
Cybersecurity Digest #72: 04/04/2023 – 18/04/2023

Cybersecurity news


Cybersecurity Digest #71: 28/03/2023 – 04/04/2023

Cybersecurity news


Case study by Defensys – Managed security service provider

Challenge

One branch of a telecom company with a global presence used a primitive IRP (incident response platform) system with very limited functionality. Since the company is a managed security service provider (MSSP), it needed a new, more flexible platform with a significantly wider range of functions. After a series of negotiations and a PoC project, Defensys SOAR was chosen as the core solution. The Provider offers its SIEM and TI systems to each customer and, depending on the customer's infrastructure, one company can have several platforms. For that reason, the Defensys software had to be integrated with all of the installed systems.

Implementation

The Provider's client database was connected to Defensys SOAR, and the stored information is synchronized with custom assets. As a result, when an incident occurs, the Provider knows exactly which SIEM system it came from and which customer is involved, and all of that data is already stored and up to date in the client's card for further processing. This made it possible to send customized incident notifications via, for example, ITSM systems or messengers. The outcome is an effective tool with a workflow for each incident type built exactly for the Provider's needs.

Moreover, the Provider uses the popular mailing feature for subsequent reporting, involving several mailboxes.
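The enrichment and routing step described above (SIEM instance to customer card to notification channel) is easy to get wrong when one customer owns several SIEM platforms. The following is an added illustration written for this digest, not Defensys code and not the Provider's configuration: the customer records, SIEM instance names, contact addresses and the severity-to-channel policy are all constructed. It shows the two checks a practitioner wants at this point: a SIEM instance must map to exactly one customer, and an event from an unmapped source must not be silently dropped but parked for SOC triage.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Customer:
    """Customer card as synchronized from the MSSP client database (constructed)."""
    customer_id: str
    name: str
    siem_instances: List[str]                       # SIEM platforms this customer has
    contacts: Dict[str, str] = field(default_factory=dict)   # channel -> address


# Constructed sample customers; names and addresses are made up.
CUSTOMERS = [
    Customer("C-001", "Acme Retail", ["siem-acme-01", "siem-acme-02"],
             {"itsm": "https://itsm.example/acme", "messenger": "@acme-soc"}),
    Customer("C-002", "Globex Bank", ["siem-globex-01"],
             {"itsm": "https://itsm.example/globex", "email": "soc@globex.example"}),
]

# Assumed notification policy: channels to try per severity, in order.
CHANNEL_POLICY = {
    "critical": ["messenger", "itsm"],
    "high": ["messenger", "itsm"],
    "medium": ["itsm"],
    "low": ["itsm"],
}
FALLBACK_CHANNEL = "email"


def build_siem_index(customers: List[Customer]) -> Dict[str, Customer]:
    """Map every SIEM instance to its owner; a SIEM claimed twice is a data error."""
    index: Dict[str, Customer] = {}
    for customer in customers:
        for siem in customer.siem_instances:
            if siem in index:
                raise ValueError(
                    f"SIEM {siem} claimed by {index[siem].customer_id} and {customer.customer_id}")
            index[siem] = customer
    return index


def enrich_incident(incident: dict, index: Dict[str, Customer]) -> dict:
    """Attach the customer card to a raw SIEM event; unknown sources are flagged for triage."""
    enriched = dict(incident)
    customer = index.get(incident["source_siem"])
    if customer is None:
        enriched.update(customer_id=None, customer_name=None, contacts={}, triage_required=True)
    else:
        enriched.update(customer_id=customer.customer_id, customer_name=customer.name,
                        contacts=dict(customer.contacts), triage_required=False)
    return enriched


def route_notifications(enriched: dict) -> List[dict]:
    """Pick channels per policy, skipping channels the customer has not configured."""
    if enriched["triage_required"]:
        return [{"channel": "soc-queue", "target": "unmapped-source",
                 "message": f"Unmapped SIEM {enriched['source_siem']}: {enriched['title']}"}]
    wanted = CHANNEL_POLICY.get(enriched["severity"], ["itsm"])
    contacts = enriched["contacts"]
    msg = (f"[{enriched['severity'].upper()}] {enriched['customer_name']} / "
           f"{enriched['source_siem']}: {enriched['title']}")
    routes = [{"channel": ch, "target": contacts[ch], "message": msg}
              for ch in wanted if ch in contacts]
    if not routes and FALLBACK_CHANNEL in contacts:
        routes.append({"channel": FALLBACK_CHANNEL, "target": contacts[FALLBACK_CHANNEL],
                       "message": msg})
    return routes


def process(incident: dict, customers: List[Customer] = CUSTOMERS) -> List[dict]:
    """Full path: index customers, enrich the event, decide where to notify."""
    return route_notifications(enrich_incident(incident, build_siem_index(customers)))


if __name__ == "__main__":
    sample = {"source_siem": "siem-acme-02", "title": "Cobalt Strike beacon", "severity": "high"}
    for route in process(sample):
        print(route)
```

Running it prints two routes for the Acme sample (messenger first, then ITSM); the same event from `siem-globex-01` goes to ITSM only, because that customer has no messenger configured, and an event from an unknown SIEM name lands in the SOC queue.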


SGRC systems: Compliance as an obligation, part 2

Comments input

During the course of compliance assessments, auditors inevitably record a certain number of violations.

The main mistakes that can be made at this stage are:

– Treating a violation/issue as just another free-text field to be filled in during the audit.

– Treating the input of issues as the ultimate goal of the audit.

Why should every detected issue be treated as a separate entity within the audit framework? First of all, for proper monitoring, a comment must have at least the following attributes:

– Status

– Creation date

– Elimination date

– Author

– Responsible staff

– Completion date.

That is already more than can comfortably be stored in one, two or three fields. However, the list of required attributes does not end there. For each comment it is also important to record:

– For which asset was it initiated?

– In the context of which audit?

– What requirement was violated?

– What evidence was attached for the violation?
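To make the point concrete, here is an added example of what "a separate entity" looks like in code. It is written for this digest and is not part of any SGRC product: the status values, the allowed transitions, the rule that a finding cannot be verified without evidence, and the reading of "elimination date" as the planned deadline (with "completion date" as the actual date) are all assumptions. The identifiers in the sample data are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Union

DateLike = Union[date, str]


def as_date(value: DateLike) -> date:
    """Accept a date or an ISO string such as '2023-04-15'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


class Status(Enum):
    OPEN = "open"
    IN_PROGRESS = "in_progress"
    REMEDIATED = "remediated"   # responsible staff report the fix is done
    VERIFIED = "verified"       # auditor confirmed it against attached evidence


# Assumed workflow; the article lists the attributes, not the transitions.
TRANSITIONS = {
    Status.OPEN: {Status.IN_PROGRESS},
    Status.IN_PROGRESS: {Status.REMEDIATED, Status.OPEN},
    Status.REMEDIATED: {Status.VERIFIED, Status.IN_PROGRESS},  # verification can fail
    Status.VERIFIED: set(),
}


@dataclass
class Finding:
    """One audit comment with every attribute the article says must be tracked."""
    finding_id: str
    audit_id: str        # in the context of which audit
    asset_id: str        # for which asset it was initiated
    requirement_id: str  # what requirement was violated
    author: str
    owner: str           # responsible staff
    created: DateLike    # creation date
    due: DateLike        # elimination date, read here as the planned deadline
    description: str
    status: Status = Status.OPEN
    completed: Optional[date] = None   # actual completion date
    evidence: List[str] = field(default_factory=list)
    history: List[tuple] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.created, self.due = as_date(self.created), as_date(self.due)
        if self.due < self.created:
            raise ValueError("elimination date precedes creation date")

    def attach_evidence(self, ref: str) -> None:
        self.evidence.append(ref)

    def transition(self, new: Status, who: str, when: DateLike) -> None:
        """Move the finding along the workflow, keeping an audit trail of who did what."""
        when = as_date(when)
        if new not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.status.value} -> {new.value} is not allowed")
        if new is Status.VERIFIED and not self.evidence:
            raise ValueError("cannot verify a finding without evidence")
        if new is Status.REMEDIATED:
            self.completed = when
        elif new is Status.IN_PROGRESS:
            self.completed = None        # reopened, e.g. after a failed verification
        self.history.append((when, who, self.status, new))
        self.status = new

    def is_open(self) -> bool:
        return self.status in (Status.OPEN, Status.IN_PROGRESS)

    def is_overdue(self, today: DateLike) -> bool:
        return self.is_open() and as_date(today) > self.due


def overdue_by_owner(findings: List[Finding], today: DateLike) -> Dict[str, List[str]]:
    """The monitoring view: overdue open findings grouped by responsible staff."""
    report: Dict[str, List[str]] = {}
    for finding in findings:
        if finding.is_overdue(today):
            report.setdefault(finding.owner, []).append(finding.finding_id)
    return report
```

None of this is possible when the issue lives in a free-text field: the overdue report needs a real deadline and status, the verification rule needs the evidence link, and the history needs author and responsible staff recorded separately.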


Defensys releases the update for Defensys TDP

Defensys has updated its platform for emulating IT infrastructure components, the Defensys Threat Deception Platform (TDP). The vendor added SCADA and Linux FullOS traps to the existing ones and expanded the list of lure templates.

The number of cyberattacks on critical infrastructure increased sharply in 2022, and the consequences of such attacks can be severe: leaks of confidential information, financial and reputational losses. In light of these statistics, Defensys developed the SCADA trap and added it to the latest TDP version. It helps detect threats in the infrastructures of industrial companies. Users can now create fake PLCs (programmable logic controllers), crucial automation elements in the management of technological processes. In this way Defensys TDP now detects attacks aimed at highly specific assets that belong to both the IT and OT segments.

The other trap added by the vendor is Linux FullOS. It creates an emulated full virtual machine running a Linux-based operating system in the chosen network. This trap type can serve as the base for creating many fake network elements tuned to customers' specific needs. Furthermore, users now get lures in the form of saved browser credentials in MS IE and MS Edge Legacy.
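What a PLC trap actually does is simple to state: speak just enough of an industrial protocol that a scanner or an attacker believes it found a controller, and treat every single request as an alert, because no legitimate process ever talks to a decoy. The following is an added illustration for this digest and is not Defensys TDP code; it assumes Modbus/TCP as the PLC protocol (MBAP header of transaction id, protocol id, length and unit id, then a function code), serves a constructed register map for "read holding registers", refuses every write with a Modbus exception, and emits one alert per request with a higher severity for write attempts. Port 5020 and the register values are assumptions.

```python
import json
import socket
import struct
from datetime import datetime, timezone

# Constructed register map of the fake PLC; the values mean nothing.
FAKE_REGISTERS = {0: 1200, 1: 35, 2: 1, 3: 0}
WRITE_FUNCTIONS = {5, 6, 15, 16}          # coil/register writes: nobody should do this to a decoy
ILLEGAL_FUNCTION, ILLEGAL_DATA_VALUE = 0x01, 0x03


def parse_frame(data: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP request."""
    if len(data) < 8:
        raise ValueError("frame too short")
    tid, pid, length, uid = struct.unpack(">HHHB", data[:7])
    if pid != 0 or length != len(data) - 6:       # length counts unit id + PDU
        raise ValueError("bad MBAP header")
    return {"tid": tid, "uid": uid, "fc": data[7], "payload": data[8:]}


def build_frame(tid: int, uid: int, pdu: bytes) -> bytes:
    """Wrap a PDU (function code + data) in an MBAP header."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def exception_pdu(fc: int, code: int) -> bytes:
    return bytes([fc | 0x80, code])


def make_alert(peer: str, kind: str, severity: str, **detail) -> dict:
    return {"ts": datetime.now(timezone.utc).isoformat(), "sensor": "fake-plc",
            "peer": peer, "kind": kind, "severity": severity, **detail}


def handle_request(data: bytes, peer: str):
    """Return (response bytes, alert dict). Every request to the decoy is an alert."""
    try:
        req = parse_frame(data)
    except ValueError as err:
        return b"", make_alert(peer, "malformed", "medium", error=str(err))
    fc, payload = req["fc"], req["payload"]
    if fc in WRITE_FUNCTIONS:
        # Refuse writes, but the attempt itself is the strongest signal we get.
        pdu, kind, sev = exception_pdu(fc, ILLEGAL_FUNCTION), "write_attempt", "high"
    elif fc == 3 and len(payload) == 4:
        start, qty = struct.unpack(">HH", payload)
        if 1 <= qty <= 125:                       # protocol limit for one read
            regs = b"".join(struct.pack(">H", FAKE_REGISTERS.get(start + i, 0) & 0xFFFF)
                            for i in range(qty))
            pdu = bytes([fc, len(regs)]) + regs
        else:
            pdu = exception_pdu(fc, ILLEGAL_DATA_VALUE)
        kind, sev = "register_read", "medium"     # reconnaissance of the "PLC"
    else:
        pdu, kind, sev = exception_pdu(fc, ILLEGAL_FUNCTION), "unsupported_function", "medium"
    alert = make_alert(peer, kind, sev, fc=fc, unit=req["uid"])
    return build_frame(req["tid"], req["uid"], pdu), alert


def serve(host: str = "0.0.0.0", port: int = 5020) -> None:
    """Minimal one-request-per-connection listener; alerts go to stdout as JSON lines."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            with conn:
                data = conn.recv(260)              # max Modbus/TCP ADU is 260 bytes
                if not data:
                    continue
                response, alert = handle_request(data, f"{addr[0]}:{addr[1]}")
                print(json.dumps(alert), flush=True)
                if response:
                    conn.sendall(response)


if __name__ == "__main__":
    serve()
```

The alert stream is the product here, not the protocol fidelity: in a real deployment the JSON lines would be shipped to the SIEM, and the only tuning needed is to exclude the trap's own health checks, since everything else touching it is by definition unexpected.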
