
Your SIEM needs a Hedgehog!

At Cybriant, we are big fans of Jim Collins’s book, Good to Great. This is a classic book for business leaders that describes how Mr. Collins and his team researched 1,435 established companies to find common traits of those businesses that made a leap from average to great results. The principles that are discussed in the book include lessons on eggs, flywheels, hedgehogs, and other essentials of business.

Let’s talk Hedgehogs

In his famous essay "The Hedgehog and the Fox," Isaiah Berlin divided the world into hedgehogs and foxes, based upon an ancient Greek parable: "The fox knows many things, but the hedgehog knows one big thing." Mr. Collins asks in his book, "Are you a hedgehog or a fox?"

Cybriant understands that when it comes to managed SIEM, we are hedgehogs. According to the book Good to Great, a hedgehog concept is a simple, crystalline concept that flows from deep understanding about the intersection of three circles: 1) what you are deeply passionate about, 2) what you can be the best in the world at, and 3) what best drives your resource engine.

We are hedgehogs because we are deeply passionate about understanding SIEMs: how they work, how to get the proper data out of them, and what to do with that data. We are the best in the world at this because we have the top talent on staff, of course! What drives our resource engine is SIEM, SIEM, SIEM. SIEM implementations, training, monitoring, and so much more. We live and breathe SIEM.

So, why do you need a Hedgehog for your SIEM?

One of our partners, AlienVault, was included in the recent Gartner Magic Quadrant for SIEM. This is awesome news! If you already use AlienVault, you know that you are working with the best. But not every company has the resources to make it (or whichever SIEM you choose) work properly for them.

According to Gartner, there are four "cautions" when it comes to AlienVault. Here's how a hedgehog like Cybriant can help address those potential weaknesses in your SIEM:

Caution #1: USM provides NetFlow capture, basic statistics, and context for assets, but cannot generate alerts from NetFlow.

The recent 5.4.x AlienVault release added the ability to generate alerts from NetFlow, so this caution has been addressed, but we would always recommend using the right tool for the job.

AlienVault is a phenomenal correlation engine that can take a lot of data from disparate sources and discover threats in seemingly innocuous information. It does this by taking data from Active Directory, antivirus engines, firewalls, intrusion detection, and anything else that can produce a log message for analysis. Each of these sources is a single slice of the pie, and NetFlow is just one more slice. There are also technologies that specialize in analyzing nothing but NetFlow to discover behavioral events and judge whether they are a threat. AlienVault takes the output of those specialized tools and builds a holistic threat analysis, so that you get the whole pie and not just a single slice.

Caution #2: Integration of unsupported data sources is cumbersome compared with competing products. Alternatively, users can request AlienVault develop a plug-in to enable the integration.

The fact of the matter is that there is no data analysis engine that can parse and integrate every technology on the market without some sort of expertise, understanding of the data, and ability to create an integration.

Cybriant engineers regularly write plugins and integrations for the AlienVault platform. For simple products that are "unsupported" by AlienVault, writing a plugin may take an hour. For very complex products with hundreds (or more) of message variations in their logs, it will take longer. Through literally thousands of implementations, the Cybriant team has yet to find a product that cannot be integrated (or have a plugin created for it) as long as it outputs data.
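What a plugin for an "unsupported" source actually does is mechanical: match each raw line against a regex for one of the vendor's message types, map the captured groups onto the SIEM's normalized fields, and make any line that matched no rule visible so the gap can be closed. The following is an added illustration of that idea in Python; it is not AlienVault's plugin format (which is a configuration file of regexes) and not Cybriant's code. The "AcmeVPN" appliance, its log format, and the sample lines are constructed for the example.

```python
"""Illustration of a SIEM plugin for an unsupported log source.

Added example, not AlienVault's plugin format and not Cybriant's code.
The AcmeVPN appliance, its message formats and SAMPLE_LOG are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# One rule per message type the (hypothetical) appliance emits. Named groups
# become normalized fields; anything the regex does not capture is dropped.
RULES = [
    ("vpn_login_ok", re.compile(
        r'^(?P<ts>\S+) acmevpn\[\d+\]: user=(?P<user>\S+) src=(?P<src_ip>\S+) '
        r'msg="Authentication succeeded"$')),
    ("vpn_login_fail", re.compile(
        r'^(?P<ts>\S+) acmevpn\[\d+\]: user=(?P<user>\S+) src=(?P<src_ip>\S+) '
        r'msg="Authentication failed" reason=(?P<reason>\S+)$')),
    ("vpn_session_end", re.compile(
        r'^(?P<ts>\S+) acmevpn\[\d+\]: user=(?P<user>\S+) src=(?P<src_ip>\S+) '
        r'msg="Session closed" bytes=(?P<bytes>\d+)$')),
]


@dataclass
class Event:
    """Normalized event: the fields a correlation engine keys on."""
    event_type: str
    timestamp: datetime
    user: Optional[str] = None
    src_ip: Optional[str] = None
    extra: dict = field(default_factory=dict)   # vendor-specific leftovers


def parse_line(line: str) -> Optional[Event]:
    """Return a normalized Event, or None if no rule matches the line."""
    for event_type, rx in RULES:
        m = rx.match(line.rstrip("\n"))
        if m:
            g = m.groupdict()
            ts = datetime.fromisoformat(g.pop("ts").replace("Z", "+00:00"))
            return Event(event_type, ts, g.pop("user"), g.pop("src_ip"), g)
    return None


def parse_log(lines):
    """Split raw lines into parsed events and the lines no rule covers.

    Unparsed lines are returned rather than silently dropped: a plugin that
    swallows unknown messages hides exactly the coverage gap you need to fix.
    """
    events, unparsed = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def failed_logins_by_source(events):
    """Tiny correlation step over normalized events: failures per source IP."""
    counts = {}
    for ev in events:
        if ev.event_type == "vpn_login_fail":
            counts[ev.src_ip] = counts.get(ev.src_ip, 0) + 1
    return counts


# Constructed sample log; the last line is a message type with no rule yet.
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z acmevpn[412]: user=alice src=198.51.100.7 msg="Authentication succeeded"',
    '2024-05-01T10:00:05Z acmevpn[412]: user=admin src=203.0.113.9 msg="Authentication failed" reason=bad_password',
    '2024-05-01T10:00:07Z acmevpn[412]: user=admin src=203.0.113.9 msg="Authentication failed" reason=bad_password',
    '2024-05-01T10:00:09Z acmevpn[412]: user=root src=203.0.113.9 msg="Authentication failed" reason=unknown_user',
    '2024-05-01T10:15:00Z acmevpn[412]: user=alice src=198.51.100.7 msg="Session closed" bytes=183422',
    '2024-05-01T10:16:00Z acmevpn[412]: msg="Tunnel keepalive" peer=198.51.100.7',
]

if __name__ == "__main__":
    events, unparsed = parse_log(SAMPLE_LOG)
    print(f"{len(events)} events normalized, {len(unparsed)} lines without a rule")
    for line in unparsed:
        print("  unparsed:", line)
    print("failed logins by source:", failed_logins_by_source(events))
```

The point of returning the unparsed lines is the "hundreds of rule variations" problem from the text: the first version of a plugin never covers every message type, and the only reliable way to find the missing ones is to keep counting what fell through.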

Caution #3: Although identity activity can be linked with assets, USM provides only basic enrichment of event data with user context; and identity and access management (IAM) integration is limited to Active Directory and LDAP.

There are many tools that can integrate with AlienVault to provide enriched user data, and out of the box, AlienVault has some built-in IAM capabilities. Additionally, the USM Anywhere product has more advanced user enrichment functionality with IAM and IDM software. However, when we encounter cases where a user had a problem with their SIEM, we typically discover that one of two things has occurred:

  • The necessary data isn’t being fed into the SIEM (either by lack of logging verbosity or other configuration issues).
  • The security analyst (or, as is more often the case, an overworked systems administrator) performing the analysis doesn't have the experience necessary to do a data deep dive.

Think of it this way: if you have a musical instrument and don't tune it correctly, it will sound terrible. Similarly, if the data being sent to the SIEM isn't correct and the system isn't tuned to process that data well, a security analyst will get poor results. And, as with a musical instrument, you could have the best-made instrument in the world, but if the musician doesn't know how to play it, it will still sound terrible. With a SIEM, if the analyst (or administrator) doesn't have the experience and dedicated training required to be successful, the results will be poor.
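The first failure mode above, data not reaching the SIEM because a source went quiet or because auditing is not verbose enough, is easy to check for if you state what "correct data" means per source: how long each may be silent, and which event types must show up when auditing is configured properly. The following added example, not Cybriant's or AlienVault's code, runs that check over a constructed event stream. The host names, the required event types (Windows 4624/4625/4688 for the domain controller, for instance) and the sample records are assumptions; in practice the records would come from a query against the SIEM's own index for the last window.

```python
"""Log-source coverage check: is every expected source feeding the SIEM,
and at the verbosity the detections need?

Added example, not Cybriant's or AlienVault's code. EXPECTED, NOW and
SAMPLE_EVENTS are constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Per source: how long it may go quiet before that is itself an alarm, and
# which event types must appear if auditing is set to the right verbosity.
EXPECTED = {
    "dc01":  {"max_gap": timedelta(minutes=5),  "required": {"4624", "4625", "4688"}},
    "fw01":  {"max_gap": timedelta(minutes=5),  "required": {"deny"}},
    "vpn01": {"max_gap": timedelta(minutes=15), "required": {"login_ok", "login_fail"}},
    "web01": {"max_gap": timedelta(minutes=5),  "required": {"access"}},
}

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _t(minutes_ago: int) -> datetime:
    return NOW - timedelta(minutes=minutes_ago)


# Constructed (source, timestamp, event_type) records for the last window.
# dc01 logs logons but no process creation (4688 auditing is off);
# fw01 stopped sending 18 minutes ago; web01 never showed up at all.
SAMPLE_EVENTS = [
    ("dc01", _t(2), "4624"), ("dc01", _t(1), "4625"), ("dc01", _t(1), "4624"),
    ("fw01", _t(20), "deny"), ("fw01", _t(18), "deny"),
    ("vpn01", _t(10), "login_ok"), ("vpn01", _t(3), "login_fail"),
]


def coverage_report(events, expected, now):
    """Return {source: [problem, ...]} for every expected source with a gap.

    Sources with no problems are omitted, so an empty dict means full coverage.
    """
    last_seen = {}
    seen_types = defaultdict(set)
    for source, ts, event_type in events:
        if source not in expected:
            continue  # unknown senders are an inventory problem, handled elsewhere
        last_seen[source] = max(last_seen.get(source, ts), ts)
        seen_types[source].add(event_type)

    report = {}
    for source, spec in expected.items():
        problems = []
        if source not in last_seen:
            problems.append("no events received")
        else:
            gap = now - last_seen[source]
            if gap > spec["max_gap"]:
                problems.append(f"silent for {int(gap.total_seconds())}s")
            for missing in sorted(spec["required"] - seen_types[source]):
                problems.append(f"missing event type {missing}")
        if problems:
            report[source] = problems
    return report


if __name__ == "__main__":
    for source, problems in coverage_report(SAMPLE_EVENTS, EXPECTED, NOW).items():
        print(f"{source}: {'; '.join(problems)}")
```

Run on a schedule, this turns "the data isn't being fed in" from something discovered during an incident into an alarm in its own right, which is the tuning step the instrument analogy is about.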

At Cybriant our SIEM analysts have a deep understanding of both how the SIEM should be configured and how to discover threats using the SIEM. These are two distinctly different skills. Additionally, our SIEM analysts have direct and instant access to the rest of our team members who specialize in different fields (such as implementations, malware analysis, forensic analysis, etc.). This means that instead of a single security analyst hunting down alarms, Cybriant has an entire security task force actively monitoring your infrastructure.

Caution #4: AlienVault’s workflow capabilities do not include integrations with external ticketing systems or role-based workflow assignments. 

The traditional AlienVault USM does not have integrations with external ticketing systems, and so the Cybriant Security Operations Center solves this issue by having rigorous Processes and Procedures in place.  Without Processes and Procedures, workflows and integrations are typically handled in a hodgepodge manner instead of a hedgehog manner.

Additionally, with USM Anywhere, AlienVault now has integrations with external ticketing systems. Cybriant can therefore apply our existing processes and procedures alongside that automation to keep costs low for our customers.

Learn more about Cybriant and let us know if you need a hedgehog for your SIEM!


Why do you need a Managed Security Service Provider (MSSP)?

MSSPs today offer extremely advanced tools and possess the expertise needed to run them. But, it’s understandable that your company may have some concerns about turning over any security-related functions to an outside provider.

An Enterprise Strategy Group survey reported that 57% of 340 surveyed IT and security professionals reported that they are currently using an MSSP in some capacity to protect their company. The reasons may include the fact that many internal security initiatives struggle to get adequate funding and teams often lack the skills, tools, and people to deploy security programs to their enterprise.

According to TechTarget, the pros of outsourcing security services to an MSSP include the following:

  • Capital expenditures are kept to a minimum.
  • There’s a dedicated expert staff for the protection of critical assets.
  • Typically the largest expenditure, IT personnel, is greatly reduced.
  • There is continuous security monitoring.
  • Enterprises do not have to spend funds on training, office space, equipment, software tools, and other operating costs.
  • The cost of a managed service is significantly less than maintaining the same level of service in-house.

While the financial benefits are significant, your organization will still need a foundational security program, like NIST CSF.

NIST CSF is guidance, based on standards, guidelines, and practices, for organizations to better manage and reduce cybersecurity risk. The framework is organized around five functions:

Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect – Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services.
Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Find out more about our managed services. 

Why use a Managed Security Service Provider (MSSP) for your cybersecurity?

Cybersecurity Insiders along with AlienVault recently released the Cybersecurity Trends Report with a highlight on the benefits, challenges, and trends of using a Managed Security Service Provider (MSSP).

According to the report, "Our research shows that about half of organizations deploy a mix of in-house and outsourced IT security. Companies turn to outsource and managed security services providers to alleviate the pressures they face, such as assessing and using security devices, remediating against new types of attacks, protecting their organization against data theft, addressing skills shortages, and filling resource gaps."

“Managed security services are provided by a third party (MSSP) on behalf of the client, including 24/7 network monitoring and management of network security and controls, overseeing patch management, and responding to emergencies.”

Key Survey Findings

  1. The predominant driver for organizations to consider managed security services is the lack of internal security resources and expertise (39%) to cope with the growing demands of protecting data, systems, and applications against increasingly sophisticated threats.
  2. Security expertise (71%) is by far the most critical capability organizations look for in MSSPs, followed by cost (54%) and breadth of capabilities (50%).
  3. The most requested security capabilities offered by MSSPs are security monitoring (54%), event correlation and alerting (52%), and intrusion detection and prevention (IDS/IPS) (49%).
  4. Sixty-five percent of organizations confirm they achieve a better security posture through partnering with a managed security provider.
  5. About a third of organizations predict a budget increase for managed security services over the next 12 months.

What are Managed Security Services?

Managed Security Services (MSS) are security services delivered to an organization by a Managed Security Service Provider (MSSP), such as monitoring, identifying malicious activity, and protecting against data breaches.

This type of service allows organizations to outsource some or all of their IT security needs to a third party, providing them with cost savings and improved security measures. The MSSP will typically monitor a company's network for threats or breaches and then take the necessary measures to mitigate them. They may also provide additional services such as malware protection, vulnerability management, and data encryption.

By taking advantage of MSS, companies can entrust their security needs to an expert provider, ensuring that they are always up to date with the latest threats. MSS can be tailored to the specific needs of any organization and its in-house team, whether it is a small business or a large enterprise. In addition, the MSSP can provide training and education on cybersecurity best practices, helping organizations stay current with industry standards and regulations.

Why Managed Security? 

The predominant driver for organizations to consider managed security services is the lack of internal security resources and expertise (39%) to cope with the growing demands of protecting data, systems, and applications against increasingly sophisticated threats. This is closely followed by a desire to reduce the cost of security (36%), move to continuous 24/7 security coverage (31%), improve compliance (27%), and increase the speed of response to incidents (19%).

Improved Security with MSSPs

Sixty-five percent of organizations confirm they achieve a better security posture through partnering with a managed security provider. Improved quality of protection (52%), more accurate threat detection (43%), and regulatory compliance (36%) round out the top four benefits.

 

Read more at Cybersecurity Insiders. 

Cyber Security Managed Services

Cyber security managed services are a specific type of service that helps businesses protect their computer networks and data from cyber-attacks. These services can include things like security monitoring, vulnerability assessment, and incident response. By outsourcing these services to a third party, businesses can reduce the risk of cyber-attacks and ensure that their networks are kept safe.

What is MSSP in Cyber Security?

In short, it is an organization or a service provider that specializes in providing managed security services. This helps organizations reduce their risk of security breaches and remain compliant with regulations and industry standards. It can also be a security operations center that provides additional support for identifying and addressing cyber threats quickly and proactively.

Overall, Managed Security Services can be extremely beneficial to organizations looking to outsource their information security needs. It can provide organizations with a cost-effective way to improve their data security and posture, as well as ensure they are staying up-to-date with the latest risks and regulations. Additionally, by outsourcing these services, companies can focus on their core business objectives rather than worrying about information security threats.

Managed Security Service Provider (MSSP)

A managed security service provider is the company that delivers those services. It operates the security monitoring, vulnerability assessment, and incident response on the customer's behalf, so the business reduces its exposure to cyber-attacks without having to staff every one of those functions in-house.

Cyber Security MSSP

Cyber security MSSPs, like Cybriant, are companies that offer specialized services to help businesses protect their computer networks and data from cyber threats. The range of services an MSSP can provide includes security monitoring, vulnerability assessment, and incident response, and because a third party delivers them, the business does not carry that staffing burden alone.

Related: Why CISOs Need to Care about Compliance Regulation in Cybersecurity

Managed Security Services

Managed security services are the specific services an MSSP delivers to protect a business's computer networks and data: security monitoring, vulnerability assessment, incident response, and related work. Outsourcing them to a third party reduces the business's exposure to cyber-attacks and keeps its networks monitored.

There are many different types of managed security services, but they all share the same goal: protecting the business's computer networks and data from cyber-attacks. The most common are security monitoring, vulnerability assessment, and incident response.

Security monitoring is a service that helps businesses detect and respond to security threats. This can include things like monitoring network traffic for signs of malicious activity and running regular vulnerability scans.

Vulnerability assessment is a service that helps businesses identify and fix security vulnerabilities. This can include things like security audits, conducting penetration tests, and performing code reviews.

Incident response is a service that helps businesses respond to security incidents. This can include things like investigating incidents and providing support during a crisis.

Managed security services can be provided by a number of different types of companies, including managed service providers (MSPs), managed security service providers (MSSPs), and cyber security firms.

Businesses have many different options when it comes to choosing a managed security service provider. Some factors that businesses should consider include the type of services offered, the size of the company, and the location.

The type of services offered is an important factor to consider when choosing a managed security service provider. Some providers offer a wide range of services, while others specialize in one or two specific areas.

Best Practices when Working With Managed Security Services Providers

When working with a managed security service provider, there are several best practices that should be followed in order to ensure an optimal experience.

First and foremost, it is essential to understand the services that are being offered. This includes both the technical details of the services as well as any associated costs. It’s also important to make sure you have established clear goals and expectations for the project, as well as a timeline for when results will be achieved.

It’s also important to ensure that you have established a good communication system between yourself and the MSSP. This not only helps ensure all parties remain on the same page but also helps build trust and transparency throughout the process.

By taking all these factors into consideration, you can be sure that you are getting the most out of your managed security service provider. With the help of a reliable MSSP, you can rest assured that your security needs are taken care of and your data is safe and secure.

Managed Services Offered by Cybriant

If you are looking for an information security program or service provider to help reduce your information security risks, consider Cybriant.

We not only offer exceptional customer service, but we also offer the following security functions:

  • Managed SIEM
  • Managed Detection and Remediation
  • Vulnerability Management
  • CybriantXDR
  • Compliance Assessment Services
  • Automated Penetration Testing

Find out more about our Managed Security Service.