
RED Security SOC

Product
Developers: RED Security (Applied Technology) formerly MTS RED
Last Release Date: 2025/10/29
Branches: Information security
Technology: Information Security Management (SIEM)


MTS RED SOC is a center for monitoring and responding to cyber attacks. Its specialists analyze what is happening in the customer's IT infrastructure, check it for exposure to new threats, block malware and close the loopholes through which an attacker has penetrated.

2025: Providing free cyber risk insurance

RED Security will provide free cyber risk insurance to customers of its cyber attack monitoring and response services. If a customer suffers damage as a result of an incident within the area of responsibility of RED Security SOC, it will receive compensation of up to five million rubles. The company announced this on October 29, 2025.

The responsibility of commercial cyber attack monitoring and response centers for the quality of their services is governed mainly by SLA metrics. The key ones are the accuracy of detecting critical information security incidents, the time to analyze them and the time to issue recommendations to customers for countering the attackers' actions. For RED Security SOC, these times do not exceed 30 minutes, which matches the best industry benchmarks. Now, in addition, customers are guaranteed compensation for damages if an incident within the area of responsibility of RED Security SOC leads to financial losses for the organization.

Thanks to the cyber insurance included in the RED Security SOC services, customers can not only minimize the risk of damage from successful cyber attacks, but also transfer it to a third party, including the risk of interrupted business processes, financial losses or regulatory fines.

RED Security SOC customers will be reimbursed for losses in the event of loss of digital information or corporate software, extortion by cybercriminals, misuse of computing resources, theft of funds in electronic form, as well as compensated for damage arising from liability to third parties. In addition, the insurance covers the costs of possible litigation related to the incident.

"Customers trust us to protect them from cyber threats, and we need to be responsible for the end result for the business, not just the interim performance metrics. We are confident in the quality of the work of RED Security SOC experts and are constantly working to increase the speed and completeness of detecting the likely actions of attackers, so we provide free insurance for possible damage. In fact, it covers all key cyber risks, from infection with ransomware and miners to the illegal withdrawal of money from the organization's accounts and regulatory fines," said Mikhail Klimov, head of services at the RED Security SOC cyber attack monitoring and response center at RED Security.

2024

Launch of consulting on cyber attack detection rules

On September 4, 2025, RED Security announced the launch of a consulting service for developing correlation rules, that is, scenarios for detecting cyber attacks. The service is aimed at companies building their own corporate security operations centers (SOC) and helps them counter cybercriminals more effectively.

With the growing number and complexity of cyber attacks, including targeted APT attacks and hacktivism, Russian companies need to strengthen their defenses. According to RED Security SOC, the total number of cyber attacks on Russian companies from January to June 2025 exceeded 63 thousand, 27% more than in the same period of 2024. Developing effective scenarios for detecting information security incidents is becoming a key factor in combating these growing cyber risks.

RED Security SOC consulting includes the custom development of correlation rules that take into account the specifics of the client's infrastructure and the cyber attacks relevant to its industry. The leading Russian SIEM systems can serve as the technological core for delivering the service. As part of the service, the company provides methodological assistance in creating and configuring correlation rules and ensures they are updated regularly. For non-standard tasks, customers can involve RED Security SOC analysts with experience in preventing complex attacks, including attacks through contractors.

"The launch of the correlation rule development service is a response to the growing demand of Russian companies to create their own monitoring centers that meet the requirements of legislation and industry standards," said Mikhail Klimov, head of RED Security SOC services. "It is the writing of incident detection rules that is the most time-consuming step in the creation of internal corporate SOCs, and we are ready to share our many years of experience in protecting the largest Russian companies in order to ensure that customers quickly increase their resistance to cyber threats."

The correlation rule package from RED Security SOC includes a description of the cyber attack scenario, the normalization rules and the correlation rule itself for the SIEM system used by the company. The customer also receives recommendations for analyzing and responding to the incident, with instructions that can be used to build a playbook.

Once a correlation rule is created, it is tested in a test environment by simulating the actual attack. The rule is checked for the accuracy of its detection logic and the likelihood of false positives, and the on-duty shift is trained in the correct response scenarios. Only then is the rule deployed to the production environment.

Thanks to this service, Russian companies can significantly accelerate the creation and launch of their own cyber threat monitoring and response centers and, as a result, reduce the financial and reputational risks of hacker attacks. In addition, engaging a contractor to write incident detection rules saves on training and upskilling in-house information security specialists.

Detection of 190 thousand information security incidents per year using the KUMA SIEM system

Using the Kaspersky Unified Monitoring and Analysis Platform (KUMA) SIEM system, the RED Security SOC cyber attack monitoring and response center identified more than 190 thousand information security incidents over the year, including 21.6 thousand highly critical ones. RED Security announced this on February 5, 2025.

Among the attacks identified using KUMA were more than 33 thousand attempts by hackers to bypass security tools, over 26 thousand network attacks, about 21 thousand attempted malware infections and more than 28 thousand attacks via other vectors.

Highly critical incidents identified by RED Security SOC using KUMA were recorded mainly in the industrial sector, more than seven thousand in total. This industry remained the most attacked in the Russian economy throughout the year. A further 3.7 thousand highly critical cyber attacks were blocked at IT companies and 3.5 thousand in telecommunications.

"KUMA has high performance and is easily scalable, and out of the box supports a large list of connectors to typical event sources. This allows us to take companies under protection as quickly as possible, connecting basic scenarios for detecting cyber attacks in the shortest possible time. In addition, it is very important for us that KUMA can be integrated with the solutions of any developers, since we act as an open cybersecurity ecosystem and provide customers with maximum freedom and flexibility in choosing suppliers of particular protection technologies," said Mikhail Klimov, head of services at the RED Security SOC cyber attack monitoring and response center at RED Security.

"Together with RED Security, we are working to increase the level of protection of companies in the Russian market, solving their current problems in the field of information security. SIEM is one of the key tools for SOC specialists, and we regularly improve our KUMA platform so that working with it is as convenient as possible. In particular, at the request of the RED Security team and other customers, the latest update added, in addition to correlating events on the fly and retrospective analysis, a function for regularly checking previously collected events processed using SQL queries. The joint use of the analytical functions of the ClickHouse DB and the correlation engine expands the system's ability to detect complex attacks in which attackers seek to stay under the radar. The results that information security specialists achieve with the help of KUMA are the best proof of its effectiveness," said Ilya Markelov, head of development of the Kaspersky Lab unified corporate platform.

Xello Deception Implementation

MTS RED has entered into an agreement with Xello. Thanks to this technological partnership, the MTS RED SOC cyber attack monitoring and response center will help customers reduce the likelihood of damage even if hackers penetrate the company's infrastructure. MTS RED announced this on June 26, 2024.

MTS RED will act as an MSSP (Managed Security Service Provider) for the Xello Deception platform, which detects attacker activity by feeding attackers false information about the IT infrastructure. The solution creates a decoy layer of assorted data and information assets across the company's network, the kind of assets likely to be touched during a cyber attack.

Thus, if an attacker manages to bypass the company's perimeter security, Xello Deception technologies lead the attacker down a false trail while they search for key infrastructure elements or the victim company's confidential data. This makes it possible to detect the presence of hackers in the customer's IT infrastructure before they reach their target and harm the company, and to block the attack's progress in time.

The service is delivered under a cloud model, with the key system components placed at the customer's site. As part of the service, the Xello Deception platform sends data on the attackers' actions in the decoy infrastructure to the MTS RED SOC cyber incident monitoring and response center. This data is processed by professional analysts, who notify the customer of the incident and issue recommendations for responding to the cyber attack.

"Cyber deception systems are a highly trusted source of compromise indicators for SOCs and do not generate a large stream of false positives. At the same time, when a notification arrives from the system, skills are needed for incident analysis and prompt response. MTS RED specialists have the necessary experience and competencies to provide the service in all these areas," said Alexander Shchetinin, CEO of Xello.

"In conditions where cybercriminals are improving their techniques and methods to bypass classic protection tools and remain unnoticed in the victim's infrastructure for a long time, an additional layer of protection in the form of cyber deception systems becomes an important component of ensuring the cybersecurity of critical business assets," said Ilnaz Gataullin, technical head of MTS RED SOC at MTS RED.

Adding Kaspersky EDR

MTS RED, a member of MTS PJSC, has supplemented the services of the MTS RED SOC cyber attack monitoring and response center with workstation and server protection technology based on the Kaspersky EDR (Endpoint Detection and Response) solution. MTS RED announced this on April 5, 2024.

Availability in Hybrid Format

MTS RED, a member of MTS PJSC, announced on February 29, 2024 that the services of the MTS RED SOC cyber attack monitoring and response center are now available to customers in a hybrid format.

In the hybrid format, the technological core of the cyber attack monitoring and response center, the SIEM system, is deployed directly in the customer's IT infrastructure. Only the functions of administration, monitoring, content development and the preparation of cyber attack response instructions, or the direct application of technical measures to block attacks, are outsourced.

Under the hybrid model, MTS RED SOC specialists deploy the SIEM system at the customer's site and set up correlation rules for incoming information security events to identify cyber threats at an early stage. MTS RED SOC specialists connect to the customer's SIEM system via a secure communication channel, and all incident data is stored and processed within the company's own perimeter. At the same time, MTS RED SOC applies the expertise accumulated over many years of protecting companies in various industries to maintain and develop correlation rules for information security events, identify cyber attacks, prepare instructions or implement countermeasures, and provide in-depth analytics to further raise the customer's security level.

If the company already uses a SIEM system, MTS RED specialists help audit its current state and assess whether enough sources of information security events are connected. In addition, MTS RED SOC provides customers with its own set of correlation rules for information security events, which take industry specifics into account and have been proven in detecting cyber attacks on the largest companies in Russia. After profiling the incident detection scenarios, MTS RED SOC experts perform the full scope of work with the SIEM system, from tuning and support to round-the-clock detection of and response to cyber attacks.

"The demand for a hybrid model of delivering cyber attack monitoring and response services is higher than ever. Large companies, especially banks and CII entities, prefer to outsource only those functions that require a large staff of highly qualified and experienced specialists, while keeping the systems that directly store and process incident data inside their own IT infrastructure," said Ilnaz Gataullin, technical head of MTS RED SOC at MTS RED.