Managed SIEM service

A Security Information and Event Management (SIEM) solution takes log data from various sources within your network and identifies any suspicious activity. If a security event is spotted, an alert can be raised so that remedial action can be taken.

An outsourced managed SIEM solution will proactively monitor and investigate network activity on your behalf. Any security events or outcomes are escalated directly to you, instead of floods of alerts.

Choosing to outsource SIEM to a third party can be seen as the most balanced option in comparison to building your own solution or buying an off-the-shelf product.

A managed SIEM service allows you to save time and resource by letting a third party proactively look for threats on your behalf. You’ll also benefit from no dedicated hardware or support contracts to manage and access to a wider variety of threat intelligence.

By using a managed SIEM solution such as Defense.com, you can combine the best of technology and human expertise for 24/7 threat monitoring.

For collecting logs within your network, we will provide you with the scripts and documentation for setting up a collector using Ubuntu, which needs to be installed on a standalone virtual or physical machine inside your network.

Once this is complete, we'll then ask you to deploy a couple of agents on your client devices (Winlogbeat & Filebeat) which will send the logs from these devices to the collector on the Ubuntu machine. Your logs will then be encrypted and sent to our Defense.com SIEM platform for processing.

For cloud environments like AWS and Azure we can usually collect logs via the provided API. Our team will work with you to ensure that you are collecting logs from all necessary areas of your environment. If we do not currently have an integration with your particular vendor or device then we will either find a workaround to bring the logs in or look to develop a custom integration.

We can ingest almost any source of log data that provides security value, regardless of the vendor or product.

This can include high-fidelity logs such as:

• IDS/HIDS logs
• WAF logs
• Endpoint protection logs either from your existing solution or via the Defense.com agent

As well as additional low-fidelity logs that have less context on their own such as:

• Firewall logs
• Switch logs
• Flow logs

These additional log sources help to detect attempts to laterally move to higher value assets such as Active Directory servers. This could occur when lower value assets are compromised such as workstation devices or lower criticality servers. These types of sources also provide indicators of attacks that can often not be detected using logs alone.

The more log data that we can ingest into Defense.com the more we can build a clearer picture of your environment and correlate information from different sources to drive informed decision making.

Alerts come through as a security event in your Defense.com account, which provides the details of what we have detected and answers the 'who, what, when and how'. We also create a threat connected to the security event, which provides clear remediation advice on how to address and contain what has been found.

Runbooks are used to standardise incident response processes and to ensure that the appropriate steps are taken to contain, eradicate, and recover from security incidents.

Our runbooks include the following elements:

1. Process overview: The steps taken to perform incident triage, incident escalation, and gives guidance on incident resolution.
2. Containment procedures: The steps that should be taken to contain a security incident, such as isolating affected systems, shutting down access to affected systems, and implementing other containment measures.
3. Eradication procedures: The steps that should be taken to eradicate a security incident, including identifying and removing malicious software, patching vulnerabilities, and implementing other remediation measures.
4. Recovery procedures: The steps that should be taken to recover from a security incident, including restoring systems and data, and conducting a post-incident review to identify areas for improvement.
5. Monitoring and detection procedures: The steps that we will be taking to detect and monitor security incidents, including configuring and maintaining our platform, and analysing log and event data.

Our SOC team assesses and prioritises all alerts and performs threat hunting and investigation in order to reduce false positives. The analyst will then either raise the security event or use it to further tune the environment. All events that are false positives are still recorded for audit purposes.

A well-documented profile is critical to our detection capabilities. We create a profile during your onboarding process and define runbooks specific to your environment to ensure that false positives are kept to a minimum. This is a standard process of our onboarding and ongoing service to reduce alert fatigue.

SIEM SOC refers to the combination of a Security Information Event Management (SIEM) platform, managed by a Security Operations Centre (SOC). A SIEM SOC service will typically involve proactively monitoring and investigating network activity on your behalf, with any security events being escalated to you directly.

Outsourcing your SIEM SOC operations to a third party helps you to make your budget go further, without compromising on security coverage. Having your SIEM monitored 24x7 by a SOC team also frees up your internal resources to focus on other tasks.

The pricing for Defense.com Managed SIEM is calculated primarily on the number of log sources you would like to cover. Unlike many other vendors, Defense.com Managed SIEM pricing isn't based on log volumes or daily ingestion rates. This keeps the pricing for your SIEM service predictable and scalable.