The Challenge
The NBFC had grown rapidly through acquisitions, resulting in a heterogeneous IT environment with multiple legacy systems, inconsistent security configurations, and no centralised security monitoring. The company processed over ₹500 crore in digital lending transactions monthly — making it a high-value target for cybercriminals.
A near-miss incident — a phishing attack that was caught by a vigilant employee rather than a technical control — had prompted the board to commission a comprehensive security review. An initial assessment by the company's internal IT team had flagged concerns but lacked the technical depth to identify specific vulnerabilities or prescribe remediation.
The Reserve Bank of India's IT risk guidelines for NBFCs had also been tightened, and the company's upcoming regulatory audit included a cyber security assessment component. The NBFC needed to both remediate existing weaknesses and demonstrate a mature, documented security management capability to the regulator — and they had six months to achieve it.
Our Solution
UDS deployed a team of CISSP, CEH, and ISO 27001 Lead Auditor certified consultants for this engagement. The project began with a 4-week comprehensive security assessment covering network penetration testing, web and mobile application security testing, Active Directory security review, cloud configuration audit (AWS and Azure), and employee phishing simulation exercises.
The assessment identified 47 critical and high-severity vulnerabilities, including unpatched remote code execution vulnerabilities in two internet-facing applications, misconfigured AWS S3 buckets with customer data exposure risk, weak domain administrative controls allowing lateral movement across the network, and the absence of multi-factor authentication on privileged accounts.
UDS developed a prioritised remediation plan addressing critical vulnerabilities in the first 30 days. Our engineers worked alongside the client's IT team to implement fixes, harden configurations, and validate remediation through retesting. Simultaneously, we began the ISO 27001 implementation programme — mapping the client's existing controls to the standard, identifying gaps, and building the documentation framework required for certification.
The centrepiece of the long-term security programme was the establishment of a 24/7 Security Operations Centre. UDS deployed a SIEM platform, integrated logs from 140+ network and application sources, built detection rules aligned to the MITRE ATT&CK framework, and staffed the SOC with trained analysts operating in rotating shifts.
Results
- All 47 critical and high-severity vulnerabilities remediated within 60 days
- ISO 27001:2013 certification achieved in 6 months — passed first-time with zero major non-conformities
- 24/7 SOC operational with <15-minute mean detection time for high-severity alerts
- RBI regulatory cyber security audit passed with commendation from the examiner
- Two active threat intrusion attempts detected and contained in the first 3 months of SOC operations
- Employee phishing simulation click rate reduced from 34% to 4% following awareness training
Is Your Organisation's Security Posture Audit-Ready?
UDS delivers end-to-end cyber security services for financial services companies, enterprises, and government organisations across India — from initial security assessment through to managed SOC operations and compliance certification.
