Given the scope, scale and speed of the evolving cyberthreat, it’s possible that cybersecurity is a bigger job than any one university can handle on its own.
That’s why five major institutions joined forces recently to create a combined cyberintelligence hub. OmniSOC is a specialized, sector-based cybersecurity operations center, or SOC, that helps its members to track and respond to emerging cyberthreats in real time. The center went live in February.
Organizers say the operation is the first of its kind, a cyber-resource specifically tailored to meet the complex security needs particular to higher education. Based at Indiana University, OmniSOC also serves Northwestern University, Purdue University, Rutgers University and the University of Nebraska-Lincoln.
Operators track the threat landscape through a range of resources. Leveraging the capabilities of the GlobalNOC, the 24/7 Global Research Network Operations Center, OmniSOC ingests real-time security information from each member campus, as well as governmental and corporate security data. The system is engineered to advise members of emerging attack vectors and to provide rapid incident response.
By combining their cyber-resources, the partners are able to get a bigger view of the threat landscape. Such teaming is a natural fit in the culture of higher education, planners say.
“Traditionally, higher ed has done a really good job of collaborating, of sharing policies and guidelines among institutions,” said Tom Davis, executive director and CISO (chief information security officer) of OmniSOC. “That gives us an immense advantage. All the higher ed institutions have qualified, competent security professionals on their campuses. When all these people pool their knowledge, you really lift all boats. Cyber thrives on collaboration.”
By combining their resources, the member institutions are able to cultivate an approach to cyber that responds to the particular needs of the academic environment.
“All the verticals face the same kinds of threats: cybercriminals, hackers. But when you look at risk management principles and philosophies, those vary greatly across the verticals,” Davis said. “The financial sector will say you cannot bring your own device to work. In higher education we don’t have that privilege. Faculty, staff and students expect to bring their own devices. We have to meet the specific needs of our customers.”
To meet those needs, OmniSOC operators are looking to leverage the latest advances in artificial intelligence and machine learning, but not right away. They’ll rely on human analysts to establish sound policies and procedures before venturing into AI-driven processes.
In the long run, “machine learning will be critical to allow us to scale our service at a pace that will keep up with the amount of data we will be analyzing,” Davis said. “But we have to be guarded in how much we expect. We want to look for that sweet spot. We want to figure out the ways to make best use of it over time, but I don’t think it’s a single bullet.”
In these early days, operators are focusing on the fundamentals, building repeatable procedures to automate the analysis of large volumes of information. “We are looking at security information and event data coming from member institutions. Those can be things as simple as firewall logs, network flow information, intrusion detection events,” Davis said. “We put that all in a security information and event management system, the SIEM, where we aggregate and enrich that information. That allows us to do more thorough threat hunting, correlating the data and investigating a little bit further.”
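The aggregate, enrich and correlate loop Davis describes, shown as an added illustration that is not OmniSOC's own code: constructed firewall and IDS lines from two hypothetical member campuses are normalized into one schema, enriched with a constructed bad-IP list (the kind of indicator the article mentions) and the members' own assumed address ranges, then correlated so that an external source seen at more than one campus, or one on the intel list, surfaces as a finding.

```python
import ipaddress
from collections import defaultdict

# Constructed sample feed from two hypothetical member campuses (not real data):
# each line is "timestamp key=value ...", as a firewall or IDS might emit.
RAW_EVENTS = [
    ("campus-a", "firewall", "2024-02-01T10:00:01 action=deny src=203.0.113.7 dst=10.1.2.3 dport=22"),
    ("campus-a", "ids", "2024-02-01T10:00:05 sid=2001 src=203.0.113.7 dst=10.1.2.3 msg=ssh_scan"),
    ("campus-b", "firewall", "2024-02-01T10:01:10 action=deny src=203.0.113.7 dst=10.9.8.7 dport=22"),
    ("campus-b", "firewall", "2024-02-01T10:02:00 action=deny src=198.51.100.4 dst=10.9.8.8 dport=3389"),
    ("campus-b", "firewall", "2024-02-01T10:02:30 action=deny src=192.168.5.5 dst=10.9.8.9 dport=445"),
]
# Constructed stand-ins for the shared "bad IP" list and the members' own address space.
KNOWN_BAD = {"198.51.100.4": "reported-scanner"}
MEMBER_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def normalize(campus, source, line):
    # Parse one raw line into the common schema the correlation step expects.
    ts, *pairs = line.split()
    fields = dict(kv.split("=", 1) for kv in pairs if "=" in kv)
    return {"ts": ts, "campus": campus, "source": source, "src": fields.get("src")}

def enrich(event):
    """Attach context: intel verdict and whether the source is outside member space."""
    addr = ipaddress.ip_address(event["src"])
    event["intel"] = KNOWN_BAD.get(event["src"])
    event["external"] = not any(addr in net for net in MEMBER_NETS)
    return event

def correlate(events, min_campuses=2):
    """Flag an external source seen at several members, or one on the intel list."""
    by_src = defaultdict(lambda: {"campuses": set(), "sources": set(), "intel": None})
    for e in events:
        if not e["external"]:
            continue  # internal sources are a local matter, not a cross-member signal
        rec = by_src[e["src"]]
        rec["campuses"].add(e["campus"])
        rec["sources"].add(e["source"])
        rec["intel"] = rec["intel"] or e["intel"]
    findings = []
    for src, rec in by_src.items():
        reasons = []
        if len(rec["campuses"]) >= min_campuses:
            reasons.append("seen-at-multiple-members")
        if rec["intel"]:
            reasons.append("intel:" + rec["intel"])
        if reasons:
            findings.append({"src": src, "campuses": sorted(rec["campuses"]),
                             "sources": sorted(rec["sources"]), "reasons": reasons})
    return findings

def run_pipeline(raw=RAW_EVENTS):
    # Ingest, normalize, enrich and correlate, as the SIEM does continuously.
    return correlate([enrich(normalize(*r)) for r in raw])
```

With the constructed feed, the scanner hitting both campuses is flagged on the cross-member signal alone, while the single-campus hit is flagged only because the intel list names it.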
Right now, OmniSOC tailors its alerts and advice to the specific needs of its five member institutions. Operators say they are looking to unify these procedures, with an eye toward eventually scaling up the operation.
In the long term, OmniSOC aims to deliver a significantly higher level of cyberawareness and protection than any single university could achieve on its own.
Planners say the outputs should enhance network safety at both the strategic and tactical levels, offering big-view analysis of emerging trends and immediate warning of daily threats.
“We want to know what bad IP addresses are being used by the bad actors today, and we also want to stick our head out past the local concerns and think more globally about the threats that are emerging across all verticals,” Davis said.