Rory O'Connor
Case study

Sleeping better thanks to joint security operations centre

Erasmus University Rotterdam (EUR) was one of the first institutions to join SURFsoc in 2021. The immediate reason for this was the hack in late 2019 at Maastricht University. How can we prevent such a thing, was the question immediately asked at the Rotterdam university.

Initially, according to Rory O'Connor, chief information security officer (CISO) at EUR, the possibilities of an in-house Security Operations Centre (SOC) were explored. But he says that soon proved very costly and not feasible.

So when SURF came up with the initiative to set up a joint SOC, EUR was immediately enthusiastic. Rory: "My main challenge as CISO is to provide 24/7 protection for the university. To do that, you need to have people continuously available to monitor your systems and analyse logs. We don't have those people and Fox-IT, supplier of SURFsoc, does."

"I sleep a lot better"

Since connecting, Rory says there have been minor incidents, but thanks to SURFsoc, he and his security colleagues have been able to deal with them before they became major incidents. "SURFsoc improves our speed of action. Especially at times when hackers are active. I can assure you, I sleep a lot better now that I know SURFsoc is keeping an eye on things 24/7."

SURFsoc improves our speed of action precisely at times when hackers are active
Rory O'Connor

On average, the university's computer emergency response team (CERT) is alerted once or twice a month outside office hours from SURFsoc that something is going on that requires action. "Someone from us then gets a wake-up call," Rory explains. "In the beginning this happened a bit more often. But you notice that we are becoming more and more attuned to each other. The people at SURFsoc now know what are high-priority notifications for us and what things can wait for a while."

"That tuning and fine-tuning is important," he continues. "Certainly also for internal support. After all, you cannot expect colleagues to answer the phone in the middle of the night under the motto: heart for the cause."

Attack pressure will increase

According to Rory, when you see how many attack attempts are made, you understand how important it is to always be ready. And that attack pressure, he believes, will increase even further. "Not only from professional state actors who want to disrupt the Dutch education and research field, but also by petty criminals who can become hackers more and more easily due to the rise of AI and the low prices of hacker tools," he warns. In which, in his view, educational institutions are attractive targets due to their large attack surface.

Asymmetric warfare the education sector can only arm itself against together
Rory O'Connor

"Asymmetric warfare that the education sector can only arm itself against together," he continues. "In the end, we all have the same interest: ensuring that teaching and research can continue. We have so many partnerships and exchanges between us: when one educational institution is hit, it affects others. The more institutions are connected to SURFsoc, the safer we are as a sector. Just take the example of the use cases that we can continuously hone thanks to this collaboration."

Role of administrators

Rory stresses the importance of good and timely internal communication when you want to join SURFsoc as an institution. "Communication towards administrators, for example," he points out. "They may experience SURFsoc as a controller of their work. Whereas it is actually an extra layer of protection. It's important to have that conversation with them at an early stage. After all, you desperately need your administrators to make SURFsoc a success. Take keeping your log sources up to date. As an institution you really need to be on top of this yourself. If you have coordinated things well internally, everyone will quickly see and experience the benefits, according to this CISO. "As a university, we do an annual Red Team assessment and several pen tests. So far, these have been flagged by SURFsoc. Proof of how it works," he concludes.

Text: Sandra Kagie

Je hebt je beheerders hard nodig om SURFsoc tot een succes te maken. Neem het actueel houden van je logbronnen: daar moet je als instelling echt zelf bovenop zitten.
Rory O'Connor

Je hebt je beheerders namelijk hard nodig om SURFsoc tot een succes te maken. Neem het actueel houden van je logbronnen. Daar moet je als instelling echt zelf bovenop zitten.” Heb je de zaken intern goed afgestemd dan zal iedereen volgens deze CISO de voordelen snel zien en ervaren. “We doen als universiteit jaarlijks een Red Team assessment en meerdere pentesten. Tot nu toe zijn deze door SURFsoc gesignaleerd. Het bewijs van de werking”, besluit hij. 

Tekst: Sandra Kagie