The new Exprivia SOC: between technology and territory

02/09/21

In this period, talking about cyber security is increasingly common, even if it is not always discussed with full knowledge of the facts.

This time we thought of talking about it with Domenico Raguseo, in his capacity as director of the new Security Operation Center (SOC) in Molfetta.

What is a SOC? Why did you open a SOC, and then, why in Puglia?

A SOC is a center for the delivery of security services. A SOC deals with the monitoring of security events 24 hours a day, seven days a week, infrastructure management, segmentation and micro-segmentation, identity management and governance, privileged identities and accesses, and so on. Modern SOCs also include proactive services, such as training and awareness programs and vulnerability assessment and penetration testing (VAPT), and our Center is also equipped with a Computer Security Incident Response Team (CSIRT). In fact, even if the best defense is prevention, in the event of an attack, making highly specialized personnel available in a short time makes the difference between a tragedy and marginal damage.

In general, SOCs are focused on the IT perimeter; in our case we also deal with IoT and industrial systems, SCADA and PLC, because many of our customers belong to the industrial world and the future of cybersecurity lies in the IoT.

Not surprisingly, one of the use cases we use most relates to the cyber security of video surveillance systems. As the Mirai case teaches us, we should check that IoT devices are not used as bases for further attacks or lateral movement.

Our SOC is also used as a test bed, i.e. to test and show customers the technologies we produce and use, as well as particular use cases (for example Mirai).

Exprivia firmly believes in the value of sharing, so it collects, analyzes and then makes publicly available data relating to attacks, incidents and privacy violations, drawing up a report on cyber threats in Italy every three months.

We have a particular interest in digitization and innovation. How important can Machine Learning (ML), in the context of AI, be for cyber threat intelligence?

I will try to simplify the answer. We all know that the term hacker is used to identify a person who, thanks to his skills, is capable of improving the resilience of a digital system or correcting its vulnerabilities through specific activities. The bad hacker, on the other hand, is the one who tries to exploit the vulnerabilities of digital systems to his advantage.

Now, if the attackers use ML, the good guys have to use ML too. The possible applications are many. For example, ML is used to identify attack patterns or to prevent an incident. Attacks can be carried out over months or years, and it is therefore important to be able to identify an Indicator of Compromise (IOC) through the rapid analysis of huge amounts of data.

One field of use is Anomaly Detection. Attackers often use different methodologies, so recognizing IOCs is getting more and more complicated. Thanks to ML, it is easier to identify "normal" behavior and, consequently, to recognize anomalous behavior.

Understanding which traffic is normal and which is not is one of the most common uses of Machine Learning.

In Operational Technology (OT) and the Internet of Things (IoT) it is very common to resort to Anomaly Detection technology based on behavioral analysis (UBA, User Behavior Analytics).

Also in Vulnerability Assessment and Penetration Testing it is possible to use Artificial Intelligence: for example, there are tools that teach how to use SQL Injection techniques, which are used to attack applications that manage data through relational databases using the SQL language.

In addition, there are ML tools that are able to identify the vulnerabilities most likely to be exploited, depending on the software.

However, we must not forget the cyber security of Artificial Intelligence systems themselves: in this case we are talking about Adversarial Artificial Intelligence. In fact, if AI systems are fed incorrect data, we cannot be sure that the AI behaves the way we want it to.

Could you explain to us the use of networks of cameras or other objects to carry out certain types of attacks, such as Mirai?

Let's talk about IoT for a moment and then we will come to Mirai. The market approaches the IoT issue by thinking about the device that is compromised. If I have a network of cameras, for example, I think that the service provided may be compromised. In truth, this is only one aspect of the problem.

There are devices of all kinds on the net, from cameras to watches, from washing machines to refrigerators, including smart clothing. This means that a large number of objects can potentially be used to conduct attacks that are not directed at the service provided by the objects themselves. There are also tools that help find information about objects on the network without excessive cost, and this facilitates attackers.

An example is video surveillance cameras. The Mirai attack uses compromised cameras (which in the meantime continue to function correctly) but is aimed at other services unrelated to the functioning of the cameras. The bots installed on the cameras are used to do other things, without the real damage being noticed. The problem with the IoT is that there are thousands of objects with very low security that, as in the case of Mirai, can be used to carry out a Distributed Denial of Service (DDoS) attack against different targets.

It is certainly true that there are cyber dangers and risks associated with our model of society, but it is also true that these are often used as an excuse.

I often talk about cyber security with people of all kinds.

Sometimes it happens that mistakes are made, other times you are faced with someone better. Sometimes the difference between the two situations is very slight and therefore it is better to wait and understand.

When it comes to IoT security, on the other hand, two macro areas need to be addressed.

The first is the governance of the IoT. Often the security problem depends on a poor division of responsibilities within the organization. Taking responsibility for camera security, for example, comes at a cost; therefore someone must not only take responsibility but also bear that cost. There is no security at no cost.

The second point concerns the market. If devices such as Internet-connected refrigerators are sold to the general consumer, the user cannot be expected to understand anything about cyber security. The manufacturer should take charge of the security and certification of these products. This will most likely increase the cost of the product, but I don't think it can be avoided.
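The two answers above describe, in prose, what a SOC would actually look for: a per-device behavioral baseline (the "normal" behavior that ML or UBA learns) and a camera that keeps streaming video while also acting as a Mirai-style bot, sweeping other hosts and flooding an outside target. The following Python block is an added illustration written for this page; it is not Exprivia's SOC code nor anything Raguseo describes. The flow records, the device names, the IP addresses and the 5-minute windows are all constructed for the example, and the "ML" is deliberately the simplest statistical form (per-device mean and standard deviation of a few flow features, flagged by z-score) so that the logic is visible.

```python
"""Per-device baseline anomaly detection over constructed flow summaries.

Added example, not from the interview or Exprivia. Each record is
(window, device, dst_ip, dst_port, packets), as a collector might derive
from NetFlow/IPFIX or firewall logs. Windows 0-5 are a clean training
period; window 6 contains one camera behaving like a Mirai bot.
"""
from collections import defaultdict
from statistics import mean, pstdev

CAMERAS = ("cam-01", "cam-02", "cam-03")

# Constructed training data: each camera streams RTSP to the NVR, syncs NTP,
# and every other window checks in to a firmware server over HTTPS.
TRAINING_FLOWS = []
for window in range(6):
    for cam in CAMERAS:
        TRAINING_FLOWS.append((window, cam, "10.0.0.5", 554, 1000 + 20 * window))
        TRAINING_FLOWS.append((window, cam, "10.0.0.1", 123, 4))
        if window % 2 == 0:
            TRAINING_FLOWS.append((window, cam, "10.0.0.2", 443, 30))

# Constructed detection window: all cameras still stream normally (the service
# is not degraded), but cam-02 also sweeps a /24 on telnet and floods one host.
DETECTION_FLOWS = []
for cam in CAMERAS:
    DETECTION_FLOWS.append((6, cam, "10.0.0.5", 554, 1100))
    DETECTION_FLOWS.append((6, cam, "10.0.0.1", 123, 4))
DETECTION_FLOWS += [(6, "cam-02", f"198.51.100.{i}", 23, 3) for i in range(1, 41)]
DETECTION_FLOWS.append((6, "cam-02", "203.0.113.10", 80, 60000))


def summarize(flows):
    """Aggregate raw flows into one feature vector per (window, device)."""
    dsts, ports, pkts = defaultdict(set), defaultdict(set), defaultdict(int)
    for window, dev, dst, port, n in flows:
        key = (window, dev)
        dsts[key].add(dst)
        ports[key].add(port)
        pkts[key] += n
    return {
        key: {
            "distinct_dsts": len(dsts[key]),
            "distinct_ports": len(ports[key]),
            "packets": pkts[key],
        }
        for key in dsts
    }


def build_baseline(training_flows, std_floor=1.0):
    """Learn per-device (mean, std) of each feature from the clean period.

    std_floor guards the edge case of a feature that is constant during
    training (std 0 would make any deviation an infinite z-score) and keeps
    one-unit jitter from becoming an alert.
    """
    series = defaultdict(lambda: defaultdict(list))
    for (_, dev), feats in summarize(training_flows).items():
        for name, value in feats.items():
            series[dev][name].append(value)
    return {
        dev: {name: (mean(vals), max(pstdev(vals), std_floor))
              for name, vals in per_feature.items()}
        for dev, per_feature in series.items()
    }


def detect(baseline, flows, threshold=3.0):
    """Return {(window, device): {feature: z}} for windows where some
    feature exceeds its learned mean by more than `threshold` std devs.
    A device with no baseline is reported too: an unknown talker on the
    camera VLAN is itself worth an inventory check."""
    alerts = {}
    for key, feats in summarize(flows).items():
        dev = key[1]
        if dev not in baseline:
            alerts[key] = {"unknown_device": float("inf")}
            continue
        high = {}
        for name, (mu, sd) in baseline[dev].items():
            z = (feats[name] - mu) / sd
            if z > threshold:
                high[name] = round(z, 1)
        if high:
            alerts[key] = high
    return alerts


if __name__ == "__main__":
    for key, reasons in detect(build_baseline(TRAINING_FLOWS), DETECTION_FLOWS).items():
        print(key, reasons)
```

In this constructed data only cam-02 in window 6 is flagged, on `distinct_dsts` (the telnet sweep) and `packets` (the flood), while its RTSP stream to the NVR is indistinguishable from its neighbors, which is exactly the point made in the interview: the camera's own service keeps working while the device is used against someone else. A real deployment would replace the hand-built records with collector output, add features such as destination ASN or bytes per flow, and tune the threshold per device class.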

Another topic we care a lot about is research and training. What are the relationships between your SOC and universities, schools and research centers?

Our SOC was opened at the Exprivia headquarters in Molfetta, but our staff is distributed all over the world. Having the opportunity to collaborate with universities, both for research activities and in the selection of talent, is one of our priorities.

The industry always has the sad problem of being under the pressure of return on investment, so, considering that attackers invest in research and development, we must too.

We also participate in various projects with universities, including ECHO, a European Union project that aims to increase the cyber resilience capacity of the member countries. All of this helps us to reduce the gap between attackers and defenders.

Exprivia has also launched an Academy that allows us, on the one hand, to retrain staff with new skills useful for staying on the job market and, on the other, to train new staff.

With the introduction of Artificial Intelligence, the time for an attack and for the identification of a defense strategy is getting shorter and shorter. How can AI be used to defend yourself?

AI is mainly used to identify an attack and suggest the best moves in response. AI can help, but today everything also depends on the technology used in the systems, on the people and their preparation, and on many other elements.

In general, however, we must speak of an incident and not an attack.

When there is an incident, after a first analysis it is already possible to understand whether an attack is in progress, and AI can help both in the analysis and in the elaboration of adequate countermeasures in the shortest time.

However, we must remember that, in general, there is no type of defense that is always valid for every type of attack, so one should not make the mistake of thinking that AI is the solution to all types of attack. Fortunately, however, there are tools that use Artificial Intelligence in different ways.

In general, cyber security is very complex and depends on many factors; Artificial Intelligence can help, but it can also prove useless or dangerous. Much still depends on people's ability.

What are the new cyber security solutions?

Today there is a lot of talk about micro-segmentation, a very useful technology thanks to which two users can talk only over specific channels, on particular services or on particular topics, not on everything.

Moving to the Cloud is also one of the issues that is still much discussed but often little understood; the Cloud can certainly help improve security, but the important thing is that it is used correctly.

Domenico, you gave a nice overview of the SOC and the technologies that can be used, but we still have one curiosity, so, to close, let's go back to the first question: why in Puglia?

Exprivia, a company founded by its current president Domenico Favuzzi, listed on the stock exchange and with about 2,400 employees, has its headquarters in Puglia.

So the most reasonable thing seemed to us to open the SOC in this region, also to contribute to the development of the territory. It is clear that we provide services everywhere, in Italy and abroad; a lot of the staff are from Puglia, but the professionals who work with us come from different regions, working remotely or otherwise, with Italian and foreign clients.

Alessandro Rugolo, Maurizio D'Amato, Simone Domini

To learn more:

- Exprivia - Future. Perfect. Simple

- Exprivia Threat Intelligence Report 2Q 2021

- Cyber security: what is a SOC? - Online Defense

- ECHO Network

- What is SCADA System? - Basics of SCADA - InstrumentationTools

- What is PLC? Programmable Logic Controller - Unitronics (unitronicsplc.com)