
General information

Security Operation Center (SOC)

Brief information

The central task of the SOC is to ensure operational IT security.

The SOC is responsible for operating the central RWTH firewall as well as the firewalls in the data centers and at the institutes.
This includes maintaining rule sets and comprehensively checking log files.

The SOC also carries out the following activities:

  • Analysis of log data generated by active network components and servers.
    • Any anomalies found during the analysis are brought to the attention of the network users and/or administrators.
    • Furthermore, the SOC implements operational measures to increase security where the findings warrant them.

  • Creating vulnerability scans and reports for the server administrators.
  • Operation of the Blast-O-Mat to automatically block suspicious systems.
  • Managing the Netflow generators and collectors to analyze suspicious activities.
  • Use of capture systems for detailed analysis of network connections.
  • Implementation and operation of a SIEM system to automate log data analysis.
  • Future implementation of a DNS firewall, e.g. to detect or prevent command-and-control communication (prerequisite: clients must use the RWTH DNS servers).
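To illustrate the DNS-firewall item above and its prerequisite, here is a small added example in Python; it is not code from the SOC or from any of the tools named on this page. It applies a policy-style blocklist to DNS query records and labels queries as allowed, blocked, or "unenforced" when the client sent them to a resolver other than the campus ones. The log format, the resolver addresses (192.0.2.53/54 for campus, 198.51.100.1 external), the blocklist domains and the sample records are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed blocklist standing in for threat-intelligence domains tied to
# command-and-control (C2) infrastructure; placeholders, not real indicators.
BLOCKED_DOMAINS = {"c2.example.invalid", "beacon.example.invalid"}

# Hypothetical addresses of the campus resolvers on which a DNS firewall
# would be enforced. Queries sent to any other resolver never reach it.
CAMPUS_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed log format (one DNS query per line, as a capture system might
# summarise port-53 traffic): "<timestamp> client=<ip> resolver=<ip> q=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) resolver=(?P<resolver>\S+) q=(?P<qname>\S+)$"
)


@dataclass(frozen=True)
class Verdict:
    ts: str
    client: str
    qname: str
    action: str  # "allow", "block" or "unenforced"


def is_blocked(qname: str) -> bool:
    """Return True if qname or any parent domain is on the blocklist.

    Matching parent domains mirrors a wildcard policy rule, so
    'update.c2.example.invalid' is caught by the 'c2.example.invalid' entry.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def evaluate(log_lines):
    """Classify each query: blocked by policy, allowed, or unenforced because
    the client bypassed the campus resolvers (the prerequisite named above)."""
    verdicts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        if m["resolver"] not in CAMPUS_RESOLVERS:
            action = "unenforced"
        elif is_blocked(m["qname"]):
            action = "block"
        else:
            action = "allow"
        verdicts.append(Verdict(m["ts"], m["client"], m["qname"], action))
    return verdicts


def summarize(verdicts):
    """Count verdicts per action; a high 'unenforced' share points at clients
    that must be moved onto the campus resolvers before the firewall helps."""
    counts = {"allow": 0, "block": 0, "unenforced": 0}
    for v in verdicts:
        counts[v.action] += 1
    return counts


# Constructed sample: one benign lookup, one C2 lookup via a campus resolver,
# and one C2 lookup sent to an external resolver (invisible to the firewall).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z client=10.0.0.5 resolver=192.0.2.53 q=www.example.org.",
    "2024-01-01T10:00:01Z client=10.0.0.5 resolver=192.0.2.53 q=update.c2.example.invalid.",
    "2024-01-01T10:00:02Z client=10.0.0.9 resolver=198.51.100.1 q=beacon.example.invalid.",
    "this line is not a query record",
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_LOG)
    for v in results:
        print(f"{v.ts} {v.client} {v.qname} -> {v.action}")
    print(summarize(results))
```

The "unenforced" count is the practical takeaway: a DNS firewall on the campus resolvers can only act on queries that reach them, so clients configured with external resolvers need to be found (for example from the NetFlow or capture data mentioned above) and moved before the policy provides coverage.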

The SOC also acts as an interface to DFN-CERT: information about security incidents is provided by DFN-CERT and processed accordingly in the SOC. Affected users are then informed by the SOC.