Netsecurity Security Operations Center

Netsecurity Security Operations Centre (NSOC) provide comprehensive and effective security services from vulnerability analysis to event management and reporting.

Most organisations and businesses have been or will be exposed to cyber-attacks and it is expected that the risk associated with these attacks will increase in the years to come. Although most people have been exposed to attacks, this happens most often without the attacks being detected or evidence being secured.

"Norway is facing increasing risk of being hit by security-threatening events. This is due to persistent, new and a rapidly increasing number of vulnerabilities, especially within the digital domain. At the same time, we see a negative trend in the threat picture. This can lead to increased risk of incident caused by malicious activities”

Source: National Security Authority (NSM), "Risk 2018" (translated from Norwegian)

Attacks and espionage occur even though most organisations and businesses today are concerned about ICT security. The main reason for this is the lack of effective strategies, experience, expertise, resources and solutions to protect businesses and employees against internal and external threats.  This “knowledge” gap is growing giving the attackers and edge, increasing risk for businesses.

Effective protection against attack requires both active and passive strategies. Particularly important is vulnerability scanning, collecting log and event data as well as traffic flow information. This involves collecting and analysing large amounts of data. However, the main challenge with analysing threat indicators is not the large number of events and data but complex relationships between different events and traffic patterns that may be indicators of upcoming, ongoing or implemented attacks.

Netsecurity specialises in interpreting relationships between events and relevance for the individual customer.  This way we can provide relevant guidance for mitigation  and reduced risk. Our goal is zero false positives.

Early detection reduces risk

The purpose of the service is to detect attempted attacks early, such that they can be prevented or the damage caused by attacks can be limited and evidence can be secured to reestablish normal operation and investigation.

Netsecurity Security Operations (NSOC) receives, analyses and stores security and traffic information from different sources at the customer.

The service involves automatic and manual analysis of data and displaying status, event information and reports in a customer portal available to authorised personnel from the customer.

Holistic protection

Data attacks know no limits, and attackers use multiple attack methods and  vectors for advanced persistent attacks (APT) which can last for a long period of time.

Netsecurity Managed Detection and Response can combine monitoring and data retrieval from multiple networks for more comprehensive analysis and more effective detection and protection against data attacks. Data is collected, correlated and analysed over extended periods of time such that correlations between security incident indicators across different networks and services can be identified.

Active testing of network nodes, services, and web pages to identify known and unknown vulnerabilities. The purpose of vulnerability analysis is to detect vulnerabilities that can be exploited by attackers or otherwise pose a risk to the business. Businesses often require continuous, automated, vulnerability scanning to meet internal or external compliance requirements such as ISO 27001, PCI-DSS and HIPAA.

Monitoring

Active and passive mapping and monitoring of nodes in the network. This is often combined with ongoing automated vulnerability scanning to uncover systems that have known vulnerabilities. Monitoring can also include APT detection to identify and eliminate advanced persistent threats.

Logging

Logs are received from sensors, network equipment and servers. The logs are signed, hashed to secure and stored so they become searchable and usable.

Correlation

Information received from sensors, network equipment and servers is correlated to provide an overview and understanding of how different events are related. Logs are interpreted and processed for assessment of risk and consistency in the various events. The information is presented in a graphical interface that shows which status the organisation has at any given time.

Analysis

Security events are analysed by SOC analysts who assess the different events and how they should be addressed, ie by activating CSIRT or reporting to respective resource owners. In case of identified threats, the SOC analyst will create entries in the threat database. The notifications contain "indicators of compromise" and other forensic data that help identify and limit threats to the rest of the network. Event information is exchanged with external threat databases.

Incident Response

Events are handled by activating the incident response team, CSIRT. Our team is trained and experienced in event management, to ensure predictability and quality. The CSIRT team uses an industry-standard 6-step methodology.

Reporting

Log and event information can be automatically extracted as the basis for reports. Reports can also support regulatory requirements, such as ISO 27001 or industry-specific requirements.