CyberPosse: A SOC-as-a-Service for Higher Education

min read

CyberPosse, a UT Austin SOC-as-a-service offering, provides institutions of any size with a 24/7 managed detection and response capability that leverages in-house products and the UT Austin team’s security engineering background to ensure that the institution is covered.

image of a three-quarter moon in the center of a spoked, wheel-like circle
Credit: The University of Texas at Austin © 2019

The complexities and demands of an institution's cybersecurity program are growing at an accelerating pace, while the resources and sustained talent pools have become scarcer and more constrained. Fortunately, a number of security operations center (SOC)-as-a-service offerings are available to provide colleges and universities with some relief and extended support capabilities.

CyberPosse is a managed detection and response service offered by the Information Security Office at the University of Texas at Austin (UTISO). The UTISO has been providing managed detection and response services to a large customer base since 2009. Providing extended coverage and protection to 15 campuses in the University of Texas System; 77 independent school districts, small colleges, municipalities, and hospitals; and dozens of state agencies, the UTISO has developed a proven and reliable service for institutions needing to augment, optimize, or accentuate their existing cybersecurity program.

With the development of PANOPTICON in 2004, the UTISO was one of the first creators of a SOAR (Security Orchestration, Automation and Response) platform for rapid, enterprise-scale detection and response capabilities. The UTISO uses PANOPTICON along with other incident management tools in its Cybersecurity Operations Center (CSOC) to massively scale the operation across a wide customer base. UTISO pairs these technical strengths with a deep knowledge of the higher education environment to tune and customize service delivery (e.g., providing one of the first data-leak detection services capable of operating on a multi-100Gb network).

CyberPosse is designed to efficiently and effectively serve an institution—no one has time for false positives. Only highly accurate and actionable alerts are reported to the institution. If it isn't verified to be compromised or vulnerable to a high-risk exploit, then we don't waste your time. Because CyberPosse is designed to report issues in real time, you can further automate downstream actions in real time (e.g., disabling a user account, null routing a system, sending additional notifications) so that the problem doesn't evolve into something even worse. It is designed to support your operation behind the scenes and provides your institution with another team of paranoid eyeballs to help you have more confidence in and awareness of your overall security posture.

The managed detection and response portion of CyberPosse relies on a traffic monitoring capability located at the institution. To meet this requirement, the UTISO provides a managed security stack as a component of the service to which an institution can connect an existing network tap infrastructure. CyberPosse can accommodate any size network and currently operates in networks ranging from single gigabit taps to networks with dozens of 100Gbps taps monitoring well over 150Gbps of sustained traffic. The UTISO can also work with regional ISPs serving higher education to develop backhaul strategies that would more effectively leverage existing fiber networks and reduce the costs associated with deployed infrastructures.

In addition to managed detection and response capabilities, CyberPosse includes an automated cyber hunting option, leveraging UTISO's Cyber Hunting Orchestrated Maneuvers Platform (CHOMP). CHOMP is a massively scalable, big data platform leveraging machine learning that can quickly discover anomalies and vulnerabilities for an institution. Most recently, CHOMP was used to analyze billions of passwords for accounts across the planet (obtained from a series of data-leak dumps known as Collections#1 – 7, plus "antipublic") and alerted almost 850 campuses subscribed to the free Dorkbot web application security service to their potential exposure. Many campuses reported that they had numerous compromised passwords still active in their environments and were able to use this information to quickly remediate the exposure.

Please feel free to share any questions or comments at [email protected], or refer to the UTISO's services page for more information.

Cam Beasley is Chief Information Security Officer for the University of Texas at Austin.

© 2019 Cam Beasley.