Cyber Security


Cyber security encompasses the technologies, processes and practices put in place to protect against cyber-attacks designed to harm a network or system, or to access data without authorisation.

The best IT security for your business offers a comprehensive solution that protects against a diverse range of threats. Ideally, your solution should include a firewall, anti-virus, anti-spam, wireless security and online content filtering. Discover how your business can benefit from a layered security approach with 3i Solutions Cyber Security.



The SOC is primarily focused on detecting potential threats within corporate networks, ranging from hackers and malware to employees who, knowingly or otherwise, seek access to confidential information that is not intended for their eyes.
Our SOC is designed to provide a very high security level for organizations.
Datacenters in the cloud are generally very secure, but cloud providers often have little to say about what is happening inside that cloud. Organizations unfortunately underestimate the specific cyber security challenges of a cloud environment. We believe that, together with datacenters, we can provide a unique service that is crucial for a comprehensive cyber security strategy.
With our SOC-as-a-Service you can benefit from our cyber experts, who design and deliver extraordinarily high-tech cyber security solutions.


Securing enterprise identities against cyber threats that target today’s hybrid IT environment of cloud, mobile and on-premises systems is a must.

Your IAM should protect you against the leading point of attack used in data breaches, compromised credentials, by securing an enterprise’s ordinary users as well as its privileged accounts.

IAM is not only valuable for security; it is also an excellent business tool. It allows a business to share its applications with any partner in the corporate world through a secure channel, so that companies and partners are on the same page in terms of security and can conveniently plan and grow business together. The question you might ask next is how information security can be ensured without compromising employees’ job performance and productivity. Is there an end to cyber policing? Yes. You can relieve your business of the everyday hassle of user management and security challenges with an identity and access management solution. Even though it may sound complex and too tricky to handle for some, it is crucial for a secure and sustainable business. Instead of giving in to the darkness of cybercrime, identity and access management (IAM) brings a torch to the looming challenges of organizational security.

An IAM infrastructure should include a technical solution as well as the supporting business processes that enable seamless identity life-cycle management.

A Distributed Denial-of-Service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems.

Our advanced DDoS solutions protect against everything from the most common attacks to sophisticated multi-vector and application-layer attacks.

Computers are very useful tools, but they are only secure when they can identify and distinguish between users in a reliable and secure way. What if someone steals your password, looks over your shoulder while you type it, or you simply use the same password for every service (which is a really bad idea, don’t do it!)?
Your PC just forwards the password to the service, which checks whether it matches the one on your account; if it does, the service assumes that must be you. As far as the service is concerned, anyone who has your password is you and can act on your behalf.

A great and widely used solution to this problem is two-factor authentication (2FA), which most often uses an external device alongside your password to verify your identity. This device can be your smartphone, a dedicated token, or even a smartcard.
Depending on the 2FA method, the service will either generate a random challenge, to be verified by the device when the user interacts with it, or request an additional code displayed on the device, usually 5-7 digits, which changes every 30 seconds or so. This way the user can prove, beyond reasonable doubt, that they are who they say they are.

Two-factor authentication is being adopted by more and more companies, as password-only authentication is proving insufficient for any normal level of security.
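The time-based codes described above are usually TOTP (RFC 6238): an HMAC over the current 30-second time step, truncated to six digits. The example below is added here to illustrate that mechanism and is not code from 3i Solutions; it assumes the RFC reference seed and a server that tolerates one step of clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per code, as in the description above
DIGITS = 6      # length of the code shown on the device


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = DIGITS,
         step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the Unix time divided by the step."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                drift_steps: int = 1) -> bool:
    """Server-side check. The current step and +/- drift_steps neighbours are
    accepted so a slightly skewed device clock does not lock the user out; the
    comparison is constant-time so timing does not leak the right code."""
    counter = at_time // TIME_STEP
    for offset in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + offset), submitted):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the shared seed as base32 (e.g. in a QR code)."""
    padded = encoded.upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    # RFC 6238 reference seed (not a real secret), as used in the RFC test vectors.
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(seed, now)
    print("code:", code, "verifies:", verify_totp(seed, code, now))
```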

A next-generation firewall (NGFW) is the third generation of firewall technology. It combines a traditional firewall with other network filtering functions, such as an application firewall using in-line deep packet inspection (DPI), an intrusion detection or prevention system (IDS/IPS), TLS/SSL encrypted-traffic inspection, website filtering, malware inspection and so on.

With an integrated NGFW you get complete network visibility and extra layers of security:

  • Application visibility and application control, even on encrypted traffic such as HTTPS
  • Identity awareness (user and group control)
  • Integrated protection (IPS, anti-malware, web filtering, data leakage protection)

Next-generation firewalls are more intelligent and can recognize an application or website regardless of IP address or port numbers. The advanced filtering technology looks deep inside packets of an application and can analyze and make intelligent decisions about which content and packets to block.

ATD solutions have many facets: they can protect web, email, endpoints, network traffic, file shares and much more from advanced threats. There are multiple deployment options, such as on-premises, cloud and hybrid. You might use ATD just for web, or for web and email, extend it to endpoints and file shares, or orchestrate everything together in one large, well-performing, integrated solution, well backed by threat intelligence and services.

What’s the most important, irreplaceable thing in your possession? The memories of the experiences you had. If you took photos of your wedding, or a video of your child’s first steps, you trust your hard drive to store this data. For businesses, data retention is not only regulated by law; these days an increasing number of business processes are carried out on computers and saved to digital media. In the event of disk or device failure, backups are key to guaranteeing business continuity.

The statistics on hard drive failure seem disheartening. A study conducted by Backblaze found that 10% of hard drives fail after three years, and 20% after five years. Backups should therefore be a key element of your IT security infrastructure.

For an outside cyber-criminal to steal data, she or he first has to gain access to a network, and the most common ways in are phishing and exploits. Nowadays operating systems, office applications and internet browsers receive almost weekly updates, because new software vulnerabilities are discovered almost daily and must be patched.

The fastest and cheapest way to prevent exploits is to discover the vulnerabilities in the source code and repair them before the application goes into production. Later it is harder, and the cost of remediation or damage grows exponentially. But developer teams don’t have trained engineers specialized in security analysis; there is nobody to search for vulnerabilities and recommend changes. Developers don’t have time for that, since modern DevOps teams must release new application versions often, sometimes daily.

But application security testing can be automated. Two well-known brands are Checkmarx and Micro Focus Fortify. These are tools or services that scan source code in different languages, integrate with build scripts or application servers, and in some cases monitor running applications. Sometimes they integrate with web application firewalls. They have databases of hundreds of source code vulnerability classes, can discover them in source code, and recommend changes to remove them. They do this not by searching for fixed code patterns but by following data input, processing and output, variable and memory usage, library and function calls, argument passing etc. They find many more vulnerabilities, much faster, than a team of security analysts would.

Your people are your greatest strength, but they can also be your greatest weakness. How will you prevent critical data and assets from being compromised by your users?

To stop insider threats in their tracks, your organization must continuously monitor all user activity.

3i-solutions monitors and audits all actions taken by employees on a company’s systems to protect data and reduce risk. We identify and eliminate insider threats from employees and guarantee that your organization has clear visibility into who is doing what, when, and why.

How can we make sure you will be informed well to make good decisions? Fast decisions? Right decisions? You already have your data sources, the battlefield. And then you must install good subordinates through which this data will flow. Based on the data, they will give you battlefield intelligence. You will decide. A battle will be won. One step closer to winning a war.

SIEM is your battlefield intelligence officer. It collects data from all the assets in your corporate network: network equipment, servers, applications, security solutions etc. It filters, enriches and aggregates that data and stores it in a central location. It correlates data from multiple source types and builds actionable intelligence. It alerts you to priority issues and reports on the ongoing situation, in detail or in general. It does most of the work for you; you only need to make the appropriate decisions. Hire Micro Focus ArcSight or McAfee SIEM as your main battlefield intelligence officer!

A Cloud Access Security Broker (CASB) is a newer kind of security solution located between corporate users and cloud applications. It allows us to detect, monitor and control the usage of cloud services far more granularly and efficiently than a web security proxy can. It is more tightly integrated with the most common cloud services, through public APIs or development partnerships, and is therefore much more capable in data protection. We can put in place security policies that protect business data even when that data is already stored outside corporate premises, in a cloud; with traditional web security solutions that is not possible. CASBs also lessen the security impact of shadow IT. Because the two are related, CASB products are often developed from scratch, or acquired through company acquisitions, by vendors of traditional web security solutions such as McAfee and Forcepoint.

Unintentional data breaches are usually caught by DLP solutions. Intentional insider attacks are more sophisticated and harder to detect, and for those we need other types of solutions besides DLP. One is direct user activity monitoring. Another is User and Entity Behavior Analytics, or UEBA.

User monitoring tools monitor single sessions. But a sophisticated attacker might perform a malicious activity in such a way that it is not directly visible in a single session on a single system. He might do a little on one server and a little on another, then lie low and change something in a database later, or in a couple of days. A week later he would put his findings in a file and send it out of the network via email. Such activities are impossible to catch with session monitoring tools, so UEBA tools were developed.

They gather and correlate input from many different sources: system and application logs, security solutions, SIEM, user directories, orchestration tools, even workstations. Sophisticated algorithms and machine learning are used to define the normal activities of users and entities, a kind of very advanced baselining. They can then detect and alert on anomalies, or security analysts can work with them interactively to search for something strange.

What is an anomaly? Let’s say a server exchanges 100Mb of traffic daily with the internet, and there is a business reason for that. Then on one day there are 5 communication sessions of 100Mb each. A UEBA tool could detect that; it is an entity anomaly. Another anomaly is a user who connects daily to his workstation and a web server, because he is the company blogger. Then one day he suddenly accesses a database server, and on the next day he sends out a large ZIP file. That is strange and can be detected with UEBA tools.
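The two anomalies just described, the server that suddenly moves five times its daily volume and the blogger who starts talking to a database server, can be caught with a simple per-entity baseline. The following is an added illustration, not code from any UEBA product; the log format, host names and traffic figures are constructed for the example, and the baseline is a plain mean plus three standard deviations rather than a machine-learning model.

```python
import statistics
from collections import defaultdict

# Constructed sample log (not from the page). One session per line:
# date,entity,peer,bytes. srv-web normally moves about 100 MB a day to the
# internet; user bob (the company blogger) only ever talks to his own
# workstation and the web server. The last lines hold the anomalies.
SAMPLE_LOG = """\
2024-03-01,srv-web,internet,101000000
2024-03-02,srv-web,internet,98500000
2024-03-03,srv-web,internet,102000000
2024-03-04,srv-web,internet,99000000
2024-03-05,srv-web,internet,100500000
2024-03-06,srv-web,internet,97800000
2024-03-07,srv-web,internet,101200000
2024-03-08,srv-web,internet,100000000
2024-03-08,srv-web,internet,100000000
2024-03-08,srv-web,internet,100000000
2024-03-08,srv-web,internet,100000000
2024-03-08,srv-web,internet,100000000
2024-03-01,bob,ws-bob,40000
2024-03-01,bob,srv-web,1500000
2024-03-02,bob,ws-bob,42000
2024-03-02,bob,srv-web,1200000
2024-03-03,bob,ws-bob,39000
2024-03-03,bob,srv-web,1800000
2024-03-08,bob,srv-db,9000000
2024-03-09,bob,mail-gw,250000000
"""

BASELINE_DAYS = 7  # learning window; every later day is scored against it


def parse_log(text):
    rows = []
    for line in text.splitlines():
        date, entity, peer, nbytes = line.split(",")
        rows.append({"date": date, "entity": entity, "peer": peer, "bytes": int(nbytes)})
    return rows


def build_baseline(rows, days=BASELINE_DAYS):
    """Per entity: the set of peers it talks to and its daily traffic totals."""
    learn_dates = set(sorted({r["date"] for r in rows})[:days])
    peers = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["date"] in learn_dates:
            peers[r["entity"]].add(r["peer"])
            daily[r["entity"]][r["date"]] += r["bytes"]
    return {"dates": learn_dates, "peers": peers, "daily": daily}


def detect_anomalies(rows, baseline, sigma=3.0):
    """Flag peers never seen while learning and days whose total volume
    exceeds mean + sigma*stdev. Returns (date, entity, reason) tuples."""
    findings = []
    scored = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["date"] in baseline["dates"]:
            continue
        scored[r["entity"]][r["date"]] += r["bytes"]
        if r["peer"] not in baseline["peers"][r["entity"]]:
            findings.append((r["date"], r["entity"], f"new peer {r['peer']}"))
    for entity, per_day in scored.items():
        volumes = list(baseline["daily"][entity].values())
        if len(volumes) < 2:
            continue  # too little history to estimate a spread
        mean, sd = statistics.mean(volumes), statistics.pstdev(volumes)
        for date, total in per_day.items():
            if total > mean + sigma * sd:
                findings.append((date, entity, f"volume {total} vs baseline {mean:.0f}"))
    return findings
```

Run as `detect_anomalies(rows, build_baseline(rows))` on the parsed sample; a real deployment would learn over weeks and use a more robust spread estimate, but the two flagged cases are the same.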

A Web Application Firewall, or WAF, is an additional security solution that protects the traffic between your (usually internal) web application server and the rest of the world. It is important in environments where applications are reachable from anywhere on the internet, even though actual application access is allowed only to authorized users.
A WAF needs to sit directly in front of the web server, as close to it as possible, perhaps even on it.

A WAF intercepts all connections between a web server and the users who connect, or try to connect, to it. It analyzes the data in the traffic and can detect advanced attacks designed specifically to break into applications. A WAF can also block attacks, report, and store audit trails of application access. Audit trails can be important, especially if you also have a SIEM, because many custom applications don’t create audit trails by themselves, or not in a supported format. A WAF also includes policy configuration for securing the traffic to the web server.

One example of an attack that a WAF can easily detect, but other security solutions cannot, is SQL injection. This attack exploits applications that do not check user input thoroughly. Because a business application often has an SQL database in its backend, a hacker can hide an SQL fragment inside a normal input field in a web form. Through such a technique he can manipulate the data, or access parts of it that should not be accessible.
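The root cause of SQL injection is the application building the query from the form field, and the durable fix is a parameterized query, with the WAF as a second line of defence in front of it. The snippet below is an added example, not 3i Solutions code; it uses a constructed in-memory SQLite table and shows the vulnerable lookup beside the parameterized one.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the database behind the form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    """The defect described above: the form field is spliced into the SQL text,
    so quote characters in the input become part of the query itself."""
    sql = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str):
    """The fix: the value travels as a bound parameter and can never change
    the structure of the query, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


def compare(name: str):
    """Run one form input through both versions; return (vulnerable, fixed) row counts."""
    conn = build_demo_db()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_parameterized(conn, name))
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: a normal name, then the classic tautology a WAF would flag.
    print(compare("alice"))         # (1, 1): both find exactly one row
    print(compare("' OR '1'='1"))   # (2, 0): vulnerable leaks every row, fixed finds none
```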

Security solutions specialized in business data protection are known as Data Loss Prevention, or DLP. They have three primary functions.

  1.  To recognize business data, whatever the document type or the language the documents are written in. This is where they perform data classification, categorization, fingerprinting, discovery, machine learning etc. Some types of data are pre-configured, such as the formats of credit card numbers, keywords etc. For custom data we point the solution at an example document, or many of them, which it then scans: the DLP can learn what our business data looks like.
  2.  To detect, or discover, this data as it is being used, transferred or simply stored somewhere. These three states are called data in use, data in motion and data at rest.
  3.  To monitor and report on data and, most importantly, to detect, alert on and possibly block everything that does not comply with the pre-configured corporate security policies and business practices. For instance, blocking users from printing certain documents, blocking a group of users from accessing a customer database, preventing any document from being sent by email except to white-listed addresses, or completely blocking the saving of documents to USB media.
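The pre-configured card-number format mentioned in item 1 is a good illustration of how a DLP classifier works: a digit pattern alone produces many false positives, so a Luhn checksum is used to confirm a candidate before the policy in item 3 acts on it. The block below is an added example, not the code of any DLP product; the keyword list and the sample document are constructed.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Keyword rule standing in for a pre-configured DLP category (constructed list).
KEYWORDS = ("confidential", "internal only")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) separates real PANs from other digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return (offset, normalised digits) for every Luhn-valid candidate."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), digits))
    return hits


def mask_card_numbers(text: str) -> str:
    """Redact all but the last four digits so the incident can be logged safely."""
    def redact(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()  # not a card number, leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(redact, text)


def classify(text: str) -> str:
    """Policy decision in the spirit of item 3: block, alert or allow."""
    if find_card_numbers(text):
        return "block"
    if any(k in text.lower() for k in KEYWORDS):
        return "alert"
    return "allow"


# Constructed sample document (not from the page); 4111 1111 1111 1111 is the
# well-known Visa test number, the other two digit strings fail the checksum.
SAMPLE_DOC = (
    "Internal only: customer paid with card 4111 1111 1111 1111 on invoice "
    "1234567890123; the typo 4111-1111-1111-1112 was rejected at checkout."
)

if __name__ == "__main__":
    print(classify(SAMPLE_DOC))
    print(mask_card_numbers(SAMPLE_DOC))
```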

Additionally, it is good to have advanced forensic capabilities for data incidents, that is, detected events that do not comply with the configured policies.

As we can see, these are usually quite “big”, complex solutions. They have a broad set of functionalities and must be able to “look” everywhere: monitor the networks, all the endpoints, applications, user directories, internet gateways, storage archives etc. Most vendors offer a complete DLP suite with the option to buy just a part of it. To get started with GDPR compliance, companies could for instance use just the discovery part of a DLP solution. Some customers need only endpoint monitoring; others don’t care about data usage on endpoints but need to monitor data transfers on local networks, web and email. Most modern web and email content security solutions already include some DLP functionality.

Security cannot be taken for granted, and criminals can hardly wait to get into your systems and network. They are after your data, and they have strong (financial) motivation. When talking about endpoint protection or endpoint security, we are referring to the security of the individual devices, such as workstations, servers and mobile devices, from which a network is accessed.

Endpoints make your work more flexible and mobile, but they are often overlooked entry vectors for threats to your infrastructure and network. Nowadays it is not enough for an endpoint security solution to just block known malware; it must also recognize suspicious behavior, raise an alert or take action, and, if an infection does happen, be able to clean it up.

Not all data is equal. Some data is more important, even among business data. We protect all business data, but there is a small fraction of data that is on a completely different level, much more important, and it requires extra special security measures.

Just as the most precious belongings in a house go into a safe, the HSM was developed as that safe for the corporate digital environment. Instead of a house we have the corporate network; instead of belongings we have network assets and data. Data is secured in a network by regular security measures, but some data we put in a safe: an HSM, or Hardware Security Module. Hardware, because it is usually a physical device, an appliance or an extension card. Security, because it is additionally secured, hardened at the physical, electronic and OS level. Hardening prevents unauthorized physical or electronic access to its contents, or shows immediate signs of tampering. A criminal trying to open it might, for instance, destroy its contents instead of gaining access to them.

What kind of data do we store in an HSM? In theory it could be anything that is precious to us, but most commonly it safeguards and manages digital keys and related material for strong authentication. That is why modern HSMs are also powerful crypto-processing appliances. We use them to store encryption secrets and to perform fast cryptographic operations such as encryption, document signing, timestamping etc. Very often they are used to protect financial networks and transactions; we call those Payment HSMs. Others can be used more broadly for all kinds of security and cryptographic purposes.

Data classification is the process of organizing data by agreed-on categories. Thoroughly planned classification enables more efficient use and protection of critical data across the organization and contributes to risk management, legal discovery and compliance processes.

There is no one “right” way to design your data classification model and define your data categories. For instance, U.S. government agencies often define three types of data: Public, Secret and Top Secret. NATO used a five-level scheme for the Manhattan Project. One option is to begin with a simple three-level type of data classification:

  • Public data — May be freely disclosed to the public (e.g., customer service contacts)
  • Internal data — Has low security requirements but is not meant for public disclosure (e.g., organizational charts)
  • Restricted data — Highly sensitive internal data whose disclosure could negatively affect operations and put the organization at financial or legal risk (e.g., customer, patient, and employee personal information; authentication data such as logins and passwords).

Your organization can use these three categories to define an initial data classification model and later on add more granular levels based on data content (PII, PHI, etc.), relevance to compliance standards or business specifics, and other criteria.

As you can see, data classification is not a magic wand that secures data or ensures compliance with regulatory requirements by itself. Rather, it helps organizations improve their security posture by focusing their attention, workforce and financial resources on the data most critical to the business. Once you have prioritized your risks, you better understand how to ensure appropriate data protection and ongoing compliance with security policies and regulations.

In our region of the world, the smaller countries of the Balkan peninsula, we tend to associate digital forensics only with law enforcement agencies. But in the wider world it is more often than not done by private investigators in the commercial sector. Corporations and larger organizations often find themselves in situations where they need to carry out an electronic investigation themselves, for their own needs, or hire an outside company to do it. This may be because they suspect a breach, a hacker intrusion, errors or malicious employee activity, or because they expect or have received a request for data from a law enforcement agency. Digital forensics will clear up the situation: what was going on in an IT environment or on a single workstation. Such an investigation could result in a legal case, but that is not mandatory, so don’t associate these solutions only with the kind of things that go on in criminal case thrillers on TV.

Generally, digital forensics can be organized into three steps, which are quite analogous to the steps of non-digital forensics.

A – Evidence collection and preservation. Just as in the physical world, the evidence must remain in its original form throughout the investigation process. Evidence is data on hard drives, sometimes in memory, in emails etc. Forensic tools collect it and store it internally in a read-only form that never changes. Data on a hard disk can change while the computer is in use, so forensic solutions include tools that can make a perfect copy of the data on it, through various connectors or over the network.

B – Searching. Once an investigator has a copy of all the relevant data, he will use a forensic tool to analyze it and search for files, patterns, phrases, images, emails, copies of IP data, etc.

C – Case management. Forensic tools store multiple digital investigation cases and are multi-user oriented. They offer extensive case analysis and reporting and should guide a digital investigator from evidence collection through analysis and reporting, up to a legal case if needed.

An IPS, or Intrusion Prevention System, is a perimeter security solution, like a firewall. The network perimeter is the boundary between an organization’s local network and the rest of the world. Usually that is a connection to an internet provider, a national network, another company or something similar. Often there are at least two connections, for redundancy.

A perimeter solution sits on the perimeter, where it can monitor and protect all incoming and/or outgoing traffic. Some perimeter solutions watch a specific traffic type, like email or web security gateways; others, like a firewall and an IPS, monitor all traffic in general.

Sometimes an organization’s network is split into multiple networks with single connections between them, and firewalls or IPSs can be placed at those points as well.

A modern IPS is actually a combination of IDS and IPS, where D stands for Detection and P for Prevention. IDSs were passive solutions that could only alert, whereas an IPS is an active solution that can block outside attacks and threats in general traffic. IDS and IPS functionality is a kind of higher-level, much more advanced or evolved firewall functionality, so both can also be combined into what we call an Advanced or Next Generation (NextGen) firewall, or a UTM (Unified Threat Management) solution. If split into two devices, the IPS sits closer to the inside of the network than the firewall, usually just behind it.

An IPS detects more complex threats in traffic than a simple firewall can. Often the two are also split for performance reasons: they are inline with the traffic and must perform each of their functions fast, so that there is no significant lag. Combined solutions are more appropriate for small and medium-sized companies.

An IPS uses multiple techniques to detect threats in traffic, such as signature-based detection, statistical anomaly detection, high-speed SSL/TLS decryption and inspection, DoS detection, anti-bot defences, stream analysis, protocol anomaly detection etc.

Once an IPS detects a threat, it takes automated action on the traffic flows entering the network, such as alarming administrators (that is an IDS function), dropping the malicious packets, blocking traffic from the malicious source address, resetting connections etc. Because of these automated actions it is very important for an IPS to have an extremely low false positive rate.