
You are located in service:Security Operation Center (SOC) (EN)
Security Operation Center (SOC) (EN)
What is the Security Operation Center?
The central task of the Security Operation Center (SOC) is to ensure operational IT security.
The SOC is responsible for operating the central RWTH firewall as well as the firewalls in the data centers and at the institutes.
This includes maintaining rule sets and comprehensively checking log files.
The SOC also acts as an interface to DFN-CERT: information about security incidents is provided by DFN-CERT and processed accordingly in the SOC. Affected users are then informed by the SOC.
The SOC also carries out the following activities:
- The analysis of log data generated by active network components and servers is also part of the tasks.
- Any anomalies found during the analysis are brought to the attention of the network users and/or administrators.
- Furthermore, the SOC will implement operational measures to increase security if appropriate findings are available.
- Creating vulnerability scans and reports for the server administrators.
- Operation of the Blast-O-Mat to automatically block suspicious systems.
- Managing the Netflow generators and collectors to analyze suspicious activities.
- Use of capture systems for detailed analysis of network connections.
- Implementation and operation of a SIEM system to automate log data analysis.
- Implementation of a DNS firewall, e.g. to detect or prevent command-and-control communication (prerequisite is the use of the RWTH DNS servers).
The goal of these activities is to ensure IT security at RWTH and to achieve the following results:
- Identify infected systems
- Detect compromised user accounts
- Detect and prevent unauthorized data leaks and unauthorized changes to data
- Identify attacks in a timely manner
- Detect network disruptions, such as denial-of-service (DoS) attacks, and isolate affected systems.
Who should contact the SOC?
The SOC can be contacted by all employees and students who access RWTH networks.
Although the SOC takes proactive measures to protect all employees and students on the RWTH network, it relies on the vigilance of users and administrators to identify systems that cannot be detected by automated processes.
As soon as anomalies or irregularities are detected on your workstation computer, a server, a virtual machine or in relation to the accounts you use, you should contact the SOC immediately - if necessary in consultation with the officially designated contact persons.
Analysis can only begin after a report has been made. If necessary, log data must be backed up before it is deleted.
How can I contact the SOC?
Please note that the IT-ServiceDesk is usually your first point of contact. The SOC should only be contacted directly in cases of concrete suspicion or urgent enquiries.
- Phone: +49 241 80-29505
- E-mail: soc@rwth-aachen.de
- In person: Wendlingweg 10
You can also use the e-mail address abuse@rwth-aachen.de. This address can also be contacted by people outside of RWTH, as it is stored in the RIPE database for the RWTH IP areas.
The SOC team is available on weekdays 8am to 4pm for inquiries that are not time- or security-critical.
In order to be able to respond promptly to potential threats outside of regular working hours, a SOC on-call service has been set up.
This means that the SOC team is on call for you around the clock if required.