Security Operations Center cases
A mid-size bank contacted us intending to introduce a Security Information and Event Management (SIEM) system in its data centre. The bank already had some elements of a Security Operations Center (SOC) and asked us to improve it, bring it up to modern standards and take over support of the SOC.
From the several available SOC/SIEM models (on-premise SOC, cloud implementation, full outsourcing, etc.), the client selected a combined model, which required our staff to work with monitoring systems physically located at the bank.
First, we carried out an inventory of the client’s information assets and identified the event sources: more than 5000 hosts located in 12 offices and data centres of the bank, including more than 50 database servers. Next, we defined incident profiles, response and support procedures, and estimated the event throughput, which was about 1500 EPS (events per second).
Based on an IBM QRadar high-availability cluster, we implemented the following functions and components in the bank's data centre: log management, security event management, threat intelligence, risk and vulnerability management, user and entity behaviour analytics, machine learning, orchestration and response, honeypots/honeynets, threat hunting, and digital forensics.
Our experts developed the necessary rules and procedures, wrote the missing custom parsers and quickly connected event sources from Microsoft Server Family, Microsoft System Center, RedHat Enterprise Linux, Hitachi, IBM AIX, IBM Storage Manager, Cisco IOS / NX-OS, Check Point NGX, SAP, Citrix XenServer, XenDesktop, XenApp, Microsoft SQL, Oracle, Microsoft Exchange, SharePoint, UAG and many other types of systems.
We protected the system components with firewalls and the data streams with site-to-site VPN. Then we defined the role-based access matrices for the system, set up continuous updates, fine-tuned the detection rules and tested the detection of anomalies and threats.
Right before the production launch, we divided the security roles and responsibilities between our personnel and the customer’s staff, trained them and put the system into commercial operation.
The implementation of the system took us 8 months.
Conclusions. As a result of the implementation, the bank received a modern Security Operations Center built on a real-time system for security event logging, monitoring and threat response. Among other outcomes, we optimized some of the customer’s technological processes, discovered obsolete assets, improved server access control, and set up the collection and storage of security event logs in accordance with PCI DSS requirements and national requirements for the collection of forensic evidence acceptable in court. The bank successfully passed several external independent audits and became compliant with the applicable norms and standards. The total annual damage from security incidents decreased many times over.
The websites of a Ukrainian information technology university suffered from regular attacks. Mainly, it was disgruntled students who hacked their alma mater: these future IT specialists penetrated and defaced the websites just for fun. The university staff were unable to withstand the attacks, and the university management decided to outsource website security to us.
First, we performed the initial security hardening. In particular, we conducted a security audit of 6 websites and several technological processes. Then we analyzed the assets, defined the security policies and procedures, hardened the web servers using the CIS Controls and CIS Benchmarks, and updated several weak components. Additionally, we implemented comprehensive backup procedures, log collection services, strict role-based access, two-factor authentication, and other security controls. Following the university's policies, we employed several open source security solutions, namely the Web Application Firewall (WAF) ModSecurity, the Host-based Intrusion Detection System (HIDS) Tripwire and some other products.
Then we implemented continuous protection for the websites. We employed Cloudflare services to protect against DDoS attacks. Website availability checks were executed every minute. We enabled transaction checks – user browser emulation that tests the important functions of the websites, for example, login and registration. We also deployed Real-User Monitoring (RUM) checks to measure the page load time of the websites from the real user's perspective. Finally, we connected the university's systems to our SIEM security monitoring system. These measures also brought some positive side effects and enhancements, such as faster traffic for mobile devices.
After that, we divided security responsibilities between the university's security staff and our personnel. Our dedicated specialists started to monitor the website security round-the-clock. Then, we performed several training sessions for the university's engineers covering security vulnerabilities, security testing, security event monitoring, and incident response.
Finally, we even advised the university to announce a bug bounty program encouraging the students to report vulnerabilities and to try to hack the websites as part of their practice. In this way we turned our adversaries into our allies at no additional cost and, at the same time, discouraged anyone who did not want to collaborate.
As a result of the implementation of continuous website protection, website incidents decreased to a negligible level. Penetrations and defacements stopped completely. The IT university's reputation as a secure organization was saved and considerably improved.