Frequently Asked Questions (FAQ)
This page collects the frequently asked questions about M-SOC. It is written for REs onboarding with the BSE M-SOC, but most answers apply to other customers as well.
1. Is log data stored on my local network?
No. Log data is stored with the M-SOC provider, not on your local network. The regulator requires the M-SOC to keep 6 months of logs online and a further 18 months offline, a total of 24 months of retention. M-SOC is responsible and accountable for storing this data and for producing it on demand to the exchange and/or auditors. REs can also access this data themselves using their own logins created through the self-service portal.
2. Will I have access to the logs OR only M-SOC has access?
REs have direct read-only access to their logs. In fact, REs have access to everything an M-SOC analyst can see for their environment: logs, dashboards, tickets, alerts, incidents and reports.
3. How will you collect data from my environment?
We only collect logs from your environment; nothing else is read or pushed. These could be operating system logs, application logs, web server logs, firewall logs, etc. The exact set of logs collected depends on your organization's infrastructure and the security controls in place.
4. I want to include only some of my critical machines. Is that possible?
Yes, the deployment can be tailored to focus on critical machines based on your requirements. As per SEBI guidelines, this scoping must be done in consultation with your SPOC or someone familiar with your infrastructure. Note, however, that if your critical machines are not isolated in a separate zone or VLAN with strict access controls, onboarding only the critical machines is not advisable: an attacker who compromises an unmonitored machine on the same network can reach the critical ones unseen. In that case all systems have to be included.
5. What is EDR and why is it needed?
EDR (Endpoint Detection and Response) is the successor to traditional antivirus. Beyond blocking known malware, it records process, file and network activity on the endpoint, detects suspicious behaviour and lets a responder isolate or remediate the device. It raises the security of computers and servers, which is where most intrusions start. Most Windows operating systems ship with Windows Defender by default. In large, complex infrastructures a dedicated EDR tool that covers both Windows and Linux systems may be needed.
6. What is the onboarding process, and how long does it take?
Step 1: Register on the portal with all the required details.
Step 2: Upon login, you will be directed to a landing page with links to download the required lightweight agents that will forward the logs.
Step 3: Follow the standard installation instructions provided on the portal page.
Alternatively, you may watch this playlist of videos to guide you through the process OR refer to the step-by-step documentation on this site.
The entire onboarding process takes less than 10 minutes to complete. Installing the log forwarding agents takes up to 5 minutes per system; administrator privileges are required for the install.
7. Can you send me the onboarding process and company details?
The onboarding process includes:
Registering on the portal.
Downloading the necessary agents.
Installing the agents as per the provided instructions.
8. In the case of an attack at BluSapphire, what will happen to my environment?
BluSapphire maintains security controls to protect both our platform and your environment. BluSapphire is an ISO 27001 certified company and our data centre is SOC 2 Type 2 certified. Additionally, there is no inbound connectivity from BluSapphire into your environment: the agents only send logs outbound, so a compromise of the platform gives no path into your network. In the unlikely event of an attack, our multi-layered security architecture minimizes the risk to your data and operations.
9. What data/logs will be pushed from BluSapphire to my environment? Is it safe?
None. There is no inbound connectivity from BluSapphire to your environment; data flows only one way, from your agents to M-SOC. For the list of logs we collect from you, please refer to the "Logs Collected" section. All data in transit and at rest is encrypted in line with industry standards.
10. What kind of reports can I expect from BluSapphire?
BluSapphire provides standard Monthly and Quarterly reports, which include high-level overviews of security posture, threat intelligence, and incident analysis.
11. What support can I expect if I struggle to download or deploy the solution?
Our support team (support@blusapphire.com) provides end-to-end assistance during the download and deployment process. We offer 24x7 product services to help resolve any challenges.
12. What components will BluSapphire deploy for me? How can I opt for SOAR capabilities?
For smaller infrastructures, we only install the log forwarding agents. For complex or mature infrastructures, BluSapphire will additionally deploy a log collector.
If you are interested in SOAR (Security Orchestration, Automation, and Response) capabilities, please contact our sales team at sales@blusapphire.com to discuss customized options and pricing.
Is EDR (Endpoint Detection and Response) mandatory for the endpoints?
EDR is not mandatory, but highly recommended for proactive cybersecurity.
Is Remediation part of the stakeholder responsibilities, or do they fall under BluSapphire?
Remediation is the responsibility of the stakeholders. A detailed RACI chart describes these responsibilities in greater detail. Remediation assistance is available at an additional fee.
The announcement says this is the pilot and the actual go-live will be the 1st of April. Will we be charged from now or from April?
The billing starts immediately. Invoicing and payment are upfront.
There is a mention of a pilot in the announcement. What does that mean?
The pilot is about fine-tuning the engagement process between the M-SOC and the exchange. For REs, compliance is already due.
The SEBI circular says the effective date is 1st April; can we get back to you in March?
Compliance with CSCRF is mandatory. The 1st of April is the date for finalizing the notification requirements between SEBI, the exchange and the M-SOC. Onboarding should start as early as possible: there is a priority onboarding queue, and the systems and processes need a few weeks to stabilize on your environment before they are useful for detection.
If we have a VM with multiple apps on it, is it counted as one device or multiple devices?
A VM counts as one endpoint, covering its operating system logs. Each application in scope for compliance running on it is counted as a further endpoint.
Example 1: if you have an email server on a VM, the VM is counted as one endpoint and the email server as another endpoint.
Example 2: consider an environment with the following infrastructure:
20 laptops
5 servers
Two web applications (hosted on two of the 5 servers listed above)
Two AWS instances
In this case, the total number of endpoints counted are:
20 laptops + 5 servers + 2 web applications + 2 AWS instances = 29 endpoints.
What is the log retention policy?
All logs are retained for 6 months online and 18 months offline as per SEBI requirements. REs are not required to pay anything additional; the fee covers retention.
Will I have unlimited access to my logs?
Yes. REs have unlimited access to their own logs and to all published dashboards at all times. However, an RE only ever sees its own data, and its dashboards reflect only its own data.
Who will be monitoring my logs for security alerts and incidents "Exchange" or "M-SOC"?
M-SOC is responsible for monitoring RE logs for security alerts and incidents. Once an incident has been identified, M-SOC and the RE follow the incident management workflow and perform their respective duties to close the incident.
Who else will be aware of cyber security incidents on my environment?
M-SOC will notify the RE of the security incident. Critical incidents are also reported to CERT-In as per SEBI requirements.
What is EPS? I hear other vendors offering based on EPS?
EPS stands for Events Per Second. Event rates fluctuate with activity, so EPS-based pricing is hard to predict for REs with little infrastructure. If you are an RE with fewer than 100 endpoints, you are usually better served by the per-endpoint pricing model. REs with large-scale, complex infrastructure understand their EPS and may opt for it instead. Please reach out to msoc@blusapphire.com for pricing.
Will M-SOC provide VAPT and audit services also?
Yes, M-SOC provides VAPT and audit services at additional pricing. Please refer to the documents section of the portal for the full list of additional services offered by M-SOC.
Do I have to declare the assets in my infrastructure? Why is this needed?
Yes. There is an "AssetInventory.xls" template file under documents in your onboarding portal. Please fill in the details of the assets you are onboarding in that format. Lists provided in any other format will not be accepted.
M-SOC monitors the declared assets and notifies you when an asset becomes unavailable or when M-SOC stops receiving logs from it. Without a declared inventory, a silent or missing asset cannot be told apart from one that was never meant to be monitored.
REs can upload updated versions of the asset list at any time.
How can we identify which category we fall under?
Kindly refer to the SEBI CSCRF notification, Section 2, page 39 onwards, for details.
How will you define the level of an alert (Critical, High, Medium, Low)?
Kindly refer to the SEBI CSCRF notification, Annexure O, for details.
Is M-SOC mandatory for a stock broker doing only proprietary and institutional trading?
Kindly refer to the SEBI CSCRF notification, Section 2, page 39 onwards, for details.
What all will be done in User entity Behaviour analytics?
<Describe UEBA and refer to the section>
We are a member of BSE and also have a CDSL DP and a Research Analyst registration. Do we fall under Mid-size REs or Small REs?
Kindly refer to the SEBI CSCRF notification, Section 2, page 39 onwards, for details.
Can we have one SOC for all the exchanges and depository?
SEBI has mandated BSE and NSE to provide M-SOC services. Other exchanges and depositories have the option of starting or just using the ones provided by BSE & NSE. You may choose one M-SOC for your compliance. There is no need to subscribe to multiple M-SOCs.
How will logs be collected? Is a syslog server provided by M-SOC, or do REs need to implement one on their own?
Depending on the architecture, logs are either collected directly by the agents or via a log collector (syslog) provided by M-SOC. The collector is installed on hardware provided by the RE.
We are an NSE registered entity. Can we use the M-SOC provided by BSE?
Absolutely. There are no restrictions. You can onboard with BSE M-SOC and you will still be compliant.
If we are a self-certified RE and already have a SOC, are we still required to subscribe to M-SOC?
If you already have a SOC that complies with all the requirements of CSCRF, including the SOC efficacy requirements, there is no need to subscribe to M-SOC.
Log retention is mandatory as per regulatory requirements, so why is it listed under optional services?
Log retention (6 months online and 18 months offline) is mandatory as per the regulator. The BSE M-SOC provides this service as part of the proposed cost; there is no additional charge. It appears under optional services because the SEBI framework for M-SOCs lists it as a service an M-SOC may optionally provide.
Can small REs that are part of large global banks, and have access to the group SOC, be exempted from the Market SOC?
Please work with SEBI for clarification. Kindly refer to the SEBI CSCRF notification, Section 2, page 39 onwards, for details.
Is there any exemption for a 100% proprietary trading broker?
Please work with SEBI for clarification. Kindly refer to the SEBI CSCRF notification, Section 2, page 39 onwards, for details.
How is incident management run?
The incident management workflow linked here is the incident workflow agreed for all M-SOCs. Any assistance needed outside of this workflow may be availed at an additional cost.
Can you explain SOAR in more detail?
SOAR stands for Security Orchestration, Automation and Response. Please refer to the OneFlow documentation, which describes our SOAR in detail.
What are the privacy / data protection policies for the logs?
Logs are governed by the data protection and data localization requirements laid down by the regulator. M-SOC adheres to the requirements of the SEBI Cloud Security Framework and the CSCRF.
Are the optional services also mandated by SEBI, for all REs or for mid-size and small REs?
No. Optional services are not mandated by SEBI. The exception is log retention: the regulator requires 180 days of logs online and 18 months offline.
Do we have access to the centralized dashboard? Is it read-only?
Yes, you have access to centralized dashboards that show your own data only. Logs are write-once: once ingested they are immutable and cannot be edited by anyone, neither the RE nor M-SOC analysts, so dashboard and log access is strictly read-only.
How do we enrol and participate in the test environment?
You may enrol using the self-service portal and go live with no further assistance from M-SOC. If you need support, please reach out to msoc@blusapphire.com, or, for existing customers, msoc_support@blusapphire.com.
For customers with fewer than 200 systems, a test environment is not available. Customers with more than 200 systems may reach out to their sales representative or msoc@blusapphire.com and a testbed can be arranged. All testbeds are provided for a period of 10 working days.
Which SIEM tool will you use, and what will it cost?
For M-SOC all costs are included in the service.
Does threat intelligence include Dark Web Monitoring too?
Threat Intelligence does not include Dark Web Monitoring. That is a separate service that M-SOC does not provide and will have to be sourced from a different vendor if needed.
How secure is the M-SOC? It will collect logs from critical servers and databases holding client information, and may require M-SOC log forwarder agents to be installed for better visibility. Does it operate under an NDA, and will data be kept within India?
Logs are governed by the data protection and data localization requirements laid down by the regulator. M-SOC adheres to the requirements of the SEBI Cloud Security Framework and the CSCRF. Additionally, logs are encrypted in transit and at rest. The encryption keys used for logs at rest are held outside the service provider, so the provider alone cannot decrypt stored logs; this is in compliance with the Cloud Security Framework issued by SEBI.
M-SOC is ISO 27001 certified and the data centre is SOC 2 Type 2 certified.
Geographically, all logs are stored in Mumbai, India.
Is it possible to integrate application logs for monitoring purposes via MSOC?
M-SOC is for security monitoring, not application performance monitoring. Application logs can be onboarded and monitored for security violations and incidents.
If there is a need to integrate an additional system, such as a server or network device, what criteria and procedures should be followed?
M-SOC can accommodate specific integration requirements beyond the default set of logs collected, at an economical cost. The logs have to meet a few guidelines: they must be plain text; each event must occupy its own line, with no event spanning multiple lines and no two events merged into one line; and the vendor or customer must know the contents of the logs and be able to assist with the integration (field meanings, sample lines, expected volume).
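The guidelines above can be checked on a sample file before requesting an integration. The following is an added example, not BluSapphire's own onboarding tooling: it flags binary content, continuation lines that belong to a previous event (multi-line stack traces), and lines that carry two events. The timestamp pattern and the sample lines are constructed assumptions; adjust the pattern to your log format.

```python
"""Pre-integration check for a custom log source (added example).

Applies the three FAQ guidelines to a sample:
  1. the log must be text,
  2. one event per line (no event spanning several lines),
  3. no two events merged on one line.
The timestamp layout and sample lines below are assumptions for illustration.
"""
import re
from typing import Dict, List

# Assumption: every event starts with "YYYY-MM-DD HH:MM:SS" (or ISO 'T').
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}")
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}")

# Constructed samples: a clean file and one with typical problems.
GOOD_SAMPLE = (
    b"2024-05-01 10:00:01 app=trade user=alice action=login result=ok\n"
    b"2024-05-01 10:00:05 app=trade user=bob action=order result=rejected\n"
)
BAD_SAMPLE = (
    b"2024-05-01 10:00:01 app=trade exception=NullPointerException\n"
    b"    at com.example.Trade.submit(Trade.java:42)\n"          # continuation
    b"2024-05-01 10:00:02 app=trade action=order "
    b"2024-05-01 10:00:02 app=trade action=cancel\n"             # two events
)


def check_log_sample(raw: bytes) -> Dict[str, List[str]]:
    """Return guideline violations found in a raw sample, keyed by type."""
    problems: Dict[str, List[str]] = {"not_text": [], "continuation": [], "merged": []}

    # Guideline 1: text only. A NUL byte or undecodable bytes mean binary data.
    if b"\x00" in raw:
        problems["not_text"].append("NUL byte found: sample looks binary, not text")
        return problems
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        problems["not_text"].append(f"not valid UTF-8 text: {exc}")
        return problems

    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        # Guideline 2: a line without a leading timestamp is the tail of a
        # previous event (e.g. a stack trace) and would be lost or mis-parsed.
        if not EVENT_START.match(line):
            problems["continuation"].append(
                f"line {lineno}: no leading timestamp (multi-line event?)")
            continue
        # Guideline 3 (heuristic): a second timestamp mid-line usually means
        # two writers interleaved or two events were written without a newline.
        if len(TIMESTAMP.findall(line)) > 1:
            problems["merged"].append(f"line {lineno}: more than one event on the line")
    return problems


def is_ready(raw: bytes) -> bool:
    """True when the sample passes every guideline."""
    return all(not v for v in check_log_sample(raw).values())


if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(name, "ready" if is_ready(sample) else check_log_sample(sample))
```

The mid-line timestamp check is a heuristic: a message that legitimately quotes another time (for example a scheduled expiry) will trip it, so review flagged lines rather than rejecting the source outright.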
What about VMware logs?
Can we register with only one M-SOC empanelled with either NSE or BSE?
Yes. You need to register with only one M-SOC.
What is the contract period?
Contract term will be 3 years. Either party may terminate the contract with 90 days notice period.
Are all logs stored for 180 days or only actionable events?
All security logs are stored for 180 days online and 18 months offline.
In future, how we will be able to access the old logs if we start our own SOC ?
Yes. Data Exfiltration costs apply.
We have multiple lines of business and membership under same entity for example Stock Broking, Depository Participant, PMS and also acting as Investment manager for an AIF. Do we need to register separately as per different licenses for the same entity?
Licensing is per endpoint, so you may license as one entity or as multiple entities; it makes no difference to M-SOC. In many cases the choice depends on how your internal billing works.
Is this only for Security Information and Event Management or does it also provide overall environment security?
M-SOC covers all compliance systems as identified by the regulator. At this point that typically means your IT environment, not IoT or ICT systems. Please check with your regulator for clarity.
Will the SOC generate alerts for downtime of critical systems?
M-SOC generates an alert when a log source (endpoint) stops sending logs for longer than a given threshold. Planned maintenance therefore also triggers the alert unless it is notified in advance. The thresholds are configurable per client.
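The detection behind a missing-log-source alert is straightforward and worth understanding, because a source that never reports is indistinguishable from one that was never onboarded unless an asset inventory exists. The block below is an added example, not M-SOC's alerting code: it derives the last-seen time per host from a stream of log lines, compares it against a per-host threshold (with a default), and also flags inventory hosts that have never reported. Hostnames, thresholds, the reference time and the sample lines are constructed for illustration.

```python
"""Silent log-source detection (added example, not M-SOC's own alerting).

Given log lines of the form "<ISO timestamp> <host> <message>", an expected
asset inventory and per-host silence thresholds, report every host that has
been silent longer than its threshold, or that has never reported at all.
All hosts, thresholds and lines below are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

DEFAULT_THRESHOLD = timedelta(minutes=15)

# Constructed sample stream (syslog-like).
SAMPLE_LINES = [
    "2024-05-01T09:00:00+00:00 web-01 nginx: GET /login 200",
    "2024-05-01T09:01:00+00:00 fw-edge kernel: DROP IN=eth0 SRC=203.0.113.9",
    "2024-05-01T09:40:00+00:00 web-01 nginx: GET /orders 200",
    "2024-05-01T09:42:00+00:00 db-01 postgres: checkpoint complete",
]
# Constructed asset inventory: app-02 is declared but has never sent a line.
EXPECTED_HOSTS = ["web-01", "fw-edge", "db-01", "app-02"]
# Tighter threshold for the firewall (chatty), looser for the database (quiet).
THRESHOLDS = {"fw-edge": timedelta(minutes=5), "db-01": timedelta(hours=1)}
# Reference "now" for the worked run.
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)


def last_seen(lines: List[str]) -> Dict[str, datetime]:
    """Latest timestamp observed per host; lines may arrive out of order."""
    seen: Dict[str, datetime] = {}
    for line in lines:
        ts, host, _message = line.split(" ", 2)
        t = datetime.fromisoformat(ts)
        if host not in seen or t > seen[host]:
            seen[host] = t
    return seen


def silent_sources(
    lines: List[str],
    expected: List[str],
    now: datetime,
    thresholds: Optional[Dict[str, timedelta]] = None,
    default: timedelta = DEFAULT_THRESHOLD,
) -> List[Tuple[str, str]]:
    """Return (host, reason) for each expected host that breaches its threshold."""
    thresholds = thresholds or {}
    seen = last_seen(lines)
    alerts: List[Tuple[str, str]] = []
    for host in expected:
        limit = thresholds.get(host, default)
        if host not in seen:
            alerts.append((host, "never reported; check agent install or inventory"))
            continue
        gap = now - seen[host]
        if gap > limit:
            alerts.append((host, f"silent for {gap}, threshold {limit}"))
    return alerts


def run_demo() -> List[Tuple[str, str]]:
    """Worked run at NOW: web-01 (20 min > 15), fw-edge (59 min > 5), app-02 (never)."""
    return silent_sources(SAMPLE_LINES, EXPECTED_HOSTS, NOW, THRESHOLDS)


if __name__ == "__main__":
    for host, reason in run_demo():
        print(f"ALERT missing log source: {host}: {reason}")
```

Keying alerts on the declared inventory rather than on hosts that have been seen before is what makes the check useful: a newly onboarded server whose agent was never started shows up immediately instead of silently contributing nothing.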
If a web server is connected to the internet through a firewall, how many endpoints are there in this case?
One for the operating system hosting the web server, one for the web server logs, and one for the firewall: 3 endpoints in total. Another worked example is given in the answer on VMs hosting multiple applications above.
Are NetFlow logs from the firewall also collected by M-SOC?
Yes. M-SOC collects these logs by default. The other log types collected by default are listed here.