Detection and response testing for Elisa CSOC
Client need
Ensuring high performance of cyber attack detection and response solutions
As a critical infrastructure operator, Elisa has a great responsibility to ensure the cyber security of its network in all circumstances. They need to detect and respond to cyber attacks as accurately and swiftly as possible. For this purpose, they have in-house CSOC services and supporting SIEM, MDR, and EDR solutions.
To ensure that their cyber security operations work as expected, Elisa started continuous testing, also known as Purple Teaming, with Fraktal in 2019. Purple Teaming is based on continuous attack simulation, response, and validation. Everything is done in close cooperation, which enables an iterative approach to developing CSOC operations and related incident management processes.
From yearly testing to Purple Teaming
Many companies test their cyber security center with penetration testing or Red Teaming. However, this is usually done as a yearly spot check. It requires a lot of planning, and the results are limited to that point in time and the chosen target areas. Retesting also requires a huge effort and is generally left waiting for the next annual test. This kind of testing became too rigid and ineffective for Elisa’s needs.
Elisa wanted to implement continuous testing that leads to rapid improvement of their detection and response safeguards. They also wanted their in-house defense team (blue team) to work closely with the attacking test team (red team) to learn and develop through close cooperation.
The solution that meets their security demands is Purple Teaming. Purple Teaming gives a clear and more real-time view of the cyber security level, enables fast reaction to possible cyber security gaps, and sets metrics for quality monitoring. It is a flexible, timely testing model that gives impartial hard data and ensures development.
We delivered
Continuous improvement of cyber resilience
With Purple Teaming, Elisa can verify and improve its security posture monthly. The continuous model is based on attack simulation, response, and validation. Together the teams go through the results: were all the attacks detected, how were they responded to, and what can be improved. Everything is executed in close cooperation, which enables an iterative approach to developing security operations.
“If the testing shows that something doesn’t work as it should, we can plan corrective measures together with Fraktal and then do the testing again to make sure everything works properly. With the help of continuous testing, we have learned to detect attack methods, attack chains, attack goals, and attack targets even better than before. One of our specialists noted that this is the best thing after sliced bread!”, says Chief Information Security Officer Teemu Mäkelä from Elisa.
Detect, respond, validate, repeat
Purple Teaming takes into account the different elements of cyber security: technology, processes, and human action. This way it supports Elisa’s cyber resilience comprehensively. It offers a clear view of their cyber security level and makes responding to possible cyber security gaps faster. If larger development issues arise, they can be prioritized according to their urgency.
This model of testing brings transparency to CSOC operations, and impartial monthly data helps validate and optimize cyber security capabilities. Purple Teaming has enabled Elisa to foster important themes such as competence development, continuous improvement, and growing a strong cyber culture within the company.
Technologies and methods
Targeted attack scenarios
We create targeted attack scenarios that we run in our client’s environments and against their services. These scenarios comprise multiple test cases that cover the whole life cycle of a cyber attack. The objective of the scenarios is to reach target data or system functions set together with the client as flags. Defining the scenarios also allows for easy retesting of improved defenses, validating the work of the client’s blue team.
Monthly walkthroughs
A key activity in our service is monthly walkthroughs with the blue team. This ensures that our testing activities are transferred into knowledge that the security and operations teams can use to improve their detection and response.
Dynamic dashboard
As a true Purple Teaming experience, the client gets full visibility through a dynamic dashboard. It includes all the performed tests and analysis on how the detection technologies and the blue team fared, as well as metrics set up together with the client.
Mapping to MITRE ATT&CK®
All our attacks and results are mapped to the industry-standard MITRE ATT&CK framework. As the coverage is extended over time, confidence in continuous improvement also increases.
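The sections above describe the bookkeeping behind the service: test cases grouped into scenarios with agreed flags, monthly walkthroughs of what was detected and responded to, dashboard metrics, and a mapping of every test to MITRE ATT&CK. The following Python tracker is an added example of that bookkeeping, not Fraktal's or Elisa's tooling; the technique IDs are real ATT&CK identifiers, while the scenario names, timestamps, outcomes and the priority technique list are constructed to illustrate the metrics. It goes slightly beyond the text by also diffing two months of results to surface fixed detections and regressions after a retest.

```python
"""Purple-team result tracker (added example, not the service's own code).

Records each executed test case with its ATT&CK technique and tactic, whether
the detection stack raised an alert, whether the blue team responded, and
whether the attacker-side objective (the "flag") was reached. From that it
derives the kind of figures a monthly walkthrough or dashboard would show.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Iterable, Optional


@dataclass(frozen=True)
class TestCase:
    scenario: str                 # attack scenario the case belongs to
    technique: str                # MITRE ATT&CK technique ID, e.g. "T1566"
    tactic: str                   # ATT&CK tactic name
    executed_at: datetime
    detected_at: Optional[datetime] = None   # None: no alert was raised
    responded_at: Optional[datetime] = None  # None: no analyst action
    flag_reached: bool = False               # attacker reached the agreed flag


def tactic_metrics(cases: Iterable[TestCase]) -> dict[str, dict]:
    """Aggregate one month's test cases per ATT&CK tactic."""
    by_tactic: dict[str, list[TestCase]] = defaultdict(list)
    for c in cases:
        by_tactic[c.tactic].append(c)
    out: dict[str, dict] = {}
    for tactic, tcs in by_tactic.items():
        detected = [c for c in tcs if c.detected_at is not None]
        responded = [c for c in detected if c.responded_at is not None]
        # time-to-detect in minutes, only for cases that were detected at all
        ttd = [(c.detected_at - c.executed_at).total_seconds() / 60 for c in detected]
        out[tactic] = {
            "tests": len(tcs),
            "detected": len(detected),
            "responded": len(responded),
            "flags_reached": sum(c.flag_reached for c in tcs),
            "median_ttd_min": median(ttd) if ttd else None,
        }
    return out


def technique_coverage(cases: Iterable[TestCase], priority: list[str]) -> dict:
    """Which of the techniques agreed with the client have been exercised so far."""
    tested = {c.technique for c in cases}
    wanted = set(priority)
    return {
        "tested": sorted(tested & wanted),
        "untested": sorted(wanted - tested),
        "coverage": len(tested & wanted) / len(wanted),
    }


def retest_delta(previous: Iterable[TestCase], current: Iterable[TestCase]) -> dict:
    """Compare two months: techniques now detected that were missed, and regressions."""
    def status(cs: Iterable[TestCase]) -> dict[str, bool]:
        s: dict[str, bool] = {}
        for c in cs:  # a technique counts as detected if any of its cases was
            s[c.technique] = s.get(c.technique, False) or c.detected_at is not None
        return s
    prev, curr = status(previous), status(current)
    fixed = sorted(t for t in curr if curr[t] and prev.get(t) is False)
    regressed = sorted(t for t in curr if not curr[t] and prev.get(t) is True)
    return {"fixed": fixed, "regressed": regressed}


# ---- constructed sample data (not real test results) ----
_T0 = datetime(2024, 3, 4, 9, 0)


def _case(scn, tech, tactic, start_min, det=None, resp=None, flag=False) -> TestCase:
    start = _T0 + timedelta(minutes=start_min)
    return TestCase(scn, tech, tactic, start,
                    start + timedelta(minutes=det) if det is not None else None,
                    start + timedelta(minutes=resp) if resp is not None else None,
                    flag)


MARCH = [
    _case("S1", "T1566", "Initial Access", 0, det=5, resp=30),
    _case("S1", "T1059", "Execution", 15, det=2, resp=30),
    _case("S1", "T1003", "Credential Access", 40),             # missed entirely
    _case("S1", "T1021", "Lateral Movement", 60, det=20),      # alert, no response
    _case("S1", "T1041", "Exfiltration", 90, flag=True),       # missed, flag reached
]
APRIL = [  # retest after corrective measures
    _case("S1", "T1003", "Credential Access", 0, det=4, resp=25),
    _case("S1", "T1041", "Exfiltration", 30, det=10, resp=45),
    _case("S1", "T1021", "Lateral Movement", 60),              # regression
]
PRIORITY = ["T1566", "T1059", "T1003", "T1021", "T1041", "T1078"]  # constructed list

if __name__ == "__main__":
    for tactic, m in tactic_metrics(MARCH).items():
        print(f"{tactic:18} {m}")
    print(technique_coverage(MARCH, PRIORITY))
    print(retest_delta(MARCH, APRIL))
```

The per-tactic figures are what a monthly walkthrough would put in front of the blue team: a tactic with tests but no detections points at a gap in the SIEM/EDR content, a detection without a response points at the incident management process, and a reached flag shows the attacker objective was not stopped. The retest diff makes regressions visible, which is the reason for retesting improved defenses rather than assuming a fix holds.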