Chapter 2: ManageEngine's IT security command center

Our IT security command center is the central nervous system of our security operations, equipped with screens and alerting mechanisms to monitor our environment for any discrepancies or threats. The command center is the base of our security operations, where our teams monitor logs and events, respond to security threats, and analyze anomalies to take preventive actions against threats.

Figure 1: Security command center structure at Zoho.

Security engineering

The security engineering team develops and maintains security libraries: reusable, packaged security code that product teams use to secure our applications. The libraries are configurable, so product teams decide how and where to apply them in their code. For instance, the security engineering team builds authentication into these libraries as a group of controls, and the product teams decide where in their code to invoke authentication. Below is an overview of what the security libraries do:

  • Shield our applications from attacks such as injection, spoofing, supply chain, and more.
  • Provide baseline security for our applications by defining their entry points. Information may enter an application only when it meets specific criteria.
  • Define controls for responses from the application.
  • Help product teams build applications such that the other applications in an IT environment cannot read or access any information from ours.
  • Control which application data is accessible to external entities. The security engineering team defines, inside the libraries, the set of values an application may return in its responses, thereby limiting the application information exposed to other applications in the system.

Above all, the security libraries mean that product teams aren't required to create their own security configurations. They only need to know when to apply these libraries in their code.
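The division of labour described above, in which the library owns the entry-point criteria and the response controls while product code only decides where to invoke them, is illustrated by the following added example. It is a constructed sketch, not Zoho's or ManageEngine's library code; the names entry_point, response_filter, handle and create_user, and the request shape (a dict with "user" and "body" keys), are assumptions made for the illustration.

```python
"""Sketch of a security library with configurable entry-point and response
controls (constructed illustration; not the library described on the page)."""
import re
from functools import wraps


class ValidationError(ValueError):
    """Raised when a request does not meet the entry-point criteria."""


# Library-owned criteria. Product teams reference these; they do not rewrite them.
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def entry_point(schema, require_auth=False):
    """Guard an application entry point.

    `schema` maps field name -> (expected type, optional predicate). Only the
    listed fields are accepted, every one must be present, and each must pass
    its type and predicate check before the product code runs.
    """
    def decorator(view):
        @wraps(view)
        def wrapper(request):
            # Authentication control: the product team chose require_auth=True,
            # the library decides what "authenticated" means.
            if require_auth and not request.get("user"):
                raise PermissionError("authentication required")
            data = request.get("body", {})
            unknown = set(data) - set(schema)
            if unknown:
                raise ValidationError(f"unexpected fields: {sorted(unknown)}")
            clean = {}
            for name, (expected_type, check) in schema.items():
                if name not in data:
                    raise ValidationError(f"missing field: {name}")
                value = data[name]
                if not isinstance(value, expected_type):
                    raise ValidationError(f"bad type for {name}")
                if check is not None and not check(value):
                    raise ValidationError(f"invalid value for {name}")
                clean[name] = value
            return view(clean)  # product code only ever sees validated input
        return wrapper
    return decorator


def response_filter(allowed_fields):
    """Response control: only allow-listed fields leave the application."""
    def decorator(view):
        @wraps(view)
        def wrapper(*args, **kwargs):
            result = view(*args, **kwargs)
            return {k: v for k, v in result.items() if k in allowed_fields}
        return wrapper
    return decorator


def handle(view, request):
    """Library dispatcher: turn control failures into safe status/body pairs
    rather than leaking exceptions to the caller."""
    try:
        return 200, view(request)
    except PermissionError:
        return 401, {"error": "unauthenticated"}
    except ValidationError as exc:
        return 400, {"error": str(exc)}


# ---- Product-team code: picks the controls, writes no validation itself ----
USER_SCHEMA = {
    "email": (str, _EMAIL.match),
    "display_name": (str, lambda s: 0 < len(s) <= 64),
}


@entry_point(USER_SCHEMA, require_auth=True)
@response_filter({"id", "display_name"})
def create_user(fields):
    # The internal record carries data (email, password hash) that the
    # response control strips before anything is returned to the caller.
    return {
        "id": 1,
        "display_name": fields["display_name"],
        "email": fields["email"],
        "password_hash": "<constructed placeholder>",
    }


if __name__ == "__main__":
    good = {"user": "alice", "body": {"email": "a@b.co", "display_name": "Alice"}}
    print(handle(create_user, good))
    print(handle(create_user, {"body": good["body"]}))  # no user -> 401
```

The product function contains no checks of its own: the schema and the allow-list are the only things it chooses, which is the property the text describes. An extra field such as "role" in the request body is rejected at the entry point, and the password hash never appears in a response regardless of what the product code returns.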

The security engineering team consists of smaller teams that handle individual aspects of security in our libraries as described below:

  • Code analyzer team: To build and maintain our in-house code analysis platform that spots vulnerabilities before the code gets pushed into the repository.
  • Malware team: To build and maintain the technology to scan each file that enters our IT environment for malware.
  • Encryption team: To build and maintain our encryption platform, and handle crucial functions like key management and rotation.
  • Logs team: To manage the collection and maintenance of logs in a central server. This team assists the security operations team in monitoring logs and spotting potential threats.

Red team (offensive operations)

The red team performs offensive operations to reveal the areas where our IT security can be improved. They systematically attack our environment from the inside and constantly push our systems to be more secure. They also perform multiple inspections periodically to ensure no loopholes are hiding in plain sight. Here's what they do:

Validate external hackers

The red team regularly validates the submissions of external hackers who report bugs on our bug bounty portal. If a report is valid, the red team conducts a more detailed analysis and provides recommendations on fixing the bug.

Validate solutions

The red team validates the solutions provided by the internal teams before a reported bug is marked "closed." It reattempts to exploit the bug to ensure the implemented fix is fully effective.

Reward external hackers

The red team rewards external hackers for valid reported bugs based on the severity and impact of each bug. Because the red team understands the extent to which a reported security bug can affect our IT environment, it analyzes each bug and rewards the reporter accordingly.

Assess security posture of applications

The red team periodically assesses the security posture of our applications, continuously performing engineered attacks to expose vulnerabilities. They do this based on security trends, industry updates, and changes in our applications.

Validate automated code scanners

The team validates the issues automatically detected by our source code scanner. We have in-house tools that scan the source code of all our applications. Though the tools mostly give us accurate results, there is always a chance of false positives. The red team analyzes these issues and handles them appropriately.

Review source codes

The team periodically conducts manual reviews of the source code. There is always a chance that some vulnerabilities sneak through the automated scans. With their expertise in security vulnerabilities, the red team reviews source code often to ensure such errors don't compromise the security posture of our applications.

Scan ManageEngine's assets

The team scans the company's assets (mainly devices) to detect vulnerability patterns. With tens of thousands of employees and even more devices, the attack surface grows constantly. The red team uses our in-house endpoint security solutions to scan our assets for vulnerabilities.

Perform social engineering attacks

The team performs social engineering to assess the security awareness of employees. The red team attempts phishing, fake calls, and more to ascertain how our employees respond to such cases. Should they succeed in deceiving some employees, they use the opportunity to educate other employees and improve awareness.

Test our network's security posture

The team attempts to steal credentials using packet sniffing, rogue authentication servers, and phishing. This activity further strengthens our network, as the red team attacks our environment from all fronts to steal valuable credentials that can get a malicious attacker into the sensitive areas of our environment.

Simulate attacks on assets

The team simulates attacks on company assets based on the possible vulnerabilities detected by our scanning tool. This simulation creates urgency and requires our defensive teams to stay alert. It also gives us insights into how well our defenses hold when an attacker attempts to exploit vulnerabilities.

Educate employees

The team conducts workshops and educates employees by posting content about security.

Blue team (defensive operations)

This team performs defensive operations by monitoring our IT environment to spot potential threats and vulnerabilities and taking necessary action to prevent potential dangers. Their activities include the following:

  • Attend to internal and external security-related queries.
  • Assess vulnerabilities of third-party tools employed in our IT environment and work towards fixing them.
  • Manage vulnerabilities found in our IT environment. They also coordinate with the concerned product teams and fix the vulnerabilities after review.
  • Inform concerned teams and external parties regarding patches and other security updates.
  • Monitor public blogs and other sources for newly identified vulnerabilities and analyze how they might affect our IT environment.
  • Manage our bug-bounty service by analyzing, treating, and fixing the bugs reported.
  • Manage our Host-based Intrusion Detection System (HIDS) by setting up the server, adding necessary configurations for generating alerts, installing HIDS agents where necessary, and updating security configurations to whitelist files.
  • Manage logs in our IT environment by collecting, parsing, and analyzing them, identifying anomalies, and taking necessary action. Our logging practices are described in more detail in a separate section.
  • Monitor our security operations console 24/7 and take immediate action when needed based on our security policies.
  • Monitor and maintain access to our secure environments by managing the identities of our employees who request access.
  • Ensure the product teams use our security libraries suitably by monitoring the usage and verifying the code.
  • Conduct awareness sessions for employees and educate them regarding data security and privacy.

Security audit

The security audit team conducts a detailed security investigation for our web applications, mobile applications, and overall IT infrastructure. They systematically follow a schedule to ensure no component in our IT environment is left unaudited. However, they prioritize the audits based on factors like an upcoming release, new installation, and more. Below is a summary of their activities:

  • Verify requests for creating new domains, infrastructure components, and more, and validate their security posture.
  • Audit the new software packages, updates, and more, before installation in the IT environment.
  • Review data flow and architecture diagrams and discuss the necessary security controls with the concerned application teams.
  • Analyze the impact of security incidents and review the solutions.
  • Audit our security tools and improve the guidelines on how to use our tools.
  • Review the automated reports generated by our tools and ensure the application teams fix any security issues reported.
  • Clarify security-related queries in our community of software developers.

Incident management

We have a dedicated process to handle security incidents, which includes detection, containment, coordination, and recovery processes that make our IT environment resilient against cyber threats. This process has helped us recover from security incidents by minimizing exposure time and the impact of security threats on data, applications, and our IT infrastructure. For a more detailed account of how we manage our security incidents, refer to the CyberSec section of our incident management handbook.
