Sharing Threat Intelligence in Higher Ed
The OmniSOC security operations center exchanges security data and best practices with institutions throughout the higher education sector.
Category: IT Infrastructure and Systems
Institution: Indiana University
Project: OmniSOC
Project lead: Tom Davis, associate vice president, information security, and executive director and chief information security officer, OmniSOC
Tech lineup: Elastic
Project lead Tom Davis
Back in 2017, cybersecurity experts from five Big Ten universities got together to set their sights on new, shared cybersecurity services that would allow their institutions to make better use of resources, scale operations to include other peer institutions, and perhaps best of all, develop and share new knowledge and practices around threat intelligence in the higher education sector. By 2018, a security operations center named OmniSOC became fully operational with its founding members: Indiana University, Northwestern University, Purdue University, Rutgers University, and the University of Nebraska-Lincoln.
OmniSOC is a shared cybersecurity operations center for higher education. Its central operating principle is articulated very simply on its home page: "…this pioneering initiative strives to help higher education institutions reduce the time from first awareness of a cybersecurity threat anywhere to mitigation everywhere for members."
Project lead Tom Davis is IU's associate vice president for information security and OmniSOC's founding executive director and chief information security officer. "We will be monitoring security information and event data for our member networks…" he explained in an informative video introduction to OmniSOC, adding, "If we identify a threat of interest we will notify the member campuses so they can investigate." Rick Haugerud, assistant vice president of information security for member campus University of Nebraska-Lincoln, went on to point out the long-term value of gathering sector-specific data: "As the Big Ten institutions continue to collaborate on the OmniSOC and the collection of threat data, it will give us a treasure trove of threat intelligence that we'll be able to analyze and sort through and try to determine if there's any rhyme or reason to how some of these attacks begin, how quickly they're going to spread, the direction they might spread — any of those things might deliver benefits that we can use to better protect ourselves in the future."
Beneficiaries include campus IT security teams, freed from the overwhelming task of analyzing security information and event data, as well as faculty and staff, who can rely on sensitive information remaining safe and protected. OmniSOC also provides internship opportunities for students, who learn about collaborative security and best practices using new technology to mitigate threats.
OmniSOC interns
OmniSOC is informed through many sources. It examines real-time security information data feeds from all member campuses, along with a plethora of governmental and corporate security subscriptions. It also exchanges threat intelligence or indicators of compromise more widely with institutions throughout the higher education sector — for example, this type of sharing may be done through OmniSOC's membership in the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC).
The sharing of security data is probably one of the most distinctive aspects of OmniSOC, and it reflects some of the best values of the higher education sector, especially when contrasted with general practice across the cybersecurity industry.
While it's probably not appropriate to publish a full list of tools and resources used by any security operations center, OmniSOC staff are happy to point us to just one of its core technologies, the Elastic stack. With its dashboards and visualizations, this technology offers quick visibility of threat data and enables interactive security analytics and effective threat hunting. Security personnel can use one data source to access another and compare data in a common language. Elastic also includes a powerful search technology: cross-cluster search lets OmniSOC operators query the massive amounts of structured and unstructured data ingested from all members in a single search, so they can analyze it across the whole membership and supply members with the best possible information for decision-making.
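To make the cross-cluster search idea concrete, here is an added example in Python that is not OmniSOC's or Elastic's own code. It assumes one Elasticsearch cluster per member campus, each registered on the SOC's coordinating cluster under a remote alias (the aliases `member-a`, `member-b`, `member-c`, the index name `logs-netflow` and the indicator `203.0.113.7` are all constructed for this example). It builds the one query that hunts a shared indicator of compromise across every member at once, then turns a response (also constructed here, but shaped like a real cross-cluster search reply, where each hit's `_index` is prefixed with the remote alias) into the per-member picture an analyst needs before notifying campuses. It also handles the failure mode a shared SOC cares about most: a member cluster that was skipped, so that "no hits" from that member is not mistaken for "clean".

```python
"""Cross-cluster search (CCS) triage for a shared SOC.

Added example, not OmniSOC's or Elastic's own code. Member aliases, the
index name, the indicator and the sample response are all constructed.
"""
import json
from collections import Counter

# Constructed: one remote-cluster alias per member campus. In a real
# deployment each alias is configured on the coordinating cluster via
# the cluster.remote.<alias>.seeds setting.
MEMBERS = ["member-a", "member-b", "member-c"]
LOG_INDEX = "logs-netflow"      # constructed index name
SHARED_IOC = "203.0.113.7"      # constructed indicator (TEST-NET-3 range)


def build_ccs_request(members, index, indicator):
    """Return (index_target, body) for one search that looks for a shared
    destination-IP indicator across every member cluster.

    The index target uses Elasticsearch's "alias:index" CCS syntax, so the
    same query fans out to all members instead of being run per campus.
    """
    index_target = ",".join(f"{alias}:{index}" for alias in members)
    body = {
        "size": 100,
        "query": {"term": {"destination.ip": indicator}},
        "_source": ["@timestamp", "source.ip", "destination.ip"],
    }
    return index_target, body


def triage(response, members):
    """Attribute CCS hits to members and flag skipped clusters.

    Each hit's `_index` is "alias:index" for a remote cluster (a bare index
    name means the local cluster). `_clusters.skipped` counts remotes that
    were unreachable and silently left out; if it is non-zero, a member
    with no hits may simply not have been searched.
    """
    counts = Counter()
    for hit in response["hits"]["hits"]:
        alias, sep, _ = hit["_index"].partition(":")
        counts[alias if sep else "local"] += 1
    skipped = response.get("_clusters", {}).get("skipped", 0)
    return {
        "hits_by_member": dict(counts),
        "members_without_hits": [m for m in members if m not in counts],
        "clusters_skipped": skipped,
        "conclusive": skipped == 0,
    }


# Constructed response: two hits from member-a, one from member-b, and
# member-c's cluster skipped (e.g. unreachable at query time).
SAMPLE_RESPONSE = {
    "took": 42,
    "timed_out": False,
    "_clusters": {"total": 3, "successful": 2, "skipped": 1},
    "hits": {
        "total": {"value": 3, "relation": "eq"},
        "hits": [
            {"_index": "member-a:logs-netflow", "_id": "1",
             "_source": {"@timestamp": "2023-01-01T10:00:00Z",
                         "source.ip": "10.1.2.3", "destination.ip": SHARED_IOC}},
            {"_index": "member-a:logs-netflow", "_id": "2",
             "_source": {"@timestamp": "2023-01-01T10:05:00Z",
                         "source.ip": "10.1.9.8", "destination.ip": SHARED_IOC}},
            {"_index": "member-b:logs-netflow", "_id": "7",
             "_source": {"@timestamp": "2023-01-01T11:30:00Z",
                         "source.ip": "10.2.4.4", "destination.ip": SHARED_IOC}},
        ],
    },
}


if __name__ == "__main__":
    target, body = build_ccs_request(MEMBERS, LOG_INDEX, SHARED_IOC)
    print(f"GET /{target}/_search")
    print(json.dumps(body, indent=2))
    print(json.dumps(triage(SAMPLE_RESPONSE, MEMBERS), indent=2))
```

The `conclusive` flag is the practitioner's check: when any member cluster was skipped, the analyst should re-run the search or contact that campus before treating its silence as a clean result, which matches the "notify members so they can investigate" workflow described above.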
OmniSOC's operations home is at IU in conjunction with GlobalNOC, a nonprofit providing research and education network services. But as new higher education members join OmniSOC, the natural complexity of including diverse institutions and perhaps multi-institutional systems may raise a demand for multiple SOCs. Concerned about losing operational efficiencies to rapid growth, OmniSOC has made a commitment to work ahead of the curve, making plans for a tightly integrated network of SOCs that can retain all the benefits of scale while inspiring innovation and the flexibility to respond to larger environmental changes.
Additionally, OmniSOC's roadmap includes projects to enable machine learning within Elastic, more evolved integration of strategic and tactical threat intelligence in its processes and systems, the use of diversionary tactics to gather additional insight into hacker tactics, and enrichment of existing data sources with added vulnerability scanning.
Talking with OmniSOC leaders, it's easy to see that they are keeping their ultimate goal at the forefront: to protect higher education assets so that institutional missions of education and research can proceed without disruption.