Cyber threats are becoming increasingly common, and they are also becoming more complex and targeted. It is therefore imperative to have instantaneous access to, and real-time visibility of, each endpoint in order to understand what happens at the level of applications, end-user accounts and privileges, device configuration, network connections and internal and external web requests. This is the role of the SOC (Security Operations Centre). Its mission: collect the events (in the form of activity logs) generated by the different components (of the security system or others), analyse them to detect anomalies, correlate them with indicators (from internal and external sources of information) and define the appropriate reaction in case of an alert.
With Trusted Security Europe, EBRC has three service offerings. The SOC can observe the elements related to the client's security, analyse the traces left behind in the system by attackers and suggest appropriate solutions through SIEM technology (Security Information & Event Management) by HP ArcSight, Cyber Security & Forensics with EnCase by Guidance Software (Forensics) and Vulnerability Management based on Ikare by ITrust.fr. These solutions are supported by EBRC's security experts, who can also intervene on-site for a client if needed.
This group of offerings targets all organisations for which the integrity of information, its availability and confidentiality are major issues. All sectors are concerned: finance, health, public institutions and even sectors as particular as gaming or start-ups which often base their development on intellectual property. There is a real unmet need: regulations are becoming stricter, traceability has to be ensured, and the IT security system has to be under control...
The correlation of events arising from different sources and analysis in real-time thus allow for rapid identification of risks, including those of intrusion. Overall, the SOC has to help reduce risks and the unavailability of critical components of the IT system, but also identify threats, prevent them, shorten maintenance durations and simplify administrative tasks. Its main task: identify and bring together all the security elements and all detected anomalies, whether they originate in the servers, applications or networks.
EBRC's approach, based on the NIST framework (identify, protect, detect, respond, recover), is coherent and responds to all potential issues related to cyber threats, and does so around the clock.
EBRC is one of the few players with all the skills and resources to effectively correlate data and intervene on several installations without downtime. This success took time.
'In essence, the SOC is based on the experience of what already happened,' comments Régis Jeandin. 'We keep these traces to understand, to go back in time, to re-live history. We confront this new experience with new vulnerabilities, with new exploits, with information reported by Telecom companies (like POST). Understanding is the best way to avoid new risks: a firefighter has to know where the fire started and how it spread!'
To manage security events, the SOC relies on a methodology and tools that allow it to diagnose, understand and anticipate potential attacks. Trace management is therefore very important - a trace is the information that a digital device records about its activity and the identity of its users. Retaining trace data serves two purposes: regulatory compliance, and the research and investigation of identified events, in real time or post-mortem. Event management is at the heart of this. Each trace converted into an event carries a contextualised severity, defined by several parameters and requirements - this criticality is adjusted according to the client's activity.
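The three steps described above (normalising traces from several sources into events, giving each event a severity adjusted to the client's context, and correlating events into alerts) are easy to state but worth seeing in code. The following is an added illustration written for this article, not EBRC's or ArcSight's code: the trace formats, the two sources (an authentication log and a firewall), the severity scale, the client context and the two correlation rules are all assumptions constructed for the example.

```python
"""Toy SOC event pipeline: traces -> scored events -> correlated alerts.
All sample data, formats and rules below are constructed for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample traces from two hypothetical sources: "auth" and "fw" (firewall).
RAW_TRACES = [
    "auth 2024-03-01T08:00:01 FAILED_LOGIN user=alice src=203.0.113.7",
    "auth 2024-03-01T08:00:05 FAILED_LOGIN user=alice src=203.0.113.7",
    "auth 2024-03-01T08:00:09 FAILED_LOGIN user=alice src=203.0.113.7",
    "auth 2024-03-01T08:00:12 LOGIN_OK user=alice src=203.0.113.7",
    "fw 2024-03-01T08:00:30 DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "auth 2024-03-01T09:15:00 LOGIN_OK user=bob src=192.0.2.44",
]

# Base severity per event type on an assumed 1 (informational) to 10 (critical) scale.
BASE_SEVERITY = {"FAILED_LOGIN": 2, "LOGIN_OK": 1, "DENY": 3}

# Client context that raises criticality (assumed values: a privileged account, a critical host).
CLIENT_CONTEXT = {
    "privileged_users": {"alice"},
    "critical_assets": {"10.0.0.5"},
}

@dataclass
class Event:
    source: str
    ts: datetime
    kind: str
    fields: dict
    severity: int = 0

LINE_RE = re.compile(r"^(?P<source>\w+) (?P<ts>\S+) (?P<kind>\w+)(?P<kv>.*)$")

def parse_trace(line):
    """Normalise one raw trace into an Event; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(re.findall(r"(\w+)=(\S+)", m.group("kv")))
    return Event(m.group("source"), datetime.fromisoformat(m.group("ts")), m.group("kind"), kv)

def score(event, ctx):
    """Contextualised severity: base value per event type, raised by client-specific context."""
    sev = BASE_SEVERITY.get(event.kind, 1)
    if event.fields.get("user") in ctx["privileged_users"]:
        sev += 2
    if event.fields.get("dst") in ctx["critical_assets"]:
        sev += 3
    event.severity = min(sev, 10)
    return event

def correlate(events, ctx, window_seconds=60, fail_threshold=3):
    """Correlate events from different sources, keyed on the source IP.
    Rule 1: fail_threshold or more FAILED_LOGIN from one IP, then LOGIN_OK within the window.
    Rule 2: a firewall DENY against a critical asset from an IP that already raised an alert."""
    alerts = []
    failures = defaultdict(list)   # src IP -> recent FAILED_LOGIN events
    alerted_src = {}               # src IP -> timestamp of its last alert
    for ev in sorted(events, key=lambda e: e.ts):
        src = ev.fields.get("src")
        if ev.kind == "FAILED_LOGIN":
            failures[src].append(ev)
        elif ev.kind == "LOGIN_OK":
            recent = [f for f in failures[src] if (ev.ts - f.ts).total_seconds() <= window_seconds]
            if len(recent) >= fail_threshold:
                sev = min(10, max(e.severity for e in recent + [ev]) + 4)
                alerts.append({"rule": "bruteforce_then_success", "src": src,
                               "user": ev.fields.get("user"), "ts": ev.ts, "severity": sev})
                alerted_src[src] = ev.ts
                failures[src].clear()
        elif ev.kind == "DENY" and ev.fields.get("dst") in ctx["critical_assets"]:
            last = alerted_src.get(src)
            if last is not None and (ev.ts - last).total_seconds() <= window_seconds:
                alerts.append({"rule": "critical_asset_probe_after_alert", "src": src,
                               "dst": ev.fields["dst"], "ts": ev.ts,
                               "severity": min(10, ev.severity + 4)})
    return alerts

def run_pipeline(lines, ctx):
    """Full pass: parse every trace, score it, then correlate. Returns (events, alerts)."""
    events = [score(e, ctx) for e in map(parse_trace, lines) if e is not None]
    return events, correlate(events, ctx)

if __name__ == "__main__":
    evs, alts = run_pipeline(RAW_TRACES, CLIENT_CONTEXT)
    for a in alts:
        print(a["ts"].isoformat(), a["rule"], "severity", a["severity"], a["src"])
```

On the constructed data, the three failures followed by a success for the privileged account score higher than the same pattern would for an ordinary user, and the firewall deny against the critical host is escalated only because the same source IP has just raised an alert: that is what "contextualised severity" and cross-source correlation mean in practice.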
'EBRC's commitment through this SOC-as-a-Service offering is to build up a defence strategy with its clients to monitor critical infrastructure, detect potential attacks and react in an organised manner to confirmed threats', explains Régis Jeandin.
EBRC's SOC is technologically neutral, completely agnostic in terms of the technologies used by its clients. 'We are not technology resellers but independent consultants,' specifies Régis Jeandin.
'However, we welcome them in an exceptional environment regulated by the CSSF and benefit from certifications like ISO 9001, ISO 27001, ISO 20000 and PCI-DSS Level 1, an environment installed in a worldwide unique network with three Tier IV certified data centres.'