Alert Gap Discovery & Detection

Need to find the gaps in your environment? Not sure if your alerting process is up to par? We have worked within the industry to help companies detect and determine where log collection was insufficient and how to manage those gaps. We have assisted with creating detections, demonstrating where the gaps in the logging process were, and identifying which sources were needed to close them.

Learning Your Environment

Gaps in alerting can cause significant issues for organizations that need to report on security events, incidents or breaches. Without the correct information being retained or logged, your reporting process can quickly work against you. A lack of information hurts you in a number of ways: 1) responding to incidents, 2) legal exposure, 3) compliance with local and federal laws, 4) containment, and 5) system and user isolation, to name a few.

We have more than two decades of SOC, SIC and SOAR experience. Combined with Incident Response and Forensics (DFIR), we have not only the expertise to help but the understanding that comes with it: from logging that lacks fields or important pieces of information, to creating meaningful reports from those details and logs.

Our experience also extends into regulatory requirements (SOX, PCI DSS, etc.), where data retention, fields and reporting are a necessity for companies that must comply with local and federal laws. With an emphasis on the DFIR process, we can quickly gauge the information needed and provide meaningful feedback before, during and after an incident or breach, and from previous ones.


The Process

Once we enter your environment we will look at your log sources and the platform(s) you use to collect and search those logs, whether that is Splunk, QRadar, Graylog or another SIEM. Then we will look at the systems generating your logs, e.g. Windows, Mac and Linux endpoints and servers, network and security equipment (Palo Alto Networks, Sourcefire, Umbrella and more) and the other devices your environment depends upon. From this point we will leverage your SIEM to help you see where the gaps are, or where crucial information is missing from the events you do collect.

Once the information has been collected, we will review past incidents or breaches and show where those gaps impacted your response process, helping the organization justify why those points of data are required. From there, we will work with your engineering team to get the changes implemented and with your SOC leads to develop a response process for your analysts.

How it Works

  • Alerting is Analyzed

    Your current alerts are reviewed against the log sources and SIEM platform that feed them, to identify which alerts are missing, which fire on incomplete data, and where crucial information is absent from the events behind them.

  • Review of Log Sources

    Log sources are reviewed from endpoint to server and across your network devices (Cisco, Palo Alto, Zscaler, etc.) and are checked for the fields they must carry. Where fields are identified that need to be added, the request is submitted to your engineering team for collection or ingestion.

  • Justification of Alerting

    After building an adequate review of your log sources and collections, we will use past incidents in tandem with the current state and our proposed changes. Those changes provide vital feedback regarding the data, its importance and how it leads to a faster Mean Time to Respond and Mean Time to Recover, saving the business wasted costs.

  • Review of Past Incidents

    While the justification is being built, we will also work with the security team to review past incidents. From this perspective we will mock up how the currently deployed controls and our suggested recommendations would have saved time in containing an incident and stopping the bleeding. Once a baseline is established, those findings are included in the final report.

  • SOP Creation & Training

    After the suggestions have been implemented, we will work closely with your security team to produce Standard Operating Procedures for your environment covering the new alerts and logs. Your analysts will then have a defined set of actions to take on the newly created logs and points of interest, and know how to respond to them.
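The field review described under The Process and in Review of Log Sources above comes down to one measurable question: for each source, are the fields an analyst needs actually populated in the events the SIEM holds? The following is an added example written for this page, not the firm's own tooling. It runs a field-completeness audit over a constructed sample of parsed events against a hypothetical per-source schema (REQUIRED_FIELDS, the SAMPLE_EVENTS list and the "_source" tag are all assumptions) and reports three kinds of gap: required fields that are empty or absent, sources in the schema that sent no events at all, and sources that arrive with no schema.

```python
from collections import defaultdict

# Constructed schema (assumption): fields each source must carry so that
# an analyst can trace who, from where, did what, and when.
REQUIRED_FIELDS = {
    "windows_security": {"EventID", "Computer", "TargetUserName",
                         "IpAddress", "LogonType", "TimeCreated"},
    "paloalto_traffic": {"src", "dst", "dport", "action", "rule", "receive_time"},
    "linux_auth": {"host", "user", "src_ip", "result", "timestamp"},
}

# Values parsers commonly emit when a field exists but carries nothing.
EMPTY_MARKERS = {None, "", "-"}

# Constructed sample of parsed events, shaped as a SIEM would present them.
SAMPLE_EVENTS = [
    {"_source": "windows_security", "EventID": "4624", "Computer": "WS01",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.5", "LogonType": "3",
     "TimeCreated": "2024-01-01T10:00:00Z"},
    # Failed logon with no origin address or logon type: cannot be traced.
    {"_source": "windows_security", "EventID": "4625", "Computer": "WS02",
     "TargetUserName": "admin", "IpAddress": "-",
     "TimeCreated": "2024-01-01T10:02:00Z"},
    {"_source": "paloalto_traffic", "src": "10.0.0.5", "dst": "203.0.113.7",
     "dport": "443", "action": "allow", "rule": "outbound-web",
     "receive_time": "2024-01-01T10:03:00Z"},
    # Two denies with no rule name: impossible to say which policy fired.
    {"_source": "paloalto_traffic", "src": "10.0.0.9", "dst": "198.51.100.2",
     "dport": "22", "action": "deny", "receive_time": "2024-01-01T10:04:00Z"},
    {"_source": "paloalto_traffic", "src": "10.0.0.9", "dst": "198.51.100.3",
     "dport": "3389", "action": "deny", "rule": "",
     "receive_time": "2024-01-01T10:05:00Z"},
    # A source nobody has written a schema for: surfaces as unmapped.
    {"_source": "umbrella_dns", "domain": "example.net", "action": "blocked"},
]


def has_value(event, field):
    """True if the field exists on the event and is not an empty marker."""
    return event.get(field) not in EMPTY_MARKERS


def audit_fields(events, required=REQUIRED_FIELDS, threshold=1.0):
    """Measure, per source, how often each required field is populated.

    Returns a dict with three kinds of gap:
      'sources'  - per-source event count, per-field coverage fraction and the
                   fields whose coverage is below ``threshold``;
      'no_data'  - schema'd sources that produced no events (a collection gap);
      'unmapped' - sources present in the data with no schema, with counts.
    """
    counts = defaultdict(int)
    populated = defaultdict(lambda: defaultdict(int))
    unmapped = defaultdict(int)

    for ev in events:
        src = ev.get("_source")
        if src not in required:
            unmapped[str(src)] += 1
            continue
        counts[src] += 1
        for field in required[src]:
            if has_value(ev, field):
                populated[src][field] += 1

    sources = {}
    for src, fields in required.items():
        n = counts[src]
        if n == 0:
            continue
        coverage = {f: populated[src][f] / n for f in sorted(fields)}
        sources[src] = {
            "events": n,
            "coverage": coverage,
            "gaps": sorted(f for f, c in coverage.items() if c < threshold),
        }

    return {
        "sources": sources,
        "no_data": sorted(s for s in required if counts[s] == 0),
        "unmapped": dict(unmapped),
    }


def gap_summary(report):
    """Flatten the report into one line per gap, ready for an engineering ticket."""
    lines = []
    for src, info in sorted(report["sources"].items()):
        for f in info["gaps"]:
            pct = 100 * info["coverage"][f]
            lines.append(f"{src}: field '{f}' populated in {pct:.0f}% of "
                         f"{info['events']} events")
    for src in report["no_data"]:
        lines.append(f"{src}: no events received; check forwarding")
    for src, n in sorted(report["unmapped"].items()):
        lines.append(f"{src}: {n} events with no field schema; define required fields")
    return lines


if __name__ == "__main__":
    for line in gap_summary(audit_fields(SAMPLE_EVENTS)):
        print(line)
```

In a real engagement the same check runs over an export from the SIEM rather than the inline sample. The "-" and empty-string markers matter: a field that is present but blank passes a naive existence check while being just as useless for tracing as a missing one, and a source with zero events is a forwarding problem, not a parsing one, so the two are reported separately.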


Learn more about Our SOC Consulting Services and how we can help your company streamline your security processes.

