
Implement a 24x7 Security Operations Center

Prior to this implementation, the university only operated a security operations center (SOC) during business hours. The global increase in sophistication and frequency of cyberattacks has necessitated an expansion in the university’s cyberdefense coverage and capabilities that will allow us to detect and respond to cyber threats and attacks.

The VT IT Security Office (ITSO), with representation from central and distributed IT, has developed a plan to partner with Indiana University (IU) to provide Virginia Tech with 24x7 security monitoring. IU provides managed SOC services to several higher education institutions and National Science Foundation research facilities through their OmniSOC program. The services offered align with VT requirements to increase coverage and visibility and decrease incident response time across critical systems, and are deemed to be cost effective compared to alternative providers.


These new processes bring value to Virginia Tech by:

  • Expanding coverage from business hours to 24x7 in order to establish continuous awareness of security related incidents.
  • Improving responsiveness to security incidents by leveraging the OmniSOC’s monitoring and incident notification services to initiate internal isolation and containment activities.
  • Improving situational awareness by leveraging the threat intelligence insights that OmniSOC gains from other research and higher education institutions.
  • Increasing visibility and access to security related log information by expanding participation in the central logging service (CLS).

Project Team Members:

Project Lead: Randy Marchany, Virginia Tech IT Security Officer

Project Manager: Greg Kroll, Associate Director, Information Technology Project Management

Brandon Booker, Senior Systems Development Engineer, Network Infrastructure and Services

Eric Brown, Senior Network Architect, Network Infrastructure and Services

Joe Hutson, Deputy Executive Director, Network Infrastructure and Services

Kerry Johnson, Associate Director, Network Operations

Greg Kroll, Associate Director, Information Technology Project Management

Jeff Lang, Director, Cyber Defense Operations, Virginia Tech IT Security Office

Steve Lee, Senior Director, Operations, Network Infrastructure and Services

Randy Marchany, Virginia Tech IT Security Officer

Dave Martin, Data Reporting Analyst, Research and Innovation Information Technology

Zach Mitcham, Associate Director, Security Operations

Justin Sobczak, Director, Security and Compliance, Network Infrastructure and Services

Josh Causin, Associate Director, Information Technology Support, Information Technology Experience and Engagement

Seth Coburn, Software Developer, Information Technology Experience and Engagement

Kevin Davis, Director, Web and Systems, Information Technology Experience and Engagement

Scott Farmer, Director, Outreach Information Services

Anthony Houston, Associate Director, Applications Administration

Joe Hutson, Deputy Executive Director, Network Infrastructure and Services

Greg Kroll, Associate Director, Information Technology Project Management

Joyce Landreth, Deputy Executive Director, Information Technology Experience and Engagement

Jeff Lang, Director, Cyber Defense Operations, Virginia Tech IT Security Office

Randy Marchany, Virginia Tech IT Security Officer

Zach Mitcham, Associate Director, Security Operations

Justin Sobczak, Director, Security and Compliance, Network Infrastructure and Services

Ryan Spoon, Director, Information Technology for the Virginia Tech College of Engineering

Scott Farmer, Director, Outreach Information Services

Joe Hutson, Deputy Executive Director, Network Infrastructure and Services

Greg Kroll, Associate Director, Information Technology Project Management

Joyce Landreth, Deputy Executive Director, Information Technology Experience and Engagement

Jeff Lang, Director, Cyber Defense Operations, Virginia Tech IT Security Office

Randy Marchany, Virginia Tech IT Security Officer

Zach Mitcham, Associate Director, Security Operations

Justin Sobczak, Director, Security and Compliance, Network Infrastructure and Services

Ryan Spoon, Director, Information Technology, Virginia Tech College of Engineering

Dawn Zimmer, Executive Director, Information Technology Experience and Engagement


Frequently Asked Questions:

The 2021 Deloitte review of the current state of IT operations and cybersecurity supported a prior finding by the IT Security Office that there was a need for augmented security monitoring that included 24x7 assessment and response capabilities. Pursuing these improvements has been a high priority for Virginia Tech’s Board of Visitors, Chief Operating Officer, and Chief Information Officer. This support enabled a plan to augment existing IT security monitoring capabilities with a 24x7 SOC, with a focus on increasing coverage and decreasing incident response time across critical systems.

A security operations center (SOC) brings together a team of security experts who focus on providing situational threat awareness and managing our overall security posture. A SOC serves as a correlation point, taking in data from an organization’s IT assets, including infrastructure, networks, cloud services, and devices. Using that data, SOC activities focus on managing, monitoring, analyzing, preventing, and responding to existing and potential threats and ensuring the university is protected from attack.

For many years, the IT Security Office has operated a Security Operations Center (SOC) that has provided network monitoring, alerting, analyzing, prevention, and response services during business hours (M-F 8-5) to mitigate cybersecurity risks. However, until now it has not been possible to offer services at all hours, during breaks, or on weekends, or to enable some of the advanced analysis tools that this project will provide.

  • To provide comprehensive (24x7x365) monitoring and detection, threat intelligence, and incident response capabilities to mitigate cybersecurity risks.
  • To communicate and educate the university on the Standard for Information Technology Logging and the use of our Centralized Log Service (CLS).

OmniSOC is a shared security operations center (SOC) for higher education and research institutions. Based at Indiana University, OmniSOC rapidly delivers critical and actionable alerts 24/7, allowing Virginia Tech’s cybersecurity staff to focus on prevention and response. OmniSOC serves the higher education cybersecurity community, and is trusted to operate collaboratively across member institutions, reducing the time from first awareness of a cybersecurity threat anywhere to mitigation everywhere for all of its members across higher education, regional Research and Education networks, and research facilities.

The VT IT Security Office (ITSO), with representation from central and distributed IT, has developed a plan to partner with Indiana University (IU) to provide Virginia Tech with 24x7 security monitoring. IU provides managed SOC services to higher education institutions and National Science Foundation research facilities through their OmniSOC program. The services offered align well with VT requirements to increase coverage and visibility and decrease incident response time across critical systems, and are deemed to be cost effective compared to alternative providers.

This partnership will allow Virginia Tech to:

  • Expand coverage from business hours to 24x7 in order to establish continuous awareness of security related incidents.
  • Improve responsiveness to security incidents by leveraging the OmniSOC’s monitoring and incident notification services to initiate internal isolation and containment activities.
  • Improve situational awareness by leveraging the threat intelligence insights that OmniSOC gains from other research and higher education institutions.
  • Increase visibility and access to security related log information by expanding participation in the university’s central logging service (CLS).

According to Virginia Tech’s University Cyber Incident Response Guidelines, a cyber security incident is defined by the Department of Homeland Security as an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. An incident could be either intentional or accidental in nature.

When the IT Security Office gets a report of a cybersecurity incident, we work closely with departmental IT personnel to address the issue according to the procedures outlined in the Virginia Tech Guide for Cyber Security Incident Response v5.4.

A system is considered “critical” if the loss of the asset for even a short period of time could prevent the organization from achieving its mission and/or could pose a risk to human health and/or safety if compromised or not available.

According to the Virginia Tech Risk Classifications standard:

  • Data and systems are classified as high risk if:
    1. Protection of the data is required by law/regulation, and Virginia Tech is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed; or
    2. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

The Standard for High Risk Digital Data Protection defines the university’s high risk data elements/types, associated university policies and standards, associated laws and regulations, and the protections required by the university for that data element/type.

The Security Operations Center (SOC) aggregates log data from the following sources:

  • Inbound and outbound internet traffic flows, providing:
    1. Intrusion Detection
    2. Traffic analysis
    3. DNS analysis for detection of malicious domains
  • System and Application security logs forwarded through the Central Log Service (CLS).
  • High level security alerts detected in the Microsoft Sentinel Security Information and Event Management (SIEM) platform.

Protecting privacy and freedom of inquiry is of critical importance to everyone in the university community. These security initiatives will be implemented with transparency. As per Policy 7035, tools will not be used in ways that are inappropriate or that do not comport with Virginia Tech’s commitment to academic freedom.

Access to employees’ electronic data is governed under Policies 7010, 7105, and 7035. Here’s a summary of the guidelines provided:

  • Access will occur only for legitimate business or IT security compliance purposes;
  • Access must be authorized by one or more appropriate and accountable authorities;
  • Except as described in these policies, the university will obtain consent before an employee’s information is accessed;
  • Access will be limited to the minimum degree necessary to accomplish the specified cybersecurity-related purpose;
  • Within the limits of our storage capacity, records will be kept for a limited time to enable a review of compliance with these policies, but will then be deleted; and
  • Information describing the process for access is available to all persons affected by these policies.

For faculty and staff, the IT Security Office recommends contacting your designated departmental IT support personnel.

Students may reach out to 4help@vt.edu or call them at (540) 231-4357.

  • You may also submit an incident directly to the IT Security Office using the following Service Catalog Item - Have I been hacked?

Contact:

If you have questions or concerns related to this project that are not covered here, please contact itso-g@vt.edu.
