Is My Company Secure?

Saying “My company is secure” is like saying “My team scored 27 tonight”. The metric doesn’t matter if you have nothing to compare it against.

Enter the framework.

A framework is a standardized methodology for selecting, implementing, testing, and maintaining a set of safeguards, called security controls. There are many frameworks to choose from (NIST, ISO, NERC, PCI, and so on). The point is that you want to compare yourself against a known yardstick.

Without that comparison, it is very easy to fall into a never-ending cycle of buying the next security whiz-bang product, implementing the wrong controls for your environment, or hiring a consultant to test something that doesn’t need to be tested. Frameworks are like a lighthouse in the fog: they guide you toward your objective, overall security, by steering you around would-be obstacles. So how do you choose a framework?


Often the framework is chosen for you. Maybe you handle credit card data (PCI DSS), health information (HIPAA), or are a publicly traded company (SOX), in which case compliance is mandated. Otherwise, there may be a push from upper management to appease a customer, or the latest hack has scared them straight; in that case, you need to establish the framework that fits your corporation best. Choosing a framework is outside the scope of this article, but there are many sources on the subject.

Once you have chosen a framework, the real work begins. Each framework is unique, but they all follow the same basic pattern: select the security controls for your environment, implement those controls, test the effectiveness of the controls, and finally make sure the controls persist as the environment inevitably changes.

Selecting Security Controls

In this part of the process we select which controls apply to your environment. For example, say we process credit cards. One company may take the card data into a self-developed system, while another never sees that data because it uses a point-to-point encryption device. That difference completely changes how the PCI framework applies. The framework provides instructions and rules on how to apply it to your environment and what is in or out of scope, but ultimately scoping is an iterative process between data owners and security.

Implementing the Controls

This is where the rubber meets the road: applying the control requirements to the pertinent systems. The framework will not give you a step-by-step guide. Remember that it is written so that many different organizations with different technologies can apply its recommendations, so this phase means translating phrases such as “the organization approves and monitors non-local maintenance and diagnostic activities” (NIST SP 800-53 control MA-4, Nonlocal Maintenance) into something concrete, such as auditing remote logon events in SCOM.
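As an added example (not part of the original article), here is what that translation can look like in code. It models the quoted control, NIST SP 800-53 MA-4, as a check over constructed records shaped like Windows Security event 4624 (successful logon), treating logon types 3 (Network) and 10 (RemoteInteractive, i.e. RDP) as remote, and compares each remote logon against a constructed list of approved maintenance windows. Host names, accounts, tickets and timestamps are assumptions; a real deployment would pull the events from SCOM or the SIEM and the approvals from the change-management system.

```python
"""MA-4 (Nonlocal Maintenance) as a concrete check.

Added example, not from the original article. Event records mimic the
fields of Windows Security event 4624; approvals mimic change tickets.
All names, addresses, tickets and times are constructed sample data.
"""
from datetime import datetime

# Constructed approval records: who may perform remote maintenance on
# which host, and during which approved window.
APPROVED_MAINTENANCE = [
    {"ticket": "CHG-1001", "account": "CORP\\svc_backup", "host": "SQL01",
     "start": datetime(2024, 3, 4, 22, 0), "end": datetime(2024, 3, 4, 23, 30)},
    {"ticket": "CHG-1002", "account": "CORP\\jdoe", "host": "WEB02",
     "start": datetime(2024, 3, 5, 1, 0), "end": datetime(2024, 3, 5, 3, 0)},
]

# Logon types that mean the session did not originate at the console.
REMOTE_LOGON_TYPES = {3: "Network", 10: "RemoteInteractive"}

# Constructed events in the shape of event 4624/4625 fields.
SAMPLE_EVENTS = [
    {"time": datetime(2024, 3, 4, 22, 15), "event_id": 4624, "logon_type": 10,
     "account": "CORP\\svc_backup", "host": "SQL01", "source_ip": "10.1.5.20"},
    {"time": datetime(2024, 3, 4, 23, 50), "event_id": 4624, "logon_type": 10,
     "account": "CORP\\svc_backup", "host": "SQL01", "source_ip": "10.1.5.20"},
    {"time": datetime(2024, 3, 5, 2, 0), "event_id": 4624, "logon_type": 10,
     "account": "CORP\\admin_t", "host": "WEB02", "source_ip": "203.0.113.7"},
    {"time": datetime(2024, 3, 5, 2, 10), "event_id": 4624, "logon_type": 2,
     "account": "CORP\\jdoe", "host": "WEB02", "source_ip": "-"},
    {"time": datetime(2024, 3, 5, 9, 0), "event_id": 4625, "logon_type": 10,
     "account": "CORP\\jdoe", "host": "WEB02", "source_ip": "10.1.5.21"},
]


def is_approved(event, approvals=APPROVED_MAINTENANCE):
    """Return the ticket that covers this remote logon, or None."""
    for a in approvals:
        if (a["account"].lower() == event["account"].lower()
                and a["host"].lower() == event["host"].lower()
                and a["start"] <= event["time"] <= a["end"]):
            return a["ticket"]
    return None


def find_unapproved_remote_maintenance(events, approvals=APPROVED_MAINTENANCE):
    """MA-4 check: every successful remote logon must map to an approval."""
    findings = []
    for ev in events:
        # Only successful (4624) remote logons are in scope; console logons
        # (type 2) and failures (4625) are not nonlocal maintenance sessions.
        if ev["event_id"] != 4624 or ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        if is_approved(ev, approvals) is None:
            findings.append({
                "time": ev["time"].isoformat(),
                "host": ev["host"],
                "account": ev["account"],
                "source_ip": ev["source_ip"],
                "logon_type": REMOTE_LOGON_TYPES[ev["logon_type"]],
                "control": "MA-4",
                "reason": "remote logon with no matching maintenance approval",
            })
    return findings


if __name__ == "__main__":
    for finding in find_unapproved_remote_maintenance(SAMPLE_EVENTS):
        print(finding)
```

Run as-is it reports two findings: the svc_backup logon at 23:50 (outside the approved window) and the admin_t logon to WEB02 (no approval at all); the console logon and the failed logon are ignored. The point is that the control text fixes *what* must be true (approved and monitored), while the check encodes *how* your environment proves it.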

Testing the Controls

Far too many people jump straight to this stage. Many consider testing to be the definition of information security. Penetration tests, vulnerability scans, and social engineering produce volumes of “look what we did” reports, but a stack of paper describing what should be fixed at this moment is not a plan, it’s a band-aid. Testing belongs here, after selection and implementation: what is the use of following a framework and implementing a slew of security controls only to say, “I think it’s working”? We must verify.

Monitoring the Controls

Now for the boring phase: the day-to-day assurance that what you have put in place is still working. Think “who watches the watchers”. We want tools that alert us to any deviation from the plan. Security is not a point-in-time exercise; it means looking ahead to what could happen and planning for as many contingencies as possible. Monitoring is critical not only to establishing the security program but to its success over time.

By using a framework, we convert information security from what is at best a hodgepodge of duct tape into a strategy. The strategy takes us from reaction to prevention, and that takes us from front-page news to a boring company that protects its customers. In security, you want to be boring.

Cybriant is a holistic cybersecurity service provider which enables small and mid-size companies to deploy and afford the same cyber defense strategies and tactics as the Fortune 500. We design, build, manage, and monitor cybersecurity programs. Follow Cybriant @cybriantmssp and cybriant.com.

Incredible Managed SIEM Use Cases

Here are the top four SIEM use cases for managed SIEM, and why many organizations are outsourcing to third-party vendors for faster and better cyber threat detection.

Given the challenges facing security departments, security monitoring is vital. Security professionals feel the deck is stacked against them as cybercriminals keep attacking.

In this article, we tackle the most important reasons companies outsource the management of their SIEM to professional security service vendors. We believe security monitoring is vital to a strong security program because it is the fastest way to detect anything that could compromise an organization’s systems, which makes it a fundamental and core aspect of any security program.

Security Monitoring is the #1 Security Service to Outsource

According to a recent Forbes article, security monitoring is the top, most logical security function to outsource to a cybersecurity solutions firm. The article states:

Many organizations lack the budget or bandwidth to set up their security operations center to handle comprehensive monitoring and alerting services. Even large organizations with security teams in the double digits are often tackling other high-priority staffing and transformation projects that put dedicated security monitoring on the back burner.

Fortunately, security monitoring services are one of the commonly provided services by a managed security services provider (MSSP). There is an MSSP for just about every size and budget, but you get what you pay for. The onus falls on you as the customer to define what you need and to hold your provider accountable.

The other security services mentioned that make sense to outsource are incident response, security testing, assessments, and training – Cybriant can help with all of those as well.

Consider the Cost of Building a SOC Internally

Many organizations set out to build a security operations center, or SOC, internally. This makes sense for some companies. For most others, the cost, resources, and other variables are too high to consider building a SOC themselves.

We have gathered the data, crunched the numbers, and made the comparison charts in this easy-to-read ebook: https://www.cybriant.com/insource-vs-outsource/. Take a look and let us know your thoughts. Do these costs compare to what you were thinking?

SIEM Use Cases for Managed SIEM with Security Monitoring

A SIEM is a complex tool that requires expertise to implement and maintain. To be effective, a SIEM must be constantly updated and customized because external threats and internal environments are constantly changing. It requires experienced security engineering to tune the SIEM to minimize false positive alerts and maximize the efficient detection of real breaches or malicious behavior.

Let’s look at top SIEM use cases that make security monitoring vital for an organization.

#1. Access to Extensive Cybersecurity Knowledge

Your organization can’t just throw people at security monitoring; you need the right people. The right people have expertise in triaging alerts, closing complex problems, and knowing when to escalate to the incident response team. So if your organization lacks sufficient internal expertise, you need a managed security monitoring provider that can handle the resourcing for you.

75% of organizations lack skilled cybersecurity experts. There are many training programs in colleges and universities, but there is still an experience gap. By outsourcing to a cybersecurity services firm, you automatically get a deeper bench of resources, along with access to security best practices, faster time to value, lower operational and labor costs, and improved security functions.

#2. Compliance Requirements

Virtually every regulatory mandate requires some form of log management to maintain an audit trail of activity. Ticketing and alerting capabilities also satisfy routine log data review requirements. Simply having a SIEM doesn’t mean it is effective, which is the point of the compliance requirement. Many companies prefer to outsource the management of the SIEM so it is used effectively. 

Companies often think that purchasing a SIEM technology and managing it internally will work for them and help them remain compliant. Unfortunately, SIEMs are complex to install and even more complex to manage. Once a SIEM is installed and connected to every device on your network, the flood of events and alerts is more than any one person can handle. Fine-tuning your SIEM will be key, and that is something that our experts can handle for you.

#3. Advanced persistent threats (APTs)

New attack vectors and vulnerabilities are discovered every day. Your organization likely has firewalls, IDS/IPS, and AV solutions installed that look for malicious activity at various points within the IT infrastructure, from the perimeter to endpoints. However, many of these solutions are not equipped to detect zero-day attacks and advanced persistent threats.

An APT is a complex attack that evades traditional, signature-based security tools and then hangs around in an organization’s environment undetected. Advanced persistent threats can go undetected for months or more; during that time, attackers become intimately familiar with the organization’s network, its security controls, and the location of its sensitive data. APTs typically result in data theft. With security experts watching around the clock, an APT can be caught and stopped before it does damage.

#4. Around-the-clock monitoring

If you want 24/7 security monitoring in-house, you need the staffing to carry it out; a managed service already has employees watching its monitoring platform 24/7. That is why a managed service is the better option for round-the-clock monitoring. See our document Insource vs. Outsource for a cost comparison of building a 24/7 security operations center.

By reviewing your security and event logs around the clock, you can reduce your MTTD (mean time to detect). The average MTTD in the 2017 Ponemon Cost of Data Breach Study, which surveyed 419 companies, was 191 days, with a range of 24 to 546 days. Imagine the damage if a breach went undetected for 546 days. Reducing MTTD also reduces MTTR (mean time to respond; Ponemon reports it as mean time to contain), which the same study found averaged 66 days, with a range of 10 to 164 days.

SIEM use cases where managed security monitoring is commonly used: 

  • Advanced threat detection
  • Device monitoring/alerting
  • Compliance reporting
  • And much more

No matter the size of your organization, you need to protect your data. And failure to protect your data puts the company at risk of financial issues, loss of goodwill, and legal liability.

Managed SIEM Benefits

The immediate benefits of outsourcing the management of your SIEM include:

  • Malicious activity is identified and contained sooner
  • Satisfy compliance requirements at lower expense
  • Awareness of any evolving cyber threats that may hit your organization
  • Improved use of SIEM technology investment
  • Dedicated security professionals review security logs and alerts in real-time
  • Security expenses are moved from capital to operational

Cybriant has worked with many clients to install and monitor their SIEM. Take a look at these specific managed SIEM use cases:  https://www.g2.com/products/cybriant/references/cybriant

How Does a SIEM Work?

SIEM provides two main capabilities to an Incident Response team:

  • Reporting and forensics about security incidents
  • Alerts based on analytics that match a certain rule set, indicating a security issue

At its core, SIEM is a data aggregator, search, and reporting system. SIEM collects enormous amounts of data from your complete networked environment, consolidates it, and makes that data human-accessible. With the data classified and laid out at your fingertips, you can study data security breaches with as much detail as needed. A sample of Cybriant’s managed SIEM use cases can be seen at https://cybriant.com/client-use-cases/

However, experts say enterprise demand for greater security measures has driven more of the SIEM market in recent years. This is why Managed SIEM has gained popularity. Many IT departments are unable to spend the time necessary to draw the data out of a SIEM that will allow them to properly detect cyber threats.

What is the Difference Between SIEM and a SOC?

A SOC, or Security Operations Center, is a monitoring center. A SOC is typically made up of skilled security analysts who examine the data coming in from your SIEM and determine whether anything critical or unusual is happening.

A SOC should have a SIEM to help pull together all the logs and build correlation rules around them.

Many organizations purchase a SIEM and use in-house resources that may not be prepared to handle all the data that comes along with a SIEM.

Based on a recent study on the State of the SOC, security practitioners from enterprise organizations are overwhelmed by the sheer volume of alerts and investigations that require their attention.  The results of the study indicate:

  • 60% of Security Operations Center analysts can only handle between 7-8 incident investigations per day. — Fidelis Cybersecurity, 2018
  • Only 17% of organizations have a dedicated threat-hunting team. — Fidelis Cybersecurity, 2018

Alert fatigue syndrome is a real issue, one of the many bad habits of cybersecurity professionals, and one that they must break to protect their organization. This syndrome means that security analysts may not respond to the security alerts because they are flooded with so many.

Next-Gen SIEM

Should you consider a next-gen SIEM?

A next-gen SIEM ingests both log and flow data and uses threat models, rather than a human analyst alone, to determine what is a threat.

These are complex models that match observed behaviors to a particular type of threat, such as a DDoS attack versus a brute force attack, malware infection, APT, loss of credentials, or insider attack. A next-gen SIEM uses machine learning (without relying on it exclusively) to pick out behaviors that are not normal for a device, application, or user, and correlates those events with other rule triggers into a threat model. Once a match is found, an alert is built that keeps aggregating the individual threat behaviors under a single line on the UI, versus the hundreds or thousands of lines a traditional SIEM generates before filtering. Better yet, that one line tells you the type of threat, the devices and users involved, and what to do about it.

The best next-gen SIEMs are architected to detect threats within minutes of their becoming active, stopping brute force attacks, compromised credentials, and insider threats before critical data is accessed. Traditional SIEMs can’t promise this.
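As an added example, not code from the original article or from any vendor, the following block ties together the “How Does a SIEM Work?” description above (collect, normalize, correlate) and the single aggregated alert described here. Raw lines from two constructed sources (syslog-style sshd lines and an invented web application format) are normalized into one event shape, a windowed rule looks for repeated failures followed by a success from the same source, and the matching events are rolled up into one alert naming the threat type, source, accounts and devices. The log lines, hosts, addresses and thresholds are assumptions.

```python
"""Minimal SIEM-style correlation: normalize, correlate, aggregate.

Added example, not from the original article or any product. Both log
formats, all hosts, addresses and the thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed raw lines: syslog-style sshd (source 1) and an invented
# web application login log (source 2).
SAMPLE_LINES = [
    "2024-03-05T02:00:01Z bastion sshd[912]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2",
    "2024-03-05T02:00:03Z bastion sshd[912]: Failed password for root from 203.0.113.7 port 50212 ssh2",
    "2024-03-05T02:00:05Z bastion sshd[913]: Failed password for deploy from 203.0.113.7 port 50213 ssh2",
    "2024-03-05T02:00:07Z bastion sshd[913]: Failed password for deploy from 203.0.113.7 port 50214 ssh2",
    "2024-03-05T02:00:09Z bastion sshd[914]: Failed password for deploy from 203.0.113.7 port 50215 ssh2",
    "2024-03-05T02:00:20Z bastion sshd[915]: Accepted password for deploy from 203.0.113.7 port 50216 ssh2",
    "2024-03-05T02:00:30Z app01 webapp: login outcome=fail user=alice src=198.51.100.9",
    "2024-03-05T02:05:00Z app01 webapp: login outcome=ok user=alice src=198.51.100.9",
    "2024-03-05T02:09:00Z bastion sshd[920]: Failed password for deploy from 192.0.2.44 port 40001 ssh2",
    "2024-03-05T02:09:30Z bastion sshd[920]: Failed password for deploy from 192.0.2.44 port 40002 ssh2",
]

# One "plugin" (parser) per source; both produce the same event fields.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
WEBAPP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) webapp: login outcome=(?P<outcome>\w+) user=(?P<user>\S+) src=(?P<src>\S+)")


def normalize(line):
    """Parse one raw line into a common event dict, or None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        ok = m.group("outcome") == "Accepted"
    else:
        m = WEBAPP_RE.match(line)
        if not m:
            return None
        ok = m.group("outcome") == "ok"
    return {
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "host": m.group("host"),
        "user": m.group("user"),
        "src": m.group("src"),
        "success": ok,
    }


def correlate(lines, threshold=5, window_seconds=60):
    """Rule: at least `threshold` failures from one source inside the window,
    followed by a success from that source, produce ONE aggregated alert."""
    events = [e for e in (normalize(l) for l in lines) if e]
    events.sort(key=lambda e: e["time"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = []
        for e in evs:
            # Drop failures that have aged out of the sliding window.
            failures = [f for f in failures
                        if (e["time"] - f["time"]).total_seconds() <= window_seconds]
            if not e["success"]:
                failures.append(e)
                continue
            if len(failures) >= threshold:
                alerts.append({
                    "threat": "brute force followed by successful login (possible compromised credential)",
                    "src": src,
                    "users": sorted({f["user"] for f in failures} | {e["user"]}),
                    "devices": sorted({f["host"] for f in failures} | {e["host"]}),
                    "failed_attempts": len(failures),
                    "first_seen": failures[0]["time"].isoformat(),
                    "success_at": e["time"].isoformat(),
                    "recommended_action": "disable account, block source, review session",
                })
            failures = []  # a success closes the window for this source
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LINES):
        print(alert)
```

On the sample data, ten raw lines collapse to one alert for 203.0.113.7 (five failures against admin, root and deploy, then a successful deploy login); the single failure from 198.51.100.9 and the two failures from 192.0.2.44 never reach the threshold and stay as searchable events rather than alerts. Tuning, in the sense the article uses, is choosing `threshold` and `window_seconds` so that real brute force is caught without paging an analyst for every mistyped password.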


GDPR: Steps to Help Your Organization Prepare

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. If your business handles data on EU residents, you must comply with the GDPR.

The Information Commissioner’s Office (ICO) has released a checklist to help organizations prepare for the GDPR:

  1. Awareness: Make sure the decision makers and key people in your organization are aware that the law is changing to the GDPR.
  2. The information you hold: Your organization needs to document what personal data you hold, where it came from and who you share it with. You may need to organize an information audit across the organization or within particular business areas. The GDPR requires you to maintain records of your processing activities.
  3. Communicating privacy information: Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice.
  4. Individuals’ rights: Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  5. Subject access requests: You should update your procedures and plan how you will handle requests to take account of the new rules. If your organization handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly.
  6. Lawful basis for processing personal data: Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
  7. Consent: Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
  8. Children: Consider whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
  9. Data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Need help? Cybriant can help.
  10. Data Protection by Design and Data Protection Impact Assessments: It has always been good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as part of this. However, the GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances.
  11. Data Protection Officers: You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements.
  12. International: If your organization operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.

Your SIEM needs a Hedgehog!

At Cybriant, we are big fans of Jim Collins’s book, Good to Great. This is a classic book for business leaders that describes how Mr. Collins and his team researched 1,435 established companies to find common traits of those businesses that made a leap from average to great results. The principles that are discussed in the book include lessons on eggs, flywheels, hedgehogs, and other essentials of business.

Let’s talk Hedgehogs

In his famous essay “The Hedgehog and the Fox,” Isaiah Berlin divided the world into hedgehogs and foxes, based upon an ancient Greek parable: “The fox knows many things, but the hedgehog knows one big thing.” Mr. Collins asks in his book, “Are you a hedgehog or a fox?”

Cybriant understands that when it comes to managed SIEM, we are hedgehogs. According to the book Good to Great, a hedgehog concept is a simple, crystalline concept that flows from deep understanding about the intersection of three circles: 1) what you are deeply passionate about, 2) what you can be the best in the world at, and 3) what best drives your resource engine.

We are hedgehogs because we are deeply passionate about understanding SIEMs: how they work, how to get the proper data out of them, and what to do with that data. We are the best in the world at this because we have the top talent on staff, of course! What drives our resource engine is SIEM, SIEM, SIEM: SIEM implementations, training, monitoring, and so much more. We live and breathe SIEM.

So, why do you need a Hedgehog for your SIEM?

One of our partners, AlienVault, was included in the recent Gartner Magic Quadrant for SIEM. This is awesome news! If you already use AlienVault, you know that you are working with the best. But, not every company has the resources to make it (or whichever SIEM you chose) work properly for them.

According to Gartner, there are four “cautions” when it comes to AlienVault.  Here’s how a hedgehog, like Cybriant, can help assist with those potential weaknesses when it comes to your SIEM:

Caution #1: USM provides NetFlow capture, basic statistics, and context for assets, but cannot generate alerts from NetFlow.

With the recent 5.4.x AlienVault release, the ability to generate alerts from NetFlow has been addressed, but we would always recommend using the right tool for the job.

AlienVault is a phenomenal correlation engine that can take a lot of data from disparate sources and discover threats from seemingly innocuous information.  It does this by taking data from Active Directory, antivirus engines, firewalls, intrusion detection, and/or anything that can produce a log message for analysis.  Each of these sources is simply a single slice of the pie just like NetFlow.  Additionally, there are technologies that specialize in analyzing nothing but NetFlow to discover behavioral events and how they may be a threat.  AlienVault will take those kinds of specialized tools and create a holistic threat analysis so that you get the whole pie and not just a single slice.
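For the NetFlow point, here is an added example (not AlienVault’s own NetFlow handling, nor code from the original post) of the kind of behavioral alerting a flow-only tool does: one rule flags a source touching many distinct ports on one host, another flags an internal host sending an unusual volume to outside addresses. The flow records, the internal address range and the thresholds are constructed assumptions.

```python
"""Behavioral alerts from flow records.

Added example, not from the original post or from any vendor. Flow
records carry only who talked to whom, on which port, and how much;
there is no payload, so detection has to come from shape and volume.
All records, ranges and thresholds below are constructed.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal ranges
SCAN_PORT_THRESHOLD = 20                               # distinct dst ports per src->dst pair
EXFIL_BYTES_THRESHOLD = 50_000_000                     # outbound bytes per internal host


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed NetFlow-like records: (src, dst, dst_port, proto, bytes)
SAMPLE_FLOWS = (
    [("10.1.5.21", "10.1.5.40", p, "tcp", 60) for p in range(1, 26)]  # 25 ports on one host: scan
    + [("10.1.5.21", "10.1.5.41", 443, "tcp", 1200)]                   # normal web traffic
    + [("10.1.7.8", "203.0.113.50", 443, "tcp", 30_000_000)] * 2       # 60 MB out: exfil-sized
    + [("10.1.7.9", "198.51.100.3", 443, "tcp", 250_000)]              # normal outbound volume
    + [("203.0.113.7", "10.1.5.40", 22, "tcp", 5000)]                  # inbound, not counted as exfil
)


def analyze_flows(flows):
    """Run the scan rule and the outbound-volume rule over a batch of flows."""
    ports_by_pair = defaultdict(set)
    out_bytes_by_host = defaultdict(int)
    for src, dst, dport, proto, nbytes in flows:
        ports_by_pair[(src, dst)].add(dport)
        # Only internal -> external traffic counts toward the volume rule.
        if is_internal(src) and not is_internal(dst):
            out_bytes_by_host[src] += nbytes

    alerts = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append({"rule": "port_scan", "src": src, "dst": dst,
                           "distinct_ports": len(ports)})
    for host, total in out_bytes_by_host.items():
        if total >= EXFIL_BYTES_THRESHOLD:
            alerts.append({"rule": "outbound_volume", "src": host, "bytes": total})
    return alerts


if __name__ == "__main__":
    for alert in analyze_flows(SAMPLE_FLOWS):
        print(alert)
```

On the sample batch this raises two alerts: a port scan from 10.1.5.21 against 10.1.5.40 and 60 MB outbound from 10.1.7.8. Fed into a correlation engine such as the one the post describes, each of those becomes one more slice of the pie alongside AD, antivirus and firewall events rather than a verdict on its own.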

Caution #2: Integration of unsupported data sources is cumbersome compared with competing products. Alternatively, users can request AlienVault develop a plug-in to enable the integration.

The fact of the matter is that there is no data analysis engine that can parse and integrate every technology on the market without some sort of expertise, understanding of the data, and ability to create an integration.

Cybriant Engineers regularly write plugins and integrations for the AlienVault platform.  For simple products that are “unsupported” by AlienVault, it may take an hour to write a plugin.  For very complex products with hundreds (or more) of rule variations on messages in logs, it will take longer.  Through literally thousands of implementations, the Cybriant team has yet to find a product that cannot be integrated (or have a plugin created) as long as it outputs data.

Caution #3: Although identity activity can be linked with assets, USM provides only basic enrichment of event data with user context; and identity and access management (IAM) integration is limited to Active Directory and LDAP.

There are many tools that can integrate with AlienVault to provide enriched user data, and out of the box AlienVault has some built-in IAM capabilities. Additionally, the USM Anywhere product has advanced user enrichment functionality with IAM and IDM software. However, when we encounter a user who has had a problem with their SIEM, we typically discover that one of two things has occurred:

  • The necessary data isn’t being fed into the SIEM (either by lack of logging verbosity or other configuration issues).
  • The security analyst (or, as is more often the case, an overworked systems administrator) performing the analysis doesn’t have the experience necessary to do a deep dive into the data.

Think of it this way: if you have a musical instrument and don’t tune it correctly, it will sound terrible. Similarly, if the correct data isn’t being sent to the SIEM and the system isn’t tuned to process that data, a security analyst will get poor results. And, like a musical instrument, you could have the best-made instrument in the world, but if the musician doesn’t know how to play it, it will still sound terrible. With a SIEM, if the analyst (or administrator) doesn’t have the experience and dedicated training required to succeed, the results will be poor.

At Cybriant our SIEM Analysts have a deep understanding of both how the SIEM should be configured and how to discover threats using the SIEM.  These are two distinctly different skills.  Additionally, our SIEM Analysts have direct and instant access to the rest of our team members who specialize in different fields (such as Implementations, Malware Analysis, Forensic Analysis, etc.).  This means that instead of a single Security Analyst who is hunting down alarms, Cybriant has an entire Security Task Force who is actively monitoring your infrastructure.

Caution #4: AlienVault’s workflow capabilities do not include integrations with external ticketing systems or role-based workflow assignments. 

The traditional AlienVault USM does not have integrations with external ticketing systems, and so the Cybriant Security Operations Center solves this issue by having rigorous Processes and Procedures in place.  Without Processes and Procedures, workflows and integrations are typically handled in a hodgepodge manner instead of a hedgehog manner.

Additionally, with USM Anywhere, AlienVault now has integrations with external ticketing systems, so Cybriant can combine its existing processes and procedures with that automation to keep costs low for customers.

Learn more about Cybriant and let us know if you need a hedgehog for your SIEM!

Cybersecurity trends 2018: Cyberattacks will continue to surge

To predict what will happen in 2018, let’s take a look at what happened in 2017. In the first six months of 2017 alone:

  • There were 918 data breaches that compromised 1.9 billion data records in the first six months of 2017, which is an increase of 164% compared to 2016.
  • Of these 918 breaches, 500 breaches had an unknown number of compromised records, while 22 of the largest data breaches involved more than one million compromised records.
  • Almost 2 billion data records around the world were lost or stolen by cyberattacks in the first half of 2017 and the number of breaches reported by companies looks set to rise.
  • Governments around the world are introducing legislation that will force more companies to disclose data breaches.

Take a look at just a few of our top predictions for cybersecurity trends in 2018:

Companies will feel more pressure to be transparent and reveal data breaches

New regulations such as the U.K. data protection bill, the European Union’s General Data Protection Regulation (GDPR), and Australia’s Privacy Amendment (Notifiable Data Breaches) Act are set to come into force in the coming months and years and will push firms to disclose hacks and security breaches.

Hackers will move to more profitable targets

The hope is that the profitability of traditional ransomware will decline as cyber risk protection, user training, and corporate cybersecurity strategies improve. This means, however, that hackers will move to more profitable targets like high net-worth individuals, connected devices, and businesses, according to McAfee’s Threat Predictions Report. 

There is no easy fix for cybersecurity. It’s important to create a “Zero Trust” mindset in your organization, including all employees, contractors, board members, and C-suite members: assume hackers are constantly trying to access your data, and stay vigilant. A dedicated, well-financed actor who is after something in your enterprise is going to get it, even if they go through the weakest link, people, to do so. This means adapting your security setup to focus on detection, response, and remediation.

Companies will be judged based on their Cyber Score

After the widely publicized breaches of 2017, consumers and organizations alike will lean on a company’s cyber score to gauge its security posture. According to TechRepublic, “Historically, organizations would go to credit rating agencies and find out the creditworthiness of their partner, but now that companies are handing out data to their partners, they need to understand what their posture is.” For example, FICO offers an Enterprise Security Score as an objective measure of cybersecurity risk.

Tools like Artificial Intelligence (AI) and machine learning will become mainstream

Changes in cybersecurity will require new types of skills in data science and analytics. The general increase in information will mean artificial security intelligence is necessary. Adaptive skills will be key for the next phase of cybersecurity. The battle with hackers moves fast, so AI and machine learning can predict and accurately identify attacks quickly. See how Cybriant is using machine learning to protect our clients. 

Cybersecurity skills shortage will continue

If the trend continues as it is today, we have a global shortage of two million cybersecurity professionals, “The fastest growing job with a huge skills gap.” Security Analysts are the blockers or tacklers of cybersecurity. Many companies are finding ways to automate and outsource this skill. Cybriant has the best of the best when it comes to Security Analysts.

Here are a few trends that we hope will happen:

Companies will develop a common cybersecurity foundation

The government, cybersecurity experts, and many organizations are coming together to develop a common language around cybersecurity, NIST Cybersecurity Framework. This is a set of broad guidelines that will provide a secure foundation that will then allow you to refine based on your business functions, systems, and operating environment. Cybriant can help you develop this foundation to arrive at the right blend for your organization. Together, we will consider any regulations, emerging threats, new and legacy technologies, and systems, in addition to your business goals.

Managed Patching

Many data breaches in 2017 were the result of forgotten, failed, or slow patches. This is an often ignored problem that has caused a lot of damage in the past. Cybriant offers a patch management service that detects and deploys missing patches on your systems, simplifying patch management across your organization, even on remote and mobile endpoints.

Continuous Monitoring

Too often, companies think that security is a ‘set it and forget it’ operation. Your work is never done when it comes to cybersecurity because things change. You might adopt a new system, integrate a new third-party service, or change your business goals. To comply with your legal requirements, you need to be up to date with the latest regulations. And all the while, new software vulnerabilities are being discovered, and hackers are probing your defenses and developing new techniques to gain entry. This is where Cybriant comes in – read more about our continuous monitoring solution. 