Students in student-run SOCs are earning real-world security experience while helping university IT teams combat network threats.

How 3 university executives created student-run SOCs

Students are earning real-world security experience while helping university IT teams combat network threats

Cybersecurity has been top-of-mind for university IT leaders and administrators as they strive to balance access with security and vigilance. The challenge is complicated by a talent shortage and higher-ed’s continued position as a prime target for ransomware and cybercriminals. Now, many CIOs/CISOs have included students as part of the solution, creating student-run security operations centers (SOCs) that yield multiple benefits for their universities.

Student-run SOCs give students real-world experience in cybersecurity while giving their institutions more manpower and vigilance to prevent cyberattacks.

Launched just this month, Louisiana State University’s hybrid SOC trains students as if they’re full-time employees. The SOC is a partnership with Splunk, which provides a unified security and observability platform, and TekStream, Splunk’s cloud partner that provides technical and staffing solutions to organizations.

“Students are trained by TekStream and by LSU, doing remediation detection and response alongside TekStream. It will be true real-world experience,” said Craig Woolley, CIO at LSU. Woolley added that if students are unable to handle an incoming incident, TekStream will handle it. Students will work Monday-Friday from 8 a.m. until 8 p.m., with TekStream providing 24/7 support and monitoring.

LSU will operate two student-run SOCs at its Baton Rouge and Shreveport campuses, and eventually, SOC capabilities will be scaled to any institution across the state wishing to develop one.

Cal Poly’s student-run SOC began in 2019 as a summer internship project dubbed “SOC Lite,” and was fully operational before the pandemic forced institutions to go fully remote in March 2020, said Doug Lomsdalen, CISO at Cal Poly. 

The university partnered with Splunk, hired students, and built out a foundation that would support the full SOC capability it wanted to provide. Up to eight students work from 8 a.m.-5 p.m., with some covering weekend mornings. The SOC has evolved into what Lomsdalen called a “Learning SOC” because it provides students the opportunity to learn and use real-world tools and it introduces them to industry-standard data security.

The University of Cincinnati established its first SOC nearly a decade ago when it first partnered with Splunk. Now in its second iteration, students are heavily involved and work alongside a handful of employees dedicated to performing incident response and investigations, said Matt Williams, the university’s deputy CISO. 

Anywhere from four to seven students work at any given time, and the university plans to increase that in the future. The University of Cincinnati has many international students, and the SOC is able to give them the chance to gain real-world experience performing security operations.

Real-world experience to fill critical workforce vacancies

At Cal Poly, learning by doing is integrated into everything, and it’s no different in the Learning SOC. Students learn the theory behind various security concepts and then move to hands-on work with access to the tools provided by different security vendors. 

“We do lots of over-the-shoulder training with them,” Lomsdalen said. “We walk them through how to address specific alerts and emails, and then we give them the keyboard and go from there. They’re always being monitored by full-time staff—our students are never working by themselves.”

Universities benefit from students’ experience, too. LSU’s agreement with Splunk and TekStream allows for a reduction in pricing for every cyberattack that university students and staff discover and resolve. “The more impactful our students can be, the less our bill will be in the long run—it’s a unique agreement and one I’m happy we have in place,” said Woolley.

Students develop strong critical thinking skills along with an understanding of basic cybersecurity and technology principles when they’re working in a SOC.

Many students have gone on to work in cybersecurity and IT–and even if they pursue other careers, they bring those valuable skills with them.

Perhaps one of the biggest benefits is that students in the SOC are an extension of their university’s IT and cybersecurity teams and strategies. Full-time staff are freed up to address more strategic and operational concerns while students manage incoming alerts under staff supervision.

Protecting student health and well-being

“Student health is at the top of our list of concerns, especially after COVID. Our campus is like its own city, with its own police department and academic healthcare,” said Williams. “We started, in collaboration with the Public Safety Department, helping locate students.”

After concerned parents or friends contact the university’s police department, the department will work with the SOC to track data such as university-issued badge activity (like swiping into a dorm), activity in the cloud, LMS logons, cell phone pings, etc. These searches are performed by university employees and not by students, and only after it has been vetted by the legal office. And while this isn’t an example of a benefit realized by student participation, it’s an important role the SOC plays in student health.

It’s unfortunate how often this is needed, but these types of requests come in weekly,” Williams said.

The future of student-run SOCs

Student-run SOCs could become part of the industry standard at educational institutions moving forward.

“I think it can [become industry-standard],” Woolley said. “We’re hoping we’ll be able to show that it’s something that’s expandable and able to be replicated. I’m hoping it can be a standard and can be adopted elsewhere.”

How IT teams can reduce the threat of cyberattacks
Identity security can help your IT team mitigate risk

Sign up for our newsletter

Newsletter: Innovations in K12 Education
By submitting your information, you agree to our Terms & Conditions and Privacy Policy.

Laura Ascione