CyberART Cyber Defense Service

Product
Developers: InnoSTage (Innostage)
Launch date: 2019/11/19
Technology: Security Information and Event Management (SIEM)

2024: MaxPatrol O2 usage

Since 2024, Innostage has been using MaxPatrol O2, a cybersecurity "autopilot", in its SOC CyberART to make monitoring of its own infrastructure more effective. This has made incident handling several times faster. InnoSTage announced this on July 29, 2024.

Innostage SOC CyberART processes more than 100 security alerts per day from its own infrastructure. To reduce the load on analysts, Innostage has deployed the MaxPatrol O2 metaproduct, which picks out chains of suspicious activity from the large volume of information security events and provides the full context of what is happening.

In addition, in the spring of 2024 Innostage launched an open cyber test program in which "ethical hackers" attempt to break into the company's infrastructure and steal money from its account; this led to an increase in the number of attacks on Innostage. The company therefore needed to strengthen and speed up incident monitoring and response in order to reduce risk and increase confidence in the protection of the business.

"Autopilot MaxPatrol O2 promptly analyzes not just atomic incidents, but entire chains of actions of attackers. As a result, the efficiency of Innostage SOC CyberART is significantly increased: we more quickly receive all the necessary information about incidents that occur in the company, after which we minimize the risk of their repetition. At the same time, we can describe a specific unacceptable event in advance and set parameters so that in the future MaxPatrol O2 monitors it and predicts the reachability of a critical asset in each emerging attack chain. This will further assess the potential damage that can be caused if the attacker is not stopped in time," said Maxim Akimov, head of Innostage SOC CyberART.

To obtain information about incidents, build attack chains and calculate the reachability of unacceptable events, MaxPatrol O2 uses data from the MaxPatrol SIEM sensor product. PT Network Attack Discovery is connected for visibility of network interactions. Automated response, including on endpoints, is provided through integration with MaxPatrol EDR, which protects them from targeted attacks on all popular operating systems, including Russian ones.

Notably, the SOC Innostage team was able to adapt its MaxPatrol SIEM analytical content to MaxPatrol O2, so that its own incident-detection rules are used when identifying activity chains.
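As an added example (not MaxPatrol O2, Positive Technologies or Innostage code), the following Python script shows the two ideas described above in simplified form: grouping atomic alerts into activity chains by shared host or user within a time window, and checking by breadth-first search whether a chain's hosts can reach a critical asset over allowed network paths. All alerts, hosts, users, rule names, the network graph and the 30-minute window are constructed assumptions.

```python
"""Added example (not MaxPatrol O2 or Innostage code): a toy correlator that
links atomic alerts into activity chains and checks whether a chain can reach
a critical asset. Hosts, users, rule names and network edges are constructed."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    ts: datetime
    host: str
    user: str
    rule: str


@dataclass
class Chain:
    alerts: list
    hosts: set
    users: set


WINDOW = timedelta(minutes=30)  # assumed: alerts further apart start a new chain

# Constructed sample alerts (sorted by time inside build_chains, so order here is free).
SAMPLE_ALERTS = [
    Alert(datetime(2024, 7, 1, 10, 0), "WS-01", "alice", "phishing_attachment_opened"),
    Alert(datetime(2024, 7, 1, 10, 12), "WS-01", "alice", "lsass_memory_access"),
    Alert(datetime(2024, 7, 1, 10, 25), "SRV-FILE", "alice", "logon_from_new_host"),
    Alert(datetime(2024, 7, 1, 11, 40), "WS-07", "bob", "usb_device_mounted"),
]

# Constructed allowed network paths (which host may open connections to which).
SAMPLE_GRAPH = {
    "WS-01": ["SRV-FILE"],
    "SRV-FILE": ["DC-01"],
    "WS-07": ["SRV-PRINT"],
}
CRITICAL_ASSETS = {"DC-01", "ERP-DB"}  # assets whose compromise is an unacceptable event


def build_chains(alerts, window=WINDOW):
    """Group alerts that share a host or user and fall within `window`
    of the chain's most recent alert; everything else starts a new chain."""
    chains = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for c in chains:
            last = c.alerts[-1]
            if a.ts - last.ts <= window and (a.host in c.hosts or a.user in c.users):
                c.alerts.append(a)
                c.hosts.add(a.host)
                c.users.add(a.user)
                break
        else:
            chains.append(Chain([a], {a.host}, {a.user}))
    return chains


def first_reachable(graph, sources, targets):
    """Breadth-first search from the chain's hosts over allowed network paths;
    returns the first critical asset reached, or None."""
    seen = set(sources)
    queue = deque(sorted(sources))
    while queue:
        node = queue.popleft()
        if node in targets:
            return node
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return None


def assess(alerts, graph, critical):
    """Return one summary per chain, including which critical asset it can reach."""
    out = []
    for c in build_chains(alerts):
        out.append({
            "rules": [a.rule for a in c.alerts],
            "hosts": sorted(c.hosts),
            "users": sorted(c.users),
            "reaches": first_reachable(graph, c.hosts, critical),
        })
    return out


if __name__ == "__main__":
    for i, chain in enumerate(assess(SAMPLE_ALERTS, SAMPLE_GRAPH, CRITICAL_ASSETS), 1):
        print(f"chain {i}: {chain}")
```

Running the script prints two chains: the phishing, credential-access and new-host-logon alerts for alice collapse into one chain that can reach the domain controller DC-01, while bob's isolated USB alert stays a separate chain that reaches nothing critical. A real product uses many more join keys and a richer asset model; the point of the toy is the separation of chain building from reachability, which is what lets an analyst rank a chain by the damage it could still do.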

"Our pilot tests at various Russian companies and government agencies show that even with a fully staffed SOC, the response to an incident using MaxPatrol O2 is much faster because manual labor is minimized. In Innostage's SOC, MaxPatrol O2 acts as a 'co-pilot': it rechecks the entire flow of information security events and reduces the impact of the human factor, which is especially important for the company in the context of open cyber tests," said Anastasia Vazhenina, head of metaproduct development practice at Positive Technologies.

2020

CyberART became a technology partner of Positive Technologies as part of the MSSP program

Cyber defense services operator CyberART (part of the InnoSTage Group of Companies) has launched commercial services for monitoring information security events based on MaxPatrol SIEM. InnoSTage announced this on June 8, 2020.

The services are aimed at a wide range of companies, including the financial and energy sectors, and at the public sector. They help protect critical information infrastructure facilities and improve information security in all other key computer systems.

One of the key competencies of the InnoSTage Group of Companies is the implementation of information protection projects and services. CyberART provides cyber defense services as part of its information security monitoring and cyber incident prevention tasks. Cooperation with Positive Technologies will allow the group's specialists to expand the range of services for customers. Customer companies receive several advantages at once:

  • services based on a solution from a Russian market vendor;
  • monthly updated rules for detecting current threats, delivered as expertise packs for MaxPatrol SIEM;
  • advanced CyberART analytics: with in-depth knowledge of the customer's IT infrastructure, experts help tailor the rule packs to the customer's needs, so that even complex, non-typical computer attacks can be identified and effectively countered;
  • help with meeting regulatory requirements under 187-FZ (Federal Law "On the Security of Critical Information Infrastructure of the Russian Federation");
  • a flexible licensing model.

"With the support of our partner, we are expanding the monitoring services of our SOC, which are the foundation for building the protection of a customer company. MSSP collaboration with Positive Technologies gives us flexibility for customers. Within information security projects, companies will receive not only the technology, but also the knowledge of our specialists in the control and monitoring of security events, based on many years of practice and experience. In addition to our experience, we will also be able to offer a licensing model from one of the leading vendors in the cybersecurity market," comments Aydar Guzairov, director of the InnoSTage Group of Companies.

"Positive Technologies has been running the MSSP partnership program since 2017. We are very careful in selecting partners for the MSSP program. CyberART meets all the requirements: the company has valid MaxPatrol SIEM technical support certificates and, most importantly, certified specialists who know very well how our product can solve customers' security problems," comments Maxim Filippov, Business Development Director of Positive Technologies in Russia.

The InnoSTage group of companies, in partnership with Positive Technologies, also specializes in PT Application Firewall, a flexible and accurate tool for comprehensive protection against web attacks, and in PT Industrial Security Incident Manager, a cyber incident management system for automated process control systems (APCS).

Home Office Security Checklist

CyberART, an operator of cyber defense services, has prepared a checklist with which a company can check its own level of security, and has also outlined the main stages needed to ensure comprehensive home office security. InnoSTage announced this on April 31, 2020.

A number of companies are already organizing partial or complete remote work for their teams. Protecting remote work, however, requires a comprehensive approach, since the "home office" format itself increases the number of potential threats to the company's security.

CyberART recommends that those who have already started switching to remote work answer the following questions to assess their current level of security:

  1. Are secure communication channels, for example a VPN (Virtual Private Network), used for remote work?
  2. Does the user undergo two-factor authentication (tokens, one-time passwords) when connecting to the infrastructure?
  3. Are employees' personal devices excluded from remote connections?
  4. Are removable media controlled at remote workplaces, and is "direct" Internet access prohibited?
  5. When connecting to the company network, are remote devices checked for the presence and currency of antivirus software and for the necessary security updates?
  6. Is the use of enterprise services allowed only from specially configured "jump nodes": terminal servers and virtual desktops (VDI)?
  7. Is the company's IT infrastructure segmented with access control configured, and do users have the minimum set of rights needed for their work?
  8. Are information security and event audit policies defined and enforced in the company's IT infrastructure?
  9. Is there continuous monitoring of and response to security events, so that computer attacks and incidents are detected and stopped before they can cause real negative consequences for the company?
  10. Do you track changes in the set of resources to which remote access is provided, analyze the security of the network perimeter and infrastructure, and detect and eliminate vulnerabilities and configuration errors?

Crises of this kind, and the emergency measures they require, often exacerbate an organization's existing information security problems. If a company has unprotected remote workplaces and "home offices," attackers gain wide scope for the following:

  • theft of confidential information and personal data;
  • transfer of money from the company's current account;
  • infection of the company's IT infrastructure with ransomware (a "crypto virus"), which in turn can disable IT systems and industrial automation systems, disrupting the business and production processes of enterprises, etc.

Further threats already observed include a rise in phishing campaigns aimed at remote employees and the appearance of fake websites and applications, all of which, amid the panic around the coronavirus, can induce an employee to open an email, open an attachment, follow a link or visit a malicious site.

Not every organization has information security department specialists or a corporate SOC (Security Operations Center) on staff who can competently assess which measures should be prioritized for a safe transition to remote work. Depending on the resources available to them, companies are advised, on their own or together with external experts, to follow these steps to build a comprehensive remote access protection system:

  • Step 1. Protect the channel with VPN tools that support multi-factor authentication and check that connecting devices comply with security requirements.
  • Step 2. Harden the endpoints used for remote access by configuring and distributing enterprise security policies to them.
  • Step 3. Deploy network-level intrusion detection and malware protection.
  • Step 4. Identify and block previously unknown malware, targeted attacks, and zero-day attacks.
  • Step 5. Apply advanced monitoring and control of privileged users.
  • Step 6. Detect attacks early using decoy resources (honeypots), software traps that reveal an intruder at the initial stages of penetration.
  • Step 7. Protect remote access channels from denial-of-service attacks.
  • Step 8. Assess security with automated tools and manual checks to detect and eliminate vulnerabilities and configuration errors.
  • Step 9. Monitor security events captured by remote access tools and other components of the controlled systems, and detect and stop computer attacks and security incidents before they cause real negative consequences.
  • Step 10. Organize a secure access infrastructure, including endpoint security, secure terminal access and virtual desktop (VDI) technologies, and provide resources for secure communication and collaboration.
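As an added example that is not CyberART's or Innostage's code, the following Python script turns several of the checklist questions above (two-factor authentication, no personal devices, current antivirus, access only through jump nodes) into automated checks run over constructed remote-access gateway records, the kind of security-event monitoring Step 9 calls for. The key=value log format, the field names, the jump host name and the seven-day antivirus age limit are all assumptions.

```python
"""Added example (not CyberART's or Innostage's code): a posture check over
constructed remote-access gateway records, flagging sessions that fail the
checklist points (MFA, managed device, current antivirus, access only via
jump hosts). The log format and field names are assumed."""
from __future__ import annotations

# Constructed sample records in an assumed key=value format; the source IPs
# come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
ts=2020-04-06T08:02:11Z user=alice src=203.0.113.10 device=LT-0042 managed=yes mfa=yes av_age_days=1 dst=jump-01
ts=2020-04-06T08:05:40Z user=bob src=198.51.100.7 device=HOME-PC managed=no mfa=no av_age_days=45 dst=fileserver-01
ts=2020-04-06T08:09:03Z user=carol src=203.0.113.55 device=LT-0077 managed=yes mfa=yes av_age_days=12 dst=jump-01
"""

JUMP_HOSTS = {"jump-01"}   # assumed: the only permitted entry points (checklist item 6)
MAX_AV_AGE_DAYS = 7        # assumed: signatures older than this count as stale (item 5)


def parse_record(line: str) -> dict:
    """Parse one key=value record into a dict; tokens without '=' are ignored."""
    rec = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def check_session(rec: dict, jump_hosts=JUMP_HOSTS, max_av_age=MAX_AV_AGE_DAYS) -> list[str]:
    """Return the checklist violations for one session, in a fixed order."""
    findings = []
    if rec.get("mfa") != "yes":
        findings.append("no_mfa")              # item 2: two-factor authentication
    if rec.get("managed") != "yes":
        findings.append("personal_device")     # item 3: no personal devices
    try:
        av_age = int(rec.get("av_age_days", ""))
    except ValueError:
        av_age = None                          # missing or unparsable: treat as stale
    if av_age is None or av_age > max_av_age:
        findings.append("av_outdated")         # item 5: antivirus present and current
    if rec.get("dst") not in jump_hosts:
        findings.append("direct_access")       # item 6: services only via jump nodes
    return findings


def audit_sessions(log_text: str) -> list[dict]:
    """Run the checks over every record and return one result per session."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        results.append({
            "user": rec.get("user"),
            "device": rec.get("device"),
            "findings": check_session(rec),
        })
    return results


if __name__ == "__main__":
    for r in audit_sessions(SAMPLE_LOG):
        status = "OK" if not r["findings"] else ", ".join(r["findings"])
        print(f"{r['user']:<6} {r['device']:<8} {status}")
```

On the sample records alice's session passes, bob's session trips all four checks (no MFA, an unmanaged home PC, 45-day-old antivirus, and a direct connection to a file server instead of the jump host), and carol's otherwise clean session is flagged only for stale antivirus. The checks are deliberately strict about missing fields: a record that does not report antivirus age is treated as failing, so gaps in telemetry surface as findings rather than silently passing.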

Because of the urgency of switching to remote access, a business may lose sight of its usual internal security processes, leaving attackers an opening. Organizing remote work widens the set of current attack vectors against the infrastructure, which is no longer confined to the office walls. Moving staff to the "home office" should therefore be treated not only as an IT task to be completed quickly, but also with information security requirements in mind, CyberART concluded.

2019

As part of InnoSTage

Since December 2019, CyberART has been operating within the InnoSTage group of companies.

CyberART Launch

On November 19, 2019, CyberART, a professional service in the field of cyber defense, began operating in Russia. CyberART, an operator of cyber defense services, is based on the Information Security Monitoring and Computer Incident Response (SOC) center.

According to the company, the operator will provide comprehensive services for monitoring information security events and responding to computer incidents, information protection and management tools, behavioral content analysis and network activity control, vulnerability management, penetration testing, and a number of other areas of information security.

The transformation of the monitoring and response center into the CyberART operator is driven by the growth in the number of cyber attacks, their increasing complexity, and the need for many organizations to comply with information security regulations. To handle such tasks in-house, a company must maintain an expensive staff and regularly purchase and update the relevant technical solutions. Working with a cyber defense services operator allows an enterprise to use only the services it needs, work with a team of specialists who train regularly and have experience in preventing a variety of threats, and reduce capital expenditure on information security.

CyberART provides services in the following areas: content analysis, infrastructure control, network activity, security audit, data protection, web application protection, infrastructure audit, and others.

"For many companies, creating their own SOC is time-consuming and very costly. Understanding this and sensing the requirements of the market, we transformed the work of the SOC to provide services under a service model. The CyberART operator will continue to develop in this format," said Volodymyr Dmitriyev, representative of cyber defense services operator CyberART.