SURFsoc gives you a single point of contact for all your infrastructure security issues. SURFsoc monitors cyber threats and possible attacks on the institutional infrastructure, for example via a SIEM system. We share the knowledge that we acquire within SURFsoc with the institutions.
Faster and more targeted threat interception by monitoring security
SURF is innovating non-stop and is currently developing a number of security services to intercept irregularities in the network more quickly and more effectively. SURFcert can then warn of threats at the earliest possible stage.
Domain Name System (DNS) monitoring and filtering
Detecting suspicious domains
With DNS monitoring, SURFcert detects malicious domains that are queried in DNS in a privacy-friendly manner. Cyber criminals use DNS for their activities in various ways; requesting a particular domain (or pattern of domains) from a DNS resolver can be part of an Indicator of Compromise (IoC). A system may therefore be infected or an attack may take place. We check requested domains with a list of suspicious domains and get a better understanding of possible threats. With this insight, we warn and advise institutions, for example, to monitor more closely or to isolate certain systems.
Block malicious requests
In the future, we will consider actually blocking such domains. If you then request these domains, it will no longer yield results in DNS, for example, or you will see a page from SURFcert. We are still investigating this option thoroughly: the measure is far-reaching, with potentially unforeseen consequences.
Intrusion Detection System (IDS)
Check and warn
An Intrusion Detection System (IDS) consists of sensors that monitor network traffic. An IDS checks for IoCs (Indicators of Compromise), and warns if it detects something. In the network, these sensors act as passive monitors and do not interfere with the normal operation of the network. They are strategically placed and, based on information from IoCs, check for certain suspicious patterns in network traffic. If you want to use these IoCs for your institution's IDS systems, you can already get them from SURFcert.
Setting up IDS in a SURF network
We are investigating the possibilities of setting up our own IDS in the SURF network, using the same infrastructure as that of Firewall-as-a-Service. We will then monitor IoCs outside the institution's networks as a possible addition to the institution's own IDS; after all, an IDS in the SURF network cannot see any internal institution traffic.