Central security point
A company we shall not name used an array of technological solutions to ensure its cyber security. However, it had difficulty running the systems. The main problems stemmed from the diversity of the systems, the user interfaces and the lack of a central assessment mechanism. Another problem was the high turnover of employees in the IT Department, who had to work with the various technological solutions. Repeated employee training for a wide range of security tools thus accounted for a significant budget item.
This company then contacted us for assistance in resolving the situation. The initial state was very complicated. We began by centralising security into a single point and took over management of the security technology as a support service. The central point became a security operations centre (SOC) structured into multiple levels.
The actual construction of the SOC was preceded by an extensive analysis, which provided us with the information needed to integrate all the technology into a central point. As part of the analysis, we developed a register of log sources, a risk analysis and threat models, and we created the processes needed to operate the security centre both on site and across the entire company. The analysis also included an assessment of the client's infrastructure and configuration optimisation for the individual components.
The first problem we encountered in creating the SOC arose when merging the individual resources under central monitoring. The majority of the customised resources (primarily applications) could not be monitored in a standard way and therefore had to be connected through agents. This significantly prolonged the implementation time.
The second problem, once the resources were connected, was eliminating false positives. We resolved this during pilot operations, when the system was tuned to minimise false positives so that it generated only relevant events and did not unnecessarily burden the infrastructure. The client was thus able to fully use the SOC to ensure the security of its infrastructure.
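The tuning step described above is the kind of thing a SOC does for every connected source during a pilot. The following is an added illustration, not the client's configuration or any real product's rule syntax: a failed-login detection run over constructed key=value log lines, first with a naive threshold and then with a tuned threshold plus an allowlist for a known vulnerability scanner and a monitoring service account. The log format, host and IP addresses, account names and thresholds are all assumptions made for the example.

```python
"""Illustrative false-positive tuning of a failed-login rule (added example).

The log lines, the key=value format, the addresses, the account names and the
thresholds below are constructed for this example and are not the client's data.
"""
import re
from collections import Counter

# Constructed authentication events. 10.0.0.99 plays a scheduled vulnerability
# scanner and "healthcheck" a misconfigured monitoring probe; both are benign.
# 203.0.113.7 is a constructed external address producing a genuine burst.
SAMPLE_LOGS = """\
2024-03-01T08:00:01 host=web01 user=alice src=10.0.0.5 result=FAIL
2024-03-01T08:00:03 host=web01 user=alice src=10.0.0.5 result=OK
2024-03-01T08:01:00 host=web01 user=svc_scan src=10.0.0.99 result=FAIL
2024-03-01T08:01:01 host=web02 user=svc_scan src=10.0.0.99 result=FAIL
2024-03-01T08:01:02 host=db01 user=svc_scan src=10.0.0.99 result=FAIL
2024-03-01T08:01:03 host=app01 user=svc_scan src=10.0.0.99 result=FAIL
2024-03-01T08:02:00 host=app01 user=healthcheck src=10.0.0.10 result=FAIL
2024-03-01T08:02:30 host=app01 user=healthcheck src=10.0.0.10 result=FAIL
2024-03-01T08:03:00 host=app01 user=healthcheck src=10.0.0.10 result=FAIL
2024-03-01T08:04:00 host=web01 user=admin src=203.0.113.7 result=FAIL
2024-03-01T08:04:01 host=web01 user=admin src=203.0.113.7 result=FAIL
2024-03-01T08:04:02 host=web01 user=root src=203.0.113.7 result=FAIL
2024-03-01T08:04:03 host=web01 user=admin src=203.0.113.7 result=FAIL
2024-03-01T08:04:04 host=web01 user=test src=203.0.113.7 result=FAIL
2024-03-01T08:04:05 host=web01 user=admin src=203.0.113.7 result=FAIL
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def parse_logs(text):
    """Parse every line, silently dropping lines the regex does not understand."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def failed_logins_by_source(events, allowlist_src=(), allowlist_users=()):
    """Count FAIL results per source address, ignoring allowlisted sources/users."""
    counter = Counter()
    for e in events:
        if e["result"] != "FAIL":
            continue
        if e["src"] in allowlist_src or e["user"] in allowlist_users:
            continue
        counter[e["src"]] += 1
    return counter


def detect_bruteforce(events, threshold, allowlist_src=(), allowlist_users=()):
    """Return the sorted list of source addresses at or above the failure threshold."""
    counts = failed_logins_by_source(events, allowlist_src, allowlist_users)
    return sorted(src for src, n in counts.items() if n >= threshold)


# Pilot phase 1: the rule as first deployed, with no knowledge of the environment.
UNTUNED = {"threshold": 3}

# Pilot phase 2: after review, the scanner address and the monitoring account are
# documented exceptions and the threshold is raised to fit observed normal traffic.
TUNED = {
    "threshold": 5,
    "allowlist_src": frozenset({"10.0.0.99"}),
    "allowlist_users": frozenset({"healthcheck"}),
}


def compare_tuning(text):
    """Run both rule versions over the same events so the reduction is visible."""
    events = parse_logs(text)
    return {
        "untuned": detect_bruteforce(events, **UNTUNED),
        "tuned": detect_bruteforce(events, **TUNED),
    }


if __name__ == "__main__":
    for phase, alerts in compare_tuning(SAMPLE_LOGS).items():
        print(f"{phase}: {alerts}")
```

Over the constructed sample the untuned rule raises three alerts, two of them on benign internal activity, while the tuned rule keeps only the external burst. Each allowlist entry should be tied to a documented asset or account and re-reviewed when that asset changes, so that suppression does not quietly outlive the reason it was added.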