SURFsoc collects log data from various sources in the institution's infrastructure and analyses it to identify attacks and suspicious behaviour, so that you can take targeted action. It also correlates events across all monitored systems: suspicious traffic seen in one system is therefore more easily recognised when it appears in another. In this way, you increase your detection capacity as an institution.
- Security Operations Centre (SOC): in the SOC, security specialists analyse the institutions' data 24/7 to detect cyber threats and attacks, and notify SURFsoc customers when an incident occurs.
- Security Information and Event Management (SIEM): collects log data from the institution's (cloud) network infrastructure and analyses it automatically.
- Network Detection and Response (NDR): inspects network traffic for suspicious behaviour.
- Endpoint Detection and Response (EDR): EDR alerts can be fed into the SIEM as a log source; SOC analysis of these alerts is currently still limited.
SURFsoc works across institutional boundaries from a central security operations centre, which further improves detection. When suspicious traffic is observed at one institution, the networks of all other institutions are also searched for that type of traffic. In addition, the knowledge gained about cyber threats, possible attacks and intrusions into the ICT infrastructure of member institutions is shared not only with SURFsoc customers, but with all institutions connected to the SURF network. This is how we work together to strengthen our position in information security.
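The cross-institution sweep described above, as an added illustration written for this page (it is not SURFsoc's own tooling): a per-institution rule flags a source address that is denied against several distinct hosts, and the flagged indicator is then looked up in every other institution's logs, where even a single successful connection is reported. The log line format, the institution names (uni-a, uni-b, uni-c), the sample lines and the threshold are all constructed assumptions.

```python
"""Cross-institution indicator correlation over constructed firewall-style log lines."""
import re
from collections import defaultdict

# Assumed line format (not a real SURFsoc format):
#   <institution> <timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LINE_RE = re.compile(
    r"^(?P<inst>\S+) (?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>allow|deny)$"
)

# Constructed sample: one source (203.0.113.7) probes several hosts at uni-a,
# gets a single *allowed* SSH connection at uni-b and one denied attempt at uni-c.
SAMPLE_LOGS = """\
uni-a 2024-03-01T10:00:01Z src=203.0.113.7 dst=10.1.0.5 dport=22 action=deny
uni-a 2024-03-01T10:00:02Z src=203.0.113.7 dst=10.1.0.6 dport=22 action=deny
uni-a 2024-03-01T10:00:03Z src=203.0.113.7 dst=10.1.0.7 dport=22 action=deny
uni-a 2024-03-01T10:00:04Z src=203.0.113.7 dst=10.1.0.8 dport=22 action=deny
uni-a 2024-03-01T10:05:00Z src=198.51.100.20 dst=10.1.0.9 dport=443 action=allow
uni-b 2024-03-01T10:02:10Z src=203.0.113.7 dst=10.2.0.3 dport=22 action=allow
uni-b 2024-03-01T10:03:00Z src=192.0.2.44 dst=10.2.0.4 dport=443 action=allow
uni-c 2024-03-01T10:04:00Z src=203.0.113.7 dst=10.3.0.2 dport=22 action=deny
uni-c 2024-03-01T10:04:30Z src=192.0.2.44 dst=10.3.0.5 dport=443 action=allow
"""


def parse_logs(text):
    """Parse log lines into dicts; unparseable lines are skipped so one bad line cannot stop a sweep."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        event = m.groupdict()
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def local_scan_alerts(events, min_targets=3):
    """Per-institution rule: flag a source that is denied against >= min_targets distinct hosts.

    Returns {institution: {flagged source IPs}}. Only events of the same institution
    count, which is exactly why a source that touches few hosts per institution
    stays below the threshold everywhere when institutions are watched in isolation.
    """
    denied_targets = defaultdict(set)  # (institution, src) -> set of dst
    for e in events:
        if e["action"] == "deny":
            denied_targets[(e["inst"], e["src"])].add(e["dst"])
    alerts = defaultdict(set)
    for (inst, src), dsts in denied_targets.items():
        if len(dsts) >= min_targets:
            alerts[inst].add(src)
    return dict(alerts)


def cross_institution_sweep(events, alerts):
    """For each indicator raised at one institution, count its activity at every other institution.

    Returns {(origin_institution, src): {other_institution: {"allow": n, "deny": m}}}.
    A single allowed connection elsewhere is reported: it would never trigger the
    local rule on its own, but combined with the origin alert it is the more
    worrying event (the probe succeeded there).
    """
    hits = {}
    for origin, sources in alerts.items():
        for src in sources:
            per_inst = defaultdict(lambda: {"allow": 0, "deny": 0})
            for e in events:
                if e["src"] == src and e["inst"] != origin:
                    per_inst[e["inst"]][e["action"]] += 1
            hits[(origin, src)] = {inst: dict(counts) for inst, counts in per_inst.items()}
    return hits


def run_sample():
    """Run the full pipeline over the constructed sample and return both result sets."""
    events = parse_logs(SAMPLE_LOGS)
    alerts = local_scan_alerts(events)
    return alerts, cross_institution_sweep(events, alerts)


if __name__ == "__main__":
    local, sweep = run_sample()
    for inst, sources in local.items():
        print(f"local alert at {inst}: {sorted(sources)}")
    for (origin, src), others in sweep.items():
        for inst, counts in others.items():
            print(f"  {src} (first seen at {origin}) also seen at {inst}: {counts}")
```

In the sample, only uni-a sees enough denied attempts from 203.0.113.7 to raise an alert; the sweep then surfaces the allowed SSH connection at uni-b and the lone denied attempt at uni-c, neither of which would have been noticed by an institution looking at its own logs alone.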