On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In) published CERT-In_Directions_70B_28.04.2022, a new document that imposes strict requirements on service providers, organisations, and cybersecurity teams. The new directions caused considerable controversy, leading CERT-In to publish two supplemental documents: frequently asked questions on cybersecurity directions and No. 20(3)/2022 CERT-In.
The 2022 CERT-In Directions introduced a new framework that is supposed to fill the gaps in the current cybersecurity practices in India. Though there are some differences, the supplemental documents didn’t stray from the initial position of the CERT-In Directions.
The main concern with the new guidelines is that they put a lot of additional pressure on already overstretched cybersecurity teams. How can SOCs and SecOps respond to this new challenge and meet the CERT-In 2022 compliance demands?
Learn how the Sumo Logic cloud-native SaaS platform enables you to:
Report an incident within CERT-In’s required timeframe of 6 hours
Send information requested by CERT-In in near real time
Maintain secure, robust, and searchable log retention for 180 days as requested by CERT-In
With Sumo Logic, you can improve detection capabilities, reduce false positives, and create an incident response plan with structured procedures that allows you to follow the CERT-In guidelines in real time and quickly generate cyber incident reports.
The CERT-In Directions 2022 in depth
What new guidelines did CERT-In put forth, and what is so contentious about them?
The top three contended CERT-In Directions points
Though there are other noteworthy topics, the most disputed and controversial are:
1. CS (Cloud Service), VPS (Virtual Private Server), and VPN (Virtual Private Network) service providers, along with intermediaries, data centers, corporates, and government organisations, are obliged to produce reports on as many as 20 types of cyber incidents within the tight time frame of 6 hours of detection.
2. CERT-In can order you to follow the directions in real time, requesting you to take a specific action or supply certain information. The order may specify the information format and required timeframe, to which you should strictly adhere and comply. Failure to meet these distinct requirements would mean you weren’t complying with CERT-In.
3. All the legal entities mentioned in the first point are obliged by the directions to retain logs in India for 180 days and share them with CERT-In when requested.
By referring to subsection (7) of section 70B of the Information Technology Act, the directions originally implied that failure to comply with the new requirements could result in fines, imprisonment, or both. Nonetheless, CERT-In qualified this statement in the FAQs by claiming that it would take a reasonable approach to penalties and penalise entities only if non-compliance is intentional. Considering how difficult it is to determine intent in general, let alone for these specific requirements, this is not as reassuring as we might hope.
Complicating things even more, CERT-In gave security and IT professionals only 60 days to implement the necessary changes to comply with the new guidelines. However, it is worth mentioning that the FAQs extended this timeline for micro, small and medium enterprises, data centers, virtual private server providers, cloud service providers, and VPN services from the initial June 28 to September 25, 2022.
Cyber incident types every cybersecurity team must report
We won’t enumerate all 20 incident types from the CERT-In Directions — the complete list is available on pages five through six.
Some of the security incidents it includes are:
Unauthorised access to IT systems
Identity theft, spoofing, and phishing attacks
DoS and DDoS attacks
Malicious code attacks like ransomware, crypto miners, trojans, and similar
The six-hour incident report deadline
To get an idea of how much pressure the six-hour condition alone can put on organizations and security professionals, consider that the time window to report an incident in the US and Europe is 24 and 72 hours, respectively. Unsurprisingly, industry professionals were not exactly ecstatic about the new six-hour requirement.
Storing logs outside India
While the directions required legal entities to keep their log files in the country, the FAQs allowed storing logs outside India. The only prerequisite was that the log copies needed to be available when CERT-In asked for them.
Data retention and sharing
CERT-In’s data retention and sharing requirements make up another aspect of the directions that has received negative feedback, criticism, and even backlash, especially from privacy-oriented professionals and institutions. Many critics see these requirements as a threat to internet users’ privacy.
Sumo Logic and CERT-In Directions 2022
Sumo Logic Cloud SIEM and SOAR and CERT-In Directions 2022
Sumo Logic Cloud SIEM and Cloud SOAR can help you achieve compliance with the CERT-In Directions in multiple ways.
Report cyber incidents within six hours
Even the most skilled analysts suffering from alert fatigue can make an error and pass over a threat, regardless of their expertise. But not with Sumo Logic. With Sumo Logic, you can leverage automation to report cyber incidents, speed up detection and incident response by reducing false positives, and respond to every specific incident with an appropriate standard operating procedure (SOP).
At the core of Cloud SIEM is a correlation engine that gives you high-fidelity insights that reduce alert triage and threat investigation time by automatically correlating signals (alerts).
Send information to CERT-In in near real time
You can’t monitor what you can’t see. You need visibility across the board to monitor what is happening within the boundaries of your information system.
Sumo Logic connects disparate tools to automate incident response and leave time-consuming tasks behind. Cloud SIEM and Cloud SOAR highlight appropriate courses of action, reducing the time needed to remediate incidents.
Furthermore, for additional information requested by CERT-In and to ensure that you have a complete understanding of the state of your information system in one place, Sumo Logic offers a feature called Cloud SOAR War Room. It provides a detailed chronological picture of a specific incident process in a single view, resulting in more efficient communication between the SOC team members.
In the CERT-In Directions context, visibility and processes are crucial because they are the keys to prompt incident response.
Maintain secure, robust, and searchable log retention for CERT-In’s required 180 days
Cloud SIEM allows you to enable and extract logs of all your critical systems, maintaining them securely for a rolling period of 180 days within the Indian jurisdiction. With variable retention, you can create index partitions and scheduled views to store your data as needed and set different retention periods. This way, you can keep the data you need for as long as required.
Six hours may be too soon to be sure what’s happening and whether a genuine incident is taking place. Nonetheless, Sumo Logic Cloud SIEM and Cloud SOAR can boost your chance of meeting this new CERT-In requirement. They can also help you satisfy the log and data retention requirements and build the cybersecurity environment that the directions require no later than September 25, 2022.