Radboud University’s Security Operations Centre (SOC) was launched in the summer. The goal: to increase the digital security of the university. Several near-disasters allowed the team to immediately justify its existence. “We had to pull out all the stops.”
After months of preparation, several hackers broke into Maastricht University’s network in early 2020. That crippled the network, and the university ultimately paid a ransom of hundreds of thousands of euros (30 bitcoins) to get it back. “That prompted Radboud University to significantly increase our security”, explains Peter Arnts, team leader at the RU SOC.
Part of the programme was setting up an RU SOC, a team of four security analysts that works closely with the national SURFsoc and can be contacted around the clock. “We do our work in constantly changing SOC roles”, explains team member Remco Derksen. “For instance, we keep an eye on email traffic and we respond to phishing attacks. And we’re especially alert to abnormal patterns. If someone logs in via a VPN in the Netherlands and again a half hour later via a VPN in Aruba, something may be going on and we call it in. A hack often starts when someone clicks on an innocent-looking link. And with about 5,000 employees and 25,000 students, the risk of that is quite high.”
“We also monitor current developments”, adds Jacques Loonen. “Recently, Chinese surveillance cameras that possibly contained spy software were a hot topic. Then we follow the news and, if necessary, make recommendations for improving a potentially unsafe situation in the building control systems.”
Because of the pandemic, the team exclusively worked from home and mainly had contact via Teams. Looking ahead to a full reopening after the pandemic, the team expects to reach full strength by working together in earnest. “We all bring different expertise from our pasts”, says manager Jeroen Beekhuis, referring to various specialisations (Linux, Windows, networks and monitoring). “Our strength is that we complement and reinforce each other.”
At the end of the year, it became clear that attention can never wane. Team member Henry van Doorn recalls an “apparently reliable email” that mentioned a well-known website for innovation in higher education. “Malware could be spread via fake updates.” In addition, the Log4j vulnerability came to light at the end of the year. Van Doorn: “That became an IT calamity, and our team played an advisory role. We all had to pull out all the stops.”
The team is led by Peter Arnts and consists of four specialists: Remco Derksen, Henry van Doorn, Jacques Loonen and a colleague who wishes to remain anonymous. The team is functionally managed by IT Security manager Jeroen Beekhuis.