Through our extensive experience in penetration testing, we devote a lot of energy to analyzing the traces that attackers leave on an infrastructure. Based on this experience, we believe that effective monitoring of the Windows infrastructure is a key factor in detecting malicious activity in the enterprise.
To provide effective detection and alerting capabilities, SCRT therefore offers a SIEM solution focused primarily on suspicious behaviour in the Windows environment. To get the most out of the logs, a robust, centralized log collection infrastructure must also be in place.

To support this approach, SCRT chose Splunk Enterprise, deployed in the customer environment, which integrates with the existing infrastructure and provides the capacity needed to ingest and analyze the data and then present the information relevant to anomaly detection.
On top of Splunk, customers benefit from SCRT's security apps for Splunk, which bring predefined use cases and relevant dashboards.
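The centralized collection described above starts with forwarding the right Windows event channels to the central Splunk indexer. The following is an added illustration, not SCRT's own configuration or one of its Splunk apps: a Splunk universal forwarder `inputs.conf` and `outputs.conf` pair for a monitored Windows host. The indexer hostname, the `wineventlog` index name and the presence of Sysmon on the host are assumptions for the example.

```ini
; --- inputs.conf on each monitored Windows host (universal forwarder) ---
; Security log: authentication, privilege use, process creation (if auditing is enabled).
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
index = wineventlog

; System log: service installs, driver loads, unexpected reboots.
[WinEventLog://System]
disabled = 0
index = wineventlog

; PowerShell operational log: script block logging, if enabled by GPO.
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
index = wineventlog

; Sysmon channel: only present if Sysmon is installed (assumption for this example).
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = wineventlog

; --- outputs.conf: ship everything to the central indexer over TLS ---
[tcpout]
defaultGroup = central_indexers

[tcpout:central_indexers]
; Hostname and port are assumptions; 9997 is the conventional receiving port.
server = splunk-indexer.example.internal:9997
; Verify the indexer's certificate so logs cannot be diverted to a rogue receiver.
sslVerifyServerCert = true
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
useClientSSLCompression = true
```

Two checks before relying on this: the `wineventlog` index must exist on the indexer (otherwise events are dropped), and the Security channel only contains the events that the host's audit policy actually generates, so the audit policy has to be reviewed alongside the forwarder configuration.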

SCRT proposes an architecture designed around the following three modules:

This monitoring infrastructure is then made accessible, via secure channels, to SCRT's team of analysts, who operate it from our premises in Switzerland.

Our security operations center is made up of several teams involved in specific activities such as support, SOC monitoring, and incident response.

Incidents reported by the monitoring infrastructures installed at our customers are first filtered by a first level of analysts, in order to exclude false positives and to collect the information relevant to investigating those incidents that prove to be justified. These incidents are then handed over to the second level for investigation and analysis.

Our customers have access, at all times, to the details of their incidents and the actions taken to handle them, and can interact with the SCRT analysts working on them.
As your security partner, when we confirm an incident as malicious we provide specific remediation tips as well as comprehensive security recommendations to avoid recurrence.

Our Forensic Incident Response and Support Service includes several post-incident operations such as evidence gathering, malware scanning, and containment and support proposals.

Additional details on IRFA are available in its dedicated section.