Security Operations Center (SOC) delivers 24-hour detection and response
Note: The Security Operations Center (SOC) is currently staffed Monday-Friday, 7:00 a.m. to 11:00 p.m., and Saturday-Sunday, from 7:00 a.m. to 5:00 p.m. A staff member is on call 24/7. Jesse Adams manages the SOC.
The reason information security specialists have trouble sleeping at night? They know that the bad guys don't.
With the frequency and complexity of cyber attacks targeting universities and hospitals rising – day and night – the Security Assurance Team in UIT's Information Security Office (ISO) launched a 24/7 Security Operations Center (SOC) in March. The SOC represents a significant advancement for ISO's intrusion detection and response capabilities.
"It's a pretty big deal to have staff looking at events as they happen on the network at any given hour," said Security Assurance Manager Colby Gray. "By identifying malicious attacks in real time, the SOC can potentially save a lot of trouble for the University."
SOC Analysts Josh Bowden, Matt DeYoung, Romney Doria, Nick McNeal, and Nate Remynse work staggered 10-hour shifts. They alternate schedules each month to avoid one person exclusively covering the overnight shift.
The SOC relies heavily on IBM's security event management suite QRadar. Data collected from intrusion prevention tools like FireEye and Tanium feed into QRadar. In addition to consolidating log events and network flow data, QRadar's robust analytics engine correlates the data to help SOC analysts identify and triage security events that may require further investigation.
Gray said that while the SOC isn't tasked with investigating to the level of detail his senior security analysts are, "they can identify an event as it happens and are empowered to take action, clip the traffic and try to limit any impact to the network."
As a correlation engine, QRadar forms a big picture from what may seem like unrelated events, for example, 50 bad hosts trying to connect to a single port as opposed to a single incident. And in that way, QRadar helps Gray put his valuable resources into following good leads rather than dead ends.
Despite headline-grabbing stories of Russian hacking, Gray noted that an uptick in traffic at odd hours or originating from foreign countries doesn't suggest anything is amiss.
"It might be business hours in another country and could very well be legitimate traffic," he said. "The University has many international students and we encourage people from different countries to look at us."
The idea of launching a SOC was discussed for years, with leadership support from University Information Technology (UIT) and Information Technology Services (ITS). In addition to shoring up security, the SOC complements and interacts with the U's Network Operations Center (NOC), which receives real-time metrics on the status of U applications from campus, clinical and external locations.
Gray would like to publicly thank his senior security analysts for their help training new SOC staff, and ISO's student employee program, where training for a full-time SOC first took root and developed. Thanks to their combined efforts, and with the support of Governance Risk & Compliance Analyst Lana Xaochay, SOC analysts came in with dozens of documented security procedures to follow.
Our monthly newsletter includes news from UIT and other campus/ University of Utah Health IT organizations, features about UIT employees, IT governance news, and various announcements and updates.