Modern enterprise security systems no longer focus solely on the perimeter but also control and protect internal company resources. No one can guarantee 100% perimeter security, and malicious activity can go on inside the network for months, so the security status of the company's entire IT infrastructure has to be monitored.

In modern enterprises, a security team is typically established to track all events and messages, both from specialised security devices and from other IT infrastructure components. Malicious activity can often be detected through atypical events on the computing nodes of the information system, especially in the case of so-called "zero-day" attacks, which use the latest, previously undocumented techniques and methods.

To effectively process events and notifications of varying criticality from all systems, these millions of messages must be analytically preprocessed and correlated, so that the security team can work with the results in the form of security incidents and events.

The security team analyses security incidents and responds to events based on established processes and procedures for responding to incidents of different criticality levels, and for performing routine event tracking and control procedures.

SNT Ukraine has developed a Security Operations System (SOS) that integrates into the customer's IT infrastructure and provides event collection and processing, incident analysis, response to ongoing and successful attacks, and the execution of procedures to minimise damage from attacks.

The SOS solution consists of a hardware and software complex for the analytical system, based on Splunk products with over 2000 available processing and correlation rules; developed and configured processes and procedures; and a recommended schedule and set of requirements for specialists at each level, or training programmes.

As mentioned earlier, the technological core of the system is the analytical module, which processes events from the customer's IT infrastructure. This is why certain requirements are placed on the customer's existing IT landscape, i.e. on the systems that can supply SOS with information from their event logs.

The minimum set of systems includes: a next-generation firewall, an intrusion prevention/detection system, an endpoint protection system, and infrastructure servers.

The solution is further strengthened by the presence of vulnerability scanning systems and specialised honeypots (Deception/HoneyPot) in the infrastructure. The advantages of implementing SOS include: improved visibility of processes and events in the infrastructure, faster response to security incidents, increased efficiency of the security service, formalisation of information security procedures, and the ability to use an extensive analytical platform for analysing technological and other events and processes.

The stages of implementing the SOS solution in the customer's infrastructure are: an audit; identifying the most dangerous attack vectors and the most vulnerable IT assets; determining whether, and to what extent, the customer's network needs modernisation, and carrying out that modernisation if necessary; deploying the hardware and software complex for analysis and correlation and connecting it to the existing event sources and reports; adapting the set of processing and correlation rules and creating new rules; creating and adapting procedures and policies for the security team; and remote support for the solution (second- and third-level support, or even outsourcing).