
Jet Security Operation Center (JSOC)

Product
Developers: Jet Infosystems
Last Release Date: May, 2015
Technology: Cybersecurity - antivirus; antispam; authentication; firewalls; data loss prevention; backup and data storage; fraud detection (antifraud); encryption tools; security information and event management (SIEM). Data centers - technologies for data centers


JSOC is aimed primarily at companies that, first, need round-the-clock (24/7) information security support but have no duty shift of their own within the security department, and, second, want to offload the routine, labor-intensive administration of their security tools.


The center for security monitoring and operational management provides:

  1. monitoring of information security incidents;
  2. response to security incidents;
  3. security monitoring of information systems;
  4. management of the company's security systems.


These services can be delivered either on a monthly subscription basis, with the required hardware and software leased from JSOC's cloud infrastructure, or on top of the security systems the client already operates.

The JSOC team consists of more than 30 security specialists: two duty shifts that monitor incidents and administer security tools, plus senior experts and security analysts.

Technologies

The technologies used are grouped as follows:

  • event auditing;
  • event collection, filtering and storage;
  • event correlation and incident identification;
  • incident investigation and escalation;
  • reporting at all levels of incident management.

Event auditing relies both on the native mechanisms of operating systems, network equipment, application servers, web services and databases, and on add-on security products, for example the database protection systems Imperva SecureSphere or IBM Guardium.

To correlate security events with data on the vulnerabilities actually present in the IT infrastructure, the incident management center is integrated with MaxPatrol from Positive Technologies or with McAfee Vulnerability Management.

Event processing, incident investigation and reporting themselves are built on systems from leading vendors such as HP ArcSight, RSA enVision and Symantec SIM.
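The correlation and enrichment steps this section describes, as an added example that is not code from the page or from Jet Infosystems: normalized events from several sources are run through one correlation rule (repeated failed logins followed by a success), and each resulting incident is enriched with a vulnerability-scanner export so that a host carrying a high-severity finding is escalated to critical. The event schema, the scan export format and every sample value are constructed assumptions, not ArcSight or MaxPatrol formats.

```python
"""Minimal SIEM-style pipeline: correlate normalized events into incidents, then
enrich each incident with vulnerability-scanner data to set its priority.
Added example: the event schema, the scan export and all values are constructed
for illustration and are not the ArcSight or MaxPatrol formats."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalized by a collector to one schema:
# (source, time, src_ip, host, event, user)
EVENTS = [
    ("linux-auth", "2015-05-20 02:11:05", "10.8.1.23", "srv-db01", "login_failed", "oracle"),
    ("linux-auth", "2015-05-20 02:11:09", "10.8.1.23", "srv-db01", "login_failed", "oracle"),
    ("linux-auth", "2015-05-20 02:11:14", "10.8.1.23", "srv-db01", "login_failed", "oracle"),
    ("linux-auth", "2015-05-20 02:11:20", "10.8.1.23", "srv-db01", "login_ok", "oracle"),
    ("fw",         "2015-05-20 02:12:00", "10.8.1.23", "srv-db01", "conn_allowed", ""),
    ("linux-auth", "2015-05-20 09:30:00", "10.8.5.7", "srv-web02", "login_failed", "deploy"),
    ("linux-auth", "2015-05-20 09:30:03", "10.8.5.7", "srv-web02", "login_failed", "deploy"),
    ("linux-auth", "2015-05-20 09:30:07", "10.8.5.7", "srv-web02", "login_failed", "deploy"),
    ("linux-auth", "2015-05-20 09:30:12", "10.8.5.7", "srv-web02", "login_ok", "deploy"),
    # One failure twenty minutes before a success: outside the window, no incident.
    ("linux-auth", "2015-05-20 11:00:00", "10.8.9.9", "srv-app03", "login_failed", "svc"),
    ("linux-auth", "2015-05-20 11:20:00", "10.8.9.9", "srv-app03", "login_ok", "svc"),
]

# Constructed vulnerability-scanner export keyed by host (hypothetical format,
# not real findings); only the CVSS score is used for prioritization here.
VULN_SCAN = {
    "srv-db01": [{"id": "example-finding-1", "cvss": 7.5}],
    "srv-web02": [{"id": "example-finding-2", "cvss": 4.3}],
}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failed logins from one src_ip to one host,
    followed by a successful login from that src_ip to that host with all the
    failures inside `window`, yields a 'successful_bruteforce' incident."""
    failures = defaultdict(list)  # (src_ip, host) -> times of failed logins
    incidents = []
    for _source, ts, ip, host, event, user in sorted(events, key=lambda e: e[1]):
        t = parse_time(ts)
        key = (ip, host)
        if event == "login_failed":
            failures[key].append(t)
        elif event == "login_ok":
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                incidents.append({"rule": "successful_bruteforce", "time": ts,
                                  "src_ip": ip, "host": host, "user": user,
                                  "failures": len(recent)})
            failures[key].clear()  # a success closes the attempt sequence
    return incidents


def prioritize(incident, scan):
    """Enrichment step: the rule's base priority is 'high'; it becomes 'critical'
    when the scanner shows a high-severity (CVSS >= 7.0) finding on the host."""
    worst = max((f["cvss"] for f in scan.get(incident["host"], [])), default=0.0)
    return dict(incident, max_cvss=worst,
                priority="critical" if worst >= 7.0 else "high")


def run(events=EVENTS, scan=VULN_SCAN):
    return [prioritize(i, scan) for i in correlate_bruteforce(events)]


if __name__ == "__main__":
    for inc in run():
        print(inc)
```

With the constructed input, the database server produces a critical incident (three failures, then success, CVSS 7.5 on the host) and the web server a high one; the application server produces nothing because its single failure falls outside the five-minute window. The point of the enrichment is that the same rule hit is triaged differently depending on what the scanner knows about the target.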

Delivery of cloud SOC services

  1. connection of the client's infrastructure to the provider's own SOC;
  2. continuous monitoring and analysis of security events;
  3. rapid 24x7 response to security incidents;
  4. regular reports for the technical staff of security departments and for management.

Processes

Establishing a security incident management process substantially increases the effectiveness of the technologies deployed; that is, it lets the SOC fully accomplish its tasks in line with best practices. When building the incident management process, Jet Infosystems specialists carry out the following procedures:

  1. classification of possible events;
  2. definition of the list of events that require a response;
  3. incident typing and prioritization;
  4. definition of the roles of the employees involved in incident investigation;
  5. incident investigation;
  6. preparation and planning of preventive security measures so that the incident does not recur.

The process approach makes incident response and resolution faster and allows the use both of experience accumulated on projects and of the clients' own experience in resolving security incidents.

The services provided also include regulatory compliance monitoring, monitoring of security policy enforcement, infrastructure security support, oversight of partners, protection of business applications and a number of others.

Initial processing of incident reports, and of events in client systems, is handled respectively by the incident analysis group and the administration group, both located in Nizhny Novgorod. The decision to place the "first line" services in that city was influenced by the presence of universities offering the relevant specializations and by the city's developed IT environment.

"Second line" specialists are located in Moscow; in the most complex cases analysts and information security administrators are brought in as well.

JSOC registers about 150 information security incidents a day, 80% of them during daytime. Most targeted attacks, however, are recorded between eight in the evening and nine in the morning, when, as their organizers assume, a response from the relevant staff is less likely.

According to JSOC statistics, the first month of operation typically uncovers about ten incidents of unauthorized access to client systems, at least five leaks of confidential information, up to ten violations of Internet access policy, and misuse of service (technical) accounts for purposes other than intended.

Several types of service level agreement (SLA) are offered. For example, under the SLA with the most stringent service parameters, the time to detect a critical incident does not exceed 10 minutes; basic diagnosis and notification of the customer, including the analysis report defined in the agreement, takes 20 minutes; and countermeasure recommendations are issued within 45 minutes[1].

JSOC reputation database update from Kaspersky Lab

Under a partnership between Jet Infosystems and Kaspersky Lab, the reputation database of the system integrator's outsourced Jet Security Operations Center (JSOC) service will be replenished in real time with information on current threats from Kaspersky Lab.

To integrate the databases, Jet Infosystems specialists developed a mechanism that converts heterogeneous data (about 24 types) into a uniform format. It allows new data to be loaded at least once every 10 minutes. The JSOC reputation database currently holds about 3 million malware samples.
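The normalization mechanism described above, as an added example that is not code from the page, from Jet Infosystems or from Kaspersky Lab: three constructed feed formats (a hash list, an IP CSV and a generic typed-indicator list) are reduced to one indicator schema, validated and canonicalized, and merged so that the same indicator reported by two feeds becomes a single record carrying both sources. The page mentions about 24 data types; a real integration would register one parser per type in the same way the three below are registered. All feed formats, field names and indicator values are constructed assumptions.

```python
"""Normalize heterogeneous threat-feed records into one indicator schema and
merge them into a reputation store. Added example: the feed formats and values
below are constructed for illustration and are not Kaspersky Lab's or JSOC's."""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

HASH_TYPES = {"md5": 32, "sha1": 40, "sha256": 64}  # type -> hex length


@dataclass(frozen=True)
class Indicator:
    ioc_type: str  # md5 | sha1 | sha256 | ip | domain | url
    value: str     # canonical form: lowercase hex, lowercase domain, exact URL


def canonical(ioc_type: str, raw: str) -> Optional[Indicator]:
    """Validate and canonicalize one raw value; None means the record is rejected."""
    v = raw.strip()
    if ioc_type in HASH_TYPES:
        v = v.lower()
        if len(v) != HASH_TYPES[ioc_type] or not re.fullmatch(r"[0-9a-f]+", v):
            return None
    elif ioc_type == "ip":
        try:
            v = str(ipaddress.ip_address(v))
        except ValueError:
            return None
    elif ioc_type == "domain":
        v = v.lower().rstrip(".")
        if not re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", v):
            return None
    elif ioc_type == "url":
        if not v.startswith(("http://", "https://")):
            return None
    else:
        return None
    return Indicator(ioc_type, v)


# One parser per feed format, each yielding (ioc_type, raw_value, tag).
def parse_hash_feed(records: Iterable[dict]):
    for r in records:
        for t in HASH_TYPES:
            if r.get(t):
                yield t, r[t], r.get("threat", "")


def parse_csv_feed(text: str):
    for row in csv.reader(io.StringIO(text)):  # columns: ip,category,first_seen
        if len(row) == 3:
            yield "ip", row[0], row[1]


def parse_generic_feed(records: Iterable[dict]):
    for r in records:
        yield r.get("type", ""), r.get("indicator", ""), r.get("category", "")


def merge_feeds(feeds):
    """feeds: iterable of (feed_name, parser, payload). Returns (store, rejected);
    store maps Indicator -> {"sources": set, "tags": set}."""
    store: Dict[Indicator, dict] = {}
    rejected = []
    for name, parser, payload in feeds:
        for ioc_type, raw, tag in parser(payload):
            ind = canonical(ioc_type, raw)
            if ind is None:
                rejected.append((name, ioc_type, raw))
                continue
            entry = store.setdefault(ind, {"sources": set(), "tags": set()})
            entry["sources"].add(name)
            if tag:
                entry["tags"].add(tag)
    return store, rejected


def lookup(store, ioc_type, raw):
    """Reputation check: canonicalize the query the same way as the feed data."""
    ind = canonical(ioc_type, raw)
    return store.get(ind) if ind else None


# Constructed feed payloads (placeholder hashes, documentation-range addresses).
FEED_A = [{"md5": "AA" * 16, "threat": "Trojan.Generic"},
          {"sha256": "bb" * 32, "threat": "Trojan.Generic"},
          {"md5": "not-a-hash", "threat": "Broken"}]
FEED_B = "203.0.113.7,c2,2015-05-20T10:00:00Z\n203.0.113.7,c2,2015-05-21T10:00:00Z\n999.1.1.1,c2,x\n"
FEED_C = [{"type": "domain", "indicator": "Malware.Example.", "category": "dropper"},
          {"type": "ip", "indicator": "203.0.113.7", "category": "botnet"},
          {"type": "url", "indicator": "ftp://example.invalid/x", "category": "bad"}]
FEEDS = [("hash_feed", parse_hash_feed, FEED_A),
         ("csv_feed", parse_csv_feed, FEED_B),
         ("generic_feed", parse_generic_feed, FEED_C)]


def build_store(feeds=FEEDS):
    return merge_feeds(feeds)
```

Two details matter operationally: the same canonicalization runs on both the feed side and the query side, so an uppercase hash or a trailing-dot domain in an event still hits; and malformed records are kept in a rejected list rather than silently dropped, so a feed whose format changes shows up as a spike in rejections instead of a quiet drop in coverage.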

"As a Russian service provider, it is extremely important for us to aggregate information on malware, websites and new cyber attack scenarios from leading Russian and foreign sources. The partnership with Kaspersky Lab is of particular interest to us because, in addition to drawing on our partner's top-level expertise in this field, we obtain from them information adapted to Russian modifications of threats and to local specifics," says Vladimir Dryukov, head of security outsourcing at the Information Security Center of Jet Infosystems. "The result of our partnership is the ability to use diverse reputation databases, which is important for our clients. In addition, we have raised our proactive security monitoring and attack countermeasure services to a qualitatively higher level."
"For us, developing partnerships with managed security service providers (MSSP) is one of our strategic objectives. Corporate customers are entrusting such companies with more and more tasks, including the management of information security centers worldwide," explains Veniamin Levtsov, Vice President for Corporate Sales and Business Development at Kaspersky Lab. "Our immediate plans include actively expanding the network of MSSPs that use our services and data feeds, beyond those already cooperating with us in Europe, Asia and the Middle East. The partnership with Jet Infosystems is the first technology cooperation of this kind in Russia and the CIS."

Benefits

  1. JSOC reduces the damage from security incidents through timely, effective response and the collection of evidence.
  2. Continuous analysis of security events and incidents, and of their root causes, makes it possible to assess the effectiveness of protective measures, reveal their shortcomings and propose their replacement or adjustment.
  3. The incident management center implements the regulatory and international requirements for security event monitoring set out in PCI DSS, the Bank of Russia standard STO BR, ISO/IEC 27001 and the Federal Law "On Personal Data".
  4. Centralizing information on security status in a single system cuts the cost of auditing and monitoring security events.
  5. JSOC increases the manageability and stability of the company, which in turn increases its value.

According to the company, compliance of the data center's engineering systems with Uptime Institute Tier III requirements, together with high-availability technologies in the IT complex, gives JSOC an availability of 99.8%. The JSOC infrastructure holds a certificate of compliance with the PCI DSS standard. HP ArcSight is used as the SIEM (Security Information and Event Management) system. Investment in the project exceeds 4 million dollars.

History

2015: The monitoring center launches the service "JSOC. Cybercrime Counteraction"

On May 28, 2015, Solar Security and Group-IB announced a technology partnership under which the commercial security monitoring and incident response center JSOC launched the service "JSOC. Cybercrime Counteraction"[2].

Under the partnership, JSOC's own analytical data is continuously supplemented with data from the Bot-Trek Cyber Intelligence (CI) platform and the Threat Detection Service (TDS) system. To enable the technical interaction between JSOC and Group-IB, Solar Security specialists developed an integration mechanism that structures, analyzes and loads the full volume of heterogeneous data into the JSOC databases in real time, tagged per specific client.

The service lets JSOC work with a stream of data on real security incidents registered by the Bot-Trek CI and TDS platforms at Russian companies in a given industry, so that the monitoring center's correlation rules can be updated promptly and similar incidents detected early at the clients connected to JSOC.

The "JSOC. Cybercrime Counteraction" service checks client data for infections with zero-day trojans already detected at other companies, in order to stop an APT attack in preparation before it causes visible damage. Where a targeted attack has already been carried out and credentials are known to have been compromised, JSOC analysts assess the danger of the specific leak and develop recommendations for minimizing the damage.

"JSOC, as an MSSP provider, is focused on the most proactive possible prevention of threats to its clients' information security. In this context, the key value lies in aggregating and analyzing all available data on changes in the threat landscape: new attacks, hacker tools, and descriptions of the behavior of the zero-day viruses most widespread in specific environments. Connecting to Group-IB's services is the next stage in transforming JSOC into a large-scale domestic competence center for countering targeted attacks," said Igor Lyapunov, CEO of Solar Security.

The "JSOC. Cybercrime Counteraction" service comprises three components:

  • a prompt check of the JSOC client's entire infrastructure for active or "dormant" malware infections, and an assessment of its real protection against new threats. Data on zero-day viruses and security incidents is aggregated with information from the Bot-Trek CI platform, which monitors the Internet to identify new attack vectors and samples and descriptions of specific viruses and trojans;

  • processing by JSOC analysts of compromised client data identified by the Bot-Trek CI platform, to build an up-to-date picture of how dangerous the specific leak is:
      * whether any malicious actions were performed using the compromised accounts;
      * whether their loss carries direct financial or reputational risks for the customer's organization;
  • a check by JSOC analysts of an infrastructure host flagged as suspicious by the Threat Detection Service (TDS), to confirm whether the infection is current and to plan its cleanup, together with an analysis of the possible infection paths to prevent repeat attacks in the future.

The services can be provided as separate options.
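The two checks the components above describe, as an added example that is not Group-IB's, Solar Security's or JSOC's code: a sweep of constructed host telemetry against a normalized indicator set, which separates hosts where an indicator was executed, resolved or connected to ("active") from hosts where a known-bad file is merely present on disk ("dormant"), and a review of compromised accounts to see whether they were used after the compromise time and from where. The indicators, telemetry, authentication records, corporate address ranges and account-role mapping are all constructed assumptions.

```python
"""Sweep host telemetry against normalized indicators, separate active from
dormant infections, and check whether compromised accounts were used afterwards.
Added example: indicators, telemetry, auth records, network ranges and roles
below are constructed; this is not Group-IB's or JSOC's logic."""
import ipaddress
from datetime import datetime


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed indicators, already normalized: (type, canonical value) -> tag.
INDICATORS = {
    ("sha256", "cc" * 32): "dropper",
    ("domain", "c2.example"): "c2",
    ("ip", "203.0.113.7"): "c2",
}

# Constructed telemetry. kind: file (on-disk inventory), proc (execution),
# dns (query), conn (outbound connection).
TELEMETRY = [
    {"host": "ws-017", "time": "2015-05-27T22:15:00", "kind": "proc", "sha256": "cc" * 32},
    {"host": "ws-017", "time": "2015-05-27T22:15:04", "kind": "dns", "domain": "C2.example"},
    {"host": "ws-042", "time": "2015-05-10T09:00:00", "kind": "file", "sha256": "cc" * 32},
    {"host": "ws-042", "time": "2015-05-27T23:00:00", "kind": "dns", "domain": "intranet.corp"},
    {"host": "srv-fin01", "time": "2015-05-27T23:30:00", "kind": "conn", "ip": "203.0.113.7"},
]


def sweep(telemetry, indicators):
    """Return {host: {"status": "active" | "dormant", "hits": [...]}}. A hit in
    proc/dns/conn telemetry means the infection is active; a hit only in the
    file inventory means a known-bad file is present but not yet seen running."""
    results = {}
    for ev in telemetry:
        for ioc_type in ("sha256", "domain", "ip"):
            raw = ev.get(ioc_type)
            if raw is None:
                continue
            tag = indicators.get((ioc_type, raw.lower()))
            if tag is None:
                continue
            entry = results.setdefault(ev["host"], {"status": "dormant", "hits": []})
            entry["hits"].append((ioc_type, raw.lower(), tag, ev["kind"], ev["time"]))
            if ev["kind"] in ("proc", "dns", "conn"):
                entry["status"] = "active"
    return results


# Constructed compromised-credential records and authentication log.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ACCOUNT_ROLE = {"ivanov": "finance", "svc_backup": "privileged", "petrov": "standard"}
COMPROMISED = [("ivanov", "2015-05-25T18:00:00"), ("petrov", "2015-05-26T12:00:00")]
AUTH_LOG = [  # (time, account, src_ip, result)
    ("2015-05-25T09:00:00", "ivanov", "10.2.3.4", "ok"),
    ("2015-05-26T02:10:00", "ivanov", "198.51.100.9", "ok"),
    ("2015-05-26T02:12:00", "ivanov", "198.51.100.9", "ok"),
    ("2015-05-26T13:00:00", "petrov", "10.2.3.9", "ok"),
    ("2015-05-27T01:00:00", "svc_backup", "10.9.9.9", "ok"),
]


def assess_leak(compromised, auth_log, roles, corp_nets):
    """For each compromised account: successful logins after the compromise time,
    which of them came from outside the corporate ranges, and the business-risk
    label taken from the role map (the analyst's judgment input)."""
    out = {}
    for account, since in compromised:
        after = [(ts, ip) for ts, acct, ip, res in auth_log
                 if acct == account and res == "ok" and parse_ts(ts) > parse_ts(since)]
        external = [(ts, ip) for ts, ip in after
                    if not any(ipaddress.ip_address(ip) in net for net in corp_nets)]
        out[account] = {
            "logins_after_compromise": len(after),
            "external_logins": external,
            "used_by_attacker_likely": bool(external),
            "risk": roles.get(account, "unknown"),
        }
    return out


if __name__ == "__main__":
    for host, r in sweep(TELEMETRY, INDICATORS).items():
        print(host, r["status"], len(r["hits"]), "hit(s)")
    for acct, r in assess_leak(COMPROMISED, AUTH_LOG, ACCOUNT_ROLE, CORP_NETS).items():
        print(acct, r)
```

With the constructed data, ws-017 and srv-fin01 come out active (a dropper executed and a C2 domain resolved; a connection to a C2 address) while ws-042 is dormant, since the dropper is on disk but nothing shows it running. On the credential side, ivanov's account logged in twice from a non-corporate address after the compromise time, so the "were the accounts used maliciously" question gets a likely yes, while petrov's only post-compromise login came from inside the corporate range.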

Notes