OmniSOC: Why Higher Ed Needs Operational Collaboration in Cybersecurity

In August 2016, an article appeared in the Wall Street Journal entitled "Big Banks Team Up to Fight Cyber Crime." These highly competitive, profit-driven institutions had come to the conclusion that they were better off collaborating against cybercriminals rather than trying to create some internal competitive advantage over their peers.

We realized that if banks could set aside their competitive nature, then colleges and universities should be able to do so as well. At that point, our work to establish the OmniSOC began in earnest. The idea to collaborate on cybersecurity in higher education goes back several years. We have long shared information through the REN-ISAC and HEISC, but the OmniSOC founders felt that a deeper collaboration on cybersecurity operations was necessary.

So you may be asking questions like "Why operations?," "Why now?," "Why Big Ten schools?," or "How did OmniSOC choose its SIEM?" The answer is simple: We're planning now for the future.

Why Focus on Operations?

Colleges and universities have excelled at sharing security information. Indiana University hosts the REN-ISAC, and its reach to just under 600 institutions is an excellent tool for dissemination of threat intelligence. But human-mediated intelligence-sharing can only go so far. The OmniSOC uses operational security information and event data from its members to correlate, analyze, hunt for, and then mitigate cyber threats in real time.

Why Now?

In short, cyber threats are increasing at a rate — both in number and in severity — such that this past year we saw cyber threats orders of magnitude beyond anything we've seen before. The Mirai botnet attack on Dyn involved requests from tens of millions of different IP addresses. WannaCry ransomware shuttered the doors of National Health Service hospitals. Cybercrime continues evolving rapidly, and we felt the need to evolve rapidly, as well, to be guarded for whatever comes next.

Why the Big Ten Academic Alliance?

A shared, sector-specific cybersecurity operations center requires trust and familiarity. We had established that trust and familiarity with our Big Ten Academic Alliance colleagues over the course of our 25+ years of collaboration on information security. In fact, the Big Ten institutions had established data sharing agreements among its members before the founding of the OmniSOC. The common bonds and trust we have built within the Big Ten Academic Alliance made it easy to get our five institutions to the table and agree on a common set of goals. Going forward, we look forward to welcoming OmniSOC members from all parts of higher education.

How Did OmniSOC Choose Its SIEM?

The OmniSOC evaluated multiple vendors and ultimately selected Elastic as its SIEM. With the Elastic stack, we found a product that allows OmniSOC to scale as we add new members. Even among our five founders, we have significant heterogeneity among our SIEMs, intrusion detection systems, and other security-related systems. Elastic provides us the ability to integrate all these sources and do so in an affordable and scalable way.

How Can Other Institutions Get Involved?

Adding institutions to OmniSOC will only improve our collective defenses. The more anomalous data we collect, the better we can correlate and diagnose malicious activity and mitigate it, often before it affects the majority of our members. If you are interested in becoming an OmniSOC member, or would like to learn more, please fill out our contact form.

---

Daniel Calarco is the Chief of Staff for the Vice President for Information Technology and CIO at Indiana University.

Tom Davis is the founding Executive Director and CISO of the OmniSOC.