What Value does a Managed Security Operations Center Bring to Your Ecosystem?

Michel Ludolph

For many of today’s enterprises, the expanding cyberattack landscape is daunting. The complexity, frequency and high-value damage these attacks present to a company’s brand and bottom line seem overwhelming. Companies are trying not only to address greater cybersecurity risks and growing requirements, but also to get their arms around global data privacy and regulatory requirements, such as the European Union’s General Data Protection Regulation (GDPR). All of this drives greater security spending. According to Gartner, global spending on information security products and services will reach more than $114 billion in 2018, and by 2019 it estimates the market will grow 8.7% to $124 billion.

Managed security solution providers (MSSPs), such as Motiv ICT Security in the Netherlands, provide hosted security operations center (SOC) solutions that help companies prevent cybercrime, data theft and data leakage. Since 1998, Motiv has been implementing, maintaining and managing innovative products that offer the safety of a guaranteed information stream combined with optimal information security. The Dutch MSSP is now an Equinix Cloud Exchange Fabric™ (ECX Fabric™) partner and reseller, offering its Motiv SOC solution and services to customers in the Netherlands. The combined Motiv and Equinix solution provides businesses with access to multiple cloud, network and security services to support a variety of business use cases.

The Motiv security operations center on Platform Equinix

In the Motiv SOC, all activity on a customer’s applications and associated data is collected, analyzed and correlated centrally, so deviations can be recognized quickly and reported. Initially, the SOC service was mainly reactive, but Motiv is now focusing on real-time alerting to give customers faster insight, so they can immediately analyze and resolve potential security breaches.

The strength of the Motiv SOC is that it links to all types of applications, servers, databases and other information sources. Motiv supports its customers by selecting the right sources to link to the SOC, depending on the business processes and the associated risk profile. Subsequently, on the basis of a large set of use cases (potential events), suspect patterns and deviations are recognized and analyzed automatically.

Platform Equinix® provides secure, private access into multiple public cloud providers (e.g., AWS, Google Cloud Platform, Microsoft Azure, Oracle Cloud, IBM Cloud) via global, software-defined interconnection that is enabled by ECX Fabric. By avoiding the internet, ECX Fabric seamlessly integrates public cloud platforms with on-premises infrastructures to create high-performance, scalable, reliable, and secure hybrid and multicloud environments. Cloud services buyers can easily and quickly create virtual circuits into multiple cloud services offered by cloud services sellers via an ECX Fabric customer portal. The first sellers on ECX Fabric were public cloud providers, but that has now expanded to providers of network and security services as well.

Motiv sees the following value-add of the ECX Fabric for its customers:

  • Optimized connectivity by reducing latency and avoiding the need for internet tunnels. “Chatty” applications profit from this lower latency, and traffic is transported more efficiently as large maximum transmission unit sizes become viable.

  • Lower barriers to interconnecting with third-party services. Leveraging the ECX Fabric customer portal, customers can connect to clouds, networks and distributed denial of service protection infrastructures with a few mouse clicks.

Motiv/Equinix customer use cases

The following Motiv SOC and ECX Fabric customer use cases highlight a number of common security issues:

  1. DNS record monitoring: Whenever an unauthorized third party obtains access to the domain name system (DNS) records of a certain domain, it can conduct a “man in the middle” (MITM) attack targeting the websites in that zone. This attack can be detected by periodically checking the DNS records for changes. The solution provided is a Python script that retrieves a domain-name list and queries the corresponding records. The results obtained are then compared with the data in a trusted database. In case of discrepancies, an event is created in the Emergency Security Management system.
  2. Detection of outgoing SMB traffic: Server Message Block (SMB) traffic is not supposed to be forwarded to the internet through firewalls. Such occurrences are a sign of data exfiltration (the unauthorized transfer of data from a computer or other device) or of a MITM attack aimed at obtaining user login credentials. Firewall logs will expose such an event.
  3. AD honey account: An Active Directory (AD) honey account is an account that is not being used. As a result, any usage identified is suspicious. Hence, creating an AD honey account and checking the Windows event logs for any use of this account increases the detection of unwanted intrusions.
  4. Hosts being part of a crypto miner pool: This is a use case in which a customer wants to be warned that company assets are being used to mine cryptocurrency. Mining is repeatedly calculating the hash of a set of transactions until a hash is found that meets certain criteria. It is unwanted because it increases the electricity bill and lowers productivity. Miners use mining pools that combine the computing power of many hosts. Host abuse can be detected by collecting the IP addresses and domain names used by these pools and matching them against network logs.
  5. Office 365 bulk data access from OneDrive and SharePoint: A bulk data transfer is suspicious. By setting a threshold on the maximum amount of data that can be exported during a predefined time frame, data exfiltration can be detected and confidential corporate data can be protected.
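The DNS record monitoring in use case 1 compares freshly resolved records against a trusted baseline and raises an event on any discrepancy. The script below is an added example of that pattern, not Motiv's own script: it assumes the baseline is a dict keyed by (domain, record type), that a resolver is any callable returning the observed value set or None on failure, and it constructs its own sample baseline and stub resolver so it runs offline. The DnsEvent structure and the documentation-reserved names and addresses are constructed for the example. It also reports a failed lookup as its own event, since treating an outage or takeover as "no change" would hide exactly the case the monitor exists for.

```python
"""Baseline-comparison DNS record monitor (added example, not Motiv's script).

Assumptions (not from the page): the trusted baseline is a dict mapping
(domain, record type) to the set of expected values; a resolver is any
callable resolve(domain, rtype) -> set[str] | None, where None means the
lookup failed. The DnsEvent structure and the sample data are constructed.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

RecordKey = Tuple[str, str]                          # (domain, record type)
Resolver = Callable[[str, str], Optional[Set[str]]]  # None == lookup failed


@dataclass(frozen=True)
class DnsEvent:
    """One finding for the SOC: the record set changed, or it could not be
    resolved at all (an outage or takeover also deserves attention)."""
    domain: str
    rtype: str
    kind: str                  # "changed" or "lookup_failed"
    added: FrozenSet[str]      # values seen now but absent from the baseline
    removed: FrozenSet[str]    # baseline values no longer present


def _normalize(values: Set[str]) -> FrozenSet[str]:
    # DNS names are case-insensitive and answers may differ in a trailing dot,
    # so normalize before comparing to avoid false positives.
    return frozenset(v.strip().lower().rstrip(".") for v in values)


def check_records(baseline: Dict[RecordKey, Set[str]], resolve: Resolver) -> List[DnsEvent]:
    """Query every baseline record and report drift or lookup failures."""
    events: List[DnsEvent] = []
    for (domain, rtype), expected in sorted(baseline.items()):
        exp = _normalize(expected)
        observed = resolve(domain, rtype)
        if observed is None:
            # A failed lookup is reported, never silently treated as "no change".
            events.append(DnsEvent(domain, rtype, "lookup_failed", frozenset(), exp))
            continue
        obs = _normalize(observed)
        if obs != exp:
            events.append(DnsEvent(domain, rtype, "changed", obs - exp, exp - obs))
    return events


def socket_a_resolver(domain: str, rtype: str) -> Optional[Set[str]]:
    """Live resolver for A records using only the standard library; plug in a
    DNS library for other record types. Returns None on any resolution error."""
    if rtype != "A":
        raise ValueError("socket_a_resolver only handles A records")
    try:
        _, _, addrs = socket.gethostbyname_ex(domain)
    except OSError:  # gaierror and herror are both OSError subclasses
        return None
    return set(addrs)


# Constructed sample baseline (documentation-reserved names and addresses).
BASELINE: Dict[RecordKey, Set[str]] = {
    ("www.example.test", "A"): {"192.0.2.10", "192.0.2.11"},
    ("example.test", "MX"): {"10 mail.example.test."},
    ("api.example.test", "A"): {"192.0.2.20"},
}

# Constructed stub standing in for a live resolver: www has one address swapped
# for an unknown one, the MX answer differs only in case, api fails to resolve.
_STUB_ANSWERS: Dict[RecordKey, Set[str]] = {
    ("www.example.test", "A"): {"192.0.2.10", "198.51.100.7"},
    ("example.test", "MX"): {"10 MAIL.example.test"},
}


def stub_resolver(domain: str, rtype: str) -> Optional[Set[str]]:
    return _STUB_ANSWERS.get((domain, rtype))


if __name__ == "__main__":
    # Swap stub_resolver for socket_a_resolver (A records only) to run it live.
    for ev in check_records(BASELINE, stub_resolver):
        print(f"{ev.kind:14} {ev.rtype:3} {ev.domain}: +{sorted(ev.added)} -{sorted(ev.removed)}")
```

Running it against the stub yields two events: a lookup failure for api.example.test and a change for www.example.test listing the new address as added and the missing one as removed; the MX record produces nothing because the case difference is normalized away. Each DnsEvent is what a real deployment would forward to the security management system.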

The attacks described above go unnoticed on a network protected only by a firewall that monitors basic connection states. Collecting logs and correlating them against known attack patterns can prevent intrusion, data leakage and compromise. The SOC can prove to be a vital asset here, supporting incident response and compliance audits.

Motiv is excited to offer its services to its customers via ECX Fabric. Here are a few of the benefits the company is realizing and passing on to its customers:

  1. Increased performance: The F5 Silverline cloud-scrubbing center is directly connected to ECX Fabric. As a result, Motiv no longer needs to connect to the cloud-scrubbing center via GRE tunnels, but instead can use a private Ethernet connection. Consequently, there are no longer any limitations on maximum transmission unit (MTU) sizes, resulting in better throughput.
  2. Secure, private interconnection with public cloud providers: Now that both Microsoft Azure and the Motiv SOC are connected to the same ECX Fabric, events produced by Azure Security Center can be privately and securely routed into the Motiv SOC. This is easy, requiring only that Azure Monitor and the virtual circuit into Motiv be set up.

“Our security monitoring solution’s real-time alerting gets quicker insights to our customers so they can immediately analyze and solve problems,” said Maarten Lutterman, senior technology specialist, Motiv. “Equinix Cloud Exchange Fabric, with its fast and secure multicloud access, is the underlying interconnection platform that’s making it all happen.”

We are proud to announce that Equinix is the recipient of the MEF18 Fulfillment and Activation Implementation Project and IoT Network Platform Services Architecture awards for its Equinix Cloud Exchange Fabric™. Learn more about the ECX Fabric by viewing the video presentation below: