Background
Cybersecurity
The spectrum of threats to organisations is widening every year, especially as business operations go global and the number and variety of devices rapidly grows with the IoT.
Institutional networks are further challenged by the emergence of so-called "IoT threats". The emergence of BYOD (bring your own device) devices such as smart phones, smart watches, tablets, etc., which challenge the traditional view that protection against outside attacks at the "edge" of networks is sufficient to protect against threats.
However, newer methods based on simple network monitoring or signature-based detection are also proving ineffective against modern threats. Attackers are using increasingly sophisticated 'stealth' techniques to bypass traditional defence and detection mechanisms, whereby their traffic patterns become almost indistinguishable from regular administrative activities.
Security Operation Center, SOC
Today's protection against threats requires a formalised, structured and disciplined approach. An SOC provides a wide range of services, from monitoring and management to comprehensive threat protection solutions and hosted security, which can be tailored to the customer's needs.
A modern and effective SOC can be organised around three main building blocks: the professional (analyst, incident manager, threat hunter), security processes and technology. Security Operations Centres typically employ security analysts and engineers who monitor and analyse the activities of networks, servers, endpoints, databases, applications, websites and other systems, looking for anomalous activities that could indicate a security incident or threat. The SOC is responsible for ensuring that potential security incidents and threats are correctly identified, analyzed, protected, investigated and reported. A first level analyst is responsible for monitoring (real or false), prioritising and analysing security alerts. If the incident cannot be handled and resolved by simpler means, it is escalated to a second level analyst or incident manager for deeper investigation. At the top of the pyramid are third-level threathunters, who use complex and sophisticated techniques to investigate the cause and origin of the incident. The two core elements of the technology are SIEM (security information and event management system) and SOAR (security orchestration, automation and response).
SIEM systems are used for data collection and filtering, threat detection and classification, and threat analysis and investigation. SOAR platforms are similar to SIEM in that they collect, correlate and analyse alerts. However, SOAR technology goes a step further by integrating threat intelligence and automating incident investigation and response workflows based on playbooks developed by the security team.
Goals
One of our major goals is to promote and support different aspects of cybersecurity at university level, as sooner or later companies, businesses and other institutions will need experienced and well-trained professionals, engineers and researchers in this field. In addition to teaching and establishing a theoretical background, we attach particular importance on cybersecurity research, development and innovation to provide practical techniques and methods for our students and partners. In the practice of teaching, we focus on developing a project approach, nurturing talent and encouraging research. To this end, we set up research groups with students, where they learn the challenges of research and development in a practical approach and experience teamwork.
In order to support cyber defense research, a "core" real/virtualized hybrid test network is continuously being developed within the university network, including a Security Operation Centre (SOC) and a Honeypot segment, complemented by additional intrusion detection, prevention and analysis solutions. The SOC is operated in a largely virtualized environment using open-source building blocks. Since cyber defense research (Honeypot and SOC optimization, attacker profiling, digital forensic, active deterrence, incident management) requires a large amount of log and traffic samples, we organize various cyber defense challenges and competitions (Capture the flag (CTF) and Attack/Defense competitions), which on the one hand provide excellent motivation and orientation of students towards cyber security, and on the other hand provide sufficient "realistic looking" simulated attack data for analysis and optimization.