOC, to supplement their own SOCs with added capabilities. Based at Indiana University, OmniSOC, which won a CSO50 Award for security innovation, currently serves five universities: Indiana University, Northwestern University, Purdue University, Rutgers University and the University of Nebraska. It provides services such as 24/7 event monitoring and triage, incident alert notification, call center services, threat hunting and analysis and threat intelligence collection and sharing.

OmniSOC collects real-time security information data feeds from each member university and collates with other intelligence and data feeds. It monitors and identifies suspicious or malicious traffic or events and escalates that back to the university’s on-site SOC if required. Currently, OmniSOC has six service desk technicians providing tier-one analysis and triage, three security engineers doing tier-two security analysis and threat hunting, and four and a half people on platform engineering.

Indiana University

“We’re not trying to be a replacement for the talented security professionals that are at our customer institutions,” says Tom Davis, executive director and CSO of OmniSOC. “The fact of the matter is that they’re extremely overworked, and so we are trying to support those schools by augmenting what technologies they currently have in place and by providing more consistent 24-by-7 monitoring of the alerts that are getting generated from those good systems that they’ve deployed there.”

“So, if they get distracted by an event or the project on campus, they have the knowledge that the OmniSOC team is continuing to look at those alerts that are coming across and then escalating those alerts back to the campus as necessary,” Davis adds.

Collaboration and trust key to sharing security operations

Davis has been at Indiana University for over 30 years, and he served as the university’s CSO prior to becoming OmniSOC’s CSO and executive director in 2017. He says the Big Ten Academic Alliance (BTAA), a group of universities across the Midwest, has been collaborating around cybersecurity since the 1990s.

“At the end of the day we’re not competing. It’s about supporting the overall mission of the higher education space, which is creating and disseminating knowledge,” says Davis. “And I think that’s kind of the one area that distinguishes higher education from some of the other sectors that focus on cybersecurity in that we have always collaborated.”

Back in the 1990s Davis says the main information sharing was around the mainframe and was done face-to-face every few months. “We would go back to our institutions after those face-to-face meetings, and we get so involved and engrained in the business and security of our own university that we really didn’t have the opportunity to collaborate more holistically on operational security services.”

Around three years ago discussions began about collaborating around security operations among the Big 10 universities. While Davis is keen to involve more universities in the future, the decision was made to keep the initial launch within the Big 10 community. “Security professionals are really protective of the information we’re entrusted with, and it requires a significant level of trust from the customers to the OmniSOC and vice-versa to make this work.”

“We realized that if we’re going to do something operationally focused where we’re trusting each other with incident data or security event data, that it would be best within our own family and figure out how to make this work within the family because of the trust and the personal relationships we’ve developed throughout the years and then expand those operations and services out,” he adds.

Once all the formal data sharing agreements were decided upon, the OmniSOC team was hired and began visiting each of the founding member universities to ask what kind of services the universities needed the most.

Collating information to better protect all campuses

OmniSOC uses Elasticsearch as its SIEM infrastructure. Event data flows into customers’ security and monitoring solutions, is enriched and normalized, and then put into the Elasticsearch environment. The team uses Kibana to create visualizations and dashboards to quickly identify traffic spikes or new events that are being created on the campuses that need attention.

“We are alerting them to things we are observing on their network. We are providing contextual information around those alerts that we escalate to the campus teams, and we’re not just launching a grenade into their foxhole and then expecting them to deal with it,” says Davis. “We will provide them support along the way, providing them details on what data we observed, why we think it was particularly suspicious or malicious, and provide them guidance if they need it on how they might mitigate that risk.”

Davis says that information flowing in from a variety of environments all using different tools provides greater visibility to the team, and because it is then fed into one data stream means any indicators of an incident can quickly alert other campuses to similar attacks. “We might have a Palo Alto at one campus, you may have Bro or Suricata at another campus and they each have different approaches to identifying malicious traffic. Where one might miss it, another will catch it and alert us to look for that kind of similar traffic at the other institutions. The Elastic stack allows us to quickly pivot on that information to be able to look across the other customers’ networks and be able to identify any kind of similar traffic that may be occurring in those institutions.”

The benefits, Davis explains, were almost immediate. Within 24 hours of the OmniSOC going live, it discovered a compromised host that the affected institution had to respond to, and the week before speaking to CSO, his team identified a threat that had been targeting multiple campuses.

Indiana University a higher education security hub

OmniSOC is housed within Indiana University. Its security staff are IU employees, and member universities pay a fee to cover the cost of operation. Indiana University is also home to both the Global Research Network Operations Center (GlobalNOC), which provides network management services to the higher education space, and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), which shares threat intelligence and alerts among the education sector.

“One of the reasons why the CIOs [of the member universities] chose to place the OmniSOC at Indiana University is because we have a proven track record of providing these kinds of higher-ed focused services out to the higher ed community as a whole,” explains Davis.

On the technical side, Davis says the plans are to mature OmniSOC’s capabilities and processes, start doing more around sharing threat intelligence back into the wider higher education community through the likes of REN-ISAC, and delve further into machine learning and automatic remediation. “We’re currently piloting [machine learning] right now. It’s going to be a big one for us because we’re talking about receiving large, large quantities of data and regardless of how many security engineers I hire in this SOC, there’s no way we’re going to be able to have eyes look at all the data that we’re getting sent to us.”

“[With automated mitigation] we’ve got to figure out a way to be able to enact change on the campuses, and that requires even more trust because we could inflict a lot of damage if we mitigate a risk that really isn’t a risk or block some key services to support the mission of the schools,” says Davis.

Expanding OmniSOC’s reach has been the goal “from day one.” Davis says the priority over the next 12 to 18 months is to expand into other large universities outside of the Big 10 that have their own SOCs that OmniSOC can complement, before eventually moving into smaller institutions. “We want to make as much of an impact in higher education as we can around cybersecurity,” he says. “Some of the smaller schools in higher education really either lack a dedicated security professional or they have a security professional who is also acting as the network administrator and desktop support person, so they would most likely require additional support from our security engineering team.”

“They’re the ones likely in the most need of them because of the limited staffing that they have and really looking for these kinds of shared services, but we need to mature our operations to understand what it means to provide this level of services to smaller mid-size schools.”