Cyber resilience of a large business

Oleksandr Atamanenko, CISO of Octava Group, about cyber security strategy for holding structures and the role of SOC in its implementation.Being in charge of cyber security for a group with the lion’s share of assets in the IT business is like getting a “jacked-up” character at the start of a computer game: the basic issues have already been resolved, and all the resources are in place to achieve strategic goals.
With Octava Group, the availability of key systems, a strong team of IT specialists responsible for IT infrastructure support, the R&D department, and engineering expertise available within the group certainly formed an excellent stepping stone for the cyber security function to be performed qualitatively.
Why the issue of increasing cyber resilience has arisen and where the curve of function centralisation has led Oleksandr Atamanenko, CISO of Octava Group, see in our dedicated publication.Testing ground for information technology

Large businesses, especially in competitive industries, are characterised by high technological maturity. Here, IT determines both the current stable operation and future development at the same time, which encourages management to implement modern solutions. Octava Group is not an exception, and due to its historically established IT specialisation, it is a testing ground for information technologies. This means that in terms of the availability of key technical means of defence in such companies, there are usually no issues.

“We conventionally call this state of customer ‘blind’ cybersecurity system. The company has invested in technical means of defence. It knows how to protect itself from standard threats. It has specialists in IT systems configuration and administration. But because the event notifications sent by the technical security means are not accumulated or analysed anywhere, the true state of affairs in the infrastructure remains unknown.”

Oleksii Sevonkin, BDM Octava Defence

In CISO focus

The key aspects that require the attention of a CISO in a large business are people and processes. In my situation, the need to centralise the function, spurred on the one hand by the increasing risks of cyber threats and on the other by the misalignment of individual businesses in dealing with them, led me to realise that I needed to rebuild the function again.
Of course, there was an audit of systems, a risk analysis and policies in place that apply to the group as a whole, but there was also a decision to outsource infrastructure monitoring, investigation and response tasks. Fortunately, within the group structure, there is an Octava Defence operator, providing a Security Operations Centre in a managed service format (SOC as a Service).

SOC as a service

The monitoring task itself is a fairly routine and relatively low-skilled task, which simplistically is the constant analysis of various systems’ dialogues for negative events — notifications of events on the network that go beyond the normal functioning process. These negative events can then be classified as either incidents requiring investigation or false positives requiring tuning of IT systems or filtering of this type of event.
Meanwhile, incident analysis is performed by cyber analysts — cyber forensics gurus who have specific experience with IT systems and can recognise an attack in a confusing set of events.

“For many companies, creating a SOC-level system (building specific processes, forming a cyber security team) is a non-core and, in some cases, unreasonably expensive task. Recruiting and retaining skilled staff, the need for deep immersion in highly specialised areas of cyber threat countermeasures and investigating the causes of cyber threats are just some of the barriers standing in the way.
Octava Defence, as a service provider, can offer the most appropriate technologies and solutions for the customer’s maturity level in the form of technology bundles, accompanied by engineers and cyber analysts with appropriate qualifications. Thus, the customer receives exactly the level of service he needs, including risk assessment.”

Oleksii Sevonkin, BDM Octava Defence

It would seem that in our case, having the necessary technical means to collect information about the state of the corporate network and qualified engineers, it was possible to do everything in-house instead of paying a monthly subscription fee to a contractor.
However, it’s not all as easy as it sounds. While outsourcing the monitoring, investigation and response tasks, I have made the following assumptions:

IT and cyber security functions cannot be realised qualitatively by the same team.

It doesn’t occur to anyone to conflate “innovation” and “financial control” in the same person. It’s no different here. IT industry strives to make the user’s life easier and more convenient. Cyber security, on the contrary, restricts the user, while achieving the required level of security based on business requirements and agreed policies. It takes a remarkable level of maturity to switch the focus of attention from one aspect to another in the operational routine of working with information systems. Very rarely can one find a specialist of this expertise in the position of a system administrator.

Everyone needs to be checked.

The Zero Trust concept, which many people have already heard about, implies that everyone should be checked, including system administrators themselves. The actualisation of internal action risk (intentional and unintentional), already considered one of the most crucial risks in cyber security, can have catastrophic consequences for a business in the case of users with administrator privileges.

The task should be given according to the qualification.

What happens when a high-cost engineer is given the task of monitoring? That’s right, the specialist tries to balance by doing both one and second tasks in sequence. This means that at certain intervals, no one is monitoring the systems at all. The consequences are clear.
What happens when a high-cost engineer has to perform the task of a cyber analyst? That’s right, an engineer does not equal a cyber analyst, which means there is no guarantee that the function will be performed well.

It is cheaper to outsource than to build your own monitoring and response team.

Big business doesn’t mean unlimited resources at all. Typically, administrators in such companies have a huge list of tasks. As we remember, on the one hand, these are somewhat high-cost specialists with qualifications you do not want to spend on monitoring but rather apply to more complex profile works. On the other hand, increasing the budget, creating a cyber security unit and the organisational costs of recruitment, onboarding, training, development, retention, etc., is also not an option.
Using SOC as a service is good because you can quickly get an independent, cool team of cyber security experts and engage them sufficiently for the organisation.

How to get started using SOC in a managed service format.

In addition to the emergence of an explicit monitoring function (what professionals call achieving observability), as well as improving the quality of investigation and response, it was important to me to integrate information from different systems within a single window. Typically, SIEM class systems are used for this purpose.
I had several options for deploying the SIEM platform. Based on a combination of factors, including analysis of the criteria “price vs. functionality”, we decided on a more functional commercial platform.
Octava Defence specialists took over the whole implementation process, and everything passed almost unnoticed for my team.
In parallel, Octava Defence specialists provided us with a recommended list of controls, advised us on existing international policies and standards, and helped us understand risk assessment and priorities.
Next, we analysed our existing infrastructure to see if we had enough technical means of defence in place to monitor the health of the network and cover vulnerabilities according to our priorities.

“We recommended Oleksandr to add two solutions to the infrastructure. The first is the End Point Detection & Response (EDR). It enables advanced endpoint health monitoring and investigation of and response to potential incidents. The second is Cyber Deception, which allows implementing a defence strategy using false target technology.”

Oleksii Sevonkin, BDM Octava Defence


In the next stage, we were engaged in optimising controls, i.e. we were doing response analysis, eliminating false-positive, reaching the normal state of the system (baseline) and eliminating deviations in the operation of IT systems. Thus, we provided the correct inputs to the SIEM system, achieving a minimum number of false events.

Two months later, the first working iteration took place: SIEM started working, and Octava Defence’s cyber analysts began to monitor the operation of our systems.
Over the course of six months, before we fixed the service permanently, we met periodically to discuss the interim results of the work, refined details, tapped additional sources, and planned refinements.

“What should those CISOs who are considering SOC as a Service for themselves take into consideration? At Octava Capital, we encountered the fact (and this is not uncommon) that, despite the high commitment of the head of the function, the rank-and-file employees were not automatically ready for the changes. IT professionals (not only them, though) don’t like to be controlled. Changing the perception of “we control you” to “we help you and relieve you” took quite some time. We had several consultations explaining how SOC would benefit each team member personally before the project went live.”

Oleksii Sevonkin, BDM Octava Defence


In addition to fulfilling the explicit purposes for which the launch of the SOC was intended, namely:

  1. To provide independent external audit and control of the infrastructure.
  2. To create a mechanism for accumulating information about events occurring on the network, including the actions of system administrators.
  3. In addition to realising the explicit purposes for which the SOC was intended to be launched, viz: To move the escalation process on requests to a system-wide, external system format for the internal IT department.
  4. To relieve system administrators of the routine task of monitoring network events.
  5. To gather information about network events in a single window,

I have had a very positive and, most importantly, unexpected effect during the first six months of use.
Analysis of the event logs, which are now systematically collected and analysed, revealed deficiencies in the configuration of the IT infrastructure itself.
For example, we detected a number of “clear text notification” events on the network, the transmission of passwords within the corporate network in clear text. It turned out that decades ago, someone had spelt out passwords in clear text in the network configuration. It was forgotten, partly unaware because people changed and the network grew. We changed the configurations and prevented the risk of accessing network configurations in time, e.g. via a backup.
Another case is related to a SharePoint farm deployed in the group. Analysis of the events allowed identifying problems in the settings of one of the servers, which provoked failures in the authorisation of accesses to the server. As a result, the speed of user interaction with the portal was reduced. It was only because the cyber security system considered unsuccessful authorisations as hacking attempts that we identified the problem and eliminated its causes.
Of course, we can’t ignore the direct effect obtained, a significant increase in cyber resilience.
I will tell you about two cases in a string of events where we managed to identify a problem early on and prevent it from developing. The first is hacking into an external website. The criminals attempted to penetrate further into the infrastructure through it. Thanks to traps set with Cyber Deception class solutions, we detected an attempt to move deeper into the network. Correctly configured SIEM platform controls signalled the potential threat, and Octava Defence cyber analysts and our administrators mitigated the attack.
The second case is from the category of insider actions. A member of the team was caught intently examining the net. The fact was recorded and there was a conversation with him. The man managed to justify himself but was put under monitoring. Unfortunately, as the further course of events showed, his actions were not accidental or well-meaning, so we had to fire him after his next attempt to examine the profiles of system administrators.
Both incidents could have gone unnoticed and escalated into a serious problem if it hadn’t been for the staff at Octava Defence and the SOCaaS service.

What’s next?

Of course, given the rapid development of the cybercriminal economy and the appearance of new threats, we regularly review controls for adequacy. Cybersecurity policies must change dynamically, and periodic review of the status quo must become a regular practice.

“We recommend that all of our clients have a closer look at Threat Hunting class services as the next step in realising cyber security. It involves analysing indicators of compromise, deeper analysis of current threats, and retrospective analysis to implement proactive policies.”

Oleksii Sevonkin, BDM Octava Defence

Checklist: launching SOC as a service

  1. Conduct an audit of defence objects, highlight crucial services.
  2. Conduct a cyber defence audit.
  3. Create a risk map and vulnerability model.
  4. Evaluate the effectiveness of key security solutions and improve as necessary.
  5. Implement additional “SOC-ready” solutions to ensure the entire infrastructure is monitored.
  6. Organise the collection of event logs and their storage.
  7. Analyse the operation of security objects based on event logs.
  8. Analyse deviations in the operation of security objects and ensure normalisation.
  9. Create rules for monitoring and correlation of events (controls).
  10. Establish processes to receive messages in real time.
  11. Establish basic investigation and response processes.
  12. Form CSIRT/BLUE TEAM, a unified response team “Customer — Octava Defence”.
  13. Create playbooks for different types of incidents.
  14. Agree on the format and frequency of reporting.


Tags :