The digital era is characterized by the wide availability of computational power and of heterogeneous data that is constantly produced and accumulated. The ability to analyze, compose, correlate and process these data can be decisive in identifying threats and vulnerabilities and in predicting incidents in various contexts of critical interest to our society: cyber security, cyber warfare, anti-fraud and critical infrastructures. These are major examples of Engineering's daily activities for its own data centers and for customer data centers.
Engineering.MO is currently ISO 27001 (Information Security) and ISO 20000 (Service Management) certified.
This means that all internal processes, from Information Security Management to Change Management, Incident Management and Problem Management, are periodically verified by an external qualified auditor who checks that they comply with the above standards.
The Engineering.MO Cyber Security division is in charge of:
- Define the organization's Security Policy;
- Define the security standards;
- Review the security-related procedures developed by the Operations organization;
- Handle the security monitoring infrastructure;
- Periodically verify the security state of the managed environments;
- Perform the Risk Assessment for the managed perimeter;
- Support security audits;
- Perform security training.
Under the “Security Operations” definition we include all the tasks related to the ordinary and extraordinary maintenance of system and security devices. This mainly refers (but is not limited) to the Incident, Change and Problem management processes. Those tasks are performed by technical specialists (firewall specialists, network specialists, system specialists, and so on) belonging to the operations teams, according to the policies and procedures defined or validated by the Security team. The “core” components of the SOC security monitoring capability (the log management platform, the physical access control systems and the access management platform) are directly in charge of the SOC team, a dedicated team with specific training in security compliance and in ethical hacking, which is committed to performing security surveillance on the involved perimeter.
Premises and infrastructure in the Data Centre are designed to ensure maximum continuity of service and provide the following systems:
- 24 hours/7 days Surveillance
- TVCC (CCTV, with recorded video log)
- Intrusion Detection Systems
- Computerized Access Control
- Fire Extinguishment Systems (detection and extinguishment by natural gas)
- Computerized plant monitoring and control system
Engineering Data Centers are built with physical segmentation of the space into “security levels”, in order to ensure that only authorized people can physically reach the IT infrastructure. A secured, badge-controlled door operates between levels, ensuring that no unauthorized person can enter a level alone. By policy, no external provider or other unauthorized person (including employees) can enter a data center alone. Every guest must be accompanied by an authorized internal referent holding adequate data center authorization.
Periodic vulnerability assessments are performed on the infrastructure from the public Internet (for exposed systems). Internal vulnerability assessments are performed on a "per customer" schedule. All evidence coming from the vulnerability assessments is collected by the centralized SOC infrastructure and then integrated, through an automated process, with the CMDB information to provide a clear map of the perimeter's exposure level.
That information is then made available to the SOC, to provide the capability to measure the risk present in the different areas, and to the Operations teams, so that they can define and implement a consistent mitigation plan according to the service windows defined in each customer context.
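The join between scan evidence and CMDB records described above, as an added illustration that is not Engineering's own tooling: findings are weighted by Internet exposure, rolled up per customer, and grouped into a mitigation plan by the agreed service window. All asset names, findings and windows are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not real scan output or CMDB records).
# Findings as a vulnerability scanner would export them, keyed by scanned host.
VA_FINDINGS = [
    {"host": "web01", "plugin": "TLS 1.0 enabled", "cvss": 5.3},
    {"host": "web01", "plugin": "Outdated web server", "cvss": 9.8},
    {"host": "db01", "plugin": "Default DB account", "cvss": 7.5},
    {"host": "app02", "plugin": "Missing OS patches", "cvss": 8.8},
    {"host": "ghost9", "plugin": "Missing OS patches", "cvss": 8.8},  # not in CMDB
]
# CMDB records: owning customer, whether the asset is Internet-facing, and the
# maintenance window agreed with that customer.
CMDB = {
    "web01": {"customer": "acme", "exposed": True, "window": "Sat 02:00-06:00"},
    "db01": {"customer": "acme", "exposed": False, "window": "Sat 02:00-06:00"},
    "app02": {"customer": "globex", "exposed": False, "window": "Sun 22:00-24:00"},
}

def severity(cvss):
    """Bucket a CVSS base score into the usual report severities."""
    return "critical" if cvss >= 9 else "high" if cvss >= 7 else "medium" if cvss >= 4 else "low"

def exposure_map(findings=VA_FINDINGS, cmdb=CMDB):
    """Join findings with CMDB data; Internet-facing assets weigh double.
    Returns per-customer risk totals, a mitigation plan grouped by
    (customer, service window), and hosts the CMDB does not know about
    (an inventory gap the SOC should chase, not silently drop)."""
    risk = defaultdict(float)
    plan = defaultdict(list)
    unknown = set()
    for f in findings:
        asset = cmdb.get(f["host"])
        if asset is None:
            unknown.add(f["host"])
            continue
        weight = 2.0 if asset["exposed"] else 1.0
        risk[asset["customer"]] += f["cvss"] * weight
        plan[(asset["customer"], asset["window"])].append(
            (f["host"], f["plugin"], severity(f["cvss"])))
    # Highest severity first inside each service window.
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    for items in plan.values():
        items.sort(key=lambda i: order[i[2]])
    return dict(risk), dict(plan), sorted(unknown)
```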
The SOC infrastructure also collects all log information coming from security devices (firewalls, IDS/IPS, secure web gateways, etc.), from network devices (routers, switches, load balancers, etc.) and from systems (OS logs, DB logs, middleware logs, application logs, etc.) in order to identify potential threats and raise the needed alarms. This is performed through a SIEM platform, currently based on the Intel Security McAfee Enterprise Security Manager (ESM) solution, which provides collection, normalization, indexing, correlation and presentation capabilities to the SOC operators. Once the correlation platform raises a Security Alarm, it is analysed by the Security Team and then, once confirmed, the Incident Response Team is invoked, according to the Security Incident Management procedure and under the coordination of the Security Officer, to perform the mitigation.
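The normalization and correlation steps described above, as an added example that is not the ESM product's logic or Engineering's rule set: two heterogeneous sources (firewall denies and Linux sshd logins) are mapped onto a common event schema, and a simple rule raises an alarm when a source that was repeatedly denied by the firewall shortly afterwards logs in successfully. The log lines, hosts and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): a firewall deny stream and a
# Linux auth log, as a SIEM collector would receive them.
RAW_LOGS = [
    "2024-03-01T10:00:01 fw01 DENY src=203.0.113.7 dst=10.1.2.3 dport=22",
    "2024-03-01T10:00:05 fw01 DENY src=203.0.113.7 dst=10.1.2.4 dport=22",
    "2024-03-01T10:00:09 fw01 DENY src=203.0.113.7 dst=10.1.2.5 dport=22",
    "2024-03-01T10:00:12 fw01 DENY src=198.51.100.9 dst=10.1.2.3 dport=443",
    "2024-03-01T10:01:30 srv01 sshd[412]: Accepted password for ops from 203.0.113.7 port 51022 ssh2",
    "2024-03-01T10:05:00 srv02 sshd[500]: Accepted publickey for deploy from 10.1.0.10 port 40000 ssh2",
]

FW_RE = re.compile(r"^(\S+) (\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")
SSH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")

def normalize(line):
    """Map a raw line onto a common event schema (ts, host, type, src_ip, ...)."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m[1]), "host": m[2], "type": "fw_deny",
                "src_ip": m[3], "dst_ip": m[4], "dport": int(m[5])}
    m = SSH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m[1]), "host": m[2], "type": "ssh_login",
                "src_ip": m[4], "user": m[3]}
    return None  # unparsed lines stay out of correlation (they would be indexed raw)

def correlate(events, min_denies=3, window=timedelta(minutes=5)):
    """Rule: at least min_denies firewall denies from one source, followed
    within `window` by a successful SSH login from that same source -> alarm."""
    denies = defaultdict(list)
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "fw_deny":
            denies[ev["src_ip"]].append(ev["ts"])
        elif ev["type"] == "ssh_login":
            recent = [t for t in denies[ev["src_ip"]] if ev["ts"] - t <= window]
            if len(recent) >= min_denies:
                alarms.append({"src_ip": ev["src_ip"], "host": ev["host"],
                               "user": ev["user"], "denies": len(recent)})
    return alarms

def run(lines=RAW_LOGS):
    """Collect, normalize and correlate; returns the alarms for the SOC to triage."""
    events = [e for e in map(normalize, lines) if e]
    return correlate(events)
```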
Network Security: IPS/IDS & Firewalls
The perimeter protection is implemented by setting up and configuring the hardware devices at the physical and logical levels.
- The Internet routers are configured for anti-spoofing prevention. Specific ACLs (Access Lists) can be activated in order to block IP addresses that are generating malicious traffic before it reaches the internal network. The traffic shaper is also used to mitigate DDoS attacks aimed at bandwidth consumption/starvation.
- The perimeter firewalls are in a redundant (hot-standby) configuration performing access control and allowing only legitimate communications. Intrusion Detection probes combined with event correlation engines are set to detect anomalous activities and raise alarms in case of attack.
The firewall IPS/IDS architecture has been implemented to satisfy high standards of security, performance and reliability. Other characteristics are: scalability, quick installation/replacement and the possibility to statically distribute the traffic across both appliances in order to gain the maximum advantage from the available bandwidth. Moreover, the IPS/IDS, a software add-on included with the firewall, actively protects the network from known and unknown attacks using security intelligence technology.
The Engineering and Cloud infrastructure is periodically audited. This is necessary in order to identify security holes/vulnerabilities and to guarantee that the highest level of security is always in place.
The Vulnerability Assessment is performed using specific tools aimed at identifying the vulnerabilities (exploitable weaknesses) of both operating systems and common applications (web server, DNS, SMTP, etc.). These vulnerability checks are aimed at finding both intrinsic product vulnerabilities and configuration errors; for each identified vulnerability instance, a specific countermeasure (reconfiguration and installation of patches) is applied. Because of the possible overload on the infrastructure, those tasks are run in agreement with the customer and within the arranged policy level.