OmniSOC Core Services

Cyber threat intelligence

Integrate strategic and tactical threat intelligence into analysis, processes, and technology to understand, identify, and counter threats and threat actors more efficiently and effectively. Create new threat intelligence, analyze and enrich existing intelligence, and share the results.

Process: Consumes threat intelligence from a variety of sources including member institutions, REN-ISAC, external entities, higher education colleagues, industry sources, and law enforcement. Analyzes strategic threat intelligence to facilitate security planning, prevention, and awareness of security trends and threat actor intent, capabilities, and techniques. Integrates tactical threat intelligence into security analysis tools to assist in threat detection, alert triage, and incident response.

Create and share: Analyzes member security information and event data to create new threat intelligence or to enrich the depth and breadth of existing threat intelligence. Uses and deploys tools and techniques (honeypots, sinkholes, malware analysis, etc.) to mine for additional threat intelligence. Shares new and enriched intelligence, in partnership with REN-ISAC and others, for both strategic and tactical purposes. Shares intelligence with members and, as appropriate, the larger information security community.

Security analysis tools will process tactical threat intelligence 24/7. Other aspects of this service are typically available during normal business hours, Monday through Friday. However, OmniSOC tier 2 analysts are on call 24/7/365 and will respond after hours as necessary.

This advisory level service is provided to all OmniSOC members as part of their annual membership fee.

Incident notifications

Notify member incident response teams of adverse events or incidents that may require additional investigation or action. Provide relevant details, including context, timeline, and scope, in notifications to facilitate member team interpretation and action.

Notify: Need for notification is determined based on a number of factors, including event analysis, triage, and pre-determined criteria. Notification will occur using pre-established methods such as phone call trees, emails, and direct incident ticket creation.

Provide details: Provides the member with relevant details, including context, timeline, and scope, in notifications to facilitate member team interpretation and action. The type and quantity of details provided will vary based on the incident but will fall into four categories: basic (severity, category, indicators, IP addresses, etc.), contextual (correlation to other alerts, malware type, attacker method of operation, etc.), timeline (the entire event window, not just the time of the alert), and scope (whether the event was seen on other member networks, etc.).

This service is available 24/7/365.

This advisory level service is provided to all OmniSOC members as part of their annual membership fee.

Information sharing

Provide timely, routine, and useful communications regarding threats and threat actors. Share effective operational practices, tools, and procedures. Report on organizational status, including operational and security metrics.

Develops and shares timely and routine briefings, reports, and other published products to provide insights into security trends, events, incidents, threats, and threat actors. Shares effective operational practices, tools, and procedures such as signatures, indicators, and dashboards. Provides information on organizational status, activities, and metrics, particularly those metrics that help gauge organizational efficiency and effectiveness.

This service is typically available during normal business hours, Monday through Friday. However, OmniSOC tier 2 analysts are on call 24/7/365 and will respond after hours as necessary.

This advisory level service is provided to all OmniSOC members as part of their annual membership fee.

Threat hunting

Proactively searches for threats that evade network and system defenses, including those undetected by existing security systems. Works with member institutions to assess full scope, impact, and severity of adverse events. Automates investigation and analysis using machine learning, visualization, correlation, scripting, and dashboards to streamline future threat hunting activities.

Proactive: Proactively searches for threats that evade network and system defenses, including those threats that go undetected by existing security systems. The two primary goals of this service are to catch attacks earlier in the kill chain, before the attacker is able to complete their overall objective, and to identify and mitigate threat actors who may already be active, yet hidden, in the member's network.

Collaborate and coordinate: Collaborates with member security and incident response teams to assess full scope, impact, and severity in response to adverse events. Coordinates with other OmniSOC analysts and member security and incident response teams to ensure appropriate response to incidents.

Automation: Automates investigation and analysis using machine learning, visualization, correlation, scripting, and dashboards to make future threat hunting activities more efficient and more accurate.

This service is typically available during normal business hours, Monday through Friday. However, OmniSOC tier 2 analysts are on call 24/7/365 and will respond after hours as necessary.

This advisory level service is provided to all OmniSOC members as part of their annual membership fee.

Analysis

Investigates cases escalated from OmniSOC tier 1 analysts. Performs in-depth analysis of security alerts and associated data feeds from member systems and networks. Determines what actually happened based on analysis, to validate or refute the potential adverse events. Works with member institutions to assess full scope, impact, and severity of adverse events. Automates analysis using custom signatures and dashboards to streamline future similar event handling.

Escalation: Takes ownership of cases escalated from OmniSOC tier 1 staff that require additional analysis. Determines what, if any, further action is necessary.

In-depth analysis: Identifies and investigates suspicious or anomalous activity in security alerts and associated data feeds from member systems and networks to determine whether a potential incident occurred. Reviews and analyzes network or system events for attack signs (precursors or indicators). Collects, correlates, and analyzes relevant data to determine an incident’s impact and severity. Determines what actually happened based on analysis, to validate or refute the potential incident.

Collaborate and coordinate: Collaborates with tier 1 analysts and member security and incident response teams to assess full scope, impact, and severity in response to adverse events. Coordinates with other OmniSOC analysts and member security and incident response teams to ensure appropriate response to incidents.

Automation: Automates analysis using custom signatures and dashboards to streamline future similar event handling.

This service is typically available during normal business hours, Monday through Friday. However, OmniSOC tier 2 analysts are on call 24/7/365 and will respond after hours as necessary.

This advisory level service is provided to all OmniSOC members as part of their annual membership fee.

Monitoring and triage

Provide tier 1, 24/7/365 monitoring of security alerts and associated data feeds from member systems and networks. Provide preliminary analysis of relevant events and triage based on the criticality/severity of the event, associated system, and/or service. Escalate events as appropriate to member incident response teams or OmniSOC tier 2 analysts.

Monitoring: The OmniSOC will provide tier 1, 24/7/365 monitoring of security alerts and associated data feeds from member systems and networks. This monitoring will facilitate detection of potential threats to member networks that require additional research and investigation.

Preliminary analysis: OmniSOC tier 1 staff will conduct a preliminary analysis of relevant events and triage those events based on the criticality/severity of the event, associated system, and/or service. The triage process will refer to member-provided information such as critical asset lists, potential business functional impact from the loss or disruption of service, criticality or confidentiality of information, time to recover service, and so on to prioritize actions.

Escalation: OmniSOC tier 1 staff will escalate events as appropriate to member incident response teams or OmniSOC tier 2 analysts. The escalation path will be based on pre-determined criteria. For example, known bad events or events that pose an immediate threat will be communicated directly to the member incident response team, with an optional escalation to OmniSOC tier 2 analysts. Other events that are less well defined, such as abnormal-looking network traffic, potential attack traffic, or "never seen before" events, will be escalated to OmniSOC tier 2 for further analysis. This escalation, regardless of path, will follow pre-established methods such as call trees and incident ticket creation. Please consult the "Notify Member Incident Response Teams" and "Analyze Security Events" services for additional information.

This service is available 24/7/365.

This advisory level service is provided to all OmniSOC members as part of their annual membership fee.

Please note this service does not include monitoring and triage of the member institution’s local incident system ticket queue.

Call center services

Provide 24/7/365 call center support, email queue processing, support coordination, and trouble ticket management for security events and issues.

Support: Provides dual-site, 24/7/365 access to the OmniSOC team and services. Serves as the first point of contact and communication in connection with OmniSOC services. Receives tips, incident reports, and service requests via phone, email, web forms, tickets, or other methods. Answers and processes phone calls for critical issues, general questions, or service requests. Prepares documentation, notification, and escalation lists associated with all services.

Ticket management: Oversees and monitors the ticket management system. Documents each issue in accordance with requirements, including creating a trouble ticket associated with each issue. Coordinates, supports, and tracks security alerts and issues in the ticket management system until such issues are resolved. Engages security teams, infrastructure providers, and equipment vendors to assist in the resolution of tickets, as appropriate. Provides an appropriate wrap-up for each resolved ticket, including documentation describing the incident in reasonable detail, the cause of the issue (if known), and the steps taken to resolve it. Provides weekly analysis of tickets, reports on major activities, and recommends areas for improvement or further consideration.

This service is available 24/7/365. Please call the OmniSOC Service Desk to report a critical issue; other contact methods such as email and web form ticket creation may not elicit an immediate response.

This advisory level service is provided to all OmniSOC members as part of their annual membership fee.