
The ST Digital SOC, an operational center for security incident detection in Africa

3 July 2025
ST DIGITAL, Fabrice ADZRAKOU
Perimeter-only protection of corporate networks and information systems is a thing of the past. While the implementation of filtering barriers between the company and the outside world — and in particular the internet (with traffic filtering, virus or malware detection, etc.) — remains an essential element of protection, such measures alone do not protect the company against every cybersecurity threat to the availability, integrity, and confidentiality of sensitive corporate data. Here is why.
1. Attacks are increasingly complex and can bypass conventional protections.
2. Increasing openness to the outside world has become inevitable. With employee mobility, the need to communicate with clients and suppliers, and the growing consumerism on the internet, protecting one's information system is becoming increasingly complex.
3. The threat can come from within (and this is by no means the least important reason), in particular through the deliberate or unintentional actions of company employees.
In this context, it has become imperative to complement perimeter protection mechanisms with a system for monitoring malicious activity within the corporate network itself. This is precisely the objective of the SOC: to supervise the company's critical assets in real time and detect any action that could compromise their security.
How does it work?
The primary mission of the ST Digital SOC is to monitor the company's information system and rapidly detect any security incident, 7 days a week, 24 hours a day.
To this end, it retrieves data in real time (generally equipment logs) across the entire Information System.
All of this data is correlated, sometimes together with external data such as lists of malicious URLs, according to pre-defined detection scenarios corresponding to anticipated attacks. This correlation is also performed in real time, and if the collected elements match one of the known scenarios, an alert is immediately sent to the ST Digital SOC for analysis and processing. The tool used to perform these real-time correlations is called a SIEM (Security Information and Event Management).
Let us take the example of a server containing sensitive information whose access is restricted to certain individuals within the organisation. When building detection scenarios, the ST Digital SOC will focus not only on the logs of the relevant server (is the user authorised to access the server and are they properly authenticated?) but also on all logs that can be used to reconstruct the behaviour of the user accessing the data.
Did the user access this information from their workstation, via a standard path or through lateral movement across other equipment? Are they working remotely (from abroad?), and did they previously attempt to access other servers repeatedly?
This touches on a key point of the ST Digital SOC's activity: to be effective, the ST Digital SOC must have precise knowledge of the organisation's sensitive assets, and also of the way in which these assets are used (or are expected to be used), that is, the "who, what, when, where, and how".
The missions of the ST Digital SOC
First and foremost, the ST Digital SOC is involved in modelling the detection system. This system will be broken down into as many macro-scenarios (which we will call use-cases) as there are identified risks. In this regard, it is essential to carry out an upstream risk analysis to define threat scenarios and then detection scenarios.
Once the use cases have been modelled, it is necessary to run them under real conditions for a few weeks in order to refine the scenarios and reduce the number of false positives (alerts that do not correspond to an actual incident). At this stage, only a report is generated when a detection is made. This step makes it possible in particular to confirm or deny the expected behaviour of users (often with a few surprises). When this "tuning" phase is complete, the use case is put into operation and triggers an alert when the modelled case is encountered.
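To make the two mechanisms above concrete (real-time correlation of logs against pre-defined scenarios, enriched with an external malicious-URL list, and a use-case that is still in its tuning phase feeding a report instead of raising alerts), here is a small correlator written for this article. It is an added example, not ST Digital's SIEM, its use-case catalogue or any real log format: the hosts, users, IP addresses, URL, the GeoIP table, the malicious-URL feed and the key=value log layout are all constructed stand-ins.

```python
"""Toy SIEM-style correlator for the scenarios described above.

Added example, not ST Digital's SIEM or its use-case catalogue. Every
host, user, IP, URL, the geolocation table and the malicious-URL list
below are constructed stand-ins; the key=value log layout is an
assumption about what a real collector would forward.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# What the SOC must know in advance about the sensitive asset:
# who may use it, and from where (the "who, what, when, where, how").
SENSITIVE_HOSTS = {"fin-db-01"}
AUTHORISED_USERS = {"fin-db-01": {"alice", "bob"}}
HOME_COUNTRY = "CM"
GEO_BY_PREFIX = {"10.": "CM", "203.0.113.": "XX"}      # constructed GeoIP stand-in
MALICIOUS_URLS = {"http://bad.example/payload.exe"}    # constructed external feed

FAIL_WINDOW = timedelta(minutes=5)   # look-back for repeated failed logins
FAIL_THRESHOLD = 3                   # failures needed before a success is suspicious

# Use-case status: a use-case in "tuning" only feeds a report,
# one in "production" raises an alert for the SOC operators.
USE_CASE_MODE = {
    "unauthorised_sensitive_access": "production",
    "success_after_repeated_failures": "production",
    "sensitive_access_from_abroad": "tuning",     # still being refined
    "malicious_url": "production",
}

# Constructed log lines: "<ISO time> <source> key=value ...".
SAMPLE_LOGS = """\
2025-07-03T08:00:01 auth user=alice src=10.0.1.5 host=fin-db-01 action=login result=success
2025-07-03T08:02:10 auth user=mallory src=10.0.1.9 host=hr-srv-02 action=login result=failure
2025-07-03T08:02:15 auth user=mallory src=10.0.1.9 host=hr-srv-03 action=login result=failure
2025-07-03T08:02:20 auth user=mallory src=10.0.1.9 host=app-srv-01 action=login result=failure
2025-07-03T08:03:05 auth user=mallory src=10.0.1.9 host=fin-db-01 action=login result=success
2025-07-03T08:10:00 auth user=bob src=203.0.113.7 host=fin-db-01 action=login result=success
2025-07-03T08:11:00 proxy user=carol src=10.0.2.3 url=http://bad.example/payload.exe
"""


def parse(line):
    """Split '<ISO time> <source> k=v k=v ...' into a dict."""
    ts, kind, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def country(ip):
    """First matching prefix in the constructed GeoIP table."""
    for prefix, cc in GEO_BY_PREFIX.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def match(rule, event, **extra):
    """Build one scenario match with the fields an operator needs first."""
    return {"rule": rule, "time": event["ts"].isoformat(),
            "user": event["user"], "src": event["src"], **extra}


def correlate(lines):
    """Run every event through the detection scenarios.

    Returns (alerts, report): matches of production use-cases become
    alerts, matches of use-cases still in tuning go to the report only.
    """
    alerts, report = [], []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins

    def emit(m):
        (alerts if USE_CASE_MODE[m["rule"]] == "production" else report).append(m)

    for event in map(parse, filter(str.strip, lines.splitlines())):
        if event["kind"] == "proxy":
            # Enrichment with external data: the malicious-URL feed.
            if event["url"] in MALICIOUS_URLS:
                emit(match("malicious_url", event, url=event["url"]))
            continue
        user, host = event["user"], event["host"]
        if event["result"] == "failure":
            failures[user].append(event["ts"])
            continue
        # Successful login: judge it against what is known about the asset.
        if host in SENSITIVE_HOSTS:
            if user not in AUTHORISED_USERS.get(host, set()):
                emit(match("unauthorised_sensitive_access", event, host=host))
            if country(event["src"]) != HOME_COUNTRY:
                emit(match("sensitive_access_from_abroad", event, host=host))
        # Behaviour before the access: repeated failures on other equipment?
        recent = [t for t in failures[user] if event["ts"] - t <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            emit(match("success_after_repeated_failures", event,
                       host=host, attempts=len(recent)))
            failures[user].clear()
    return alerts, report


if __name__ == "__main__":
    alerts, report = correlate(SAMPLE_LOGS)
    for a in alerts:
        print("ALERT ", a)
    for r in report:
        print("REPORT", r)
```

On the constructed sample, mallory's access to fin-db-01 matches two scenarios at once (not on the authorised list, and preceded by three failed logins elsewhere within five minutes), bob's access from an address outside the home country is only written to the report because that use-case is still being tuned, and carol's proxy request matches the external malicious-URL list. The same event being judged by several scenarios, and the knowledge of the asset (authorised users, expected location) sitting in the rule data rather than in the logs, is what the text means by reconstructing the user's behaviour rather than looking at a single log line.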
The ST Digital SOC provides 24x7 security incident monitoring. When an alert is received, an operator acknowledges the alert and creates an incident ticket. The operator then performs an initial qualification and analysis based on the reflex sheets (step-by-step qualification procedures) defined for each use-case.
Depending on the case, the incident ticket may be handled autonomously by the operator or will need to be escalated to the security analysts for detailed analysis.
Security analysts work in close collaboration with the teams managing the equipment or the relevant perimeter. They provide assistance and guidance to teams for conducting on-site analyses or remediation. They may also request that technical teams perform data collection to supplement their analysis. They generally do not intervene directly in remediation. They may liaise with technical teams to stop or filter an attack, or rely on a team specialised in incident response (CSIRT - Computer Security Incident Response Team).
Security analysts may also call upon security experts for complex incidents requiring, for example, in-depth analysis, replay on a test platform, or specific expertise.
The modelling of a detection system must be viewed as a dynamic system. Threats evolve, the supervised perimeter evolves as well, and the detection system must be refined over time. It is therefore imperative to have a continuous improvement process. This process includes regular review of past incidents as well as assessment of the effectiveness of the detection model in place.
The organization of the ST Digital SOC
The organisation of the ST Digital SOC must enable it to fulfil its various missions. For the Run phase, the ST Digital SOC is structured, in the classic manner, into three distinct layers:
Level 1 (operators) acknowledges alerts and performs an initial diagnosis.
Level 2 (security analysts) carries out detailed analysis of alerts, communicates with the relevant teams, supports incident handling and, in some cases, may implement remediation measures.
Level 3 (security experts) takes over from Level 2 for in-depth analyses or those requiring specialist expertise. Level 3 is also involved during the Build phase for use-case modelling. Drawing on the risk analysis, they propose and implement use-cases, relying in particular on a catalogue of use-cases covering a wide range of threats. If a use-case is not already present in the catalogue, Level 3 is responsible for developing it to meet the specific requirement.
Finally, the Security Manager serves as the orchestrator of the improvement process, by steering the effectiveness of the detection model and proposing enhancements. He or she may propose the creation of new use-cases, the removal of existing ones, or the implementation of improvements.


ST Digital SOC services
The core activity of the ST Digital SOC is the implementation and management of security monitoring solutions based on a SIEM solution (using correlations).
However, the ST Digital SOC is attentive to any service that enables the identification of a security incident. In this capacity, it may intervene in a targeted manner to monitor incidents reported by intrusion detection probes, application filtering systems, DDoS attack detection probes (attacks designed to render servers, such as web servers, unavailable), or even vulnerability scanners.
The range of possibilities is very broad… as broad as the imagination of the attackers themselves.

Protect your system before it is too late!


Contact us starting today to assess your needs and strengthen your cybersecurity posture.