SIEM Implementation and Tuning
Data Source & Asset Prioritization
We begin by engaging IT platform stakeholders to communicate the future state of your SIEM based on discussion of objectives and data sources. We prioritize data sources and develop a plan for integrating them. We then work with stakeholders to help identify critical assets including servers and workstation groups which require increased monitoring. We design how voluminous server and workstation events might be consolidated and triaged prior to ingestion.
Data Source, Assets and Threat Intelligence Integration
We coordinate with IT platform owners to integrate data sources, testing event source feeds in priority order and verifying correct ingestion into the SIEM. We design watch lists and groups within the SIEM to support future use cases that monitor critical assets. We also integrate threat intelligence feeds and verify that threat intelligence is correlated against event data and correlation rules.
SIEM Use Case Development and Testing
We define priority attack use cases and their associated test cases which must be reliably detected and addressed in the incident response workflow. Use cases take into account critical assets & groups as well as our extensive experience executing proof of concept penetration testing including external network and application reconnaissance, brute force attacks, web server exploitation, spear-phishing, anti-virus bypass, lateral movement, privilege escalation, unauthorized data access and data exfiltration. We draw from our extensive pre-existing library of SIEM Priority Use Cases to bring you constantly updated expertise.
We implement rules and watch lists and verify that the alerts and data arriving in the SIEM management console are actionable. We tune out “white noise” data to enable more efficient detection and response activities. We design and implement custom correlation rules.
We configure and test priority use cases and test them through simulated attacks. We tune configurations and iterate simulations to ensure that the SIEM correctly alerts on incidents.
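To make the concepts in the two sections above concrete (watch lists for critical assets, threat-intelligence enrichment, a custom correlation rule, and a tuning list that suppresses known-benign noise), here is a small correlation engine written as an added example. It is not code from the original page or from any SIEM product; the event format, the host names, the IP addresses (drawn from documentation ranges) and the watch-list contents are all constructed for illustration.

```python
"""
Toy SIEM correlation engine (added example, not the page's own code).

Assumed, constructed event format, one event per line:
    "<ISO-8601 timestamp> <source_ip> <target_host> <FAIL|SUCCESS>"
Events are expected in chronological order, as a SIEM pipeline would deliver them.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed watch lists; every value here is hypothetical.
CRITICAL_ASSETS = {"dc01", "db01"}        # hosts requiring increased monitoring
THREAT_INTEL_IPS = {"203.0.113.7"}        # sample threat-intel feed entry
TUNED_OUT_SOURCES = {"10.0.0.5"}          # e.g. an authorised vulnerability scanner

# Rule parameters: N failed logons followed by a success within the window.
FAIL_THRESHOLD = 3
WINDOW = timedelta(minutes=5)


def parse_event(line):
    """Parse one constructed log line into a dict."""
    ts, src, host, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "host": host, "outcome": outcome}


def correlate(lines):
    """Run the brute-force-then-success rule; return the list of alerts raised."""
    alerts = []
    failures = defaultdict(deque)  # (src, host) -> timestamps of recent failures
    for ev in map(parse_event, lines):
        if ev["src"] in TUNED_OUT_SOURCES:
            continue  # tuned out: known-benign "white noise"
        q = failures[(ev["src"], ev["host"])]
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()  # forget failures that aged out of the window
        if ev["outcome"] == "FAIL":
            q.append(ev["ts"])
            continue
        if ev["outcome"] == "SUCCESS" and len(q) >= FAIL_THRESHOLD:
            severity, tags = "medium", []
            if ev["host"] in CRITICAL_ASSETS:      # watch-list enrichment
                severity, tags = "high", tags + ["critical-asset"]
            if ev["src"] in THREAT_INTEL_IPS:      # threat-intel enrichment
                severity, tags = "critical", tags + ["threat-intel-match"]
            alerts.append({"rule": "brute-force-then-success",
                           "ts": ev["ts"].isoformat(), "src": ev["src"],
                           "host": ev["host"], "failed_attempts": len(q),
                           "severity": severity, "tags": tags})
            q.clear()
    return alerts


# Constructed sample events exercising each path of the rule.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00 10.0.0.5 dc01 FAIL",        # scanner: tuned out
    "2024-01-01T10:00:01 10.0.0.5 dc01 FAIL",
    "2024-01-01T10:00:02 10.0.0.5 dc01 FAIL",
    "2024-01-01T10:00:03 10.0.0.5 dc01 SUCCESS",
    "2024-01-01T10:01:00 198.51.100.9 ws01 FAIL",    # ordinary host: medium
    "2024-01-01T10:01:10 198.51.100.9 ws01 FAIL",
    "2024-01-01T10:01:20 198.51.100.9 ws01 FAIL",
    "2024-01-01T10:01:30 198.51.100.9 ws01 SUCCESS",
    "2024-01-01T10:02:00 203.0.113.7 dc01 FAIL",     # critical asset + intel hit
    "2024-01-01T10:02:05 203.0.113.7 dc01 FAIL",
    "2024-01-01T10:02:10 203.0.113.7 dc01 FAIL",
    "2024-01-01T10:02:15 203.0.113.7 dc01 SUCCESS",
    "2024-01-01T10:03:00 192.0.2.4 db01 FAIL",       # below threshold: no alert
    "2024-01-01T10:03:05 192.0.2.4 db01 FAIL",
    "2024-01-01T10:03:10 192.0.2.4 db01 SUCCESS",
    "2024-01-01T10:10:00 192.0.2.8 ws02 FAIL",       # failures age out: no alert
    "2024-01-01T10:10:01 192.0.2.8 ws02 FAIL",
    "2024-01-01T10:10:02 192.0.2.8 ws02 FAIL",
    "2024-01-01T10:20:00 192.0.2.8 ws02 SUCCESS",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields two alerts: a medium one for the ordinary workstation and a critical one for the domain controller, whose source also appears in the threat-intel set. The scanner's identical pattern produces nothing because its address is on the tuning list, which is the "white noise" suppression the text describes; in practice that list should be reviewed regularly, since a tuned-out source is also a blind spot.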
Incident Response Workflow and Documentation
We work with Security and IT to define the target Incident Response Workflow (IRW) to be built on the SIEM or a separate IRW tool like Resilient, Cybersponse or others. We connect security and IT activities to other processes such as command center/crisis management and corporate communications.
We document and test how security incidents will be detected, investigated, prioritized, escalated and remediated. We also design reporting formats to identify trends and needs as your process matures.
We test the IRW with stakeholders and train your team to take over and maintain the process. We propose metrics to collect and report on a regular basis, and assist you in creating an executive summary presentation of the Monitoring & Response program, its capabilities, benefits and deliverables.
We document the solution environment, including the technical requirements and dependencies needed for smooth operation, and train and transition the solution to your resources.