Managed SIEM / SOC
What is SIEM?
Cyber security products such as firewalls, antivirus software and IDS are indispensable, but each comes with limitations. A firewall, for example, safeguards an organization from malicious incoming traffic, yet it is of little help when the malicious activity originates from within the organization, which is the case with most malware infections, phishing, social engineering and similar attacks.
Antivirus solutions are mostly signature (definition) based: they can only recognise malware whose first, probably successful, outbreak has already happened somewhere else and been analysed.
Most threats, however, leave traces in logs. The different security and system components register activity caused by a threat even when they do not identify it as a threat. Take a malware outbreak that the antivirus does not detect: the operating system of the first infected server logs patterns of privilege escalation or other suspicious activity; when the malware enumerates the network in order to spread, the IDS logs the scanning; and when it connects to its command and control server, the firewall logs outgoing traffic to an IP address that may be on a blacklist.
Correlating logs from these different sources to detect suspicious patterns, applying threat intelligence, and ultimately giving early warning of an otherwise undetectable incident unfolding within the organization: this is the goal of a SIEM (Security Information and Event Management) system.
A SIEM solution will:
- Allow you to detect an attack that could otherwise go totally unnoticed.
- Allow you to detect an attack at its beginning, giving you time to contain it before it spreads or causes damage.
- Allow you to detect attack attempts, which enables you to protect your assets before the attack even succeeds.
- Assist you in fulfilling compliance requirements.
A successful SIEM implementation:
- Involves 24/7 SOC monitoring of the SIEM deployment and the alerts it produces.
- Requires logs to be properly parsed instead of just being collected.
- Is constantly updated, maintained and optimised.
- Utilises threat intelligence feeds (e.g. IP blacklists).
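The three points above (correlating OS, IDS and firewall logs about one host, parsing rather than merely collecting, and checking a threat intelligence list) can be shown end to end on a few lines of log. The following is an added example written for this page, not part of CYGNUS's SIEM or any product mentioned here. The hostnames, IP addresses, log lines, the host-to-IP inventory and the blacklist are all constructed for illustration; the log formats are simplified stand-ins for real sudo, IDS and firewall output.

```python
"""Toy SIEM correlation over three constructed log sources (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs. Each source has its own format, which is why parsing
# (not just collecting) matters: the correlation rule works on normalised fields.
OS_LOG = """\
2024-03-01T10:00:05Z web01 sudo: www-data : TTY=pts/0 ; COMMAND=/bin/bash
2024-03-01T10:00:09Z web01 sudo: www-data : USER=root ; COMMAND=/usr/bin/id
2024-03-01T10:02:00Z db01 sshd: Accepted publickey for backup from 10.0.0.9
"""
IDS_LOG = """\
2024-03-01T10:03:12Z ids01 ET SCAN Potential SSH Scan src=10.0.0.21 dst=10.0.0.0/24
2024-03-01T10:30:00Z ids01 ET POLICY External IP Lookup src=10.0.0.30 dst=203.0.113.7
"""
FW_LOG = """\
2024-03-01T10:04:40Z fw01 action=allow dir=out src=10.0.0.21 dst=198.51.100.23 dport=443
2024-03-01T10:05:00Z fw01 action=allow dir=out src=10.0.0.30 dst=93.184.216.34 dport=443
"""

# Assumed asset inventory (hostname -> internal IP) so that IDS and firewall
# events, which only carry IPs, can be tied to the host that the OS log names.
HOST_IP = {"web01": "10.0.0.21", "db01": "10.0.0.9"}
IP_HOST = {ip: host for host, ip in HOST_IP.items()}

# Constructed stand-in for a threat-intelligence feed (IP blacklist).
BLACKLIST = {"198.51.100.23"}

WINDOW_SECONDS = 600  # correlate events on the same host within 10 minutes


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_os(line):
    """sudo to root or to an interactive shell is the privilege-escalation signal."""
    m = re.match(r"(\S+) (\S+) sudo: (\S+) : .*COMMAND=(\S+)", line)
    if not m:
        return None
    ts, host, user, cmd = m.groups()
    if "USER=root" in line or cmd.endswith("bash"):
        return {"ts": parse_ts(ts), "host": host, "type": "priv_esc", "detail": f"{user} -> {cmd}"}
    return None


def parse_ids(line):
    """Only scan signatures count as the lateral-movement signal."""
    m = re.match(r"(\S+) \S+ (.+?) src=(\S+) dst=(\S+)", line)
    if not m:
        return None
    ts, sig, src, dst = m.groups()
    if "SCAN" not in sig:
        return None
    return {"ts": parse_ts(ts), "host": IP_HOST.get(src, src), "type": "scan", "detail": sig}


def parse_fw(line):
    """Outbound connection to a blacklisted IP is the C2 signal."""
    m = re.match(r"(\S+) \S+ action=(\w+) dir=(\w+) src=(\S+) dst=(\S+)", line)
    if not m:
        return None
    ts, action, direction, src, dst = m.groups()
    if direction != "out" or dst not in BLACKLIST:
        return None
    return {"ts": parse_ts(ts), "host": IP_HOST.get(src, src), "type": "c2_contact", "detail": dst}


def collect_events(os_log=OS_LOG, ids_log=IDS_LOG, fw_log=FW_LOG):
    """Parse every source into one normalised event list."""
    events = []
    for text, parser in ((os_log, parse_os), (ids_log, parse_ids), (fw_log, parse_fw)):
        for line in text.splitlines():
            ev = parser(line)
            if ev:
                events.append(ev)
    return events


def correlate(events, window=WINDOW_SECONDS):
    """Alert when one host shows priv_esc, scan and c2_contact inside `window` seconds."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        if not {"priv_esc", "scan", "c2_contact"} <= {e["type"] for e in evs}:
            continue  # a single signal on its own is not enough to alert
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        if span <= window:
            alerts.append({"host": host, "span_seconds": span, "chain": [e["type"] for e in evs]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(collect_events()):
        print(alert)
```

None of the three sources alerts by itself: sudo to root on a web server, a scan signature and an allowed HTTPS connection are each routine in isolation. Only after parsing each format into the same fields and tying them to one asset does the chain on `web01` stand out, and the time window keeps unrelated activity on the same host from being stitched together.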
Who needs SIEM & SOC?
A common misconception is that only large organisations gain value from a SIEM deployment and SOC monitoring. Cyber security is for everyone, as the many small businesses that have suffered severe security incidents show.
Falling costs of SOC monitoring in the past few years make managed security a very smart choice for companies of every size, increasing their security, credibility and competence in policy and compliance matters.
An inexpensive SIEM solution developed by CYGNUS
CYGNUS has created a cloud-hosted SIEM solution based on open source software, allowing a significant reduction in cost (up to 80% lower than commercial solutions).
Our SIEM and SOC service includes:
1. 24/7/365 monitoring of logs, alerts and offences
2. Threat credibility assessment and false positive elimination
3. Solution optimisation and maintenance
4. Log parsing optimisation
5. Host-level monitoring for every workstation
6. Reporting to customer, on a per-incident basis and on agreed timeframes