Frequently Asked Questions (FAQ)

1. Is log data stored on my local network?

  • Log data is stored with the M-SOC provider. The regulator requires that M-SOC provides 6 months online and 18 months offline, a total of 24 months of data storage. M-SOC is responsible and accountable for storing this data and provisioning it on demand to the exchange and/or auditors. REs may also access this data easily using their own logins created through the self-service portal.

2. Will I have access to the logs OR only M-SOC has access?

  • Yes, REs will have direct read-only access to the logs themselves. In fact, REs will have access to everything that an M-SOC analyst has access to, including Logs, Dashboards, Tickets, Alerts, Incidents and Reports.

3. How will you collect data from my environment?

  • We only collect logs from your environment. These could be operating system logs, application logs, webserver logs, firewall logs, etc. The types of logs we collect depend on your organization's infrastructure and the security measures in place.

4. I want to include only some of my critical machines. Is that possible?

  • Yes, we can tailor the deployment to focus on critical machines based on your requirements. According to SEBI guidelines, this must be done in consultation with your SPOC or someone familiar with your infrastructure. If your critical machines are not on a separate zone or VLAN with strict access controls, it is generally not advisable to include only the critical machines; all systems have to be included.

5. What is EDR and why is it needed?

  • EDR (Endpoint Detection and Response) is similar to an antivirus system. It helps detect and respond to potential threats at the endpoint level, enhancing security on devices like computers and servers. Most Windows operating systems come with Windows Defender by default. In large, complex infrastructures, dedicated EDR tools that operate across Windows and Linux systems may be needed.

6. What is the onboarding process, and how long does it take?

  • The entire onboarding process takes less than 10 minutes to complete. Installing the log forwarding agents could take up to 5 minutes, provided the administrator privileges needed for installation are available.

7. Can you send me the onboarding process and company details?

  • The onboarding process includes:

    • Registering on the portal.

    • Downloading the necessary agents.

    • Installing the agents as per the provided instructions.

8. In the case of an attack at BluSapphire, what will happen to my environment?

  • BluSapphire ensures robust security measures to protect both our platform and your environment. We are an ISO27001 company and our data center is SOC2 type2 certified. Additionally, there is no inbound connectivity to your environment from BluSapphire, ensuring your environment remains safe at all times. In the unlikely event of an attack, our multi-layered security architecture minimizes risks to your data and operations.

9. What data/logs will be pushed from BluSapphire to my environment? Is it safe?

  • For a list of the logs we collect, please refer to the "Logs Collected" section. All data in-transit and at-rest are encrypted and comply with industry standards to ensure your safety.

10. What kind of reports can I expect from BluSapphire?

  • BluSapphire provides standard Monthly and Quarterly reports, which include high-level overviews of security posture, threat intelligence, and incident analysis.

11. What support can I expect if I struggle to download or deploy the solution?

  • Our support team (support@blusapphire.com) provides end-to-end assistance during the download and deployment process. We offer 24x7 product services to help resolve any challenges.

12. What components will BluSapphire deploy for me? How can I opt for SOAR capabilities?

  • For smaller infrastructures, we only install the log forwarding agents. For complex or mature infrastructures, BluSapphire will also deploy a log collector.

  • If you are interested in SOAR (Security Orchestration, Automation, and Response) capabilities, please contact our sales team at sales@blusapphire.com to discuss customized options and pricing.

13. Is EDR (Endpoint Detection and Response) mandatory for the endpoints?

  • EDR is not mandatory, but highly recommended for proactive cybersecurity.

14. Is Remediation part of the stakeholder responsibilities, or does it fall under BluSapphire?

  • Remediation is the responsibility of the stakeholders. There will be a detailed RACI chart that describes these responsibilities in greater detail. However, Remediation assistance is available at an additional fee.

15. The Announcement says this is the Pilot and the actual go-live will be the 1st of April. Will we be charged from now or from April?

  • The billing starts immediately. Invoicing and payment are upfront.

16. There is a mention of a Pilot in the announcement.

  • The Pilot is more to fine-tune the engagement process between the MSOC and the exchange. For REs, the compliance is due.

17. The SEBI circular says the effective date is 1st April; we will get back to you in March.

  • Compliance with CSCRF is mandatory. April 1st is to finalize the notification requirements between SEBI, the Exchange and MSOC. Onboarding should start as early as possible, as we have a priority Onboarding Queue, and the system and processes will need a few weeks to stabilize on your environment.

18. If we have a VM with multiple apps on it, will it be counted as one device or multiple devices?

  • Our Response: a VM will count as one endpoint along with its operating system logs. Each compliance-covered application is counted as one additional endpoint.

    • Example 1: if you have an email server on a VM, the VM will be counted as one endpoint and the email server shall be counted as another endpoint.

    • Example 2: consider an environment with the below infrastructure:

      • 20 laptops

      • 5 servers

      • Two web applications (hosted on two of the 5 servers listed above)

      • Two AWS instances

      In this case, the total number of endpoints counted is:

      • 20 laptops + 5 servers + 2 web applications + 2 AWS instances = 29 endpoints.

19. What is the log retention policy?

  • All logs are retained for 6 months online and 18 months offline as per SEBI requirements. REs are not required to pay anything additional; the fee covers everything.

20. Will I have unlimited access to my logs?

  • Yes, REs themselves will also have unlimited access to their logs. REs will also have access to all the published Dashboards at all times. However, each RE will only have access to its own data, and the Dashboards will only reflect that RE's own data.

21. Who will be monitoring my logs for security alerts and incidents, the "Exchange" or "M-SOC"?

  • M-SOC will be responsible for monitoring RE logs for security alerts and incidents. Once an incident has been identified, M-SOC and the RE have to follow the incident management workflow and perform their requisite duties to close the incident.

22. Who else will be aware of cyber security incidents on my environment?

  • M-SOC will notify the RE of the security incident. Critical incidents are notified to CERT-IN as per SEBI requirements.

23. What is EPS? I hear other vendors offer pricing based on EPS?

  • EPS stands for Events Per Second. This measure is very dynamic and confusing for REs with little infrastructure. If you are an RE with fewer than 100 endpoints, you are usually better served by the per-endpoint pricing model. REs with large-scale, complex infrastructure clearly understand EPS and may opt for it instead. Please reach out to msoc@blusapphire.com for pricing.

24. Will M-SOC provide VAPT and audit services also?

  • Yes, M-SOC will provide VAPT and audit services at additional cost. Please refer to the document section of the portal, where you will see a full list of all additional services offered by M-SOC.

25. Do I have to declare assets in my infrastructure? Why is this needed?

  • Yes. There is an "AssetInventory.xls" template file under documents in your onboarding portal. Please fill out the details of the assets you are onboarding in the same format. Lists provided in any other format shall not be accepted.

  • M-SOC will monitor these assets and notify non-availability of an asset OR if M-SOC stops receiving logs from an asset.

  • REs can upload multiple versions of the asset list with updated assets at any time they wish.
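As an added example (not BluSapphire's own code or template), the following Python puts the two rules above into practice: the endpoint-counting rule from question 18, and a check over the declared asset inventory that flags assets whose logs have stopped arriving, which also reports log sources that were never declared. The inventory column names, the event format and the one-hour silence threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventory rows in the spirit of the AssetInventory template
# (the "host"/"apps" column names are assumptions, not the template's own).
INVENTORY = [
    {"host": "mail-vm-01", "apps": ["email-server"]},
    {"host": "web-srv-01", "apps": ["trading-portal"]},
    {"host": "db-srv-01", "apps": []},
    {"host": "laptop-17", "apps": []},
]

# Constructed forwarded log events as (timestamp, source host); not real data.
EVENTS = [
    ("2024-04-01T10:00:00", "mail-vm-01"),
    ("2024-04-01T10:02:00", "web-srv-01"),
    ("2024-04-01T10:03:00", "laptop-17"),
    ("2024-04-01T08:00:00", "db-srv-01"),     # went quiet two hours ago
    ("2024-04-01T10:04:00", "old-test-box"),  # sends logs but was never declared
]
NOW = datetime.fromisoformat("2024-04-01T10:05:00")
MAX_SILENCE = timedelta(hours=1)  # assumed threshold before an asset is flagged


def endpoint_count(inventory):
    """FAQ counting rule: each host is one endpoint, and every compliance
    application it hosts is counted as a further endpoint."""
    return sum(1 + len(row["apps"]) for row in inventory)


def log_source_status(inventory, events, now, max_silence):
    """Return (silent, undeclared): declared hosts whose latest log is older
    than max_silence or that never logged at all, and hosts that are sending
    logs without appearing in the declared inventory."""
    declared = {row["host"] for row in inventory}
    last_seen = {}
    for ts, host in events:
        seen = datetime.fromisoformat(ts)
        if host not in last_seen or seen > last_seen[host]:
            last_seen[host] = seen
    silent = sorted(h for h in declared
                    if h not in last_seen or now - last_seen[h] > max_silence)
    undeclared = sorted(set(last_seen) - declared)
    return silent, undeclared


if __name__ == "__main__":
    print("declared endpoints:", endpoint_count(INVENTORY))
    silent, undeclared = log_source_status(INVENTORY, EVENTS, NOW, MAX_SILENCE)
    print("silent assets:", silent, "undeclared sources:", undeclared)
```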
