Case Study · Managed Security Services · SOC
24/7 SOC Deployment, SIEM Onboarding, and CERT-In Compliant Incident Detection for a Payments Infrastructure Company
Engagement Background
The Situation When We Were Engaged
A Hyderabad-based payments infrastructure company holding a Prepaid Payment Instrument (PPI) licence from the RBI was processing ₹2,400 crore in monthly transactions across merchant acquiring and corporate payroll disbursement. The company had no dedicated security operations function — a single IT manager handled all security matters reactively.
Following RBI’s Master Direction on Information Technology Framework and the CERT-In notification mandate under the IT Amendment Rules 2022, the company faced a compliance deadline. RBI’s IT examination framework required a documented SOC function and 6-hour breach notification capability. The company engaged SIRI Law LLP to design, deploy, and operate a managed SOC within 30 days to meet the regulatory deadline.
Within the first week of SOC operation, 14 critical security alerts were identified — including a credential stuffing attack against the merchant portal and anomalous API calls consistent with account enumeration. Neither had been detected prior to SOC deployment.
Client Profile
Assessment Scope
Full-Spectrum SOC Build and Operate
SIEM Design & Onboarding
Log source identification across payment switches, API gateways, cloud infrastructure, and endpoints. SIEM rule set aligned to NPCI security requirements and RBI IT framework. 72-hour full onboarding target.
24/7 Threat Monitoring
Round-the-clock analyst coverage. Alert triage, incident classification, and escalation procedures. Threat intelligence feeds tuned for payments-specific attack patterns — credential stuffing, API abuse, and transaction manipulation.
CERT-In Compliance Framework
6-hour notification workflow designed and tested. Incident classification matrix mapping CERT-In reportable event categories to SOC alert types. Runbooks for breach notification, regulatory liaison, and legal privilege invocation.
Key Findings
What We Found
Each finding documented with evidence. Root cause and remediation guidance provided for every item.
Log correlation revealed an ongoing credential stuffing campaign against the merchant portal that had begun 11 days before SOC deployment. 847 accounts attempted; 23 successful authentications from anomalous geolocations. No prior alert had been raised. Immediate forced re-authentication and CAPTCHA deployment executed.
API gateway logs showed systematic account enumeration attempts — sequential merchant ID probing at 3,200 requests/hour from rotating IP ranges. Consistent with pre-fraud reconnaissance. API rate limiting was absent. Immediate throttling rules deployed; pattern reported to NPCI fraud intelligence unit.
SIEM correlation detected a privileged database administrator account logging in at 02:14 IST from a new device fingerprint — the account holder was on annual leave. Incident escalated immediately; session terminated within 4 minutes. Privileged access management (PAM) gap remediated with same-day just-in-time access controls.
Log retention audit revealed transaction logs retained for 45 days and access logs for 30 days — far below the 180-day minimum required by CERT-In IT Amendment Rules 2022. Cold storage archival pipeline deployed within 48 hours. All historical logs recovered from backup tapes and ingested into compliant retention.
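The three correlations described in the findings above (credential stuffing across many accounts with a success from an unseen geolocation, sequential merchant-ID probing from rotating IPs, and a privileged login off-hours from a new device fingerprint), as an added Python example that is not the engagement's SIEM rule set. The events, thresholds, `PRIVILEGED` list and `KNOWN_FP`/`KNOWN_GEO` baselines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events for illustration only, not logs from the engagement.
EVENTS = [
    # portal auth failures from one IP across many distinct merchant accounts, then one success
    *[{"type": "auth", "ts": "2024-03-02T01:1%d:00" % i, "ip": "198.51.100.7",
       "user": "merchant%03d" % i, "ok": False, "geo": "IN", "fp": None} for i in range(8)],
    {"type": "auth", "ts": "2024-03-02T01:19:00", "ip": "198.51.100.7", "user": "merchant003", "ok": True, "geo": "XX", "fp": None},
    # sequential merchant-ID probing from rotating IPs, every request a 404
    *[{"type": "api", "ts": "2024-03-02T01:2%d:00" % i, "ip": "203.0.113.%d" % (10 + i % 3),
       "path": "/v1/merchants/%d" % (5000 + i), "status": 404} for i in range(6)],
    # privileged DBA login at 02:14 from a device fingerprint never seen for that account
    {"type": "auth", "ts": "2024-03-02T02:14:00", "ip": "192.0.2.9", "user": "dba_admin", "ok": True, "geo": "IN", "fp": "fp-unknown-1"},
]
PRIVILEGED = {"dba_admin"}                      # assumed privileged-account list
KNOWN_FP = {"dba_admin": {"fp-laptop-7"}}       # device fingerprints seen before (constructed)
KNOWN_GEO = {"merchant003": {"IN"}}             # each account's historical login geos (constructed)

def credential_stuffing(events, min_accounts=5):
    """Flag IPs failing across many distinct accounts, and successes from them via an unseen geo."""
    failed = defaultdict(set)
    for e in events:
        if e["type"] == "auth" and not e["ok"]:
            failed[e["ip"]].add(e["user"])
    suspect = {ip for ip, users in failed.items() if len(users) >= min_accounts}
    takeovers = [e["user"] for e in events if e["type"] == "auth" and e["ok"]
                 and e["ip"] in suspect and e["geo"] not in KNOWN_GEO.get(e["user"], set())]
    return sorted(suspect), takeovers
def merchant_enumeration(events, min_run=5):
    """Flag a run of consecutive merchant IDs returning 404, correlated across all source IPs."""
    probes = sorted((int(e["path"].rsplit("/", 1)[1]), e["ip"]) for e in events
                    if e["type"] == "api" and e["status"] == 404 and "/merchants/" in e["path"])
    run = best = 1 if probes else 0
    for (a, _), (b, _) in zip(probes, probes[1:]):
        run = run + 1 if b == a + 1 else 1   # reset when the ID sequence breaks
        best = max(best, run)
    return best >= min_run, sorted({ip for _, ip in probes})
def privileged_anomaly(events, start=7, end=21):
    """Flag successful privileged logins outside business hours or from an unseen device."""
    hits = []
    for e in events:
        if e["type"] == "auth" and e["ok"] and e["user"] in PRIVILEGED:
            hour = datetime.fromisoformat(e["ts"]).hour
            reasons = [r for r, bad in (("off-hours", not start <= hour < end),
                       ("new-device", e["fp"] not in KNOWN_FP.get(e["user"], set()))) if bad]
            if reasons:
                hits.append((e["user"], e["ts"], reasons))
    return hits
```

Each function returns what a triage queue would need: the offending source IPs and affected accounts, the correlated IP set behind the enumeration run, and the reasons a privileged session should be escalated.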
Engagement Timeline
Phase-by-Phase Execution
Log Source Discovery & SIEM Architecture
Complete inventory of all log-generating systems: payment switches, API gateways, cloud platforms (AWS), endpoint agents, network devices. SIEM architecture designed with payments-specific correlation rules. Data normalisation and pipeline testing.
SIEM Deployment & 72-Hour Onboarding
SIEM deployed and all priority log sources onboarded within 72 hours. Baseline alerting active. Payments-specific threat detection rules tuned — credential stuffing, API abuse, transaction anomalies, privileged access monitoring.
CERT-In Compliance Framework Implementation
Incident classification matrix mapped to CERT-In reportable events. 6-hour notification runbook drafted, reviewed by qualified advocates, and tested with a tabletop exercise. RBI breach notification template prepared under legal privilege.
Continuous Monitoring & Incident Response
24/7 analyst coverage active. First 14 critical alerts identified and triaged in Week 1. Credential stuffing and API enumeration incidents investigated and contained. Privileged access incident escalated and resolved within 4 minutes of detection.
Legal & Regulatory Risk Analysis
Why This Mattered Legally
CERT-In 6-Hour Notification — IT Amendment Rules 2022
Failure to notify CERT-In of a qualifying cybersecurity incident within 6 hours carries regulatory consequence and reputational risk. The pre-SOC environment — with no detection capability — made compliance with this timeline structurally impossible. Any breach in that period would have triggered a reporting failure.
RBI IT Framework — SOC Requirement
RBI’s Master Direction on IT Framework for regulated entities requires a documented security operations function. An RBI IT examination finding of non-compliance could result in business restriction, enhanced supervision, or licence conditions — directly threatening the PPI licence.
NPCI Security Standards — Merchant Data Breach
The credential stuffing attack, if it had resulted in merchant financial loss, would have triggered NPCI investigation and potential suspension from the acquiring network. Merchant liability for security failures in acquiring agreements created direct financial exposure to the company.
DPDPA — Customer Data Breach Notification
A successful account takeover exploiting the credential stuffing attack would have compromised customer personal data — triggering DPDPA breach notification to the Data Protection Board and affected data principals. The 14 critical alerts identified in Week 1 represented real breach-prevention value.
Outcomes & Remediation
What Changed After Our Assessment
CERT-In 6-Hour Notification Capability Operational
Full notification runbook deployed and tested. SIEM alert-to-notification workflow validated — detection to drafted CERT-In notification achieved in under 90 minutes in tabletop test.
Credential Stuffing Attack Contained — 23 Accounts Secured
Affected merchant accounts forced re-authentication. CAPTCHA deployed. Attack campaign blocked. NPCI fraud intelligence unit notified. No financial loss from the identified accounts.
Log Retention Compliance — 180 Days Active
Cold storage archival pipeline deployed. Historical logs recovered and ingested. Full CERT-In compliant 180-day retention active across all log source categories.
RBI IT Examination Readiness — SOC Documentation Package
Full SOC documentation package prepared for RBI examination: SOC charter, SIEM architecture, incident response procedures, CERT-In runbooks, and 30-day incident log demonstrating operational effectiveness.
Compliance Frameworks
Standards Applied in This Engagement
Why Choose SIRI Law LLP
Unique Advantage
Qualified advocates — legally privileged incident handling from first alert
CERT-In notification drafting is a legal function — we do both technical detection and legal notification
RBI, NPCI, and payments-specific rule sets — not a generic SOC
24/7 analyst coverage with escalation to senior legal counsel
Director GRC & Legal — Adv. Chetan Seripally
Need a CERT-In Compliant SOC — Operational in 72 Hours?
Contact SIRI Law LLP for a confidential scoping call with our legal and technical experts.