SOC as a Service

Safetech SOC as a Service offers speed of response and accuracy in threat detection

Operated in-house or outsourced to a specialized company like Safetech Innovations, a Security Operations Center contributes significantly to improving an organization’s security posture and increasing cyber resilience. Essentially, Safetech SOC as a Service provides continuous (24/7) monitoring of an organization’s network, systems and data, identifying and addressing potential threats before they escalate. At the same time, because threats and attacks are constantly evolving, outsourced SOC services also contribute to aligning cybersecurity with the reality of the cybercrime environment.
By contracting Safetech's Security Operations Center services, companies avoid the burden of managing and remediating threats themselves, of hiring, training and retaining the necessary specialists, and of keeping the associated costs under control.
Among the benefits offered by Safetech SOC as a Service, an important role is played by the systematic monitoring of the quality indicators of the security services provided and their continuous improvement. Within this objective, Safetech continuously aims to improve the accuracy of threat detection, thus reducing the rate of false positive and false negative detections. In this article, we will present a series of examples of improvement actions carried out by the Safetech SOC team and the results achieved.

Major benefits of using Safetech SOC as a Service

Safetech Innovations offers extensive coverage of cybersecurity risks, relying on the vast experience of its team and a diversified range of specialized services. With access to advanced tools and Threat Intelligence services, the Security Operations Center team, which currently investigates an average of 12,000 security alerts/month and handles an average of 150 security incidents/month, leverages the experience gained to proactively anticipate and manage similar risks. The expertise of the team of certified analysts ensures a complete approach to risks and helps clients maximize the value of existing investments in cyber protection solutions. At the same time, SOC services ensure non-stop monitoring, through a structured, organized and trained team of over 30 experienced specialists.
By outsourcing security operations to Safetech, companies benefit from financial predictability, eliminating the high costs associated with developing and operating an internal SOC. The quality of services is confirmed by prestigious accreditations and certifications, such as Trusted Introducer, NICP, ISO 9001 and 27001, demonstrating a solid commitment to technical and operational excellence.
At the operational level, companies that have contracted Safetech SOC as a Service report:
  • Reduction in threat detection and response time. The Safetech SOC team uses advanced technologies such as machine learning and process automation to detect anomalies and threats in real time. These tools analyze large volumes of data and quickly identify unusual behavior patterns, reducing reaction time. Attackers therefore have less time to compromise systems, and the SOC team neutralizes threats before they have significant negative effects on the organization.
  • Improvement in threat detection accuracy. A quick response is useless if it is not correct. Safetech SOC as a Service continuously aims to reduce the number of false alarms, improving the focus on real threats. Thus, the loss of time and resources caused by false alarms is eliminated, improving efficiency and reducing the operational stress of security teams.
  • Improving the level of protection through proactive measures. The SOC services offered by Safetech can include advanced analyses and post-incident reporting that highlight the causes and propose measures to prevent similar incidents. Thus, the means and monitoring procedures of the clients are constantly updated and optimized, in order to obtain a high rate of identifying and blocking threats in their early stages, reducing risks and creating a safer IT environment.

Safetech continuously optimizes its SOC activity

Safetech applies an internal process of continuous improvement of the Security Operations Center services provided to its clients. Below we present a set of five examples of improvement actions recently applied within Safetech’s security operations center and the results obtained through these actions.

• Detection of polymorphic malware files by integrating advanced sandbox systems

The SOC team noticed that certain malware files change their signature to avoid detection based on fixed rules (false negatives). To counter this, analysts configured a sandbox system that analyzes the behavior of files in isolated environments. The malware is executed and analyzed to identify suspicious actions (e.g. data encryption, connection to external servers). This action resulted in an increase in the detection rate of previously unknown malicious files by 70%.

• Correlating alerts to detect slow and persistent attacks (Advanced Persistent Threat, APT)

The starting point for this effort was the understanding that advanced, slow and stealthy attacks can go unnoticed if each individual stage does not trigger an alert. Therefore, the SOC team developed a mechanism to correlate seemingly unrelated events from network, server and endpoint logs. For example, a subtle increase in the volume of exfiltrated data, combined with logins from unusual locations, indicates an APT. In this way, they achieved a significant reduction in false negative alerts associated with persistent attacks.
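The correlation described above, written out as a small worked example. This is an added illustration, not Safetech's SOC tooling or rule set: it assumes two constructed feeds (per-user daily outbound byte counts and authentication events with a country code), treats a rise of more than 30% over the user's own baseline as a "subtle increase" in exfiltrated volume, and treats a country never seen in that user's earlier logins as an unusual location. Neither signal alone is escalated; only the combination is reported as a possible APT.

```python
from statistics import mean

# Constructed sample data (not real telemetry): eight days of per-user outbound byte
# counts from a proxy/NetFlow summary; the last entry is the day under review.
OUTBOUND_BYTES = {
    "alice": [120_000_000, 130_000_000, 110_000_000, 125_000_000,
              128_000_000, 132_000_000, 127_000_000, 205_000_000],
    "bob":   [90_000_000, 95_000_000, 88_000_000, 91_000_000,
              94_000_000, 89_000_000, 92_000_000, 93_000_000],
}

# Constructed authentication events: (user, ISO timestamp, country code).
# "ZZ" is a user-assigned ISO code, used here as a placeholder for an unexpected country.
LOGINS = [
    ("alice", "2024-05-01T08:02:00", "RO"),
    ("alice", "2024-05-03T08:10:00", "RO"),
    ("alice", "2024-05-07T07:55:00", "RO"),
    ("alice", "2024-05-08T08:01:00", "RO"),
    ("alice", "2024-05-08T03:15:00", "ZZ"),
    ("bob",   "2024-05-02T09:00:00", "RO"),
    ("bob",   "2024-05-06T09:05:00", "RO"),
    ("bob",   "2024-05-08T22:40:00", "ZZ"),
]


def exfil_increase(daily_bytes, ratio=1.3):
    """True when the last day's outbound volume exceeds the user's own
    baseline mean by the given ratio (a 30% rise is enough to count)."""
    *baseline, today = daily_bytes
    if not baseline:
        return False
    return today > ratio * mean(baseline)


def unusual_login_countries(logins, user, review_day):
    """Countries seen on review_day that never appeared in the user's earlier logins."""
    earlier = {c for u, ts, c in logins if u == user and ts[:10] < review_day}
    today = {c for u, ts, c in logins if u == user and ts[:10] == review_day}
    return today - earlier


def correlate(outbound, logins, review_day):
    """Combine the two weak signals per user; only the combination is escalated."""
    findings = {}
    for user, daily in outbound.items():
        signals = []
        if exfil_increase(daily):
            signals.append("outbound_volume_increase")
        new_countries = unusual_login_countries(logins, user, review_day)
        if new_countries:
            signals.append("login_from_unusual_location:" + ",".join(sorted(new_countries)))
        if len(signals) >= 2:
            findings[user] = {"verdict": "possible_apt", "signals": signals}
        elif signals:
            findings[user] = {"verdict": "low_priority", "signals": signals}
    return findings


if __name__ == "__main__":
    for user, finding in correlate(OUTBOUND_BYTES, LOGINS, "2024-05-08").items():
        print(user, finding)
```

With the constructed data, alice shows both a volume rise and a login from a new country and is reported as a possible APT, while bob's single unusual login stays low priority. In production the baseline window, the ratio and the definition of "usual location" are the knobs that trade false negatives against false positives.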

• Improving lateral movement detection by monitoring access to file shares

Another problem identified was that insider attackers or certain forms of advanced malware were using file shares to propagate themselves without triggering alerts. In response, security engineers at the SOC created detection rules that looked for unusual resource access patterns, such as a large volume of files accessed in a short time or multiple files being modified simultaneously by a single user. This resulted in 50% faster detection of lateral movements, preventing the spread of attacks.
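The two access patterns named above (many distinct files read in a short time, several files modified almost simultaneously by one user) expressed as sliding-window rules over a file-share audit log. This is an added example, not Safetech's detection rules: the CSV audit format, the thresholds (20 distinct reads in 60 seconds, 5 distinct modifications in 5 seconds) and the account names are constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_audit_log():
    """Build a constructed file-share audit log (CSV: timestamp,user,share,file,action).
    Sample data for this example only, not output of any real product."""
    lines = []
    base = datetime(2024, 5, 8, 9, 0, 0)
    # Normal use: alice reads three files over ten minutes.
    for i, name in enumerate(["budget.xlsx", "forecast.xlsx", "notes.docx"]):
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()},alice,fs01/finance,{name},read")
    # Normal use: bob edits two files a minute apart.
    for i, name in enumerate(["report.docx", "summary.docx"]):
        ts = base + timedelta(minutes=20 + i)
        lines.append(f"{ts.isoformat()},bob,fs01/projects,{name},modify")
    # Suspicious: 'mallory' (placeholder account) reads 25 distinct files in 30 seconds...
    for i in range(25):
        ts = base + timedelta(minutes=10, seconds=i)
        lines.append(f"{ts.isoformat()},mallory,fs01/finance,doc{i:03d}.pdf,read")
    # ...and then modifies six files within two seconds.
    for i in range(6):
        ts = base + timedelta(minutes=12, milliseconds=300 * i)
        lines.append(f"{ts.isoformat()},mallory,fs01/projects,plan{i}.docx,modify")
    return "\n".join(lines)


def parse_audit_log(text):
    """Parse the CSV lines into (timestamp, user, full path, action), sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, share, name, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, f"{share}/{name}", action))
    events.sort()
    return events


RULES = {
    # action: (distinct files needed, window length in seconds)
    "read":   (20, 60),   # mass read: many distinct files within one minute
    "modify": (5, 5),     # near-simultaneous modification of several files
}


def detect_share_abuse(events, rules=RULES):
    """Sliding window per (user, action). Fires once per user/action as soon as the
    number of distinct files touched inside the window reaches the rule's threshold."""
    windows = defaultdict(deque)
    fired = set()
    alerts = []
    for ts, user, path, action in events:
        if action not in rules:
            continue
        threshold, span = rules[action]
        q = windows[(user, action)]
        q.append((ts, path))
        # Drop events that fell out of the window (the just-appended event keeps q non-empty).
        while (ts - q[0][0]).total_seconds() > span:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold and (user, action) not in fired:
            fired.add((user, action))
            alerts.append({"user": user, "rule": f"mass_{action}",
                           "distinct_files": distinct, "window_end": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_share_abuse(parse_audit_log(constructed_audit_log())):
        print(alert)
```

Counting distinct paths rather than raw events matters: a user repeatedly saving the same document should not look like mass modification. Tuning the thresholds per share (a build server legitimately touches thousands of files) is what keeps this rule from becoming a false-positive generator.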

• Improving RCE exploit detection through context analysis

Because alerts for Remote Code Execution (RCE) vulnerabilities generate many false positives from processing legitimate but complex HTTP requests, the Safetech SOC team sought a solution. This involved correlating alerts with web server logs to identify behavioral signatures associated with the actual exploit, such as shell command execution or suspicious file uploads. A filter was also added based on the frequency and sequence of abnormal requests. As a result, the accuracy of alerts increased by 45%, and the volume of manual work was significantly reduced.
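A worked version of the triage logic described above: a generic "possible RCE" alert is confirmed only when host telemetry shows the web worker spawning a shell or writing a script file under the web root shortly afterwards, otherwise it is escalated only if the same source trips the rule repeatedly in a short window, and a lone, uncorroborated alert goes to low-priority review. This is an added example, not Safetech's correlation rules: the alert, process and file-event records, the 60-second corroboration window and the burst threshold (three alerts in 120 seconds) are all constructed assumptions.

```python
from datetime import datetime

WEB_WORKERS = {"php-fpm", "httpd", "apache2", "nginx"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
SCRIPT_EXTENSIONS = (".php", ".jsp", ".aspx")
WEB_ROOT = "/var/www/html/"

# Constructed WAF alerts; each one fired the same generic "possible RCE" rule.
WAF_ALERTS = [
    {"ts": "2024-05-08T10:00:00", "src": "203.0.113.10", "host": "web01", "uri": "/search"},
    {"ts": "2024-05-08T10:00:05", "src": "203.0.113.10", "host": "web01", "uri": "/search"},
    {"ts": "2024-05-08T10:00:12", "src": "203.0.113.10", "host": "web01", "uri": "/search"},
    {"ts": "2024-05-08T11:00:00", "src": "198.51.100.7", "host": "web02", "uri": "/api/report"},
    {"ts": "2024-05-08T12:00:00", "src": "192.0.2.5",    "host": "web01", "uri": "/upload"},
]
# Constructed endpoint telemetry: process creation (parent -> child) and file writes.
PROCESS_EVENTS = [
    {"ts": "2024-05-08T10:00:07", "host": "web01", "parent": "php-fpm", "child": "/bin/sh"},
    {"ts": "2024-05-08T11:30:00", "host": "web02", "parent": "cron",    "child": "/bin/sh"},
]
FILE_EVENTS = [
    {"ts": "2024-05-08T12:00:02", "host": "web01", "process": "php-fpm",
     "path": "/var/www/html/uploads/img.php"},
    {"ts": "2024-05-08T11:00:01", "host": "web02", "process": "php-fpm",
     "path": "/var/www/html/cache/report.json"},
]


def seconds_between(earlier, later):
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds()


def corroborating_events(alert, process_events, file_events, window=60):
    """Host-level evidence that the request behind `alert` actually executed code."""
    evidence = []
    for p in process_events:
        if (p["host"] == alert["host"] and p["parent"] in WEB_WORKERS
                and p["child"] in SHELLS
                and 0 <= seconds_between(alert["ts"], p["ts"]) <= window):
            evidence.append(f"web worker {p['parent']} spawned {p['child']}")
    for f in file_events:
        if (f["host"] == alert["host"] and f["process"] in WEB_WORKERS
                and f["path"].startswith(WEB_ROOT)
                and f["path"].lower().endswith(SCRIPT_EXTENSIONS)
                and 0 <= seconds_between(alert["ts"], f["ts"]) <= window):
            evidence.append(f"script file written under web root: {f['path']}")
    return evidence


def is_burst(alert, all_alerts, min_count=3, window=120):
    """Frequency filter: the same source tripped the rule min_count times within the window."""
    n = sum(1 for a in all_alerts
            if a["src"] == alert["src"]
            and abs(seconds_between(alert["ts"], a["ts"])) <= window)
    return n >= min_count


def triage(alerts, process_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    """Attach a verdict and the supporting evidence to every WAF alert."""
    results = []
    for a in alerts:
        evidence = corroborating_events(a, process_events, file_events)
        if evidence:
            verdict = "confirmed_exploit"
        elif is_burst(a, alerts):
            verdict = "escalate_probable"
        else:
            verdict = "review_low_priority"
        results.append({**a, "verdict": verdict, "evidence": evidence})
    return results


if __name__ == "__main__":
    for r in triage(WAF_ALERTS):
        print(r["ts"], r["src"], r["verdict"], r["evidence"])
```

The order of the checks is the point: host evidence is decisive regardless of request volume, while the frequency filter only ranks the alerts that lack it. The one alert from web02 is the "legitimate but complex request" case from the text; without a shell spawn, a script write or a burst it is demoted rather than handled manually.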

• Reduction of false positive alerts in solutions based on behavioral anomaly detection

Data accumulated within Safetech showed that security solutions based on behavioral anomaly detection can generate false positive alerts when users perform unusual but legitimate activities. For example, an employee accesses an IT resource that is unusual for their role, as part of a temporary project. In the absence of specific context, these activities are flagged as possible security incidents, which consumes time and resources for investigation.

To contextually validate the activities, the SOC team integrated the detection system with internal applications, such as project management or human resources. This allows the solution to recognize situations where unusual access is justified by new responsibilities or changes in the user’s projects. Also, in order not to treat every anomaly as a potential threat, the team configured the system to check the user activity in the context of relevant data, such as the authentication location, recent password changes or the use of unknown devices. Thus, in the absence of other signs of risk, the monitoring system gained the ability to recalibrate the priority of the alert.

At the same time, a fine-tuning of the thresholds that define what is meant by “unusual behavior” was carried out to take into account recurring seasonal activities (for example, financial reporting periods, when users access more IT resources than usual). Another action aimed at creating a mechanism through which users can quickly confirm whether an activity is legitimate, providing feedback directly in the platform used by the Safetech SOC team. This information is subsequently used to automatically recalibrate the detection algorithms.

The measures presented have led to a reduction of false positive alerts by up to 50%.
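The recalibration pipeline from the three paragraphs above (seasonal thresholds, contextual validation against project assignments, location, device and password-change data, and user feedback) combined into one worked example. It is an added illustration, not Safetech's platform logic: the context tables, the 1.5x seasonal threshold factor, the risk weights and the priority cut-offs are constructed assumptions chosen to show each decision path.

```python
from datetime import date

# Constructed context sources. In a real SOC these would come from the HR/project
# systems, the identity provider and the SOC platform's own feedback store.
PROJECT_ASSIGNMENTS = {
    "alice": [{"resource": "finance-share", "from": "2024-05-01", "to": "2024-06-30"}],
}
KNOWN_DEVICES = {"alice": {"LT-0042"}, "bob": {"LT-0101"}, "carol": {"LT-0200"},
                 "dave": {"LT-0300"}, "erin": {"LT-0400"}}
USUAL_COUNTRIES = {u: {"RO"} for u in ("alice", "bob", "carol", "dave", "erin")}
# Seasonal periods in which heavier use of certain resources is expected.
SEASONAL_PERIODS = [
    {"name": "financial reporting", "from": "2024-07-01", "to": "2024-07-15",
     "resources": {"finance-share", "reporting-db"}, "threshold_factor": 1.5},
]
# Feedback users gave earlier through the SOC platform: (user, resource) -> verdict.
USER_FEEDBACK = {("dave", "reporting-db"): "legitimate"}

# Constructed anomaly alerts: "accesses" is the observed count, "baseline" the user's usual count.
SAMPLE_ALERTS = [
    {"user": "alice", "resource": "finance-share", "day": "2024-05-10", "country": "RO",
     "device": "LT-0042", "password_age_days": 90, "accesses": 40, "baseline": 5},
    {"user": "bob", "resource": "reporting-db", "day": "2024-07-05", "country": "RO",
     "device": "LT-0101", "password_age_days": 120, "accesses": 7, "baseline": 5},
    {"user": "carol", "resource": "hr-db", "day": "2024-05-12", "country": "ZZ",
     "device": "UNKNOWN-1", "password_age_days": 2, "accesses": 30, "baseline": 3},
    {"user": "dave", "resource": "reporting-db", "day": "2024-05-12", "country": "RO",
     "device": "LT-0300", "password_age_days": 60, "accesses": 20, "baseline": 4},
    {"user": "erin", "resource": "crm-db", "day": "2024-05-13", "country": "RO",
     "device": "LT-9999", "password_age_days": 60, "accesses": 25, "baseline": 6},
]


def _d(s):
    return date.fromisoformat(s)


def threshold_factor(resource, day):
    """Raise the 'unusual' threshold for resources covered by an active seasonal period."""
    for p in SEASONAL_PERIODS:
        if resource in p["resources"] and _d(p["from"]) <= _d(day) <= _d(p["to"]):
            return p["threshold_factor"]
    return 1.0


def justified_by_project(user, resource, day):
    return any(a["resource"] == resource and _d(a["from"]) <= _d(day) <= _d(a["to"])
               for a in PROJECT_ASSIGNMENTS.get(user, []))


def recalibrate(alert):
    """Return the recalibrated priority and the reasons behind it."""
    user, resource, day = alert["user"], alert["resource"], alert["day"]
    reasons = []
    # 1. Seasonal threshold: in this period the activity may not be anomalous at all.
    factor = threshold_factor(resource, day)
    if alert["accesses"] <= factor * alert["baseline"]:
        return {"priority": "suppressed", "reasons": [f"within seasonal threshold (x{factor})"]}
    # 2. Contextual validation lowers the score; independent risk signals raise it.
    risk = 0
    if justified_by_project(user, resource, day):
        risk -= 2; reasons.append("access justified by current project assignment")
    if USER_FEEDBACK.get((user, resource)) == "legitimate":
        risk -= 2; reasons.append("user previously confirmed this activity as legitimate")
    if alert["country"] not in USUAL_COUNTRIES.get(user, set()):
        risk += 2; reasons.append("authentication from unusual location")
    if alert["device"] not in KNOWN_DEVICES.get(user, set()):
        risk += 2; reasons.append("unknown device")
    if alert["password_age_days"] <= 7:
        risk += 1; reasons.append("password changed recently")
    priority = "high" if risk >= 3 else "medium" if risk >= 1 else "low"
    if not reasons:
        reasons.append("anomaly present but no corroborating risk signals")
    return {"priority": priority, "reasons": reasons}


def triage_all(alerts=SAMPLE_ALERTS):
    return [{**a, **recalibrate(a)} for a in alerts]


if __name__ == "__main__":
    for r in triage_all():
        print(r["user"], r["resource"], r["priority"], r["reasons"])
```

With the constructed data the five alerts land in each path in turn: alice's unusual access is explained by a project assignment, bob's elevated reporting-db use falls inside the seasonal threshold, carol combines an unusual location, an unknown device and a fresh password change, dave's alert is downgraded by his earlier feedback, and erin's unknown device alone yields a medium priority. Returning the reasons alongside the priority is what lets an analyst audit why an alert was demoted.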

Advantages of collaborating with Safetech

The SOC outsourcing services provided by Safetech have a granular structure, being specially designed to allow organizations to opt for only what they need. For example, companies can choose to receive only the recurring services (monitoring, scanning and vulnerability management with 24/7 coverage), with the possibility of periodic or on-demand access to complementary services (asset discovery, advanced investigations, etc.).

Delivered through Safetech’s Computer Emergency Response Team (STI CERT®), these services represent a complex package that includes specialized and certified personnel, state-of-the-art technology and tools, mature procedures and continuously updated best practices. Combined, all of this guarantees a superior level of security and predictability, in accordance with both an organization’s business objectives and the latest national and European regulations.

For more information about the Safetech SOC as a Service offer, we invite you to contact us by email at sales@safetech.ro or by phone at +40 21 316 0565.