DORA Directive from 2025: Technical measures for more resilient IT infrastructures in the financial sector

DORA from 2025: IT infrastructures in the financial sector

After a two-year implementation period, EU financial companies are obliged to comply with DORA (the Digital Operational Resilience Act) by the deadline of January 17, 2025.

At the heart of DORA is the identification and risk management of information assets that support critical or important business functions.

To this end, the accompanying RTS (Regulatory Technical Standard) on ICT risk management addresses various aspects of IT security across the entire IT infrastructure, with a focus on strong cryptography, network security, and modern, comprehensive authentication and authorization systems.

Monitoring and logging are also a focus. In financial companies, which were already heavily regulated in the past, the use of modern EDR, NDR, SIEM and SOAR systems to monitor central infrastructure components is already widely established. With the entry into force of DORA, the focus is now shifting to a holistic and risk-oriented view of the enterprise IT landscape.

As a result, alongside the central infrastructure components, more and more in-house and third-party tools that fulfill critical business functions are coming into the focus of security monitoring.

However, monitoring these in-house developments or third-party applications is far less standardized and, given their naturally greater heterogeneity, is a major challenge. Nevertheless, SIEM systems can serve as the central solution component here.

Normalizing log data to a common data schema plays an important role. Mapping the information contained in log events onto this schema can usually be carried out directly in the pre-processing stage of a SIEM system.

For companies with a large number of in-house developments, it is also advisable to develop a central logging library that classifies security-relevant events as soon as they occur and transfers the necessary data fields into a structured format. This yields a standardized log format for the security-relevant log information of similar applications across the company.

In the SIEM, cross-application rule sets can then be implemented for scenario-based evaluation of the log data. The selection of these SIEM use cases should be based on both the company-specific threat situation and the regulatory requirements.
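As an added illustration of the two preceding steps (not code from SECUINFRA or the original post), the following Python sketch shows a central logging library that classifies events into a small shared schema at the point of origin, together with a cross-application SIEM rule evaluated over the resulting JSON lines. The schema field names, the category list and the sample events are assumptions constructed for this example.

```python
import json
from collections import defaultdict

# Hypothetical shared schema for the security-relevant events every in-house
# application emits; field and category names are assumptions, not DORA terms.
ALLOWED_CATEGORIES = {"auth_failure", "auth_success", "privilege_change", "data_export"}

def security_event(app, category, outcome, user, source_ip, ts, **extra):
    """Classify and normalize one event where it occurs; returns one JSON line."""
    if category not in ALLOWED_CATEGORIES:
        raise ValueError(f"unclassified security event category: {category}")
    event = {"ts": ts, "app": app, "category": category, "outcome": outcome,
             "user": user, "source_ip": source_ip}   # ts: epoch seconds
    event.update(extra)          # application-specific fields stay optional
    return json.dumps(event, sort_keys=True)

def detect_cross_app_auth_failures(lines, threshold=5, window_s=600):
    """Cross-application SIEM rule: one source IP with at least `threshold`
    auth failures spread over at least two applications within `window_s`
    seconds. Returns one alert dict per offending source IP."""
    by_ip = defaultdict(list)
    for line in lines:
        e = json.loads(line)     # the SIEM parses the normalized JSON lines
        if e["category"] == "auth_failure":
            by_ip[e["source_ip"]].append(e)
    alerts = []
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):             # sliding time window
            while fails[end]["ts"] - fails[start]["ts"] > window_s:
                start += 1
            window = fails[start:end + 1]
            apps = {e["app"] for e in window}
            if len(window) >= threshold and len(apps) >= 2:
                alerts.append({"source_ip": ip, "failures": len(window),
                               "apps": sorted(apps)})
                break                             # one alert per IP
    return alerts

# Constructed sample: three applications share the library; 203.0.113.7 spreads
# its failures over two of them, 198.51.100.9 fails once and stays below threshold.
SAMPLE_LINES = [
    security_event("payments", "auth_failure", "failure", "alice", "203.0.113.7", 1000),
    security_event("payments", "auth_failure", "failure", "bob", "203.0.113.7", 1060),
    security_event("portal", "auth_failure", "failure", "carol", "203.0.113.7", 1120),
    security_event("portal", "auth_failure", "failure", "dave", "203.0.113.7", 1180),
    security_event("portal", "auth_failure", "failure", "erin", "203.0.113.7", 1240),
    security_event("portal", "auth_success", "success", "erin", "203.0.113.7", 1300),
    security_event("ledger", "auth_failure", "failure", "frank", "198.51.100.9", 1310),
]
```

Because every application emits the same fields, the rule needs no per-application parsing; in a real deployment the thresholds would be tuned per the company-specific threat situation mentioned above.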

DORA itself already defines some security-relevant event categories. In addition, most SIEM systems offer statistical or machine-learning-based anomaly detection methods for evaluating the diverse log data.

Such an approach allows some of the central challenges of DORA to be tackled in a scalable manner.

However, it remains essential to establish processes that ensure the continuous improvement of static and anomaly-based detection methods as part of use case lifecycle management.

SECUINFRA supports affected companies with experienced cyber defense consultants in the design and implementation of measures to meet the technical SOC and SIEM requirements stipulated by DORA. SECUINFRA also offers various services tailored to customer needs in the area of 24/7 managed and co-managed SOC operations.


Louis Neumann • Author

Senior Cyber Defense Consultant

After graduating in IT security, he started working as a senior cyber defence consultant at Secuinfra in November 2022. His main focus is on SOC consulting, particularly in the area of SIEM, where he primarily supports companies in the financial sector.
