SURFsoc: working together to strengthen information security
SURFsoc reinforces collaboration on information security and is the single point of contact for institutions to detect and prevent security incidents.
Research and educational institutions increasingly use different forms of ICT, and do not always have the time and knowledge to protect them from threats. A joint Security Operations Center (SOC) strengthens their position in information security.
SURFsoc monitors for cyber threats, possible attacks, and break-ins on the ICT infrastructure of affiliated institutions, and it is available to all institutions connected to the SURF network.
SURFsoc consists of several components, which also reinforce each other:
- Security Incident and Event Management (SIEM)
- Advice on use case use and use case management
- Knowledge sharing in the field of security
- Vulnerability Scanning
The SIEM service is the most important part of SURFsoc. We assign this service to a supplier, who provides the SIEM system and the SIEM service. We work with the supplier and the institutions within SURFsoc on use case management, enabling institutions to make meaningful use of use cases and the SIEM system.
SURFcert is connected to the National Detection Network (NDN), a partnership between the National Cyber Security Centre (NCSC), the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD). The NDN wants to identify cyber security risks and threats more quickly by sharing threat information with each other, among others with a Malware Information Sharing Platform (MISP). SURFcert is permitted to store and share data received with the MISP. Institutions can use this 'Threat Intel Feed' together with their own resources and monitor for possible threats. You can read how to subscribe on the SURFsoc wiki (in Dutch).
SURFsoc also performs vulnerability scanning. This involves vulnerabilities and bad practices that are visible from the Internet and that can be abused in such a way as to harm institutions. This form of vulnerability scanning does not replace the vulnerability scanning that you perform yourself as an institution within your system administration and patch management. You can read more about vulnerability scanning by SURFsoc on the SURFsoc wiki (in Dutch).
Collaboration between SURFsoc and SIEM
Continuous (24/7) collection and analysis of log data from ICT infrastructure is specialist work. SURF is therefore outsourcing SIEM to a supplier; SURF itself is in charge. SURFsoc remains responsible for coordinating the needs of institutions; after all, they have a contract with SURF. SURF will remain the point of contact for joint services for detecting and preventing security incidents. The SIEM supplier will help SURF and the institutions to strengthen information security, identify threats, and advise the institutions on them. This advice then enables them to follow up reports and mitigate the threat. SURFcert will have access to all this information in order to strengthen their CERT function. When there is a threat to a single institution that can take place on a wider scale, SURF and the SIEM supplier will act proactively for all the institutions.
This infographic below shows how SURFsoc, SURFcert, SIEM and the institutions relate to each other. The SIEM service is part of the overarching SURFsoc service. SIEM therefore acts as an additional partner of SURFsoc and works closely with SURFcert. SURFcert has access to the data of all affiliated institutions. When calamities occur, SURFcert helps to resolve and mitigate them on the grounds of advice from SIEM and its own knowledge.