
Solar JSOC

Product
The name of the base system (platform): Solar inView, formerly Jet inView Security (JiVS)
Developers: Rostelecom-Solar (formerly Solar Security)
Date of the premiere of the system: 2016/02/18
Last Release Date: 2023/09/07
Technology: Information Security - Firewalls,  Information Security - Information Leakage Prevention,  Information Security - Fraud Detection System (Fraud)


Solar JSOC is a commercial center for monitoring and responding to information security incidents, offering a set of information security services to counter modern threats.

Information Security Service Model

As a managed security service provider (MSSP), Solar JSOC offers:

  • 24/7 incident detection, response and investigation;
  • analysis and prioritization of vulnerabilities in both core infrastructure elements and business application code;
  • repelling targeted APT attacks;
  • detection of network hosts infected with targeted malware;
  • protection of web applications, including protection against DDoS.

The incident monitoring service began operating in 2013. Solar JSOC has more than 30 shift specialists, analysts and experts who handle more than 75 thousand events with suspected incidents per year.

Client data is protected at all stages of information security incident monitoring and response. Security is implemented at both the physical and the information level using access control tools, auditing of the work of Solar JSOC specialists, integrity control and protection of data in transit. Solar JSOC is PCI DSS certified.

JSOC Organizational Structure (2015)



Solar JSOC Functions

  • incident monitoring, operating 24x7 to monitor and respond to cybercrime threats and attacks, including internal ones. The service comes with a guaranteed SLA and covers everything from long-term storage of information security events to the investigation of incidents identified by correlation rules. Monitoring of application- and user-level incidents is based on analysis of business processes and on targeted-attack intelligence from Russia's leading information security laboratories.
  • security control, which identifies and prioritizes vulnerabilities according to their risk level, the infrastructure, the security systems already in place and compensating protective measures. As part of the "JSOC - Security Control" service, the infrastructure is also checked periodically for traces or instances of malware that antivirus tools do not detect.
  • anti-DDoS, which protects the availability of services and applications. The service is built on leading solutions in the DDoS protection market segment.
  • cybercrime protection based on real-time data on current threats and targeted attacks. The service makes it possible to take countermeasures in time: block compromised accounts, check the infrastructure for targeted malware, analyze the attack and restore information systems to their previous state.
  • security administration: classic outsourcing of the operation of many information security solutions, freeing up the customer's own resources for new tasks and projects.
  • application code analysis, which helps build a full-fledged process for identifying and eliminating vulnerabilities before in-house or custom-developed systems go into operation.
  • web application protection, delivered as a service: a WAF plus the services for operating it, on a subscription basis. This approach avoids processing traffic outside the client's network, and online tuning of signatures to block previously unknown types of web attacks makes it possible to counter threats at an early stage.

2023

HardBit ransomware decoder release

The cybercriminal group HardBit, which previously attacked Western countries using the ransomware of the same name, was spotted trying to extort a Russian organization. Experts from the Solar JSOC CERT cyber incident investigation center at RTK-Solar analyzed samples of all versions of HardBit and found a way to decrypt the files. The company announced this on September 7, 2023.

Joining the creators of the ETHIC service to the Solar JSOC center team

The team that created ETHIC, a Russian Digital Risk Protection (DRP) service, moved from Infosecurity (part of Softline Group of Companies) to Rostelecom-Solar, joining the team of the Solar JSOC cyber attack center. Company representatives reported this to TAdviser on February 9, 2023. A joint group of more than 20 experts is already preparing to launch an updated and significantly expanded service for detecting external digital threats.

Launch of Kaspersky Lab SIEM to provide services for monitoring and responding to cyber attacks

To provide services for monitoring and responding to cyber attacks, Rostelecom-Solar launched the SIEM platform Kaspersky Unified Monitoring and Analysis Platform (KUMA). It centrally collects, analyzes and correlates cybersecurity events from various data sources in order to quickly identify and prevent cyber incidents. Kaspersky Lab reported this on January 20, 2023.


One of the key tools of a SOC is the SIEM system, and Rostelecom-Solar traditionally seeks to give customers a choice of platform for their tasks. In the spring of 2022, the company decided to add the KUMA platform to its service portfolio, citing the flexibility of its architecture, its ability to ingest and process large event streams, and a clear migration path from other solutions. In addition, the product ships with a wide range of out-of-the-box connectors to typical log sources. An important role in the implementation was played by Kaspersky Lab's readiness to quickly extend the product's functionality in line with the strict requirements of Solar JSOC and current market demands. All these factors made it possible to almost halve the time needed to integrate and launch the service: the full cycle took only 4 months.

The experience of Solar JSOC can be useful to companies that need to migrate from foreign solutions. To make this process comfortable, customers can turn to providers that offer monitoring services and SOC consulting. The KUMA-based service helps quickly protect the infrastructure by transferring a number of functions to external specialists.

"Kaspersky Lab and Rostelecom-Solar have serious plans for close collaboration to increase the level of protection of companies in the Russian market. The company takes into account the requirements of Solar JSOC, based on the real experience of monitoring numerous customers. This made it possible to develop KUMA with an understanding of the real needs of the customer: not just to follow market trends, but to solve current problems," commented Ilya Markelov, Head of Development of Kaspersky Lab's Unified Corporate Platform.

"By introducing a second SIEM, the company was interested in maintaining the quality of the service. This was possible thanks to the SIEM system's highly flexible functionality for developing correlation rules, connecting event sources, and integrating with external systems. The ease and transparency of migration from the solutions of foreign vendors was also noted, in part due to similar architectural approaches and the use of a single event format. In addition, colleagues from Kaspersky Lab showed a personalized approach and promptly took into account our needs and wishes for the development of the product. As a result, the revised version of KUMA matches the efficiency of solutions of the same class from foreign vendors," noted Maxim Zhevnerev, Head of Technology Development and Advanced SOC Services at Rostelecom-Solar.

2022

Allocation of Emergency Incident Response Service

Rostelecom-Solar has added an Emergency Incident Response service to its portfolio of response services. A request submitted via the website is processed within 30 minutes, and the service is delivered the same day, taking into account the criticality of the incident. The service is provided 24/7 by experts from the Solar JSOC CERT cyber incident investigation center to both existing and new customers. Rostelecom-Solar announced this on November 14, 2022.

Since February 2022, the number of mass cyber attacks on Russian organizations has increased hundreds of times compared with 2021, while the number of serious attacks on public administration bodies and critical information infrastructure facilities has increased 4-5 times. Against this background, the need of companies to investigate and respond to cyber incidents has grown rapidly. In just 4 months (from March to June 2022), Solar JSOC CERT experts carried out more response projects than in the whole of 2021. In 80% of cases, the developing attack had to be blocked urgently. The customers included organizations of various industries and information security maturity levels: the public sector, power engineering, industry, finance, agriculture, telecom, retail, etc. The level of the attackers also varied significantly, from novice hacktivists to foreign pro-government groups.

"The infrastructures of many Russian companies have accumulated vulnerabilities for years, which the company and other information security market experts have repeatedly talked about. Unfortunately, the territory of our country has actually turned into a large field for politically motivated hacker experiments, and this situation has even affected companies that were of no interest to attackers before the announcement of the SVO and believed they could 'afford' unclosed holes. They are reconsidering their approach to information security, but working out and implementing protective measures takes time, and the attacks are happening here and now. The company has added an emergency response to its services: a kind of information security ambulance available on the day of the request through the site," commented Igor Zalevsky, head of the Solar JSOC CERT cyber incident investigation center at Rostelecom-Solar.

To receive the service, it is enough to fill out a short request form on the site, indicating the type of incident (suspected compromise, information leak, hacking of public services, data encryption, etc.). Contractual obligations are drawn up in parallel in an accelerated mode. The emergency response service includes localization of the incident, isolation of compromised resources, coordination of the customer's information security service in eliminating the consequences of the attack, and recommendations for preventing such incidents in the future.

The service is provided only on the basis of the customer's own infrastructure and does not apply to leased cloud resources. A comprehensive incident investigation and response service is still available to customers when they need to identify the cause of an incident in more detail or to find other possible locations for an attacker in the infrastructure.

Security Vision Incident Response Platform Service Availability

Rostelecom-Solar customers can now automate the response to cyber incidents with Security Vision. The Security Vision Incident Response Platform (IRP/SOAR) service is already available to all customers of the Solar JSOC cyber attack center. Rostelecom-Solar announced this on July 6, 2022.

Adding Threat Intelligence Database Data "Dr.Web"

Rostelecom-Solar and Dr.Web have entered into an agreement to jointly counter computer attacks. Companies will share analytics and statistics on current cyber threats, as well as detected indicators of compromise (IOC). The partnership also involves the exchange of experience within working groups. Such interaction will help both companies more efficiently and quickly identify computer attacks and eliminate their consequences. Rostelecom-Solar announced this on March 16, 2022.

Every year the number of cyber incidents increases. In particular, according to Rostelecom-Solar data, the number of attacks by professional attackers grew by a third in 2021. At the same time, attackers constantly improve their techniques and tactics, make the logic of their malware more complex, and quickly find and exploit vulnerabilities. Botnets are also becoming a growing threat to companies: in the fall of 2021 the Meris botnet, the largest discovered at that time with 200 thousand devices, was identified as the source of DDoS attacks on Yandex and a number of other large companies.

As part of the partnership, Rostelecom-Solar and Dr.Web plan to exchange information about compromised hosts and hosts that are part of botnets, detected attempts to attack various information resources, and malware distribution. This data will complement existing Threat Intelligence sources and increase the effectiveness of investigations conducted by specialists of the Solar JSOC cyber attack center. For Dr.Web, data on the attack profile, 0-day malware, the exploits through which malware spreads, and existing botnets are especially valuable; all of this will significantly complement the vendor's existing database.
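A partner feed of compromised hosts, botnet members and malware hashes is only useful once it is normalised and matched against the events the SOC already collects. The following is an added example written for this page, not Solar JSOC's or Dr.Web's own tooling: the feed lines, the events and the filtering rules (dropping RFC 1918 and loopback addresses as noise) are all constructed assumptions, and the "type,value,source" feed format is an illustrative choice rather than the partners' real exchange format.

```python
"""
Added example (not Solar JSOC or Dr.Web code): normalise a partner IOC feed
(compromised hosts, botnet members, malware hashes) and match it against
parsed security events.  All feed entries and events below are constructed.
"""
import ipaddress
import re
from typing import Dict, List

IOC_TYPES = ("ip", "domain", "sha256")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Assumed "noise" ranges: a feed entry inside these would only produce
# alerts on internal traffic, so it is dropped at load time.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed feed, deliberately in the mixed, partly "defanged" style in
# which indicators are often shared (hxxp, [.]), one 'type,value,source' per line.
RAW_FEED = """
# type,value,source
ip,198.51.100.23,partner-botnet-list
ip,203.0.113[.]7,partner-botnet-list
ip,10.0.0.1,partner-botnet-list
domain,evil-c2[.]example,partner-compromised-hosts
domain,hxxp://update.bad-domain.example/,internal-ti
sha256,3F786850E387550FDAB836ED7E6DC881DE23001B0E6C6D8F8B2EF7A6A1E1D9A4,internal-ti
not-a-type,whatever,junk
"""

# Constructed events, as they might look after SIEM parsing of proxy/DNS/EDR logs.
EVENTS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "198.51.100.23", "domain": None, "sha256": None},
    {"id": 2, "src_ip": "10.0.0.8", "dst_ip": "93.184.216.34", "domain": "Evil-C2.example.", "sha256": None},
    {"id": 3, "src_ip": "10.0.0.9", "dst_ip": "192.0.2.10", "domain": "dns.example",
     "sha256": "3f786850e387550fdab836ed7e6dc881de23001b0e6c6d8f8b2ef7a6a1e1d9a4"},
    {"id": 4, "src_ip": "10.0.0.2", "dst_ip": "203.0.113.7", "domain": "update.bad-domain.example", "sha256": None},
]


def refang(value: str) -> str:
    """Undo common defanging (hxxp, [.]), strip URL scheme/path, lower-case,
    and drop a trailing dot so FQDN and plain forms compare equal."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    v = re.sub(r"^[a-z]+://", "", v)   # drop scheme
    v = v.split("/")[0]                # drop path
    return v.rstrip(".")


def load_feed(text: str) -> Dict[str, Dict[str, str]]:
    """Parse feed lines into {ioc_type: {normalised_value: source}}.
    Malformed lines, unknown types, invalid hashes and noise IPs are skipped."""
    feed: Dict[str, Dict[str, str]] = {t: {} for t in IOC_TYPES}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or parts[0] not in IOC_TYPES:
            continue
        ioc_type, raw, source = parts
        value = refang(raw)
        if ioc_type == "ip":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue
            if any(addr in net for net in NOISE_NETS):
                continue
        elif ioc_type == "sha256" and not SHA256_RE.match(value):
            continue
        feed[ioc_type][value] = source
    return feed


def match_events(feed: Dict[str, Dict[str, str]], events: List[dict]) -> List[dict]:
    """Return one alert per (event, matching indicator) pair."""
    alerts = []
    for ev in events:
        for ioc_type, raw in (("ip", ev.get("dst_ip")),
                              ("domain", ev.get("domain")),
                              ("sha256", ev.get("sha256"))):
            if not raw:
                continue
            value = refang(raw)          # same normalisation as the feed side
            source = feed[ioc_type].get(value)
            if source:
                alerts.append({"event_id": ev["id"], "ioc_type": ioc_type,
                               "ioc": value, "source": source})
    return alerts


def run() -> List[dict]:
    return match_events(load_feed(RAW_FEED), EVENTS)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Normalising both sides with the same function is the point: the feed's `evil-c2[.]example` and the DNS log's `Evil-C2.example.` only meet if defanging, case and trailing dots are handled identically. Filtering private ranges at load time is a quality gate a SOC needs before enabling any partner feed, since a single `10.0.0.1` entry would otherwise fire on every internal flow.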

"This cooperation will allow the expert knowledge of our companies' specialists to complement each other harmoniously. The Dr.Web virus laboratory has developed methods for detecting the full range of cyber threats; these methods are constantly being improved and, combined with the expertise of Rostelecom-Solar, should significantly strengthen the counteraction to cyber attacks," said Evgenia Khamrakulova, head of technological partnerships at Doctor Web.

"Indeed, against the background of the growing danger in cyberspace, it is extremely important to unite the efforts of the entire information security community; otherwise it will be impossible to build effective protection for both state organizations and private companies. The partnership with Dr.Web will certainly strengthen the expertise of our cyber attack response center. At the same time, Solar JSOC is constantly expanding its sources of data on current information security threats: its own daily updated database of indicators and knowledge about new threats (Threat Intelligence), information from a network of sensors and honeypots throughout the country, the results of penetration tests, and data from third-party SOCs and CERTs, vendors and regulators," explained Alexey Pavlov, Business Development Director of the Solar JSOC cyber attack countering center at Rostelecom-Solar.

The ability for customers to control the operation of all services in a single personal account

Rostelecom-Solar customers can now monitor the connected services of the Solar JSOC cyber attack center in single window mode. The company announced this on January 27, 2022. The personal account, implemented as a web interface, allows you to get data on the infrastructure connected to monitoring, running scenarios and other details of interaction with Solar JSOC at any time. This makes the work of services more transparent for the client, and his full-time information security specialists are able to more quickly analyze incidents. The personal account is already available to all current and new customers of Rostelecom-Solar.

Previously, organizations connected to Solar JSOC services either received incident notifications (tickets) by e-mail and could contact the provider by phone, or had tickets sent directly to their own IRP system. However, companies with their own IRP are still few.

"The main task of the personal account is to make the process of managing Solar JSOC services as transparent and understandable as possible for customers. Therefore, at the concept development stage, we analyzed market demand and feedback on various prototypes and created a convenient interface for continuous control of service parameters and further interaction with the monitoring team. This significantly increases the quality of service provision and the convenience and transparency of using the service, and also lets customers see the real level of cyber defense of their infrastructure and respond to incidents faster," explained Alexey Pavlov, Business Development Director of the Solar JSOC cyber attack response center at Rostelecom-Solar.

Among the key functions of the personal account is the ability to quickly receive detailed information about all events recorded on the company's infrastructure, their statuses (legitimate activity, confirmed incident or false triggering) and see where the attacks on the company are coming from. A client can also create their own call to the provider if some activity in their infrastructure seems suspicious.

In addition, the list of tickets can be filtered by the required parameters or keywords. The interface supports searching by alert body, status and scenario type. Thus, the user can see a list of all incidents and identify weaknesses on the IT perimeter, typical problems, and the most relevant and frequent cyber threats. Heads of IT and information security services can also control how their subordinates work with tickets, for example how quickly they respond to messages and whether they miss notifications from the service provider.

Through the personal account, the client can always check the data on his infrastructure (sites, IT assets, subnets), sources connected to monitoring and the dynamics of their changes. And also clarify which scenarios for detecting cyber incidents are currently launched and which are available based on the characteristics of the company. Finally, the user can at any time clarify the main parameters of the service contract, find contacts of all those responsible on the side of the service provider, assess the stock of licenses under the current contract, etc.

In the near future, the functionality of the personal account will expand. In particular, all Rostelecom-Solar cybersecurity services will be connected to it, additional components of the incident monitoring and response service (IRP, EDR, NTA according to the SaaS model) will be added, and users will begin to receive a digest of current information security news and cyber threat alerts.

2021

Opening of Solar JSOC branch in Rostov-on-Don

Rostelecom-Solar has opened a branch of the Solar JSOC commercial cyber attack countering center in Rostov-on-Don. The regional division will provide cyber protection for organizations of the Southern and North Caucasus Federal Districts, as well as a number of large federal customers. As of November 2021, the branch is staffed by over 40 analysts and engineers responsible for monitoring cyber incidents and operating information protection tools. Rostelecom announced this on November 18, 2021.

"Cybersecurity issues for business are becoming more relevant every year. Companies suffer losses from the actions of intruders or competitors, or simply because of the carelessness of employees. Solar JSOC in Rostov-on-Don will be responsible for the security of all regional customers of Rostelecom around the clock and provide a full range of services: from monitoring and managing protection systems to repelling and investigating cyber attacks. This branch will become the most important technological center for ensuring Russia's cybersecurity in the South," said Sergey Mordasov, vice president and director of Rostelecom in the South.

The opening of the Solar JSOC branch in Rostov-on-Don is due to the high level of cyber threats in the Southern Federal District. In the part of 2021 elapsed so far, Solar JSOC experts recorded 58 thousand attacks there, of which more than 40% were carried out using malware (viruses, encryptors, spyware trojans, etc.), an extremely high share compared with other regions. The second and third most common methods of hacking corporate infrastructures were attacks on web applications (29%) and DDoS (6%). Quite often, the tools of cybercriminals in the Southern Federal District are based on the commercial Cobalt Strike framework, a post-exploitation and adversary-simulation tool that attackers repurpose to control compromised hosts. This indirectly indicates high activity in the region by cybercriminal groups aimed at directly monetizing attacks.

"We see demand for information security expertise from organizations of the Southern Federal District. At the same time, there is a shortage of information security personnel in the region. The opening of the local Solar JSOC center in Rostov-on-Don will make cybersecurity technologies more accessible for companies in the South, as well as increase the personnel potential and attract young talented specialists to the industry," said Igor Lyapunov, Rostelecom vice president for information security.

Rostelecom-Solar actively cooperates with leading universities in the Rostov Region (Don State Technical University, Southern Federal University, M. I. Platov South Russian State Polytechnic University) in the practical preparation of students for work in the field of information security. Already in November 2021, more than 70 Rostov students underwent specialized internships. The best of them will be offered work in the center for countering cyber attacks.

Integration with the Vulners database

Rostelecom-Solar on July 15, 2021 announced the conclusion of a cooperation agreement with Vulners Inc., which administers the international database of information security threats. As part of the technology partnership, data collected by Vulners will be integrated into the internal processes of the Solar JSOC Cyber Attack Center. This data will complement existing Threat Intelligence sources and improve the effectiveness of Solar JSOC investigations, as well as the level of expert analytics and the quality of Vulnerability Management services.

The Vulners database is continuously updated, accumulating information about current threats from more than 140 different sources. It contains vendor bug reports, data from key knowledge bases and research centers, exploits from the Exploit-DB and Metasploit archives, bug bounty results, patches and updates, and publications on information security resources. All this information is processed, catalogued, structured and available to Solar JSOC experts at any time. A key advantage of the Vulners database is data correlation, which makes it possible to identify links between vulnerabilities and determine their real level of danger. This significantly saves information security specialists' time when studying complex attack vectors.

In addition, Rostelecom-Solar plans to use Vulners to assess the volume and criticality of vulnerabilities discovered within the Vulnerability Management (VM) service delivered on the Solar MSS cybersecurity services platform. According to Solar JSOC, most Russian companies cannot resist not only professional attackers but even amateur hackers: more than 70% of companies have critical vulnerabilities that cybercriminals use to breach the IT perimeter, as Solar JSOC penetration testing has shown.

"It is necessary to track vulnerability data on a regular basis, and work on identifying and eliminating vulnerabilities in your infrastructure must begin even before an exploit appears. These tasks are solved by the Vulnerability Management (VM) service, and the Vulners tool significantly increases the efficiency of scanning," said Vladimir Dryukov, director of the Solar JSOC cyber attack center at Rostelecom-Solar. "In addition, Vulners will allow us to significantly improve the Threat Hunting process, as Solar JSOC experts will be able to receive extensive information about trending vulnerabilities, how quickly they are being exploited, and cybercriminals' techniques, tactics and tools. This data will be used when creating correlation rules to detect intruders and suspicious activity in the infrastructure."

"At the heart of most information security processes is the need for up-to-date threat information. The accuracy and completeness of this information determines the quality of work of many tools and solutions. After all, a vulnerability cannot be eliminated without knowing about it. Combining the technologies of Vulners and Solar JSOC will bring Russian Vulnerability Management solutions to a different level and significantly increase the security of customers," said Kirill Ermakov, CEO of Vulners Inc.

In addition to Vulners, the sources of data on current information security threats for Solar JSOC are: its own daily updated database of indicators and knowledge of threats (Threat Intelligence), information from a network of sensors and honeypots throughout the country, the results of penetration tests, data from third-party SOC and CERT, vendor commercial subscriptions, as well as regulatory data.

Transformation into a comprehensive center for countering cyber attacks

Rostelecom-Solar, a subsidiary of Rostelecom, transforms its commercial Security Operations Center - Solar JSOC - into a comprehensive center for countering cyber attacks, providing protection from hacker groups with qualifications up to the level of foreign special services. Rostelecom announced this on May 26, 2021. Based on the experience of countering such attacks, Rostelecom has formed a set of services for delivering accumulated expertise to organizations whose cybersecurity is of strategic importance for the country - including federal executive bodies and subjects of Russia's critical information infrastructure.

The Solar JSOC transformation was a response to changes in the digital space. In 2020, more than 200 hacker attacks by highly professional cyber groups were recorded, including massive attempts to influence entire industries and sectors of the economy, large government agencies, and significant critical information infrastructure (CII) facilities. NCCCI also notes that the number of highly professional attacks on executive authorities grew by more than 40% in 2020.

"The actions of the most professional groups cannot be detected with the tools and expertise of the standard monitoring centers that prevail in the Russian market. Therefore, to fully counter the most professional attackers, we have formed a service offering. It is implemented not only through expertise, but also through the range of technologies on which each of the Solar JSOC services is based," said Igor Lyapunov, Rostelecom vice president for information security.

When determining the set of cybersecurity services required for each specific customer, the level of intruder relevant to its industry, vectors of the most dangerous and highly probable attacks, as well as many other parameters are taken into account. All of them are formed on the basis of many years of experience in protecting companies of various scales and areas of activity - from the banking to the industrial sector.

As part of the Solar JSOC transformation, services for analyzing the external threat landscape, security control, monitoring, and response to and investigation of information security incidents were brought to a fundamentally different level. The changes also affected the delivery models: in addition to classic information security outsourcing, customers can now choose hybrid models or a monitoring center that is built and then fully handed over to them. One such option is building an internal SOC in the organization with subsequent training of its team, as well as consulting on monitoring and responding to cyber threats.

The Solar JSOC Threat Intelligence Database is now enriched with data that is collected as part of the Threat Hunting process from a system of sensors and honeypots deployed on Rostelecom's infrastructure. In addition, it is constantly replenished due to data from commercial subscriptions, open sources, information exchanges with regulators and various CERTs, as well as the results of an analysis of incidents in the infrastructures of more than 140 key Russian organizations - Solar JSOC clients. This provides Solar JSOC customers not only with completeness, but also with the highest achievable rate of closure of emerging cyber attack vectors.

Classic security control services have been supplemented with a Red Teaming service that verifies real readiness to repel cyber attacks. It allows customers to test the protection processes and technologies they use and to train their information security team in "combat" conditions. The service is provided both as covert cyber operations and as open cyber exercises, and is continuously enriched with data on the most current attack vectors from Solar JSOC CERT and the National Cyber Polygon (Rostelecom-Solar's cyber range). As a result, Solar JSOC Red Teaming takes industry specifics into account: the techniques and tactics of the relevant cyber groups are imitated and the most likely attack vectors are used.

To identify attempts at covert attacks by highly professional groups, the monitoring process must be based on a large stack of technology. The Solar JSOC monitoring service, in addition to the standard SIEM tools, is based on data from network traffic analysis (NTA) systems and information security events at network endpoints (EDR). This saves companies from "blind spots" in the overall picture of the organization's security and ensures that complex cyber attacks are detected at the earliest stage. In addition, Solar JSOC uses an Incident Response Platform (IRP) solution that helps automate customer-side response processes - one of the key components of success in countering an evolving attack.

Advanced services for investigating and eliminating the consequences of attacks are implemented with the involvement of Solar JSOC CERT experts and are provided in two versions: the classic Incident Response for simple and explicit attacks and in-depth technical investigation (Digital Forensics), based on the accumulated experience of countering targeted attacks - when it comes to long and hidden attacks, seizing control over the organization's infrastructure. In the second case, experts not only investigate the incident and eliminate its consequences, but also collect digital evidence as imperceptibly as possible for cybercriminals so as not to provoke them to immediately implement destructive influences.

All Solar JSOC services function as a single ecosystem with a constant exchange of cyber threat information and enrichment of the scenarios for detecting and countering cyber attacks. This mature approach makes it possible to build an optimal, economically sound protection system for any organization, based on the types of cyber threats relevant to it.

2020

Launch a service to identify complex multi-component attacks based on Kaspersky Endpoint Detection and Response

On October 22, 2020, Rostelecom-Solar announced that, together with Kaspersky Lab, it had launched a service for identifying complex multi-component attacks on the workstations and servers of corporate customers. It is based on Kaspersky EDR (Endpoint Detection and Response), a system for detecting attacks on end hosts. The solution is connected to the services of the Solar JSOC cyber attack monitoring and response center and will help identify the activity (for example, the presence in the infrastructure) of highly qualified attackers, which basic protection tools usually do not detect.

Launch PT Network Attack Discovery Deep Network Traffic Analysis Service

On October 15, 2020, Rostelecom-Solar announced that it had launched a deep network traffic analysis (NTA) service with Positive Technologies based on the PT Network Attack Discovery (PT NAD) solution. The deep traffic analysis system is integrated into the existing incident detection cycle of the Solar JSOC cyber attack monitoring and response center.

Launch Customer Incident Response Automation Service with R-Vision

On August 11, 2020, Rostelecom-Solar and R-Vision announced that they were launching an incident response automation service on the customer side. The joint solution, based on the R-Vision IRP (Incident Response Platform), has been refined for more than a year and is now available to customers of the Solar JSOC cyber threat monitoring and response center. The service provides a set of ready-made, dynamically updated response scenarios with a division of responsibilities.

Identify ten targeted attacks with MaxPatrol SIEM

On May 13, 2020, Rostelecom-Solar announced that Solar JSOC had identified ten targeted attacks using MaxPatrol SIEM.

According to the company, experts from the Solar JSOC cyber attack monitoring and response center have been using Positive Technologies' MaxPatrol SIEM system for more than two years. With its help, ten APT attacks and several hundred mass mailings of malware aimed at government agencies and state corporations, organizations of the fuel and energy complex and transport companies were identified. The total flow of events handled by Solar JSOC using MaxPatrol SIEM as of May 2020 is more than 150,000 per second. Solar JSOC has been providing information security incident monitoring services based on MaxPatrol SIEM since the end of 2017. Among its customers using this solution are more than 30 large government organizations and departments, as well as industrial companies.

Solar JSOC identified ten targeted attacks with MaxPatrol SIEM. Photo: hsto.org.
"We expect that in 2020 the number of customers using Solar JSOC services based on MaxPatrol SIEM will more than double. The burden on security systems in Solar JSOC, including MaxPatrol SIEM, increases annually, and requirements for SIEM systems are growing in terms of identifying signs of complex and targeted attacks and providing advanced analytics. Therefore, at the start of cooperation, we presented high requirements for both the performance and stability of the solution and its functionality. The Positive Technologies team has seriously finalized MaxPatrol SIEM, and for May 2020, the product allows us to solve complex tasks for monitoring and detecting cyber attacks," explained Vladimir Dryukov, director of the Solar JSOC cyber attack monitoring and response center of Rostelecom-Solar.

During the implementation of MaxPatrol SIEM in Solar JSOC, the product was successfully tested on high-load systems. The solution was also adapted to the processes of the company's cyber threat monitoring and response center. In particular, the logic of forming rules for detecting cyber attacks has been changed. This allowed Solar JSOC experts to create their own ways to detect threats using MaxPatrol SIEM and use them to monitor the security of their customers' networks. Over two years, experts have written more than 300 rules for detecting attacks. To support existing threat management processes, MaxPatrol SIEM has been integrated with three popular incident response (IRP) and support (service desk) platforms.

"The number of targeted attacks is growing every quarter. At the same time, 68% of APT groups are aimed at state institutions, 59% at industrial companies, and 41% at the fuel and energy complex. Our practice shows that many state organizations and industrial enterprises use only basic means of protection or use modern tools without proper configuration and expert support. This dramatically reduces the effectiveness of the defense system, making it impossible to timely identify and respond to complex targeted attacks. We are proud of our long-standing collaboration with Solar JSOC. Colleagues are included in the program for early familiarization with updated versions of the product and participate in the formation of the functionality of its future releases. This allows us to enrich the product, including the experience and expertise of Solar JSOC, accumulated by the monitoring center over the years of successful operation," noted Maxim Filippov, Director of Business Development at Positive Technologies in Russia.

Exchange of data on cyber threats with the Sakhalin Regional Center for Informatization

On February 25, 2020, Rostelecom-Solar announced that it had signed a cooperation agreement with the Sakhalin Regional Center for Informatization (GBU SO SOCI) in the field of countering computer attacks. The purpose of this interaction is a bilateral exchange of cyber threat data to quickly strengthen the protection measures of the organizations served.

Data exchange with Sakhalin Regional Informatization Center

The Sakhalin Regional Center for Informatization is responsible for the information security of the regional information and telecommunications infrastructure, the executive authorities of the Government of Sakhalin Oblast and local self-government bodies, including the regional health care structure. At the same time, Rostelecom-Solar operates a large commercial center for monitoring and responding to cyber threats, Solar JSOC, which protects more than 110 large companies and state structures throughout Russia. The center processes about 80 billion information security events per day and already cooperates with FinCERT of the Bank of Russia, the NCCCI of the FSB of Russia and the IT and Communications Department of the Samara Region, as well as with manufacturers of information security solutions that regularly provide data about identified threats.

The agreement will help both companies ensure an early response to various types of cyber attacks. In particular, the parties agreed to inform each other about the techniques, tactics and tools that are used in attacks on information resources.

"Government agencies are increasingly becoming the target of hackers, as the ultimate goal or as a 'donor' of computing resources for attacks on other organizations. Information exchange with Solar JSOC, which has a dynamically updated database of compromise indicators, will help us to ensure proactive protection of the state information resources of the Sakhalin region from mass attacks and to develop effective measures to combat them," commented Roman Chuzhinov, Head of the State Budgetary Institution Sakhalin Regional Center for Informatization.

"We are glad to cooperate with the Sakhalin Regional Center for Informatization, which has a mature Security Operations Center and can be a supplier of valuable information about emerging attack vectors. The more participants in this data exchange system, the higher its effectiveness and the more powerful protection each of them receives," noted Denis Baskakov, Business Development Director for Information Security in the Far East, Rostelecom-Solar.

2019

Access to ESET Threat Intelligence

On August 20, 2019, Rostelecom-Solar, a national provider of cyber security services and technologies, announced that it had entered into a strategic cooperation agreement with the international anti-virus company ESET. Within the framework of the technological partnership, Rostelecom-Solar gained access to the dynamically updated ESET Threat Intelligence reputation base, which contains hundreds of thousands of names of malicious domains that are current at each moment in time. These data enhance the ability of the Solar JSOC cyber attack monitoring and response center to proactively detect information security threats to customers by blocking malicious traffic and evolving phishing attacks.

Dangerous domains are loaded into the Solar JSOC Threat Intelligence platform every 5 minutes. The use of this data, alongside data from the antivirus software of another vendor, significantly enriches the Solar JSOC reputation base. Thanks to this, customers receive prompt, comprehensive protection even against methods of compromising the IT infrastructure that the antivirus deployed in their environment does not detect.

"The constant collection and updating of threat information is a strategic direction for any center for monitoring and responding to cyber incidents, since this enriched data largely determines the effectiveness of its work. At one time, we entered into an information exchange agreement with FinCERT, which was later joined by the most prominent players in the information security market. Together with our own Solar JSOC analytics, this has made it possible to achieve a high level of completeness and relevance of the data of our Threat Intelligence platform, but we are constantly working on its replenishment and are striving to cooperate with leading providers of information about current threats."

"ESET Threat Intelligence data streams increase the ability to detect threats and help respond to security incidents in a timely manner. We observe high interest from large businesses: the service is used by customers not only in Russia, but also in the CIS," noted Alexander Pirozhkov, Head of ESET Threat Intelligence.

Launch of Russia's largest regional center for monitoring and responding to cyber attacks

On June 24, 2019, Rostelecom announced the opening, according to the company, of Russia's largest regional center for monitoring and responding to cyber attacks. It was launched in Nizhny Novgorod and was created on the basis of the Solar JSOC center, which provides security for more than 100 largest Russian companies.

Rostelecom Vice President for Information Security and Head of Rostelecom-Solar Igor Lyapunov said at the opening ceremony that, as of June 24, 2019, Solar JSOC has its head office in Moscow, which specializes in analytics and development. Regional units, the monitoring centers, are located in Nizhny Novgorod, Samara and Khabarovsk. By the end of the year, it is planned to open another such facility in Rostov-on-Don.

Rostelecom opened the largest center for combating cyber attacks outside Moscow

Solar JSOC in Nizhny Novgorod will be responsible for the security of all regional clients around the clock, offering them security monitoring services, managing customer protection systems, repelling and investigating cyber attacks, etc.

According to Solar JSOC statistics for 2018, more than 90 thousand information impacts on company infrastructures and more than 5 thousand computer attacks were recorded in the Nizhny Novgorod region. This is above the average level for the Volga regions.

"We expect that the opening of the second largest Solar JSOC division in Nizhny Novgorod and our personnel strategy will allow the city to become one of the most important technological centers for ensuring Russia's cybersecurity," said Igor Lyapunov.

Investments in the Nizhny Novgorod monitoring center exceed 100 million rubles a year at the time of opening. Rostelecom explained the choice of Nizhny Novgorod to open the center as a personnel issue: it is here that a number of universities are located that train strong specialists in the specialized field.[1]

2018

Services for the creation and operation of corporate and departmental GosSOPKA centers (State system of detection, prevention and elimination of consequences of computer attacks)

On September 27, 2018, Rostelecom-Solar, a national provider of services and technologies for the protection of information assets, targeted monitoring and information security management, announced the signing of an agreement with the FSB of Russia with the aim of organizing interaction in the field of detection, prevention and elimination of computer attacks within the framework of GosSOPKA, the State system of detection, prevention and elimination of consequences of computer attacks.

The signed document, in particular, allows Rostelecom-Solar to provide Russian organizations with services for the creation and operation of corporate and departmental GosSOPKA centers: detecting, responding to and eliminating the consequences of computer attacks, assessing the security of infrastructure, and ensuring the interaction of corporate and departmental centers with higher GosSOPKA centers. Thus, GosSOPKA entities can use the resources and expertise of the Solar JSOC cyber attack monitoring and response center, transferring responsibility for implementing the functions of a GosSOPKA center to the service provider.

"This is an important milestone in our interaction with the National Coordination Center for Computer Incidents. Thanks to this agreement, we will be one of the first on the market to provide customers with a holistic service for the implementation of the functions of corporate and departmental GosSOPKA centers, thus closing the corresponding block of 187-FZ requirements," said Vladimir Dryukov, director of the Solar JSOC cyber attack monitoring and response center at Rostelecom-Solar.

Federal Law No. 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation", which entered into force on January 1, 2018, obliges state authorities, state corporations and other organizations classified as critical information infrastructure (CII) subjects to create departmental or corporate GosSOPKA centers. This implies the creation of the necessary technical base, monitoring processes, analysis and investigation of incidents, as well as the performance of a number of other functions in accordance with the methodological recommendations of the FSB of Russia. CII subjects can build GosSOPKA centers on their own or perform this task using service providers with licenses for the relevant activities.

In addition to the exchange of information about information security incidents, as well as interaction in the field of detection, prevention and response to computer attacks, the FSB of Russia and Rostelecom-Solar also agreed to conduct joint training and exercises on the functioning of GosSOPKA. Cooperation will be aimed at increasing the level of awareness and qualifications of specialists of both organizations in the field of information security and improving the methodological base developed for the effective operation and functioning of GosSOPKA. The agreement also provides for joint seminars, conferences and other events, Rostelecom-Solar noted.

2017

Partnership with Positive Technologies

Positive Technologies and Solar Security entered into a cooperation agreement in May 2017: Solar JSOC became the first participant in the Positive Technologies MSSP program, which allows Positive Technologies to provide technologies under a lease scheme. Cooperation of companies implies several large technological integrations, which will make it possible to form a number of information security services that combine deep expertise and proven technologies of Russian market leaders.

The first step was to create a Solar JSOC service for protecting client web applications based on the PT Application Firewall, which detects and blocks modern attacks on web portals, ERP systems, Internet banking, etc.

Solar JSOC Confirms PCI DSS Compliance

Solar Security announced at the beginning of the year that Solar JSOC had successfully passed its annual QSA audit for PCI DSS compliance. The received certificate of conformity confirms full compliance with the requirements of the Payment Card Industry Data Security Standard version 3.1 in terms of storage, processing and transfer of payment card data.

The annual Solar JSOC audit was conducted by experts from Compliance Control Ltd, one of the first specialized organizations in Russia to provide services in the field of PCI DSS compliance and certification.

2016

Solar Security updates Security Operations Center service model

Solar JSOC includes more than 40 atomic services, combined into higher-level services that provide a comprehensive solution to business problems. An important advantage of Solar JSOC is information exchange with state and industry CERTs, as well as leading information security vendors. Reputation bases and feeds enrich all Solar JSOC services in an end-to-end way, providing protection against the latest cyber threats. The Solar JSOC model provides a deeper level of analytics, demonstrating to customers the root causes and consequences of incidents and vulnerabilities.

The Solar JSOC service delivery format is based on three levels: Security Maintenance, Security Monitoring and Security Management.

The lower, basic level of Security Maintenance includes the operation and administration of information security systems deployed in the company. Solar JSOC services at this level include provision, fine-tuning and management of active security tools - WAF, Sandbox, anti-DDoS, firewalls and proxies.

The quintessence of SOC functions is the Security Monitoring level, which provides monitoring, detection and analysis of information security incidents within the company. In parallel, Solar JSOC aggregates information from information security vendors as well as various CERTs into a global knowledge base. This knowledge base contains data on malicious network hosts, indicators of compromise of Internet systems, zero-day malware and new vulnerabilities aimed both at a specific industry and directly at a single company.

The collection of information obtained from within the organization and from external sources allows you to form your own database of event correlation rules, which is the core of any SOC. A broad set of correlation rules provides robust monitoring of infrastructure security against cyber attacks, and allows you to quickly identify and prevent both external intrusion attempts and internal violations.
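As an added illustration of the two mechanisms described on this page, a reputation base refreshed from an external domain feed (the section on ESET Threat Intelligence above) and the correlation rules that this paragraph calls the core of a SOC, here is a small self-contained correlation example. It is not Solar JSOC code and does not reflect its rule set; the feed entries, domain names, IP addresses and proxy log lines are all constructed for the example, and the rule names, thresholds and the 15-minute window are assumptions. It enriches each proxy event with a feed lookup (exact or parent-domain match), raises an incident on the first contact with a listed domain, and escalates when one host repeatedly contacts the same listed domain within the window. Running it once without the feed refresh shows why the periodic update matters: the indicator added by the refresh is otherwise missed.

```python
"""Minimal SOC-style correlation: enrich proxy events with a threat-intelligence
reputation base, then apply correlation rules to raise incidents. Example code;
all indicators and log lines below are constructed, not real data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed TI feed (hypothetical domains, not real indicators).
TI_FEED_INITIAL = [
    {"domain": "update-check.example", "source": "vendor-a", "category": "c2"},
    {"domain": "login-verify.example", "source": "vendor-b", "category": "phishing"},
]
# A later refresh of the same feed adds one more indicator.
TI_FEED_REFRESH = [
    {"domain": "cdn-static.example", "source": "vendor-a", "category": "malware"},
]

# Constructed proxy log: "<ISO timestamp> <src_ip> <user> <dest_host> <status>"
SAMPLE_LOGS = """\
2020-05-13T10:00:01 10.0.1.15 ivanov update-check.example 200
2020-05-13T10:00:05 10.0.1.15 ivanov mail.internal.example 200
2020-05-13T10:05:02 10.0.1.15 ivanov update-check.example 200
2020-05-13T10:10:03 10.0.1.15 ivanov sub.update-check.example 200
2020-05-13T10:11:00 10.0.2.30 petrov news.example 200
2020-05-13T10:12:00 10.0.2.30 petrov login-verify.example 200
2020-05-13T10:30:00 10.0.3.44 sidorov cdn-static.example 200
"""


class ReputationBase:
    """Domain reputation base built from one or more feed loads."""

    def __init__(self):
        self._domains = {}  # normalized domain -> indicator dict

    def load(self, feed):
        """Merge a feed; returns the number of new indicators (idempotent reload)."""
        added = 0
        for ind in feed:
            d = ind["domain"].lower().rstrip(".")
            if d not in self._domains:
                added += 1
            self._domains[d] = ind
        return added

    def lookup(self, host):
        """Match the host exactly or as a subdomain of a listed domain (never a bare TLD)."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            hit = self._domains.get(".".join(labels[i:]))
            if hit:
                return hit
        return None


@dataclass
class Event:
    ts: datetime
    src_ip: str
    user: str
    host: str
    status: int
    ti: Optional[dict] = None  # enrichment result, filled by enrich()


@dataclass
class Incident:
    rule: str
    severity: str
    src_ip: str
    detail: str


def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user, host, status = line.split()
            events.append(Event(datetime.fromisoformat(ts), src, user, host, int(status)))
    return events


def enrich(events, repbase):
    for e in events:
        e.ti = repbase.lookup(e.host)
    return events


def correlate(events, window=timedelta(minutes=15), repeat_threshold=3):
    """Rule TI_MATCH: first contact per (host, indicator). Rule REPEATED_CONTACT:
    >= repeat_threshold contacts with the same indicator inside one window."""
    incidents, seen = [], set()
    hits = defaultdict(list)  # (src_ip, indicator domain) -> sorted timestamps
    for e in sorted(events, key=lambda x: x.ts):
        if e.ti is None:
            continue
        key = (e.src_ip, e.ti["domain"])
        hits[key].append(e.ts)
        if key not in seen:
            seen.add(key)
            incidents.append(Incident("TI_MATCH", "medium", e.src_ip,
                f"{e.src_ip} ({e.user}) -> {e.host} [{e.ti['category']}, {e.ti['source']}]"))
    for (src, dom), stamps in hits.items():
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            if j - i + 1 >= repeat_threshold:
                incidents.append(Incident("REPEATED_CONTACT", "high", src,
                    f"{src} -> {dom} {j - i + 1} times within {window}"))
                break
    return incidents


def run_demo(refresh=True):
    repbase = ReputationBase()
    repbase.load(TI_FEED_INITIAL)
    if refresh:
        repbase.load(TI_FEED_REFRESH)  # stands in for the periodic feed update
    return correlate(enrich(parse_events(SAMPLE_LOGS), repbase))


if __name__ == "__main__":
    for inc in run_demo():
        print(f"[{inc.severity}] {inc.rule}: {inc.detail}")
```

With the refresh applied the run yields four incidents: three TI_MATCH hits (one per host and indicator, the third only because the refreshed feed knows the new domain) and one REPEATED_CONTACT escalation for the host that reached the same indicator three times in ten minutes, including via a subdomain.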

At the Security Management level, the key task is to assess the actual criticality of an incident for the company and its business processes. By analyzing incidents and anomalies, their root causes and the potential damage, the company identifies new technical and business risks. All analytical data is presented in the Solar JSOC Security Dashboard visualization system as diagrams. An objective picture of the state of information security in the company, together with statistically confirmed data on "pain points" and the most serious risks, makes it possible to justify decisions on long-term information security management. Nevertheless, due to the strategic importance of such decisions, they remain within the competence of the customer company.

JSOC Security Dashboard

JSOC Security Dashboard is an online system for analyzing and visualizing the security status of information systems connected to Solar JSOC.

On February 18, 2016, Solar Security introduced the JSOC Security Dashboard. Only customers of the company can use it.

JSOC Security Dashboard allows each Solar JSOC client to receive personalized information about the state of the company's information security in real time as part of a single window. Special panels display data on all main information systems, infrastructure connected to Solar JSOC, detailed information on external attacks and internal information security incidents detected during monitoring.

JSOC Security Dashboard is implemented on the basis of a product for visualizing multi-level analytics and monitoring the effectiveness of Solar inView information security, which shows the state of information security in the company as clearly as possible with the desired level of detail, up to the transition to information on a specific incident, at a specific moment in time. The mutual integration of Solar Security products and services helps create an ecosystem that provides an integrated approach to information security issues.

The JSOC Security Dashboard helps evaluate compliance with the SLA (Service Level Agreement) within the Solar JSOC services. As of February 18, 2016, the average SLA compliance for Solar JSOC is ~99.2%; for critical incidents it is higher and reaches ~99.5%.

JSOC Security Dashboard tracks the entire path from identifying an incident to its analysis and response, with detailed information on the type of incident, which systems are involved, who worked on it, what measures were taken, and how the analysis and response proceeded.

"JSOC Security Dashboard solves two problems at once: it gives our client an understanding of the actual state of security and makes our work more transparent. We wanted to provide the client with the opportunity to see trends in changing attacks on company resources or user behavior: which business system causes increased interest of cybercriminals, which organizational unit of the company worst complies with information security standards, etc. This information is not based on generalized statistical models, but on real incidents that occur and are processed in the client infrastructure. JSOC Security Dashboard is not only reporting and visualization, it is also a system for supporting decision-making on further steps to improve its security."
Vladimir Dryukov, Head of Solar JSOC, Solar Security