Cyber Security
Fusion Center

The Black Cell Fusion Center is an extension of the SOC service matrix with the ability to involve different IT security platforms, on which we deploy advanced detective and reactive use cases

Fusion Center

At the heart of the Black Cell Fusion Center lies its ability to bring together disparate IT security platforms, seamlessly bridging the gaps between different systems. This integration creates a cohesive and comprehensive security ecosystem that enhances visibility, agility, and response capabilities. By leveraging the power of this unified environment, organizations can effectively detect and neutralize potential security breaches, minimizing the impact on their critical systems and data. 

The Black Cell Fusion Center service is an extension of the SOC service matrix with the possibility to integrate different IT security platforms, on top of which more advanced detective and reactive use-cases are implemented. We provide our customers with an on-premise solution with a web front-end or an online platform served from our secure cloud, where they can monitor cyber incidents and the status of performance indicators for the development of defined IT security maturity levels, in addition to the above-mentioned functions.

Conceptually, Fusion Center is as close as possible to transparent, real-time communication between the security provider and the customer, and provides the most holistic view of the customer’s cybersecurity ecosystem. FC is all about cybersecurity solutions, products and services based on and aligned with IT security maturity, objective cybersecurity events, quantitative and qualitative metrics, centralised on a single platform.

Clients are provided with a web-based platform where they can track key information, such as incidents or the performance indicators relevant to achieving a higher maturity level. It enables transparent, real-time communication between the client and the service provider. It also provides excellent insight into a client's cybersecurity ecosystem, its current maturity level and its progress towards a higher level.

The Fusion Center provides a more unified and proactive approach to responding to threats in the infrastructure and IT landscape by providing knowledge-sharing and cooperation possibilities between IT departments (Operations, Security, Compliance). This is especially true for hybrid-cloud or full-cloud infrastructures. Black Cell Cyber Fusion Center is fully compatible with Microsoft Azure.

While the role of a SOC typically focuses on detecting, identifying, investigating, and responding to incidents, a Cyber Fusion Center takes this one step further by improving the overall security profile and capabilities of the organization.

SOC as a Service

Black Cell SOC is a managed Cyber Security Operations Center which is suitable for all kinds of organizations – we work with SMEs, large corporates, governmental and critical infrastructure organizations – regardless of their size. SOC helps keep your business information secure, as we provide a complex service package that covers all the necessary IT security tools, devices, technologies and knowledge.

What is SOC?

A Cyber Security Operations Center, or SOC, is a dedicated IT security unit within the organization with one primary task: to prevent and eliminate cyber-security incidents. Whether it’s protecting a critical infrastructure, a complex enterprise or a government environment, our incident response team has the specialized experience to provide for our clients.

The primary mission of the SOC is to prevent, detect and handle cyber security incidents. Accordingly, many preventive controls should be implemented during the design phase to reveal and eliminate known attack paths. Blind spots are eliminated by a variety of technical and logical solutions, so detection capabilities will be more efficient and faster, and the time needed to investigate events will be minimized. Our company’s SOC-as-a-Service package is specifically designed for infrastructures over 500 IPs.

Cost-effective

Our monthly fee structure provides a flexible and cost-effective solution.

Effective resource allocation

Reducing the cost of IT security devices, licensing, deployment, training and continuous education of employees.

Insurance

Because 100% protection cannot be guaranteed, our special liability insurance will also cover the remaining gap in the shield.

What are the key steps?

A Security Operations Center (SOC) as a service offers a comprehensive and proactive approach to safeguarding organizations against cyber threats. It involves a series of key steps designed to detect, analyze, and respond to security incidents in real time, providing continuous protection for critical systems and data.

Step 1 - Assessment

Based on Crown Jewels analysis or on existing risk assessment, we conduct a technology survey of the security toolkit associated with the systems concerned, to determine their effectiveness and maturity.

Step 2 - Detection capabilities

As a result of the assessment, we create a detection capability matrix using a “top to bottom” or “bottom to top” approach, that is, to either tailor technologies to business needs, or to align with the needed coverage requirements based on available technologies and their maturity.

Step 3 - Hardening

With hardening, the systems’ exposure to cyberattacks and vulnerabilities can be substantially reduced.

Step 4 - SIEM implementation

The purpose of SIEM and similar systems is essentially to centrally store and analyze logs (events) and any relevant security data from hardware and software devices, operating systems and applications, to ensure that security-threatening events and malicious acts are discovered. For a list of our supported SIEM systems, see the portfolio of our VAR division.

Step 5 - Use Cases

Use Cases (and related playbooks) mean planned reactions and sequences of alarms that indicate a cyber-security incident and require immediate human or automated intervention. Our company has over 100 unique Use Cases that can be customized and also automated with a SOAR platform.

Step 6 - Triage

We define the steps for triaging in the Use Case matrix and the associated command register, together with IT security and operations stakeholders. These steps, actions, specific commands and queries can be performed outside the SIEM system, directly on the connected data sources, if further validation or more data is needed regarding the incident.

Step 7 - Monitoring

Our dedicated incident management (CSIRT) team is organized on three levels (L1-L3) and is available 24/7/365 for effective IT security oversight and responsiveness. We provide 99.9% * availability for the devices we integrate and manage.

Step 8 - Report & trackback

Incident management and reporting is provided by a framework that adapts to the customer’s technological and administrative capabilities. Regular reports, technical and executive reports on the performance and quality of the service provide a comprehensive overview.

Step 9 - Lessons learned

There may be incidents for which there is no Use Case, or which were so far unknown; in such cases we update the rules, the preventive and detective controls, and the service-defining documents so that similar events are detected and responded to in the future.

SOC building

Black Cell has already been involved in the organization and the management of many national, multinational and intercontinental SOC events, and gained outstanding experience from the managed SOC operated by our company, which we provide in Hungary and other European Union Member States.

We recommend this service first and foremost to organizations and large companies who have or plan to set up an in-house incident management team.

Our company is also at the disposal of our clients in the design, implementation and testing of SOC.

Key elements of the process

The SIEM (Security Information and Event Management) system of the SOC is based on a holistic view of the corporate infrastructure. Our company can implement any brand-independent solution, complemented with detection tools on the client, server and network side.

One of the main pillars of the SOC construction is creating the use case matrix and the corresponding playbooks after the detection capabilities have been assessed. For the use cases, see the sample below. We also suggest appropriate tactical and operational actions and strategies, and support the development of an IRP (Incident Response Plan).

Assessment

We assess the internal and external factors of security monitoring and prepare a feasibility study on SOC deployment.


Reaction plans

We prepare the use cases and playbooks, taking into account the capabilities and structure of the organization.

Training

We train security analysts and experts from Level 1 to 2. We will teach you how to get the most out of the toolset you choose.

Procurement support

We enable data driven decisions not only on products but holistic security solutions.

Incident response

We contribute to the development of an effective incident response plan (IRP).


Trackback & validation


OT SOC

Industrial networks include thousands of OT and IoT devices from a variety of vendors. Unfortunately, most of these devices are not designed for the level of security required in the world of IoT, and active scanning, let alone penetration testing, is NOT recommended in OT networks. Here, the list of devices is compared with vulnerability catalogues. From this data, we can create a vulnerability validation roadmap and management program.

MITRE ATT&CK Framework

To properly track the maturity of an ICS/OT organization, we adopted a special MITRE ATT&CK framework that consists of a merged version of the ICS and Enterprise matrices. It is one of the most comprehensive catalogs of possible attack scenarios to respond to, and it addresses the challenges of Industry 4.0. Our continuous assessment is based on relevant procedures and NOT on techniques alone. If the inspection is performed only on the basis of techniques, it can result in a false sense of security.

Detection capabilities

To properly develop detection capabilities, we work with passive network monitoring and native client-side log enrichment.


Early warning system

At a certain level of maturity we implement a so-called early warning system that consists of a set of deception-based detection mechanisms.

Evaluation

Our KPIs are based on specific metrics: dwell time and the coverage of the hybrid MITRE ATT&CK framework.
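As an added example, not Black Cell's code or tooling, the following Python computes the two KPIs named above over a small constructed hybrid catalogue: the naive technique-level coverage, the stricter procedure-level coverage this assessment approach favours, the remaining gaps per technique, and median dwell time from constructed incident records. The technique IDs are real ATT&CK identifiers; the procedure labels, the use case matrix and the incidents are constructed.

```python
"""Coverage and dwell-time KPIs over a hybrid Enterprise + ICS ATT&CK catalogue.
Added example, not Black Cell code. Technique IDs are real ATT&CK IDs; the
procedure labels, the use case matrix and the incident records are constructed."""
from dataclasses import dataclass
from datetime import datetime
from statistics import median

@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    matrix: str             # "enterprise" or "ics"
    procedures: frozenset   # constructed labels for observed procedures

# Constructed hybrid catalogue: two Enterprise and two ICS techniques.
CATALOGUE = [
    Technique("T1078", "Valid Accounts", "enterprise",
              frozenset({"local-admin", "domain-account", "cloud-account"})),
    Technique("T1059", "Command and Scripting Interpreter", "enterprise",
              frozenset({"powershell", "cmd", "bash"})),
    Technique("T0886", "Remote Services", "ics",
              frozenset({"rdp-to-hmi", "vnc-to-engineering-ws"})),
    Technique("T0855", "Unauthorized Command Message", "ics",
              frozenset({"modbus-write", "dnp3-operate"})),
]

# Constructed use case matrix: the technique each detection covers and the
# procedures the detection has actually been validated against.
USE_CASES = {
    "UC-01 suspicious PowerShell": ("T1059", {"powershell"}),
    "UC-02 new domain admin logon": ("T1078", {"domain-account"}),
    "UC-03 RDP session into HMI VLAN": ("T0886", {"rdp-to-hmi"}),
}

def _validated(use_cases):
    """Union of validated procedures per technique id."""
    out = {}
    for tid, procs in use_cases.values():
        out.setdefault(tid, set()).update(procs)
    return out

def technique_coverage(catalogue, use_cases):
    """Naive KPI: share of techniques with at least one use case."""
    covered = set(_validated(use_cases))
    return sum(t.tid in covered for t in catalogue) / len(catalogue)

def procedure_coverage(catalogue, use_cases):
    """Stricter KPI: share of procedures a use case has been validated against."""
    validated = _validated(use_cases)
    total = sum(len(t.procedures) for t in catalogue)
    hit = sum(len(t.procedures & validated.get(t.tid, set())) for t in catalogue)
    return hit / total

def coverage_gaps(catalogue, use_cases):
    """Per technique, the procedures no use case has been validated against."""
    validated = _validated(use_cases)
    gaps = {t.tid: sorted(t.procedures - validated.get(t.tid, set())) for t in catalogue}
    return {tid: procs for tid, procs in gaps.items() if procs}

def matrix_coverage(catalogue, use_cases, matrix):
    """Procedure coverage restricted to one matrix ("enterprise" or "ics")."""
    return procedure_coverage([t for t in catalogue if t.matrix == matrix], use_cases)

# Constructed incident records: (first malicious activity, detection time).
INCIDENTS = [
    (datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 20, 0)),   # 12 h
    (datetime(2024, 3, 5, 2, 0), datetime(2024, 3, 7, 2, 0)),    # 48 h
    (datetime(2024, 3, 9, 9, 0), datetime(2024, 3, 9, 15, 0)),   # 6 h
]

def median_dwell_hours(incidents):
    """Dwell time KPI: median hours from first activity to detection."""
    return median((found - start).total_seconds() / 3600 for start, found in incidents)
```

With this data the technique-level KPI reports 75% coverage while the procedure-level KPI reports 30%, which is the gap between the two views the text warns about.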

Fusion Center
Enterprise Security Module

Overview

Enterprise security visibility is a critical component of an organization’s overall security strategy. It refers to the ability to gain comprehensive insights into the security posture and activities across the entire enterprise network, systems, applications, and data. By implementing an enterprise security visibility module, businesses can enhance their ability to detect, analyze, and respond to security threats effectively. This module incorporates various tools, technologies, and processes to provide a holistic view of the organization’s security landscape.

Key Features

Monitoring and Logging

The visibility module collects and analyzes logs, events, and activities from different sources, including network devices, servers, endpoints, and applications. It enables centralized monitoring and logging, allowing security teams to identify and investigate potential security incidents or anomalies.

Threat Detection and Analysis

Through advanced analytics and machine learning algorithms, the visibility module identifies patterns, anomalies, and indicators of compromise (IoCs) within the network and system logs. It enables real-time threat detection, aiding in the early identification and mitigation of security breaches.

Incident Response and Forensics

The module supports incident response efforts by providing comprehensive visibility into the incident timeline, affected systems, and the actions taken by adversaries. It allows security teams to conduct in-depth investigations, perform digital forensics, and gather evidence for legal or regulatory purposes.

Compliance and Audit

Enterprise security visibility assists organizations in meeting regulatory compliance requirements by providing detailed logs and reports. It enables the monitoring of security controls, policy enforcement, and adherence to industry standards such as PCI-DSS, HIPAA, or GDPR.

Visualization

The visualization capabilities enable presenting security data in a user-friendly and visually appealing manner. It offers dashboards and charts that provide executives and stakeholders with a clear understanding of the organization’s security posture, threat landscape, and ongoing security activities.

Benefits

Early Threat Detection

By leveraging advanced analytics and real-time monitoring, the visibility module helps organizations identify security threats before they cause significant damage, reducing the time to detect and respond to incidents.

Improved Incident Response

With comprehensive visibility into security events and incidents, security teams can rapidly investigate, contain, and remediate security breaches, minimizing the impact on business operations.

Compliance and Risk Management

The module facilitates compliance with industry regulations and enables organizations to proactively manage risks by identifying vulnerabilities, security gaps, and non-compliant activities.

Enhanced Decision-making

By providing actionable insights and visual representations of security data, the visibility module empowers decision-makers to make informed choices about security investments, resource allocation, and strategic planning.

Increased Operational Efficiency

Centralized visibility and streamlined monitoring processes reduce the complexity of managing security across distributed systems and networks, enhancing operational efficiency and resource utilization.

Options

Both deployment options offer benefits depending on the organization’s existing security infrastructure, budget, and specific requirements. Whether organizations choose to integrate the visibility module as an add-on or deploy it as a stand-alone solution, the ultimate goal is to enhance security visibility, threat detection, and response capabilities across the enterprise network.

Add-On Deployment

In this deployment option, the enterprise security visibility module is integrated as an add-on to an existing security infrastructure or platform. Organizations already utilizing security solutions such as SIEM (Security Information and Event Management, e.g., IBM QRadar, Splunk Enterprise, Microsoft Sentinel) systems or network monitoring tools can incorporate the visibility module into their existing setup. The module integrates seamlessly with the organization’s security ecosystem, leveraging the data and insights already generated by the existing tools. This deployment option offers the advantage of enhancing the capabilities of the current security infrastructure, providing an additional layer of visibility and advanced analytics without the need for a complete overhaul. It is a cost-effective solution that allows organizations to leverage their current investments while improving their security posture.

Stand-Alone Solution

In a stand-alone deployment, the enterprise security visibility module is implemented as a dedicated solution independent of any existing security infrastructure. This option is suitable for organizations that do not have a comprehensive security ecosystem in place or prefer a specialized solution focused solely on visibility and threat detection. The stand-alone module incorporates all the necessary components, including data collection agents, analytics engines, visualization dashboards, and reporting functionalities. It can be deployed on-premises or as a cloud-based solution, depending on the organization’s preferences and requirements. By opting for a stand-alone deployment, organizations gain the advantage of a dedicated and specialized solution tailored specifically for enterprise security visibility. This allows for greater customization, scalability, and flexibility in meeting the organization’s unique security needs.

Managed Enterprise Security Module:
Strengthening Your Network Defense

In today’s digital landscape, organizations face increasingly sophisticated cyber threats that can jeopardize sensitive data and disrupt business operations. To safeguard against these threats, robust network security solutions are vital. Our managed Enterprise Security Module, a comprehensive security monitoring and intrusion detection system, emerges as a reliable and powerful ally in defending your network infrastructure.

  • Integration with various security tools
  • Access to a team of security experts
  • Prompt intervention
  • Real-time visibility
  • Valuable insights
  • All without investing in expensive security resources

Access to a team of security experts

Managed ESM takes this exceptional security solution to the next level by providing a fully managed service, freeing your organization from the burden of deploying, configuring, and maintaining the system. With our service you can rely on a team of dedicated security experts who ensure the system’s continuous operation and keep it up to date with the latest security patches and enhancements. Our security professionals possess deep expertise in threat intelligence, incident response, and network security. They stay abreast of the latest security trends and best practices, ensuring that your network defense remains robust against evolving threats.

Prompt intervention

Upon detection of a potential security incident, the team promptly investigates the issue, analyzes the impact, and provides actionable recommendations for containment and remediation. This proactive approach minimizes the time between detection and response, reducing the potential damage caused by an attack.

Integration with various security tools

At its core, it is a modified open-source platform designed to provide real-time visibility into network activity and detect potential security breaches. It integrates various powerful security tools, including Suricata, Zeek, Strelka, Wazuh and a deception stack. This integration allows for advanced threat detection, analysis, and incident response.

Real-time visibility

One of the key advantages of managed ESM is its ability to identify and respond to emerging threats in real-time. By monitoring network traffic and analyzing security logs, it can detect suspicious activities, malware infections, unauthorized access attempts, and other indicators of compromise. The system uses sophisticated algorithms and signature-based detection methods to identify known threats, while also employing behavioral analytics to detect anomalies that may indicate new or zero-day attacks.

Valuable insights

Furthermore, managed ESM provides comprehensive security reporting, allowing you to gain valuable insights into your network’s security posture. Through customized dashboards and visualizations, you can monitor network traffic patterns, identify potential vulnerabilities, and track the effectiveness of your security measures. These insights enable you to make informed decisions regarding your organization’s security strategy and allocate resources effectively.

Black Cell MISP

Strengthening Threat Intelligence and Security Operations with SIEM, IDPS, and SOAR Integration

In the realm of cybersecurity, staying one step ahead of malicious actors is crucial. To effectively combat threats, organizations rely on comprehensive threat intelligence platforms like BC-MISP.

BC-MISP, short for Black Cell MISP, is a powerful open-source platform designed to facilitate the sharing, analysis, and correlation of threat intelligence. By collecting and consolidating data from diverse sources, BC-MISP provides organizations with real-time insights into emerging threats, enabling proactive defenses.

Key features of BC-MISP

  • ATO data: information about compromised user credentials
  • TTPs: tactics, techniques, and procedures used by threat actors
  • YARA repository: custom rules for detecting patterns of malware
  • Integration of malicious databases: IP, URL, domain, and hash
  • Seamless integration options with SIEM, IDPS, and SOAR solutions

This managed service enhances your security operations by integrating various threat intelligence components such as ATO (Account Takeover) data, TTPs (Tactics, Techniques, and Procedures), a private YARA repository, a malicious IP, URL, domain and hash database, and network signatures. Additionally, BC-MISP offers seamless integration options with SIEM, IDPS, and SOAR solutions, further bolstering your organization’s defense capabilities.

ATO data

One essential component of BC-MISP is ATO data, which refers to information about compromised user credentials found on the dark web or other illicit platforms. By integrating ATO data into BC-MISP, organizations can check whether their users’ credentials have been compromised, mitigating the risk of unauthorized access and data breaches.

TTPs

MITRE ATT&CK based TTPs, another critical element of BC-MISP, provide detailed information about the tactics, techniques, and procedures employed by threat actors. This intelligence helps organizations understand the methods employed by attackers, allowing them to proactively defend against known attack vectors and tailor their security measures accordingly.

YARA repository

BC-MISP also incorporates a private YARA repository, enabling organizations to create and maintain custom rules for detecting specific patterns and characteristics of malware. By leveraging YARA’s powerful capabilities, security teams can develop and deploy custom signatures that align with their specific threat landscape, enhancing detection capabilities and reducing false positives.

Integration of malicious databases

The integration of a malicious IP, URL, domain, hash database, and network signatures further enhances the threat intelligence capabilities of BC-MISP. These databases contain information about known malicious indicators, such as IP addresses, URLs, domains, and cryptographic hash values associated with malware. By cross-referencing network traffic, file hashes, and other indicators against these databases, BC-MISP can quickly identify potential threats, block malicious communications, and mitigate the impact of attacks.

Seamless integration with SIEM, IDPS & SOAR solutions

BC-MISP offers seamless integration options with SIEM (Security Information and Event Management), IDPS (Intrusion Detection and Prevention System), and SOAR (Security Orchestration, Automation, and Response) solutions. This integration allows organizations to enrich their security infrastructure and leverage the power of BC-MISP within their existing security ecosystem.

SIEM (Security Information and Event Management)

By integrating BC-MISP with SIEM solutions such as Microsoft Sentinel, Splunk Enterprise or IBM QRadar, organizations can centralize and correlate threat intelligence data with other security event logs, providing comprehensive visibility into potential threats. This integration enhances detection capabilities, enabling security teams to identify patterns and indicators of compromise (IoC) more effectively.
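The cross-referencing described under "Integration of malicious databases" and the SIEM enrichment described here, as an added example that is not BC-MISP's or the MISP project's own code: it loads a constructed MISP-style event export, keeps only attributes flagged to_ids (MISP's marker for detection-grade indicators), and enriches constructed log lines with the matching indicator type and source event. The Event/Attribute layout and the to_ids field follow the MISP JSON export format; every indicator value and log line is constructed (documentation-range IP addresses, an example domain, and the SHA-256 of an empty file).

```python
"""Enrich log lines with indicators from a MISP event export.
Added example, not BC-MISP or MISP project code. The export shape follows
MISP's JSON format; the event, its indicators and the log lines are constructed."""
import json
import re

# Constructed MISP event export. to_ids marks detection-grade attributes:
# the second IP and the comment attribute must never produce a match.
MISP_EXPORT = json.dumps({"Event": {
    "info": "Constructed demo event",
    "Attribute": [
        {"type": "ip-dst", "value": "203.0.113.45", "to_ids": True},
        {"type": "ip-dst", "value": "203.0.113.99", "to_ids": False},
        {"type": "domain", "value": "update.malicious.example", "to_ids": True},
        {"type": "sha256", "to_ids": True,
         "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
        {"type": "comment", "value": "seen in phishing wave", "to_ids": False},
    ]}})

# Constructed log lines: proxy, DNS, EDR file event, and a firewall line that
# only touches the to_ids=false address.
LOG_LINES = [
    "proxy src=10.0.0.12 dst=203.0.113.45 host=update.malicious.example status=200",
    "dns client=10.0.0.30 query=intranet.corp.example rcode=NOERROR",
    "edr host=ws-017 action=file_create sha256="
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 path=C:\\Users\\a\\x.exe",
    "fw src=10.0.0.9 dst=203.0.113.99 action=allow",
]

# Attribute types whose values can appear as bare tokens in a log line.
IOC_TYPES = {"ip-dst", "ip-src", "domain", "hostname", "md5", "sha1", "sha256"}

def load_indicators(export_json):
    """Return {value: (type, event_info)} for detection-grade attributes only."""
    event = json.loads(export_json)["Event"]
    return {a["value"].lower(): (a["type"], event["info"])
            for a in event.get("Attribute", [])
            if a.get("to_ids") and a["type"] in IOC_TYPES}

# Tokens worth looking up: IPv4 addresses, hex digests (MD5 to SHA-256), hostnames.
TOKEN_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[0-9a-f]{32,64}\b|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b",
    re.IGNORECASE)

def enrich(line, indicators):
    """Return [(token, attribute_type, event_info)] hits for one log line."""
    hits = []
    for tok in TOKEN_RE.findall(line):
        match = indicators.get(tok.lower())
        if match:
            hits.append((tok.lower(), match[0], match[1]))
    return hits

def enrich_all(lines, indicators):
    """Map line index -> hits, keeping only lines that matched an indicator."""
    out = {}
    for i, line in enumerate(lines):
        hits = enrich(line, indicators)
        if hits:
            out[i] = hits
    return out
```

Only the proxy line and the EDR line are enriched; the firewall line is left alone because its destination is a to_ids=false attribute, which is the distinction a SIEM feed should preserve to keep false positives down.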

IDPS (Intrusion Detection and Prevention System)

Integration with IDPS empowers organizations to automate the blocking or containment of identified threats. BC-MISP can provide real-time threat intelligence feeds to IDPS systems, allowing for proactive threat prevention and timely response to malicious activities.

SOAR (Security Orchestration, Automation, and Response)

The integration of BC-MISP with SOAR platforms enables security teams to automate and orchestrate response actions based on threat intelligence. By leveraging BC-MISP’s enriched data and analysis, organizations can streamline incident response processes, automate threat hunting, and enhance overall operational efficiency.