
RED Security SOC

Product
Developers: RED Security (Applied Technology) formerly MTS RED
Last Release Date: 2024/06/26
Branches: Information security
Technology: Security Information and Event Management (SIEM)


MTS RED SOC is a center for monitoring and responding to cyber attacks. Its specialists analyze what is happening in the customer's IT infrastructure, check it for exposure to new threats, block malware and close the loopholes through which an attacker got in.

2024

Detection of 190 thousand information security incidents per year using SIEM-system KUMA

Using the Kaspersky Unified Monitoring and Analysis Platform (KUMA) SIEM system, the RED Security SOC cyber attack monitoring and response center identified more than 190 thousand information security incidents, of which 21.6 thousand were highly critical. RED Security announced this on February 5, 2025.

Among the attacks identified with KUMA were more than 33 thousand attempts by attackers to bypass security tools, over 26 thousand network attacks, about 21 thousand malware infection attempts and more than 28 thousand attacks over other vectors.

The highly critical incidents that RED Security SOC identified on the basis of KUMA were recorded mainly in the industrial sector, more than seven thousand in total; industry remained the most attacked sector of the Russian economy throughout the year. A further 3.7 thousand highly critical cyber attacks were blocked at IT companies and 3.5 thousand in telecommunications.

"KUMA is high-performing and easily scalable, and out of the box it supports a large list of connectors for typical event sources. This allows us to bring companies under protection as quickly as possible, connecting basic cyber attack detection scenarios in the shortest time. In addition, it is very important to us that KUMA can be integrated with solutions from any developer, since we act as an open cybersecurity ecosystem and give customers maximum freedom and flexibility in choosing suppliers of particular protection technologies," said Mikhail Klimov, head of services at the RED Security SOC cyber attack monitoring and response center at RED Security.

"Together with RED Security, we are working to raise the level of protection of companies on the Russian market by solving their current information security problems. SIEM is one of the key tools for SOC specialists, and we regularly improve our KUMA platform so that working with it is as convenient as possible. In particular, at the request of the RED Security team and other customers, the latest update added, alongside on-the-fly event correlation and retrospective analysis, a function for regularly checking previously collected events, processed using SQL queries. Combining the analytical functions of the ClickHouse database with the correlation engine expands the system's ability to detect complex attacks in which attackers try to stay below the radar. The results that information security specialists obtain with KUMA are the best proof of its effectiveness," said Ilya Markelov, head of development of the unified corporate platform at Kaspersky Lab.

Xello Deception Implementation

MTS RED entered into a technology partnership agreement with Xello. Thanks to this partnership, the MTS RED SOC cyber attack monitoring and response center will help customers reduce the likelihood of damage even if hackers penetrate the company's infrastructure. MTS RED announced this on June 26, 2024.

MTS RED will act as the MSSP (Managed Security Service Provider) for the Xello Deception platform, which detects attacker activity by feeding attackers false information about the IT infrastructure. The solution lays a false layer of assorted data and information assets over the company's network, of the kind likely to be targeted in a cyber attack.

Thus, if an attacker manages to bypass the company's perimeter security, Xello Deception leads them down a false trail while they search for key infrastructure elements or confidential data of the victim company. This makes it possible to detect the presence of hackers in the customer's IT infrastructure before they reach their target and damage the company, and to block the development of the attack in time.

The service is provided according to the cloud model with the placement of key system components at the customer's site. As part of the service, the Xello Deception platform transmits data on the actions of attackers in a false infrastructure to the MTS RED SOC cyber incident monitoring and response center. This data is processed by professional analysts who notify the customer of the incident and issue recommendations for responding to a cyber attack.

"Cyber deception systems are a highly reliable source of evidence of compromise for SOCs and do not generate a large stream of false positives. At the same time, a notification from such a system calls for skills in incident analysis and prompt response. MTS RED specialists have the experience and competencies needed to provide the service in all of these areas," said Alexander Shchetinin, CEO of Xello.

"At a time when cybercriminals are refining techniques and methods to bypass classic protection tools and remain unnoticed in the victim's infrastructure for a long time, an additional layer of protection in the form of cyber deception systems becomes an important component of cybersecurity for critical business assets," said Ilnaz Gataullin, technical head of MTS RED SOC at MTS RED.

Adding Kaspersky EDR

MTS RED, a member of MTS PJSC, has supplemented the services of the MTS RED SOC cyber attack monitoring and response center with workstation and server protection based on the Kaspersky EDR (Endpoint Detection and Response) solution. MTS RED announced this on April 5, 2024.

Availability in Hybrid Format

MTS RED, a member of MTS PJSC, announced on February 29, 2024 that the services of the MTS RED SOC cyber attack monitoring and response center are now available to customers in a hybrid format.

In the hybrid format, the technological core of the monitoring and response center, the SIEM system, is deployed directly in the customer's IT infrastructure. Only administration, monitoring, content development and the preparation of instructions for responding to cyber attacks (or the direct application of technical measures to block attacks) are outsourced.

Under the hybrid model, MTS RED SOC specialists deploy the SIEM system at the customer's site and set up correlation rules for incoming information security events so that cyber threats are identified at an early stage. MTS RED SOC specialists connect to the customer's SIEM over a secure communication channel, and all incident data is stored and processed inside the customer's own environment. At the same time, MTS RED SOC applies the expertise accumulated over years of projects protecting companies in various industries to support and develop correlation rules, detect cyber attacks, prepare instructions or apply countermeasures, and provide in-depth analytics to further raise the customer's level of security.

If the company already uses a SIEM system, MTS RED specialists help audit its current state and assess whether enough sources of information security events are connected. In addition, MTS RED SOC provides customers with its own set of correlation rules that account for industry specifics and have been proven in detecting cyber attacks on the largest companies in Russia. After profiling the incident detection scenarios, MTS RED SOC experts perform the full scope of work with the SIEM system, from configuration and support to round-the-clock detection of and response to cyber attacks.
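
To make the correlation modes concrete (the on-the-fly correlation and the scheduled re-checking of stored events with SQL queries mentioned in the KUMA quote above, and the correlation rules that the hybrid model has the SOC maintain in the customer's SIEM), here is a toy correlation engine in Python. It is an added example, not KUMA, Xello or RED Security code: SQLite stands in for ClickHouse, and the event log, rule logic, thresholds and decoy asset names (a nod to the deception layer described in the Xello section) are all constructed for this illustration.

```python
"""Toy SIEM correlation engine: streaming rules plus a scheduled SQL check.

Added example; not KUMA or RED Security code. SQLite stands in for ClickHouse,
and every event, rule, threshold and decoy name below is constructed.
"""
import sqlite3
from collections import defaultdict, deque

# Hypothetical decoy assets from a deception layer: no legitimate user touches
# them, so a single interaction is enough for a high-criticality alert.
DECOY_ASSETS = {"decoy-fileshare", "decoy-db"}

# Constructed events: (ts_seconds, src_ip, user, action, target).
EVENTS = [
    # Burst of failures, then success, then the AV agent is switched off.
    (100, "10.0.0.5", "alice", "login_fail", "srv-1"),
    (101, "10.0.0.5", "alice", "login_fail", "srv-1"),
    (102, "10.0.0.5", "alice", "login_fail", "srv-1"),
    (103, "10.0.0.5", "alice", "login_fail", "srv-1"),
    (104, "10.0.0.5", "alice", "login_fail", "srv-1"),
    (110, "10.0.0.5", "alice", "login_ok", "srv-1"),
    (115, "10.0.0.5", "alice", "av_disabled", "srv-1"),
    # Someone opens a decoy share.
    (120, "10.0.0.9", "bob", "share_access", "decoy-fileshare"),
    # Low-and-slow password spray: one failure every ten minutes, new user each time.
    (1000, "10.0.0.7", "u1", "login_fail", "srv-2"),
    (1600, "10.0.0.7", "u2", "login_fail", "srv-2"),
    (2200, "10.0.0.7", "u3", "login_fail", "srv-2"),
    (2800, "10.0.0.7", "u4", "login_fail", "srv-2"),
    (3400, "10.0.0.7", "u5", "login_fail", "srv-2"),
    (4000, "10.0.0.7", "u6", "login_fail", "srv-2"),
    # A benign single typo.
    (5000, "10.0.0.11", "dave", "login_fail", "srv-1"),
]


class StreamCorrelator:
    """On-the-fly correlation over a short sliding window kept in memory."""

    def __init__(self, fail_threshold=5, window=60):
        self.fail_threshold = fail_threshold
        self.window = window
        self.fails = defaultdict(deque)  # src_ip -> recent login_fail timestamps
        self.burst_at = {}               # src_ip -> ts when the threshold was last hit
        self.alerts = []                 # (rule, severity, src_ip, ts)

    def process(self, event):
        ts, src, _user, action, target = event
        before = len(self.alerts)
        # Rule 1: any touch of a decoy asset is high-fidelity on its own.
        if target in DECOY_ASSETS:
            self.alerts.append(("decoy_access", "high", src, ts))
        if action == "login_fail":
            recent = self.fails[src]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:
                recent.popleft()
            if len(recent) >= self.fail_threshold:
                self.burst_at[src] = ts
        elif action == "login_ok":
            # Rule 2: success within the window after a failure burst from the same source.
            burst = self.burst_at.get(src)
            if burst is not None and ts - burst <= self.window:
                self.alerts.append(("bruteforce_success", "high", src, ts))
        elif action == "av_disabled":
            # Rule 3: security-tool tampering; escalated if rule 2 already fired for this source.
            escalated = any(a[0] == "bruteforce_success" and a[2] == src for a in self.alerts)
            self.alerts.append(("defense_evasion", "high" if escalated else "medium", src, ts))
        return self.alerts[before:]  # alerts raised by this event


def store_events(events):
    """Persist events as a SIEM would for retrospective analysis (SQLite stands in here)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE events (ts INTEGER, src_ip TEXT, user TEXT, action TEXT, target TEXT)")
    con.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", events)
    return con


# Scheduled check: a source failing against many distinct users over a long range
# never trips the streaming threshold, but stands out in aggregate.
SPRAY_SQL = """
SELECT src_ip, COUNT(DISTINCT user) AS users, COUNT(*) AS fails
FROM events
WHERE action = 'login_fail' AND ts BETWEEN ? AND ?
GROUP BY src_ip
HAVING COUNT(DISTINCT user) >= ?
"""


def retrospective_spray_check(con, start, end, min_users=5):
    rows = con.execute(SPRAY_SQL, (start, end, min_users)).fetchall()
    return [(src, users, fails) for src, users, fails in rows]


def run_demo(events=EVENTS):
    """Return (streaming alerts, retrospective findings) for the constructed log."""
    corr = StreamCorrelator()
    for ev in events:
        corr.process(ev)
    con = store_events(events)
    try:
        sprays = retrospective_spray_check(con, 0, 86_400)
    finally:
        con.close()
    return corr.alerts, sprays


if __name__ == "__main__":
    alerts, sprays = run_demo()
    for a in alerts:
        print("stream:", a)
    for s in sprays:
        print("retro :", s)
```

The streaming rules catch the noisy brute force and the decoy interaction as they happen, while the spray from 10.0.0.7 stays under the 60-second window and is only surfaced by the scheduled query over stored events; in a real deployment that query would run against the SIEM's column store on a timer rather than against SQLite.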

"Demand for the hybrid model of delivering cyber attack monitoring and response services is higher than ever. Large companies, especially banks and critical information infrastructure (CII) entities, prefer to outsource only the functions that require a large staff of highly qualified, experienced specialists, while keeping the systems that directly store and process incident data inside their own IT infrastructure," said Ilnaz Gataullin, technical head of MTS RED SOC at MTS RED.