Given the growing number of cyber threats and targeted attacks on Ukrainian enterprises, VOLIA, one of the first in its sector, decided to invest in proactive information security. The company strives to comply with international information security requirements and standards, and always cares for the safety of its customers' personal data. The decision to strengthen information security fully matches the company's mission ─ to open the world to its customers by providing highly professional, innovative and reliable services.
One of the first steps in this direction was the testing of the DetectTor analytical package by SOC Prime. DetectTor is designed to detect connections to the Darkweb or Darknet, where many kinds of illegal activity take place every day and from where the majority of cyber attacks are launched. Effective use of the package uncovered communications with the hidden Tor network that had not previously been monitored. A detailed investigation is now under way to determine whether these communications were used for malicious actions.
After the success of DetectTor, VOLIA's information security experts conducted an effective pilot and implemented the APT Framework Advanced package, which is designed to detect targeted cyber attacks (APT). Experience from 2015 – 2016 showed that this is a real and very serious threat. Such attacks can lead to the theft of valuable data or affect the stability of the enterprise infrastructure through the destructive actions of the attackers.
During its PoC, Predictive Maintenance (hereinafter – PM) proved its efficiency as early as the deployment of the monitoring agents: the installer revealed that the service of one of the connectors had not been added to autorun. In practice such a seemingly small oversight easily becomes one of those unresolved questions set aside for a free moment, in this case why that connector had not come back up after the scheduled server restart. Within 5 minutes of launching the PM console, the Manager's resource usage, the main consumers of memory, active lists and session lists became visible. We found a few excess lists that consumed a lot of RAM but were no longer used. Within 20 minutes of launching PM, several thousand parsing errors were found at one of the Flex Connectors, which greatly affected the performance of the connector and of the server as a whole. Minor changes to the parser significantly reduced the load on the connector. Using PM over a long period made it possible to analyze the behavior of each connector in the infrastructure, a task for which we previously often had no time. In addition, we were able to prioritize work to improve the productivity and the quality of the processed data. Total Health of the entire SIEM installation increased from 70% to 90% over 2 weeks of operation, and we spent 10 person-days of resources on troubleshooting and remediation. Without PM, just audit and prioritization ofole 2 weeks.
VOLIA is one of the first companies in Ukraine to put into practice a platform for trusted exchange of Use Cases (Use Case Library by SOC Prime) for Security Information and Event Management (SIEM) systems. This simplified the detection of new types of cyber attacks and reduced the direct costs of developing and maintaining Use Cases for IBM QRadar. Just as importantly, it freed up the experts' valuable time for investigating information security incidents and analyzing the behavior of systems in order to detect anomalies and deviations that may be signs of unauthorized access to those systems.
“Use Case Library is a handy tool for searching, ordering and delivery of finished Use Cases for SIEM. It is very simple to choose Cases as needed and to order their development for unexpected needs or urgent tasks set by the leadership. Now there is no need to spend time on building basic analytics; tried-and-tested standardized Cases are available in the library. Now we can concentrate on building specific and narrowcasting analytics and on dealing with incidents,”
─ says Nikolay Ovcharuk, Information Security Auditor of VOLIA Company.
Developing, maintaining and building out the analytics base for the security event management system, built on IBM QRadar and the SOC Prime Use Case Library, allows VOLIA to respond quickly and effectively to new security threats and to proactively prevent potentially harmful effects on its information systems and complexes.