2017/12/21 12:49:08

Andrey Yankin, Jet Infosystems: Our development plan is antifraud, consulting, services and outsourcing

Andrey Yankin, associate director of TsIB at Jet Infosystems, told TAdviser in an interview about cybersecurity concepts and methodologies, as well as the activities, projects and development plans of the Information Security Center.


One of the postulates of the People Centric Security concept is that the person is the most important link in an IT system. What do you think of this approach?

Andrey Yankin: There is an old proverb: a bad security specialist works with equipment, and a good one works with people, so this PCS approach cannot be called fundamentally new. Among other things, the PCS concept assumes trust in people, their training and their involvement in cybersecurity processes. Vendors place the main focus on controlling employee behavior, promoting PCS in the context of DLP (Data Leak Prevention) and UBA (User Behavior Analytics). That in itself is quite good, though somewhat one-sided. Our experience shows that the PCS concept works effectively in practice. It turned out to be much more effective to build the cybersecurity process around the person, the client or the employee, tracking his behavior, rather than in the old manner of controlling access to certain files or network flows. The old approach literally flooded the security service with information, which then had to be structured somehow. Building behavioral models and searching for anomalies in a person's behavior really helps to build cybersecurity processes more effectively, including with products that take the PCS concept into account.

So, in addition to the PCS concept, the corresponding tools have already appeared? Is this fundamentally new software, or an evolution of solutions already on the market?

Andrey Yankin: Yes, at the level of protection tools there are already tools that work according to PCS approaches, and in most cases this was not a revolution but an evolution of cybersecurity solutions already on the market.

Which methodological concepts and standards for organizing and ensuring cybersecurity do you consider fundamental?

Andrey Yankin: First, we actively preach PCS and use it in our projects. Second, leaving aside the well-known cybersecurity methodologies and naming only those most relevant in light of recent changes in the security market: the recent virus epidemics showed that companies implementing innovative protection tools often forget about basic things: access control, antivirus, vulnerability management, restriction of user rights, network microsegmentation and some others. One more concept now gaining momentum rests on the understanding that preventive cybersecurity measures are not so effective today. Usually we build certain barriers to protect the network perimeter, but today there is practically no perimeter any more, since social engineering makes it possible to get over any "fence".

Today the focus of cybersecurity is shifting to detecting threats that have already been carried out. In effect, we accept that the network is already hacked and that the attacker has to be detected and neutralized as fast as possible, with the least damage to the organization. In this context, cybersecurity solutions such as HoneyPot are gaining popularity. Vendors now more often call solutions of this class Deception Tools, emphasizing that the technology has moved to a new level, but that does not change the essence.

This does not mean that preventive controls are no longer necessary. The context of cybersecurity is changing and, accordingly, investments in security are being redistributed.

Let's turn to history. How long has TsIB existed within Jet Infosystems? What is its headcount? What are TsIB's priority activities?

Andrey Yankin: TsIB has existed for more than 20 years and employs 165 people, 120 of whom are project staff. The solutions we work on cover the whole range of cybersecurity, from infrastructure security and network protection through to antifraud. The specifics of our business are such that we rely first of all on performing work and providing cybersecurity services, and are engaged in equipment supply to a lesser extent.

If you give a brief analysis of the project portfolio implemented by TsIB, which kinds of projects take the top three places by number? By the volume of profit generated?

Andrey Yankin: By profit, first place goes to infrastructure security projects, followed by service projects, DLP and consulting. By number of contracts, first place goes to service and second to pentests.

What factors determine the choice of the specific cybersecurity platforms, solutions and products offered to the customer when implementing cybersecurity projects?

Andrey Yankin: We practice an industrial approach. That is, we use a list, approved by the director of TsIB, of cybersecurity tools allowed for use. It contains about 150 products and solutions, and a level of competence must be maintained for each of them. To be included in this list, a solution must at least pass through our laboratory. Architects then select from this list the products that best suit the customer for solving the tasks of the project.

The topic of having one's own information security center has long been actively promoted in the market under the abbreviation SOC (Security Operation Center). Starting from what size of business is a full-scale SOC reasonable from an economic point of view?

Andrey Yankin: First, let us clarify the term SOC. We interpret it more narrowly than a comprehensive information security center. It is a center whose basic function is cybersecurity monitoring and incident handling, although it clearly also handles some compliance tasks and takes part in creating the cybersecurity architecture. In this interpretation, for a general-profile enterprise, a SOC is profitable at a scale of 8 to 10 thousand workstations and servers. For financial institutions and IT companies it is incorrect to go by the number of nodes; the extent of risk is what is critical here.

Investments in creating one's own SOC are significant: by our estimates, the minimum investment over a three-year horizon, including payroll (FOT), starts from 100 million rubles. Clearly, not everyone can afford such investments, but many face the task of organizing high-quality cybersecurity incident management, and here outsourcing, which helps to optimize expenses, comes to the rescue.

Are there "economy options" of SOC for enterprises and SMB companies?

Andrey Yankin: In the West, and even in a number of Southeast Asian countries, cybersecurity outsourcing, including monitoring aimed at SMB, has already taken shape. In the Russian market, unfortunately, it has not, and that is a big problem. However, I think it is a matter of time.

How many SOC construction projects are in TsIB's portfolio?

Andrey Yankin: It must be understood that SOC construction projects are always joint work between the integrator and the customer, not work done "turnkey". We already have several dozen such projects to our credit.

What ways of creating a SOC does TsIB offer its customers?

Andrey Yankin: There are standard scenarios one can rely on, but the experience of a project cannot be replicated directly from one organization to another. In practice there are three options for creating a SOC, depending on the extent of outsourcing: complete outsourcing, partial outsourcing, or an in-house SOC. Companies often go through this whole path: from outsourcing to their own SOC. Besides, a lot depends on the planned operating mode: nominally 8 hours on working days, or round-the-clock monitoring. These may seem like minor details, but they fundamentally change the shape of the SOC and the approaches to building it.

Advanced detection: what is meant by it?

Andrey Yankin: Advanced detection is an attempt to find out at an early stage that a system has been compromised, to collect as much information as possible about the fact of compromise, about the attacker and his tools, and to understand how the system was penetrated. Doing this on production systems is very dangerous. Mature tools of the HoneyPot class have already appeared to solve this task. The network is flooded with systems that imitate production ones but are actually just bait for the attacker. Using HoneyPot is a true art, because it requires not only simulating the company's business processes and IT infrastructure, but also keeping everything secret, including from employees.

Who is interested in this service?

Andrey Yankin: What is characteristic of this technology is that it is appropriate in any information system, at very different levels of cybersecurity maturity. If everything that is possible and necessary has been implemented in the information system, HoneyPot becomes the "cherry on the cake": the attacker has passed all the barriers and in the end finds himself in a trap. If security is implemented poorly, then it makes it possible to recognize that the attacker is inside and that catching him must begin at once. Our HoneyPot customers fall into exactly these two categories: companies at the forefront of cybersecurity use, and those that are only starting to implement it.

How many HoneyPot projects have you implemented to date?

Andrey Yankin: So far there are not many of them, approaching ten. But we believe this direction will develop actively; the market is not yet saturated, and we are betting on it.

Fighting fraud: what are its main aspects?

Andrey Yankin: For us this is a long-standing activity. At first we were engaged in it only as an integrator. We gathered specialists from banks and other companies with high fraud risk, people who understand business processes, and implemented Western fraud-monitoring systems. Then we became a vendor ourselves. Our software development center, one of the departments of our company, had accumulated extensive experience with machine learning systems and Big Data analysis, and we began to apply this experience to fighting fraud. We created our own Jet Detective platform, which we have been actively promoting for the second year. It is a versatile tool that is not tied to a specific industry and is potentially interesting to any business, since it is about finding failures and deviations in any business processes. Today banks and retail are interested in this solution first of all, and recently industrial enterprises have also begun to show interest in fighting fraud.

Is the Jet Detective platform entirely your own development?

Andrey Yankin: Yes, it is our own development, which uses, among other things, open libraries, for example for machine learning. Its basic purpose is searching for anomalies in business processes and analyzing transactions.

Cybersecurity outsourcing, which we have mentioned more than once in the course of this interview: how much is it in demand in practice?

Andrey Yankin: Cybersecurity outsourcing is now on the rise, and we provide such services, actively investing in this line of business. Our specialization is operating protection tools as a service, including cybersecurity monitoring, of course. We are now moving toward more complex, intelligent outsourcing, connected with operating those protection tools that require narrowly specialized experts. It is not economically viable for customers to keep their own specialists for such tools, so they come to us for services.

Everyone talks about fraud, and so do we. But do you have a picture of whom exactly you are fighting? Is there an "intelligence division" within TsIB that investigates the fraud market in order to act proactively to prevent attacks? Do you know the fraudsters by sight?

Andrey Yankin: We do not have a cybercrime investigation business, but we regularly interact with companies that do this, and we encounter fraudsters nearly every day in the course of implementing and supporting antifraud systems. Our work leads to detentions and dismissals. In general, staying aware of real threats and types of attacks is a really huge problem in cybersecurity. As they say, generals always prepare for the last war, and lagging behind the market leads to security being built against nonexistent attacks. That is why we draw information on break-ins from all sources, study the methods used by attackers, and constantly talk with clients about fraud. What is surprising is that many successful break-ins are carried out at the technical level of a trainee pentester, which once again speaks in favor of building basic security.

Which cybersecurity project was, for whatever reason, especially memorable, and why?

Andrey Yankin: For me the most interesting projects are those involving comprehensive cybersecurity audits. This year there were three large projects in this area, one of them at an international company (Sodruzhestvo Group, one of the largest oilseed processors in the CIS and Europe). In such projects we can show everything we are able to do: reverse engineering, consulting, pentest work, and so on. Another type of project that is organizationally very difficult and interesting is the implementation of IdM solutions in large companies, because such implementations, as a rule, affect the greatest number of business processes and IT systems.

What do you think about ensuring information security at the state level through the creation of a single system (the program to create the State system of detection, prevention and elimination of consequences of computer attacks)? How realistic is this task?

Andrey Yankin: I consider it quite a realistic task. The task of GosSOPKA is not to build ideal security across the whole territory of the Russian Federation, but to obtain up-to-date information about the state of security and to monitor the situation. You should not expect the system to be created within half a year of the law being issued, but this is movement in the right direction. Large government institutions that never dealt with this before are already involved in practical work.

Some IT companies specializing in cybersecurity have already set up a separate line of business under this program. Does TsIB deal with this issue?

Andrey Yankin: We actively cooperate in this area with state regulators and vendors, acting first of all as an integrator. In addition, we see great opportunities here for developing the outsourcing of information security systems.

In which directions is TsIB going to develop its activity next year?

Andrey Yankin: Largely antifraud, consulting, services and outsourcing.
