This article was written by guest author Ryan Regnier, Nelnet’s cybersecurity director of protective operations.

At Nelnet, securing our data – and protecting our customers’ personal information – is always a top priority. To ensure the safety and integrity of our data from unauthorized users, we formed the Nelnet Cyber Fusion Center (CFC). Located in our Centennial, Colo. office, the CFC establishes an innovative and collaborative space for Nelnet cybersecurity stakeholders (i.e., business, IT, fraud, and security), resulting in contextual intelligence, faster response times, reduced costs, and increased productivity. Unlike traditional security operations centers, the CFC brings Nelnet associates from diverse departments together, in a discrete location, to work jointly toward a common objective.

The CFC concept is not unique to Nelnet, as it has long been a common tool used by government and law enforcement agencies. However, in recent years, other organizations have begun embracing the concept, including higher education institutions, cyber-related companies, and government contractors such as Accenture Federal Services. It’s easy to see why – as these centers drive enterprise-wide visibility, reduce the time it takes to detect attacks, and protect organizations’ most critical assets.

  • Red Teaming: A security methodology that engages associates in ethical hacking. These associates have a vast knowledge of current hack/attack methods and leverage that knowledge to anticipate attack strategies that could be used against Nelnet.
  • Threat Defense Operations: Also known as Security Operations or Blue Team, these associates stand guard 24/7, constantly hunting for abnormalities and indications of compromise.
  • Purple Teaming: A security methodology which has red and blue teams (i.e., Threat Defense Operations) working closely together to maximize cyber capabilities through continuous feedback and knowledge transfer.
  • Cybersecurity Incident Response (CIRT): This group organizes associates and other resources when potential cybersecurity incidents are reported/detected.
  • Government Risk and Compliance: This team works to ensure that Nelnet is in compliance with federal and state consumer protection laws and contractual obligations.
  • Vulnerability Operations: This team is responsible for detecting and remediating technology vulnerabilities, as well as adhering to technology configuration Security Technology Implementation Guides (STIGs).

The Power of Collaboration

The CFC bolsters Nelnet’s cyber threat intelligence (CTI) by enabling associates from underlying disciplines to collaborate in real time. These underlying disciplines include continuous red teaming, threat defense operations, cybersecurity incident response (CIRT), governance, risk and compliance, and vulnerability operations. The CFC enables these associates to easily monitor cyber threat data and trends as they are happening, as well as provides a space to analyze tactical risk in contextual, technical, and strategic ways.

A great example of this collaboration is our threat defense operations. These associates are continuously hunting for active threats and reviewing log collection and correlation. If malicious activity is detected, the CFC quickly activates the cybersecurity incident response process to engage resources for investigation, coordination, resource prioritization and remediation. By providing a discrete location for cybersecurity, IT, and business associates to review, monitor, and discuss the detected malicious activity, the CFC helps Nelnet minimize the possibility of information leakage and better control communications to all appropriate parties.

The Value of Collaboration

The value to Nelnet’s cyber threat intelligence expands far beyond cyber incident response and defense operations. By providing a venue for red team associates to disguise themselves collaboratively and continuously as an enemy or competitor, we strengthen Nelnet’s overall readiness for similar, authentic events. The CFC multiplies these effects by bringing associates from threat defense operations and governance, risk and compliance together with the red team for comprehensive purple team, or readiness, exercises. These exercises allow Nelnet’s testing to be more comprehensive and better challenge our plans, policies, and systems. Nelnet IT, cybersecurity, and business stakeholders can then use purple team reports to make necessary adjustments to our processes and procedures.

Governance, risk and compliance, and vulnerability operations are the remaining disciplines that support our cyber threat intelligence and leverage the CFC. While their duties are often described as “Scan, Patch, Scan,” the vulnerability operations team employs a variety of techniques for vulnerability and compliance scanning. The team then analyzes those results to determine the level of risk associated with individual findings before creating complex plans for mitigation and remediation. This multifaceted process plays an essential part in Nelnet’s overall security awareness. And finally, governance, risk, and compliance is the guiding light. Responsible for creating and maintaining security policy for all of Nelnet, the governance, risk, and compliance team works closely with vulnerability operations. This partnership allows both teams to manage corporate risk and produce comprehensive risk assessments for a variety of purposes.

The Cyber Fusion Center is an essential tool for Nelnet’s cybersecurity defense. In providing a space for critical associates to work alongside each other, in an isolated location, they are free to collaborate on highly sensitive topics and make quick decisions. It is a critical instrument for fusing traditional security, IT, and business to create innovative cyber capabilities.

The Cyber Fusion Center in Action

So far in 2021, Nelnet’s Threat Defense Operations (Blue team) has participated in two large-scale cyber threat and security competitions and performed exceedingly well. Earlier this year, the team finished in the top 15% at their first-ever competition. Then, in early August, two Nelnet CFC teams participated in Splunk’s Boss of the SOC (BOTS), a global blue-team, jeopardy-style, capture-the-flag-esque activity where participants leverage Splunk’s Security Suite – and other resources – to answer a variety of questions about the type of real-world security incidents that security analysts face regularly. Nelnet’s teams placed 16th and 28th among more than 225 competitors – a testament to the capabilities and expertise found within our CFC.

Guidance for Outside Organizations

Most organizations have evolved their cybersecurity program to be more than “Scan, Patch, Scan,” but strides can still be made in proactive and reactive defensive operations. With the CFC, we’ve learned that specialized cybersecurity associates can be more effective when asked to collaborate with one another on a regular basis. To that end, we believe the CFC is an investment that will pay dividends.

Several resources exist today for organizations seeking to build a CFC. At Nelnet, we recommend partnering with your industry’s information technology or cybersecurity knowledge sharing organization, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). Remember: By working together to build stronger cybersecurity defense, we all benefit.


Ryan Regnier

Director of Protective Operations