Managed SIEM UK – Managed SIEM service & 24/7 SOC monitoring

Detect cyber threats with managed SIEM

Complete coverage

Ingest logs from all sources including applications, endpoints, servers, network devices and cloud environments.

Identify threats

Never miss a genuine security threat with our team of SOC analysts monitoring your network 24/7 on your behalf.

Prevent breaches

Quickly respond to threats and protect your business with clear, step-by-step remediation actions.

Stay compliant

Meet the requirements of PCI DSS, GDPR and other regulatory standards with proactive monitoring and reporting.

Collect and search logs

With Defense.com managed SIEM you can send security logs from any device or system to maintain complete visibility over your environment. We use machine learning and human expertise to analyse your logs and detect any threats on your behalf.

If you need to, you can quickly search up to 90 days of logs at any time, plus get up to 1 year of archived as standard for no extra cost.

Tailored security alerts

Our experienced SOC team will eliminate alert fatigue by proactively monitoring your network for suspicious activity and only bringing genuine security concerns to your focus.

Know exactly where to focus your attention with automatic alert prioritisation, a clear overview of the event details and the steps you need to take to remediate the threat.

Actionable advice

Spend less time investigating each alert with detailed remediation guidance. From multiple failed logins to unauthorised software installation, when a security event is triggered you’ll get step-by-step advice about how to combat each threat, helping you to remediate them quicker.

Start seeing immediate security value with our default list of alerts, or create your own custom versions to get notified to other types of activity in your network.

Managed SIEM service highlights

Defense.com Managed SIEM delivers everything you need to detect cyber threats and prevent breaches.

24/7/365 monitoring of systems, networks, applications and users

Ingest security logs from any device, system or vendor

Simple and automated deployment for on-premises devices

Support for cloud services including Azure, AWS, GCP and Salesforce

Get real-time threat intelligence data from multiple sources

Scalable pricing model that isn't based on log volumes

Learn more about our Managed SIEM service

Features

24/7 protection and support from experienced analysts
Proactive threat hunting
Threat intelligence
MITRE ATT&CK framework mapping

Integrated machine learning
90 days of immediate log searching with up to 1 year in archive
Service aligns to the cyber kill chain and operates to SANS incident response best practices

Log types

We can ingest logs from any system or vendor that provides security value, including:

WAF, Load Balancers, etc.
Office 365
Firewalls, switches and routers
AV/endpoint
Windows/Linux servers

All AWS services (EC2, Lambda, CloudWatch, etc.)
All Azure service (Event Hubs, AD, ATP, etc.)
Custom application logs
Custom cloud services (GCP, Mimecast, Salesforce, etc.)

Runbook examples

Here are just some examples of the runbooks that will determine what actions are taken for different types of events and alerts.

Microsoft 365 + Active Directory

Potentially malicious URL click detected
Creation of forwarding/redirect rule
Unfamiliar sign-in properties observed
Atypical travel

Endpoint protection

AV/malware alert seen
Malware clean failed
Malware clean successful

Servers/applications

Privilege escalation
Vulnerability being exploited
Multiple failed logins
Malicious PowerShell usage

Network/UEBA

DoS/DDoS behaviour
Large transfer of data, especially during out of office hours
Sudden deviation from the baseline level of observed traffic
Suspicious internal activity

Onboarding process

Our team will guide you through your SIEM deployment to help you get onboarded quickly and start seeing immediate security value.

Kick off

We’ll work with you to build a profile of your company to help tailor our managed SIEM service to your requirements. This will include defining a list of assets, network diagrams, maintenance schedules and escalation points. We’ll also provide an interactive onboarding tracker that outlines the process from start to finish, so you can keep track of progress throughout.

Implementation

When you’re ready to start, we’ll assist you with all aspects of the SIEM deployment process. This will include setting up log collectors for on-prem sources and making sure that any API calls are in place for cloud-based systems. Once that’s done, we’ll verify that everything is logging into the Defense.com SIEM platform correctly before moving into the baseline phase.

Baseline

At this point, you’ll get introduced to our SOC analysts who will serve as an extension of your internal team. First, we’ll monitor the activity in your environment to define what ‘normal’ looks like. We’ll then use machine learning to tune your SIEM alerts and eliminate any false positives, ensuring that you’re only getting notified about genuine security threats.

Live service

Once your environment has been baselined, our SOC team will deliver tailored alerts and flag any suspicious activity in your network, giving you actionable remediation advice for any threats. We’ll continuously tune your runbooks in line with your business priorities and schedule regular service reviews to ensure that you’re always getting the maximum amount of value out of your SIEM.

Why choose Defense.com?

A key component of our Managed SIEM service is our in-house Service Operations Centre (SOC) with 24/7 coverage across the UK and US.

Our experienced analysts will become an extension of your team, proactively looking for malicious activity in your network and taking full ownership of your SIEM service.

Unlike most other solutions on the market, Defense.com delivers clear, step-by-step remediation advice whenever there is a security event so you can fix issues fast and get back to other tasks.

Protect your business from cyber attacks

With Defense.com Managed SIEM, your network will be monitored 24/7/365 for suspicious activity, helping to identify threats and prevent breaches. We’ll help you quickly improve your security posture with our fully managed service.

Get a quote

Here’s what our customers say about us

I couldn’t have been more pleased with the service from Defense.com™, the team are always on hand for support and are quick to respond. I found the digital reporting through the platform particularly beneficial as it enabled us to clearly understand the risks, and quickly remediate them with the helpful guidance provided.

Frequently Asked Questions

A Security Information and Event Management (SIEM) solution takes log data from various sources within your network and identifies any suspicious activity. If a security event is spotted, an alert can be raised so that remedial action can be taken.

An outsourced managed SIEM solution will proactively monitor and investigate network activity on your behalf. Any security events or outcomes are escalated directly to you, instead of floods of alerts.

Choosing to outsource SIEM to a third party can be seen as the most balanced option in comparison to building your own solution or buying an off-the-shelf product.

A managed SIEM service allows you to save time and resource by letting a third party proactively look for threats on your behalf. You’ll also benefit from no dedicated hardware or support contracts to manage and access to a wider variety of threat intelligence.

By using a managed SIEM solution such as Defense.com, you can combine the best of technology and human expertise for 24/7 threat monitoring.

For collecting logs within your network, we will provide you with the scripts and documentation for setting up a collector using Ubuntu, which needs to be installed on a standalone virtual or physical machine inside your network.

Once this is complete, we'll then ask you to deploy a couple of agents on your client devices (Winlogbeat & Filebeat) which will send the logs from these devices to the collector on the Ubuntu machine. Your logs will then be encrypted and sent to our Defense.com SIEM platform for processing.

For cloud environments like AWS and Azure we can usually collect logs via the provided API. Our team will work with you to ensure that you are collecting logs from all necessary areas of your environment. If we do not currently have an integration with your particular vendor or device then we will either find a workaround to bring the logs in or look to develop a custom integration.

FWe can ingest almost any source of log data that provides security value, regardless of the vendor or product.

This can include high-fidelity logs such as:

IDS/HIDS logs
WAF logs
Endpoint protection logs either from your existing solution or via the Defense.com agent

As well as additional low-fidelity logs that have less context on their own such as:

Firewall logs
Switch logs
Flow logs

These additional log sources help to detect attempts to laterally move to higher value assets such as Active Directory servers. This could occur when lower value assets are compromised such as workstation devices or lower criticality servers. These types of sources also provide indicators of attacks that can often not be detected using logs alone.

The more log data that we can ingest into Defense.com the more we can build a clearer picture of your environment and correlate information from different sources to drive informed decision making.

Alerts come through as a security event in your Defense.com account, which provides the details of what we have detected and answers the 'who, what, when and how'. We also create a threat connected to the security event, which provides clear remediation advice on how to address and contain what has been found.

Runbooks are used to standardise incident response processes and to ensure that the appropriate steps are taken to contain, eradicate, and recover from security incidents.

Our runbooks include the following elements:

Process overview: The steps taken to perform incident triage, incident escalation, and gives guidance on incident resolution.
Containment procedures: The steps that should be taken to contain a security incident, such as isolating affected systems, shutting down access to affected systems, and implementing other containment measures.
Eradication procedures: The steps that should be taken to eradicate a security incident, including identifying and removing malicious software, patching vulnerabilities, and implementing other remediation measures.
Recovery procedures: The steps that should be taken to recover from a security incident, including restoring systems and data, and conducting a post-incident review to identify areas for improvement.
Monitoring and detection procedures: The steps that we will be taking to detect and monitor security incidents, including configuring and maintaining our platform, and analysing log and event data.

Our SOC team assesses and prioritises all alerts and performs threat hunting and investigation in order to reduce false positives. The analyst will then either raise the security event or use it to further tune the environment. All events that are false positives are still recorded for audit purposes.

A well-documented profile is critical to our detection capabilities. We create a profile during your onboarding process and define runbooks specific to your environment to ensure that false positives are kept to a minimum. This is a standard process of our onboarding and ongoing service to reduce alert fatigue.

Managed Security Services

Other Services