Information security of governmental and commercial organizations is one of the most
critical and dynamically developing areas of the IT industry. Mass digitalization, the
growth in the number of remote employees, the surge in cybercrime, the deep expertise of
cybercriminals, constant sophisticated targeted attacks on governmental and commercial
organizations, as well as a persistent shortage of qualified information security
specialists are just a few of the factors that push our company to develop its own
expertise in the field of information security. Our goal here is to help our customers
build an effective IT infrastructure protection system, as well as to provide them with
the proper level of service to protect their IT infrastructure and repel attacks in cases
where the customer organization lacks qualified information security specialists.
GREENNET's portfolio of information security solutions and services is constantly being
reviewed and upgraded in line with new risk trends and the changing information security
threat landscape.
The main tasks of the Information Security Department of any organization, as well as of
its Security Operations Center (SOC), are continuous monitoring of security incidents,
analysis and study of the details of detected incidents, elimination of false positive
alerts generated by the various information security systems, detection of complex and
targeted attacks, repelling of detected attacks, and restoration of the IT infrastructure
elements affected by an attack to their initial working state. To carry out these tasks
successfully, Information Security and SOC specialists need information security systems
that collect the necessary information from the entire IT infrastructure, analyze it, and
respond to detected incidents and attacks in a maximally automated way. For the effective
implementation of the above-mentioned tasks, GREENNET suggests using SIEM, SOAR and XDR
class solutions.
SIEM (Security Information and Event Management) is a class of information security
systems designed to collect and analyze information from the security logs of network
devices, endpoint devices, operating systems, applications, etc. The collected
information is converted to a unified format, enriched through integration with Threat
Intelligence systems, filtered and recorded in a single repository. The built-in
correlation algorithms analyze the information security events received from the various
sources and, based on that analysis, identify attacks on the IT infrastructure of the
victim organization among a huge number of disparate events.
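The pipeline just described (collection, normalization to one schema, Threat Intelligence enrichment, correlation) in miniature, as an added example that is not GREENNET's code nor any vendor's SIEM; the two log formats, the TI feed and the correlation rule are constructed for illustration:

```python
import re
from datetime import datetime, timedelta

# Constructed threat-intelligence feed (not from the page): source IPs with a TI tag.
THREAT_INTEL = {"203.0.113.7": "known scanner"}
# Two constructed raw log formats that the collector must map onto one unified schema.
SSH_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
                    r"(?P<user>\w+) from (?P<src>[\d.]+)")
WIN_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) User=(?P<user>\w+) Src=(?P<src>[\d.]+)")

def normalize(line):
    # Parse one raw line into the unified event schema; None if it does not parse.
    m = SSH_RE.match(line)
    if m:
        outcome = "success" if m["outcome"] == "Accepted" else "failure"
    else:
        m = WIN_RE.match(line)
        if not m:
            return None
        outcome = "success" if m["eid"] == "4624" else "failure"  # 4624 logon ok, 4625 failed
    event = {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "src": m["src"],
             "outcome": outcome}
    event["ti"] = THREAT_INTEL.get(event["src"])  # enrichment with threat intelligence
    return event

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: >= threshold failures from one source followed by a success inside the window."""
    alerts, fails_by_src = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        fails = fails_by_src.setdefault(ev["src"], [])
        if ev["outcome"] == "failure":
            fails.append(ev["ts"])
            continue
        recent = [t for t in fails if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"], "ti": ev["ti"],
                           "failures": len(recent)})
    return alerts

SAMPLE_LOGS = [  # constructed sample lines, not real log data
    "2024-05-01T10:00:00 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:05 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:10 EventID=4625 User=admin Src=203.0.113.7",
    "2024-05-01T10:00:20 EventID=4624 User=admin Src=203.0.113.7",
    "2024-05-01T10:01:00 sshd: Failed password for bob from 198.51.100.4",
    "2024-05-01T10:01:30 sshd: Accepted password for bob from 198.51.100.4",
]

def run(lines=SAMPLE_LOGS):
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(events)
```

Only the burst from the TI-listed source produces an alert; bob's single failure followed by success stays below the threshold and is recorded but not escalated.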
SOAR (Security Orchestration, Automation and Response) is a class of information
security systems designed to orchestrate security systems, that is, to coordinate and
manage them. SOAR class solutions allow you to collect data on information security
events from various sources, process them and automate typical response scenarios. SOAR
class solutions integrate other security systems into a single system, eliminating the
need for security specialists to manage each of them separately, and help them focus on
the analysis of complex incidents. Based on information about the incident, SOAR takes
the set of actions necessary to eliminate the threat or minimize its consequences. These
can be commands to other information security products, remote removal of malicious
objects, restoration of registry keys, and other actions. SOAR works mainly on signatures
and typical response scenarios and provides reactive protection.
XDR (eXtended Detection and Response) is a class of information security systems
designed to automatically and proactively detect threats at different infrastructure
levels, respond to them and counter complex attacks. XDR includes a wide range of tools
that integrate with other existing information security systems and provide data
monitoring at the endpoint, network, cloud and email server levels, as well as analytics
and automation to detect and eliminate current and potential threats. Unlike SOAR and
SIEM, XDR collects a wide variety of telemetry from the integrated information sources,
primarily from endpoints, tightly integrates with EDR systems and provides proactive
protection for the IT infrastructure.
GREENNET provides our customers with the implementation, configuration and maintenance
of SIEM, SOAR and XDR systems in any combination of these solutions, depending on the
tasks and interests of the customers.
One of the main goals of attackers, after successfully penetrating the infrastructure of
the victim organization, is to steal essential, valuable confidential information. The
same goal is pursued by insiders, who may be disloyal employees or agents embedded in
the organization. One of the most important tasks of the organization's information
security specialists is to arrange effective protection against leaks of confidential
information.
To solve this problem, we offer our customers DLP (Data Loss/Leak Prevention) systems.
DLP systems create a secure digital "perimeter" around an organization by analyzing all
outgoing and, in some cases, incoming traffic. The controlled information should include
not only Internet traffic, mail traffic and IM traffic, but also a number of other
information flows: documents taken outside the protected security "perimeter" on
external media, printed out, sent to mobile media via Bluetooth, documents sent to and
processed on mobile devices, etc.
DLP systems have built-in mechanisms for determining the degree of confidentiality of a
document detected in the intercepted traffic. As a rule, there are two common methods:
analysis of special document markers and analysis of the document content. A
full-fledged DLP system consists of at least two architectural components: a gateway
component that runs on intermediate servers and analyzes all the traffic redirected
through it, and a host component (agent) that runs directly on employees' workstations
and servers.
Since the use of mobile devices to work with corporate content is an intensively
developing trend, we also use UEM (Unified Endpoint Management) class systems to ensure
the protection of corporate information on our customers' mobile devices and of the said
devices themselves.
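Both confidentiality-detection methods named above, marker analysis and content analysis, combined into one policy decision that a gateway or agent component could apply per egress channel. This is an added example, not GREENNET's code or any DLP product's logic; the classification levels, channel limits and card-number pattern are constructed for illustration:

```python
import re

# Constructed policy (not from the page): marker levels and the highest level each
# egress channel may carry; a real deployment takes these from its security policy.
MARKER_RE = re.compile(r"^\s*Classification:\s*(PUBLIC|INTERNAL|CONFIDENTIAL)\b", re.I | re.M)
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2}
ALLOWED = {"mail_external": 0, "usb": 1, "internal_share": 2}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # candidate payment card numbers

def luhn_ok(digits):
    """Luhn checksum, so that arbitrary digit runs are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return (level, reasons): marker analysis first, then content analysis."""
    level, reasons = 0, []
    m = MARKER_RE.search(text)
    if m:
        level = LEVELS[m.group(1).upper()]
        reasons.append("marker:" + m.group(1).upper())
    for cand in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", cand)
        if luhn_ok(digits):
            level = max(level, LEVELS["CONFIDENTIAL"])
            reasons.append("content:card_number")
            break
    return level, reasons

def decide(text, channel):
    """Gateway/agent decision for a document leaving through the given channel."""
    level, reasons = classify(text)
    action = "allow" if level <= ALLOWED[channel] else "block"
    return {"level": level, "action": action, "reasons": reasons}
```

An unmarked document is only escalated when its content matches a validated pattern, which is what keeps order numbers and other digit runs from being blocked.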
GREENNET provides implementation, configuration and maintenance of DLP and UEM systems,
as well as the development and automation of rules and security policies used by DLP
systems to detect leaks of confidential information.
As a rule, in the course of complex and/or targeted attacks, cybercriminals try to gain
access to privileged administrator and service accounts. Once they have obtained the
passwords, SSH keys and secrets of privileged accounts, gaining access to important
target systems and applications becomes a very easy task for an attacker. For effective
protection against misuse of privileged accounts, we suggest using PAS (Privileged
Accounts Security) class security systems. PAS systems provide reliable storage of the
passwords, SSH keys and secrets of privileged accounts in an isolated secure vault;
issuance of them only in accordance with the regulations agreed upon in the security
policies; periodic change and rotation of passwords, SSH keys and secrets; monitoring,
analysis and recording of privileged sessions; analysis of abnormal or illegitimate use
of privileged accounts, etc.
Moreover, all these functions are implemented with practically no disruptive changes to
the working habits of privileged users, who can keep using their usual utilities and
programs to administer the target systems.
Architecturally, PAS systems are an intermediate software service layer providing the
necessary security between privileged users and service accounts and target systems:
network devices, hosts, applications, databases, etc.
GREENNET provides our customers with consulting, determination of the list of required
PAS system components for solving a specific task, implementation, configuration and
maintenance of PAS systems, development and automation of rules and policies for using
privileged accounts in a customer’s specific infrastructure.
Among the most important IT assets of almost any organization are the databases
containing data crucial to its functioning. Gaining access to database servers and
databases is therefore a high priority for cybercriminals.
This is why the protection of database servers and the databases themselves is an
important part of building an information security system. Specialized database
protection solutions offer more effective functionality than the standard DBMS tools.
Specialized database security systems mainly include DAM (Database Activity Monitoring)
and DBF (Database Firewall) class solutions. DAM systems monitor user activity in
database management systems. They do not require changing the settings or configuration
of the DBMS themselves and can work independently of them. DAM processes a copy of the
traffic without affecting business processes. DAM systems allow you to classify SQL
queries by membership in certain groups, analyze the traffic of user interaction with
databases, and conduct a full audit of SQL queries and the responses to them.
In addition, DAM systems have a deep filtering system that allows you to identify
potential incidents among a huge number of requests and save a complete archive of user
actions. A DBF system is, in fact, a kind of network gateway that can be deployed inline
or operate in passive mode on a copy of the traffic. This system allows you to block
unwanted requests.
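The DAM/DBF behaviour described above, as an added example that is not GREENNET's code or any vendor's product logic: captured statements are classified into groups by their leading keyword and checked against a per-account policy, where passive mode (a copy of the traffic) can only raise an alert and inline mode can block. The statement groups, the policy and the sample traffic are constructed for illustration:

```python
import re
from dataclasses import dataclass

# Statement groups keyed by leading keyword, as a DAM would classify captured queries.
GROUPS = {"SELECT": "read", "INSERT": "write", "UPDATE": "write", "DELETE": "write",
          "CREATE": "ddl", "ALTER": "ddl", "DROP": "ddl", "GRANT": "dcl", "REVOKE": "dcl"}
# Constructed policy (not from the page): groups and source networks allowed per DB account.
POLICY = {"app_svc": {"groups": {"read", "write"}, "nets": ("10.1.",)},
          "dba": {"groups": {"read", "write", "ddl", "dcl"}, "nets": ("10.9.",)}}

@dataclass
class Verdict:
    user: str
    src: str
    group: str
    action: str  # "allow", "alert" (passive copy of traffic) or "block" (inline gateway)
    reason: str

def classify(sql):
    """Map a statement to its group by the first keyword, ignoring SQL comments."""
    body = re.sub(r"/\*.*?\*/|--[^\n]*", " ", sql, flags=re.S).strip()
    keyword = body.split(None, 1)[0].upper() if body else ""
    return GROUPS.get(keyword, "other")

def evaluate(user, src, sql, inline=False):
    """Audit one captured statement; passive mode can only alert, inline mode can block."""
    group = classify(sql)
    deny = "block" if inline else "alert"
    rule = POLICY.get(user)
    if rule is None:
        return Verdict(user, src, group, deny, "unknown database account")
    if not src.startswith(rule["nets"]):
        return Verdict(user, src, group, deny, "source network not permitted for account")
    if group not in rule["groups"]:
        return Verdict(user, src, group, deny, group + " statements not permitted for account")
    return Verdict(user, src, group, "allow", "policy match")

SAMPLE = [  # constructed copy of database traffic: (account, source IP, statement)
    ("app_svc", "10.1.4.20", "SELECT id, name FROM customers WHERE id = 42"),
    ("app_svc", "10.1.4.20", "/* maint */ DROP TABLE audit_log"),
    ("dba", "10.9.0.5", "ALTER TABLE orders ADD COLUMN note text"),
    ("dba", "192.0.2.33", "SELECT * FROM payroll"),
]

def audit(records=SAMPLE, inline=False):
    return [evaluate(u, s, q, inline) for u, s, q in records]
```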
GREENNET provides our customers with the implementation, configuration and maintenance
of DAM/DBF systems and their integration with the customer’s IT security systems.
The specifics of the cybercriminal attacks detected and studied in recent years show that
cybercrime uses a multi-vector approach in attacking the IT infrastructure of a victim
organization. Cybercriminals look for an opportunity to penetrate the internal network
using all of its touch points with the outside world. Attempts to break into the network
using web and mail traffic to penetrate the IT infrastructure of the victim organization;
hacking or massive DDoS attacks on the organization's Web resources; hacking of cloud
resources or applications - all these facts make us look at the task of protecting the
organization's network and perimeter (which can be "blurred" by the abundance of remote
work opportunities and cloud resources) as one of building an integrated layered
security system that combines security systems of different classes.
To solve these problems, we use solutions of the following classes:
- Next Generation Firewall/Next Generation IPS - for network protection and intrusion prevention
- Web Application Firewall - to protect Web applications from intrusions and DDoS attacks by analyzing HTTP/HTTPS traffic and XML/SOAP semantics
- Web-gateway and Mail-gateway - to provide secure access to Internet resources, control web and mail traffic in order to prevent malicious code infiltration and intrusion, control the presence of malicious URLs in traffic, filter malicious and unwanted traffic, etc.
- Network Traffic Analyzer - for analyzing traffic anomalies in the internal network of an organization, identifying signs of malicious code activity in network traffic and signs of an attack by intruders
- Cisco Identity Services Engine (ISE) - to create an organization-wide trusted environment based on a single, centralized information security policy for all types of users, devices, and connections.
- Cloud Access Security Broker - to control activities and enforce security policies and rules in the cloud infrastructure.
GREENNET provides our customers with the implementation, configuration and maintenance
of all of the above-mentioned systems individually or in combination, depending on the
IT infrastructure architecture and the identified information security issues.
GREENNET provides our customers with a set of services that allow them to assess the
degree of security of their IT infrastructure, the degree of its vulnerability, the
effectiveness of the existing information security system, the need to implement new
information security systems, and the degree of compliance with security standards and
regulatory requirements, as well as to protect IT assets from sophisticated and targeted
attacks. The services offered include information security consulting and auditing,
vulnerability analysis, penetration tests (both manual and automated), evaluation of the
effectiveness of existing protection tools, and a service for protecting against
targeted and complex attacks based on XDR class systems.
Security Operations: IBM, Cisco, Palo Alto Networks, Elastic NV
DLP and Mobile Devices Protection: HelpSystems, BlackBerry
Privileged Accounts Security: CyberArk
End-Points Security: Cisco, Palo Alto Networks
Database Security: Imperva
Network and Perimeter Security: Cisco, Palo Alto Networks, Radware, Imperva, Tenable