
IT Centre of RWTH Aachen University

Development and implementation of a SIEM solution

The customer:
RWTH Aachen University is a leading German technical university based in Aachen, North Rhine-Westphalia. With a strong focus on engineering, natural sciences, economics and medicine, the university offers a wide range of degree programmes at Bachelor's and Master's level. RWTH Aachen University is characterised by its outstanding research and teaching, particularly in areas such as mechanical engineering, computer science, electrical engineering, chemistry and medicine. Close links with industry and numerous collaborations with companies contribute to the practical training of students and promote the development of innovative technologies. The university has a large and diverse student body drawn from all over the world. The exact number of students varies from semester to semester, but is typically over 45,000 in total.

Challenge / Goal:
RWTH Aachen University needed a Security Information and Event Management (SIEM) system to analyse data and information from various source systems in the university network, primarily for security risks.
Our customer set the following minimum requirements for the system: it must be able to receive, process and store log entries, events and messages from RWTH Aachen University's source systems. It must process at least 30,000 log messages per second on a daily average and a daily data volume of at least 1.0 TiB, and a short-term peak load of 25% above that average must be assumed.
The system must also receive, process and store netflow messages totalling at least 100,000 flows per second on a daily average, with a short-term peak load of 40% above the average taken into account.

Realisation / solution:
Two geo-redundant clusters with five servers each were planned and put into operation for the project. To make the best possible use of the server capacity, four of the five servers in each cluster run one Logstash instance and one Elastic instance, while the fifth server runs two Elastic instances. The Logstash instances receive, process and forward the data for indexing. The project team installed an Elastic Agent on the source systems at RWTH Aachen University to forward the data to the Logstash instances.
The eight Logstash instances together achieve a throughput of at least 96,000 events per second. In addition, each Logstash instance processes at least 45,000 Netflow messages per second, so the installation as a whole can read 360,000 Netflow messages per second. This is a multiple of the minimum system requirements.
The rollout proceeded in stages. First, the necessary Elastic components were installed in the test environment and a small number of servers from each data source were connected. This made it possible to create a template for installing the agents on the source systems, as well as the data mapping and index architecture for the remaining systems and the production environment.
Once the results on the test system met RWTH Aachen University's expectations, delivery to the production system began. Source systems can now be connected directly with the correct field processing and, where necessary, extraction or anonymisation. Following a further extensive test, additional users can now be authorised to access the system. Users are managed by RWTH Aachen University itself using AD groups.
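As an added sizing check (not part of the original case study), the requirement and throughput figures quoted above feed a small headroom calculation that also covers the failure mode geo-redundancy is meant to absorb: loss of one whole cluster. Two assumptions are read from the text: the 96,000 eps are split evenly across the eight Logstash instances, and each cluster hosts four of them.

```python
"""Capacity headroom check for the SIEM sizing described in the case study.

Constructed example. Requirement and throughput figures are those quoted in
the text; the topology (2 clusters x 4 Logstash, even load split) is inferred.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    avg_rate: float      # events or flows per second, daily average
    peak_factor: float   # 1.25 means a short-term peak of 25 % above average

    @property
    def peak_rate(self) -> float:
        return self.avg_rate * self.peak_factor


@dataclass(frozen=True)
class Topology:
    clusters: int
    logstash_per_cluster: int
    eps_per_instance: float   # measured log events/s per Logstash instance
    fps_per_instance: float   # measured netflow flows/s per Logstash instance

    def capacity(self, clusters_up: int) -> tuple[float, float]:
        """Aggregate (eps, fps) capacity with `clusters_up` clusters healthy."""
        n = clusters_up * self.logstash_per_cluster
        return n * self.eps_per_instance, n * self.fps_per_instance


def headroom(topology: Topology, logs: Requirement, flows: Requirement,
             clusters_up: int) -> tuple[float, float]:
    """Capacity divided by peak requirement for logs and flows; >= 1.0 fits."""
    eps_cap, fps_cap = topology.capacity(clusters_up)
    return eps_cap / logs.peak_rate, fps_cap / flows.peak_rate


def bytes_per_event_budget(daily_tib: float, avg_eps: float) -> float:
    """Average stored bytes per event that keeps the daily volume within budget."""
    return daily_tib * 2**40 / (avg_eps * 86_400)


LOGS = Requirement(avg_rate=30_000, peak_factor=1.25)    # 30,000 eps, +25 % peak
FLOWS = Requirement(avg_rate=100_000, peak_factor=1.40)  # 100,000 fps, +40 % peak
# 96,000 eps over eight instances -> 12,000 eps each (assumed even split)
RWTH = Topology(clusters=2, logstash_per_cluster=4,
                eps_per_instance=96_000 / 8, fps_per_instance=45_000)

if __name__ == "__main__":
    for up in (2, 1):   # full site, then one geo-redundant cluster lost
        h_log, h_flow = headroom(RWTH, LOGS, FLOWS, up)
        print(f"{up} cluster(s) up: logs {h_log:.2f}x, flows {h_flow:.2f}x of peak")
    print(f"event size budget: {bytes_per_event_budget(1.0, LOGS.avg_rate):.0f} B")
```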

Benefit:
The SIEM solution developed and implemented by Robotron makes it easier to recognise attacks on infrastructure and compromised access points in the RWTH Aachen University network. Countermeasures can therefore be taken at an early stage and damage to the university network averted. To this end, Robotron developed dashboards together with RWTH Aachen University to detect and prevent attacks via known identifiers.
In parallel with the implementation, the RWTH Aachen University team received further training in the use of the SIEM solution through Elastic training courses and can therefore make adjustments and configuration changes to the system independently.
