The Black Cell Fusion Center is an extension of the SOC service matrix with the ability to involve different IT security platforms, on which we deploy advanced detective and reactive use cases.
Cyber Fusion Center
Black Cell’s Fusion Center is a quality expansion of the original SOC service.
The fundamentals of the solution are based on our uniquely designed processes and methods, mapped to the MITRE ATT&CK framework. This goes beyond traditional threat hunting by integrating threat intelligence, machine learning and deception-based detection methods to provide the utmost level of security.
With sufficient log sources connected, the platform’s topmost layer uses machine learning algorithms to find anomalies in the incoming telemetry and metadata. This technology provides protection for industrial control systems and cloud-based systems in addition to traditional IT systems.
Clients are provided with a web-based platform where they can track key information, such as incidents or the performance indicators relevant to achieving a higher maturity level. The Fusion Center concept enables transparent, real-time communication between the client and the service provider. It also provides excellent insight into a client’s cybersecurity ecosystem, its current maturity level and its progress towards a higher level.
The service is a fusion of the offensive and defensive aspects of cybersecurity, manifested in an interactive web application. In addition to aggregating security events and alerts from client-side IT security solutions, the platform is where:
- The special rights required for incident management can be approved
- Incidents and the status of their investigation can be viewed, and reports downloaded
- Under the Cytrac (Cyber Traction) module and its sub-features, those responsible can check the status of the KPIs defined for security maturity level improvement
- Alarms can be reviewed based on, and mapped to, the MITRE ATT&CK framework
- Support tickets can be raised for the solutions covered by the support contract
- The operation and effectiveness of individual detection rules can be checked
- The level of security awareness can be assessed and tracked
- Generic and targeted phishing campaigns can be run
- Malware analysis can be performed
- A sandbox is available for investigation and forensics purposes
- Compliance services are available
- Third-party IT security solutions are available
- Under the OT and Cloud modules, specific detections, alarms and incidents can be viewed, and new use cases can be planned with the help of an expert team
- Under the managed vulnerability assessment module, an investigation of the infrastructure’s current status can be launched and tracked
- Under the threat intel module, the company’s online threat exposure can be checked
- Trend analyses can be performed
The platform provides a number of integration options through APIs, such as:
- Log management solutions from major vendors (SIEM systems)
- Orchestration and automation solutions (SOAR systems)
- Major threat intelligence vendors
- Vulnerability scanners and management tools
- IDPS systems
- EDR systems
Cybersecurity through performance indicators
Maturity, steps forward and continuous improvement: these are the most important keywords in modern incident management. It is a kind of “hand-crafted” security oversight concept that goes beyond commercial products. The essence of the system is to determine the maturity level of cybersecurity based on a scoring system, by which the current state and the improvements can be continuously monitored. The module supports the continuous development of use cases using the MITRE ATT&CK framework.
The solution is based on the MITRE ATT&CK framework, and aims to identify and rank gaps in cybersecurity detection capabilities based on the relevant tactics, techniques and procedures used by attackers. The most common problem with this type of estimation and with automatic mapping techniques is that the coverage estimate is based solely on techniques. This is problematic for several reasons. On the one hand, it gives a false sense of security: each attack technique may involve a number of procedures that are not taken into account, and if only one of those procedures can be detected, the whole technique is marked as done. On the other hand, such an assessment may also flag for mitigation a technique that does not involve any element of the organization’s infrastructure. This can result in wasted resources, or an attacker may even exploit an area that the organization considers secure.
- Assessing the existing infrastructure: in order to filter out attack procedures that do not apply to the organization, detailed information about IT systems, networks, security solutions and system components is required.
- Assessment of detection capabilities: visibility is essential for detecting attacker activity, and one of the objectives of the audit is to improve detection capabilities. During the assessment, the SIEM / SOAR / IDPS / NSM / EDR systems are examined at the technical and process levels.
- Mapping phase: based on the available information, the system matches the attacks with the procedures, assigns them to the appropriate technique and then to tactics.
- Validation of detection capabilities: the offensive security team simulates cyberattack procedures wherever a detection capability has been marked.
- Content of reports:
  - Detected and verified detection gaps
  - A sector-specific, ATT&CK heatmap-based, prioritized action plan
  - A recommended performance indicator system based on staff competences and infrastructure condition
  - Technical fixes: SIGMA / YARA / SNORT / SURICATA / ZEEK rules and other recommended parameterization of vendor-specific solutions
- Creating hypothetical scenarios: for organizations whose capability and maturity levels go beyond purely reactive activities (alerts returned by IT security systems and their associated analysis and responses) and whose staffing is suitable for threat hunting, a use-case-based list is defined so that these proactive processes also take place in an accountable and controllable manner.
- Continuous remediation testing of detection capabilities
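As an added illustration of the technique-versus-procedure argument above (not code from Black Cell or the Fusion Center platform), the following script scores a constructed mapping both ways: naively per technique, and per procedure after filtering by the infrastructure inventory from the assessment step. The technique IDs are real ATT&CK identifiers; the procedure rows, platforms and detection flags are invented sample data.

```python
from dataclasses import dataclass

@dataclass
class Procedure:
    name: str        # attacker procedure, as named in the mapping phase
    platform: str    # infrastructure element it needs ("windows", "linux", ...)
    detected: bool   # a validated detection exists for this procedure

@dataclass
class Technique:
    tid: str
    procedures: list

# Constructed sample inventory from the infrastructure assessment step.
INVENTORY = {"windows", "linux"}

# Constructed sample mapping. Technique IDs are real ATT&CK IDs; the
# procedure rows and their detection status are invented for illustration.
TECHNIQUES = [
    Technique("T1003", [Procedure("LSASS memory access", "windows", True),
                        Procedure("SAM hive read", "windows", False),
                        Procedure("/etc/shadow read", "linux", False)]),
    Technique("T1059", [Procedure("PowerShell", "windows", True),
                        Procedure("Unix shell", "linux", True),
                        Procedure("AppleScript", "macos", False)]),
    Technique("T1021", [Procedure("RDP", "windows", False),
                        Procedure("SSH", "linux", False)]),
    Technique("T1580", [Procedure("Cloud API enumeration", "cloud", False)]),
]

def technique_level_coverage(techs):
    """Naive view criticised above: a technique counts as covered as soon
    as any one of its procedures is detected, applicability ignored."""
    return sum(any(p.detected for p in t.procedures) for t in techs) / len(techs)

def naive_open_techniques(techs):
    """What the naive view puts on the mitigation list, inventory ignored."""
    return [t.tid for t in techs if not any(p.detected for p in t.procedures)]

def procedure_level_coverage(techs, inventory):
    """Keep only procedures the inventory can actually be hit by, then count
    how many of those have a validated detection."""
    applicable = [p for t in techs for p in t.procedures if p.platform in inventory]
    return sum(p.detected for p in applicable) / len(applicable) if applicable else 1.0

def detection_gaps(techs, inventory):
    """Applicable procedures with no detection: the real prioritised action list."""
    return [(t.tid, p.name) for t in techs for p in t.procedures
            if p.platform in inventory and not p.detected]

def irrelevant_techniques(techs, inventory):
    """Techniques none of whose procedures apply to the inventory; spending
    mitigation effort on these is the resource waste described above."""
    return [t.tid for t in techs
            if not any(p.platform in inventory for p in t.procedures)]
```

On this sample the naive view reports 50% coverage and lists T1580 for mitigation although nothing in the inventory runs it, while the procedure view reports 3 of 7 applicable procedures detected and shows that T1003 is "done" with two of its three procedures still unmonitored.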
OT Fusion Center
- Continuous device discovery – To create rules and policies properly, we maintain a dynamic inventory of OT and IoT devices. Network device identification is achieved through passive collection (TAP, SPAN, packet broker), which gives us information such as device name, type, serial number, firmware version and components; device metadata; GeoIP information; name, IP address, MAC address and availability; embedded devices such as PLCs and their internal components; subsystems of logic nodes and measurement points; and the operating system and installed software applications with version numbers.
- Identifying and ranking vulnerabilities in OT devices – Industrial networks include thousands of OT and IoT devices from a variety of vendors. Unfortunately, most of these devices are not designed for the level of security required in the world of IoT, and active scanning, let alone penetration testing, is NOT recommended in OT networks. Instead, the device list is compared with vulnerability catalogs (NVD, CVE). From this data, we can create a vulnerability validation roadmap and management program.
- MITRE ATT&CK-based gap analysis – A plan and strategy are recommended, including key performance indicators. The MITRE ATT&CK framework is one of the most comprehensive catalogs of possible attack scenarios to respond to. However, we recommend that the assessment be based on the relevant procedures and NOT on techniques alone: if the inspection is performed only on the basis of techniques, it can result in a false sense of security.
Cloud Fusion Center
The Fusion Center provides a more unified and proactive approach to responding to threats in the infrastructure and IT landscape by enabling knowledge sharing and cooperation between IT departments (Operations, Security, Compliance).
This is especially true for hybrid-cloud or full-cloud infrastructures. While the role of a SOC typically focuses on detecting, identifying, investigating and responding to incidents, a cyber fusion center takes this one step further by improving the overall security profile and capabilities of the organization. The Black Cell Cyber Fusion Center is fully compatible with Microsoft Azure.
Why choose us?
Black Cell Ltd. was founded in 2010 in Hungary. The team has proven to have the right skills, competencies and knowledge base to successfully run and maintain a Cyber Security Operations Center. We have a strict service contract regulating our operations and also hold $1 million in liability insurance. We operate non-stop and provide live monitoring and alerting every day of the year.
Our CERT team has been certified by Carnegie Mellon University. Our incident response team is made up of four experts from different IT security fields who are simultaneously serving in the SOC. These areas consist of offensive security (ethical hacking), defensive security (log analytics), threat hunting and cyber threat intelligence (CTI). In addition, our network security and product-specific support staff are also available.