Security Operation, Incident Response, Threat Management

Logs stored on system components serve many purposes, such as troubleshooting, security, evidence creation, and compliance. Log management is one of the most important components required to comply with regulations such as ISO 27001, GDPR, Law No. 5651, and PCI DSS. Depending on the type of logs kept, it is possible to collect and record information such as which systems users access and when, utilization rates, performance levels, the tables accessed in databases, and the changes made to them.

Although log management is necessary, it is not sufficient on its own. The collected logs must also be correlated, archived, and reported on. With Security Information and Event Management (SIEM) solutions, meaningful information can be extracted from millions of log lines, suspicious events can be surfaced, and strong security analyses can be performed.

It can take a security analyst in a security operations center hours to initiate, contain, and close out the response to a single alarm. This duration is what makes security orchestration and automation such an important topic in incident response, where we race against time.

Security orchestration and automation spare the security analyst much of the time otherwise spent on repetitive manual processes. SOAR tools are becoming indispensable for today's modern security operations centers and cyber incident response teams. They run scenario-based incident responses automatically as a series of operations defined in a flow diagram (playbook). In the simplest scenario, a playbook can prioritize an alarm raised by the SIEM, enrich it with context, and trigger blocking and isolation actions on an IT system operating at the prevention layer.

Visibility and the quality of the detection mechanisms are among the most important concepts in the security operations center. Organizations can increase their visibility into, and detection of, advanced threats by collecting, analyzing, investigating, and reporting on incidents that occur at endpoints. EDR technology is one of the most important solutions for threat discovery, prioritization, analysis, and intervention using data collected from endpoints. Through continuous monitoring and collection of user, file, registry, memory, network, and process activity, it can detect a threat originating from inside or outside the organization in near real time, take action on the affected endpoint, and integrate easily and flexibly with tools such as SIEM and SOAR.

Attackers move within the network while carrying out their attacks, sometimes in a north-south direction and sometimes east-west. Malicious or untraceable activity at the BIOS level may not give the mechanisms used to detect threats sufficient visibility. At the same time, attacks follow a life cycle, and movement within the network is part of that cycle.

NDR provides a way to detect advanced threats by collecting, processing, and analyzing all activity occurring on the network as traffic data. Thanks to its machine learning algorithms and advanced analytics capabilities, it is an essential tool for detecting attacks that bypass traditional intrusion detection systems. Integration with other key security solutions such as SIEM, SOAR, EDR, and TI is also crucial.

User-based correlation in security event management and correlation systems is operationally very challenging; profiling and user-based threat detection can mean writing dozens of different rule sets. UEBA technology monitors the time-based activity of each user in the organization through a defined algorithm, building a behavioral baseline per user. This enables the detection of abnormal user activity, advanced malware detection, and user-specific threat hunting. Incidents can be investigated using rule-based signature matching, pattern matching, and advanced analytics based on machine learning.
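The per-user baselining described above, as an added example that is not part of the original page or any vendor product: each user's usual hosts and hour-of-day window are learned from a constructed set of authentication log lines, and later events that fall outside that profile (a new host, an off-hours login, or an unknown user) are flagged for investigation. The log format, user names, host names, and the one-hour slack are all assumptions.

```python
# Added example (not from the page or any product): a toy UEBA-style check
# that baselines each user's hosts and login hours, then flags deviations.
# The log format "<ISO timestamp> <user> <host>", users, hosts and the
# 1-hour slack are all constructed assumptions.
from collections import defaultdict
from datetime import datetime

BASELINE_LOGS = """2024-03-04T08:55:00 alice ws-fin-01
2024-03-05T09:10:00 alice ws-fin-01
2024-03-06T17:40:00 alice ws-fin-02
2024-03-04T10:00:00 bob ws-dev-07
2024-03-05T14:30:00 bob ws-dev-08""".splitlines()

NEW_LOGS = """2024-03-08T09:00:00 alice ws-fin-01
2024-03-08T03:12:00 alice db-prod-01
2024-03-08T13:00:00 bob ws-dev-07
2024-03-08T12:00:00 mallory ws-dev-07""".splitlines()

def parse(line):
    ts, user, host = line.split()
    return datetime.fromisoformat(ts), user, host

def build_baseline(lines, hour_slack=1):
    # Per-user profile: hosts seen and an hour-of-day window widened by slack
    seen = defaultdict(lambda: {"hosts": set(), "hours": []})
    for ts, user, host in map(parse, lines):
        seen[user]["hosts"].add(host)
        seen[user]["hours"].append(ts.hour)
    return {u: {"hosts": p["hosts"],
                "hour_min": min(p["hours"]) - hour_slack,
                "hour_max": max(p["hours"]) + hour_slack}
            for u, p in seen.items()}

def find_anomalies(baseline, lines):
    # Returns (user, host, reasons) for events outside the user's profile
    findings = []
    for ts, user, host in map(parse, lines):
        prof = baseline.get(user)
        if prof is None:
            reasons = ["unknown user"]
        else:
            reasons = []
            if host not in prof["hosts"]:
                reasons.append("new host")
            if not prof["hour_min"] <= ts.hour <= prof["hour_max"]:
                reasons.append("off-hours")
        if reasons:
            findings.append((user, host, reasons))
    return findings
```

In practice the baseline window would be learned over weeks rather than a handful of lines, and findings would be scored and forwarded to the SIEM rather than treated as alerts on their own.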

By using trap and bait systems, which deceive attackers or users with unauthorized access to information systems and collect information about them, it is possible to better understand attack techniques and take precautions before the real systems are attacked. Deception technology distracts attackers and buys time before they reach your real systems.

Thanks to the traps and baits placed in the network, the attack is contained and proceeds only within the trap. This enlarges the threat hunting surface, and event monitoring and analysis can be further enhanced with the additional data collected.

Testing how systems will respond to a possible cyber attack, and determining the measures to be taken before the attack occurs, constitutes an important set of solutions. These security tests, performed using current threat libraries and modern methodologies (MITRE ATT&CK, Cyber Kill Chain, OWASP, etc.), continuously check security systems such as NGFW, IPS, WAF, EPP, SIEM, EDR, and NDR to ensure that they are available and effective against current threats. They also help you meet regulatory and compliance requirements.

In conventional warfare, the more intelligence obtained about the opponent, the stronger the protection against their attacks. The same is true in cyber environments. Being aware in advance of preparations for a cyber attack on an organization or its senior officials provides a great advantage in protecting against those attacks, since the necessary measures can be taken and the attacks prevented. Threat intelligence solutions turn data collected from open and closed Internet sources into useful information through machine learning and make it available to the organization.

Information systems are built on asset management. Measuring, monitoring, and reporting the risk of each asset is critical both for compliance with laws and regulations and for a sound IT risk management process. Measuring risk is possible by detecting vulnerabilities and gaps in information assets. Research shows that the vast majority of attacks exploit known vulnerabilities. Discovering, prioritizing, analyzing, and remediating vulnerabilities, actively, passively, and continuously, and managing them through a life cycle minimizes these risks.

An important part of the incident response process is the analysis and examination of all relevant evidence. A network forensic analysis platform is built on full packet capture of the traffic collected on the network and storage of all its contents in a central unit. This enables in-depth examination of cases and evidence, root-cause analysis of historical activity, abnormal behavior detection, and malicious content detection.

A cyber range is one of the core parts of the security operations center. It ensures that security analysts are ready to act during a cyber attack, both through the training they receive in drills and through the real-world scenarios they face in threat emulation environments.