Many organisations do not have the resources to keep their cybersecurity event monitoring team running without interruption. In such situations, entities often choose to outsource the SOC.
ComCERT offers a solution based on event handling using a SIEM-class solution provided by the Customer. The service covers monitoring and handling of incidents according to instructions agreed with the Customer, as well as their qualification and prioritisation.
The event queue is handled remotely from the ComCERT site through a proxy station. Communication between the Customer's environment and the ComCERT environment is secured by a VPN tunnel; through this tunnel ComCERT logs on to a dedicated proxy station, from which the console of the SIEM system can be accessed.
The Security Operations Centre model proposed by ComCERT is based on the SOA (Service Oriented Architecture) approach and the comprehensive service consists of three parts:
- Event monitoring and detection
- Computer security incident response and advanced analysis
- SOC management and maintenance
The security incident handling process proposed by ComCERT is based on leading practices in computer incident response. The incident lifecycle and the associated SOC activities follow the "Good Practice Guide for Incident Management" (ENISA), the "Computer Security Incident Handling Guide" (NIST) and the ISO/IEC 27035 (Information Security Incident Management) standard.
The service can be provided in any time regime (8/5, 24/7, or “after hours”) and it can include handling one or all support lines, according to the needs of the organisation.
1st SOC line
- ComCERT expert support 24/7
- Response time: 15 minutes (from the moment the alert is detected until it is picked up by the Operator)
- Incident handling time: 15 to 60 minutes (depending on the agreed scenario)
- Event monitoring and detection
- Triage
2nd SOC line
- 8/5 mode, with on-call readiness to take action during the remaining hours
- Response time: 1 hour
- Time to issue recommendations: 8 hours
- Issue rectification time: until the issue is resolved
- Log analysis
- Post incident analysis
3rd SOC line (CTAC)
- 8/5 mode, with on-call readiness to take action during the remaining hours
- Response time: 8 hours
- Malware analysis
- ComCERT expert consultations
- Scenario management
- Security assessment
- Threat Intelligence source management