Payment infrastructure of the Tinkoff Bank financial ecosystem is placed under Solar JSOC monitoring
Customer: Tinkoff Bank. Product: Solar JSOC. Based on: Solar inView (formerly Jet inView Security, JiVS). Project dates: 2015/11 - 2020/02
2020: Payment infrastructure brought under monitoring
On March 19, 2020, Rostelecom-Solar reported that, together with Tinkoff, it had started the next stage of their cooperation. The payment infrastructure of the financial ecosystem is now also monitored by the Solar JSOC cyberattack monitoring and response center.
Cooperation between Rostelecom-Solar and Tinkoff began in 2015. Initially the service provider's main task was detecting computer attacks and protecting the company's IT infrastructure. The first year of service demonstrated its effectiveness, and a year later the scope was significantly expanded: in addition to incident monitoring and optimization of detection scenarios, Solar JSOC experts took over the detection of indicators of compromise and attacker tooling and the search for their traces in the infrastructure, operation and performance tuning of the SIEM platform, and customization of the incident detection scenarios the customer already had in place.
"In conditions of rapidly changing bank infrastructure and growth in the number and complexity of computer attacks, it is extremely important to rely on a reliable partner in matters of ensuring the operational security of our products and services. Our long cooperation with Solar JSOC has stood the test of time and of engineering and process changes. Together with them we raise the security level of our ecosystem every day, and we are glad to continue cooperation with such a high-quality team," said Dmitry Gadar, Vice President and Head of the Information Security Department at Tinkoff.
The next stage of cooperation between Tinkoff and Solar JSOC was connecting the critical payment infrastructure to round-the-clock monitoring. Beyond monitoring and incident analysis, Solar JSOC specialists developed special detection scenarios tailored specifically to the customer's payment infrastructure.
Solar JSOC collects information security events from more than 200 technical sources in the ecosystem. In the last year of work alone, the joint efforts of Tinkoff and Solar JSOC specialists produced 10 specialized scenarios built to the customer's needs, and 15 more were heavily customized.
In parallel, work was carried out to build an end-to-end, seamless incident response process. Tinkoff's information security department reinforced the round-the-clock incident response team. This step halved the total time taken to counter computer attacks.
In addition, an internal Red Team of security analysis and penetration testing experts was formed within the ecosystem's information security department. On a regular basis, and without warning the external SOC specialists or the response team, they execute various attack scenarios against the infrastructure of the kind used by real attackers. Red Team activity makes it possible to verify the security level of the ecosystem, the quality of the incident detection scenarios, and the performance of the Rostelecom-Solar experts and the Bank's information security department, who are responsible for detecting, analyzing and responding to incidents.
"Living under intensive, continuous security testing by first-class specialists is always a challenge for a SOC team. So far we are coping successfully: Solar JSOC analysts detect over 80% of the 'attacker's' key steps, whereas for an attack to succeed every one of them must go unnoticed. At the same time, both for us and for the bank's information security team, it is an opportunity to continuously improve the quality of incident detection scenarios and to optimize our interaction and joint incident response processes. Working in such an aggressive environment with a high-quality team of experts from the bank makes it possible to achieve a high level of infrastructure security," said Anton Yudakov, Operations Director of the Solar JSOC cyberattack monitoring and response center at Rostelecom-Solar.
2016: Connection to the round-the-clock monitoring service
In June 2016, Solar Security reported that it had connected Tinkoff Bank's infrastructure to the Solar JSOC round-the-clock cybersecurity incident monitoring and response service.
Originally Tinkoff Bank monitored incidents on its own: it had purchased the HP ArcSight SIEM system for this purpose and configured its own correlation-rule logic for incident detection. With rapid business growth, the bank's specialists decided to bring in additional resources for continuous analysis of new threat vectors, real-time incident monitoring, and full-time SIEM work on developing new rules, dashboards and reports and writing connectors for onboarding new systems.
The contractor was engaged under a hybrid scheme in which the outsourcer uses the HP ArcSight system already deployed in the bank. After a pilot project and a feasibility study, Solar JSOC, the Russian commercial incident monitoring, detection and response center operated by Solar Security, was selected to implement this model of interaction.
As part of the onboarding, Solar JSOC specialists were tasked with significantly expanding the incident detection logic across the information security event sources already connected to the SIEM. A list of systems to be connected to monitoring was defined, with new rules to be provided for them. Continuous monitoring and analysis of events in the bank's infrastructure from a cybersecurity perspective became the main objective.
Solar JSOC services were launched in several steps. Since the bank had spent a long time populating HP ArcSight with its own rules and reports, preserving those results was important, so in the first stage the SIEM system was analyzed and new content was installed without disrupting the accumulated logic. Next came profiling and adaptation of the Solar JSOC incident detection scenarios to the connected infrastructure and to the operating procedures for services, systems and users adopted in the Bank. In the third stage, the bank's SIEM system was connected to the Solar JSOC duty lines to provide round-the-clock monitoring and incident response. After commissioning, Solar JSOC specialists began delivering the service directly, with regular updating and adaptation of rules, writing of logic for newly connected sources, and monitoring of the health of the SIEM software and hardware, which remains administered by the bank's specialists.
By implementing the hybrid outsourcing model, the bank developed the most important functions of its own SOC. As a result of connecting to Solar JSOC, the list of incident detection scenarios was significantly expanded, the number of false alerts was minimized, interaction procedures for detected incidents were introduced, and a roadmap for connecting new infrastructure sources and business applications was worked out.