OmniSOC: High Speed Threat Detection at the Big Ten

The Elastic Stack is becoming increasingly popular in deployments relating to security analytics. We’ve previously looked at some of the features and capabilities that are driving adoption, including this machine learning deep dive and these security examples of Logstash enrichment for Elasticsearch data. In this post, we learn about a group of US-based universities that are adopting the Elastic Stack as their security analytics platform. The idea of sharing cyber threat information between different companies and groups is not new. In fact, there are many Information Sharing and Analysis Centers (ISACs) that have been created for this purpose, including a Research and Education ISAC (REN-ISAC).

Five Big Ten schools, led by Indiana University, are going well beyond information sharing by teaming up to apply the power of the Elastic Stack to tackle a thorny problem—how to protect their students, faculty, and staff from cyber attacks.

Indiana University (IU), Northwestern University, Purdue University, Rutgers University, and the University of Nebraska-Lincoln, have launched a new cybersecurity operations center based at IU—called OmniSOC—to share threat intelligence and dramatically reduce the time between when a cyber threat is detected and when it can be addressed and mitigated by its member universities.

OmniSOC relies on the Elastic Stack as its security analytics platform, utilizing Elasticsearch, Kibana, Beats, Logstash and critical features like security, alerting, and machine learning. The Elastic Stack ingests, correlates, and analyzes vast quantities of information from thousands of systems across all of its member institutions in order to detect security breaches and cyber threats. OmniSOC security engineers then provide rapid, actionable intelligence back to its members so they can mitigate risks, close security gaps and prevent future attacks.

Tom Davis, founding director and CISO of OmniSOC shared this with us: “With tens of thousands of students, faculty, and staff, university campuses are really like small cities, with sensitive data and powerful computing systems that are coveted by threat actors. Protecting critical data across hundreds of thousands of devices requires expertise, systems, policies, and rapid response as new vulnerabilities surface. With Elastic, we were able to roll out a scalable and high performing security analytics engine that gives us deep visibility into security information and event data provided by our member universities.”

The next cyber attack isn’t a matter of if, but when, so it’s imperative to shrink the amount of time between when systems are breached and when a threat is detected in order to minimize damage. By some reports, the median time for attackers to stay undetected from breach to discovery was 99 days—an incredibly long time that allows for maximum damage to be done. The key to detecting a threat can come from anywhere, so having a complete picture of what's going on across all systems in real time matters—and that’s where Elastic comes in. OmniSOC placed a priority on minimizing the time from detection to mitigation. The Elastic Stack, known for horizontal scalability and high performance indexing and searching, allows the OmniSOC team to quickly search data and systems to spot suspicious or anomalous behavior. In the past, this has been a massive job requiring teams of engineers and days of work. With Elastic, a single engineer can monitor and search massive data sets in minutes, making threat detection fast and easy.

Greg Hedrick, CISO at Purdue University describes the value of this collaborative approach: “Higher education is for the most part an open environment, so we often see cyber crimes that others have not. By allowing us to monitor across higher ed organizations, OmniSOC will improve our ability to identify and react more quickly to these bad actors. My hope is that this information can be shared with others outside of our community in order to protect the entire ecosystem.”

Working hand in hand with the Elastic Stack, OmniSOC is taking a data-driven approach to security that makes innovative use of data monitoring, analytics, and search technologies to make threat detection much more predictive and proactive. Beyond that security focus, the choice to go with the Elastic Stack was influenced by the flexibility of the Elastic platform. For example, member staff envisioned future uses of the Elastic Stack to store a multi-petabyte digital archive that will need search functionality, as well as additional use cases in the NOC, like operational logging.

Along those same lines, in the future, OmniSOC plans to scale up its services and expand membership beyond the Big Ten Academic Alliance to include other institutions. Check out this short video to learn more about the OmniSOC mission.