By security practitioners, for security practitioners innovate | novacoast federal | novaSOC | novacoast
By security practitioners, for security practitioners

Co-Managed SIEM

The concept of SIEM has become a ubiquitous and mandatory element of any modern security program, collecting data and providing visibility of security events

FAQ

What does the acronym S.I.E.M. stand for?

SIEM stands for Security Information and Event Management.

What is the purpose of a SIEM?

Security has become a game of managing all the data that is generated by log files and other recorded events that could be used in detecting malicious behavior or compromise. The sheer volume of data that is generated by security events is such that no human can evaluate it in real time. Automation and aggregation of the data must be employed to make it usable and meaningful. A SIEM is a product that is meant to provide this functionality.

Why would I seek out a services provider to help manage my SIEM?

A SIEM, even though it is oriented toward automation, still requires a human analyst to monitor its views and insights. A security engineer or developer must configure and tune its initial implementation. This equates to expensive man-hours. For an organization that is held to a standard of compliance, it can require multiple full-time employees to cover 24/7 shifts.

A co-managed SIEM partner can provide the manpower at a fraction of the cost, while the organization retains ownership of the implementation and the data it generates.

What happens if I want to change my SIEM management provider?

Sometimes things happen and you may want to switch to a new provider to help manage your SIEM. That’s where the co-managed model shines: You own the purchased products or cloud accounts, any assets, and the infrastructure. The provider in a co-managed SIEM model has just provided services to help build, manage, and refine your owned setup. It’s all yours. If the need arises, bring in a new provider.

Co-Managed SIEM program differentiators

In any co-managed program, the organization retains ownership of the assets and data. Meanwhile, the service provider gives expertise in design, architecture, and day-to-day running of the security program.

This is in contrast to a full SaaS or “black box” solution where security oriented traffic is shipped off to a service totally owned and operated by the provider.

In the case of a co-managed SIEM, the SIEM product can be configured and customized by either party while the provider performs continued management and monitoring of the data . This allows the organization who owns the SIEM to retain dominion over their own security data and enjoy much cheaper monitoring and analysis by a provider who services multiple customers simultaneously.

Top shelf Co-Managed SIEM programs will add the following benefits:

  • Review of design and architecture
  • Continued care and feeding of designed solution
  • Integration to customer SOPs for the feel of a customer-owned tier 1 SOC
  • All documentation is co-owned and transferable
  • Data and integration ownership stay where they belong, with the customer

SIEM products and services

While there are many SIEM products on the market, there are a few standouts that are worthy of mention.

Self-hosted on-premises solutions
  • LogRhythm
  • Arcsight
  • Splunk
  • Qradar
  • Exabeam
Cloud-based / SaaS solutions
  • Microsoft Azure Sentintel
  • LogRhythm Cloud
  • Google Chronicle
  • Splunk
  • Rapid 7
  • Datadog
  • Sumo Logic

Glossary of Terms

Analyst: A trained technician or security engineer who specializes in evaluating the configuration and data insights from various security information and event management tools. An analyst also is trained on response, triage, and escalation procedures in the event of an incident.

Endpoint: An endpoint is any remote computing device that is connected to the network. Endpoints represent a liability attack surface due to challenges with maintaining updates, antivirus, and their role as a focal point for user behavior.

Incident: An occurrence where a policy, implied or stated, is violated by a remote attacker or internal actor.

RACI: RACI is an acronym that stands for responsible, accountable, consulted and informed. A RACI chart is a matrix of all the activities or decision making authorities undertaken in an organization set against all the people or roles. (Wikipedia)

Runbook: A collection of documented procedures that guide any user, new or experienced, in completing a task in an IT environment.

Service Level Agreement: A service-level agreement (SLA) is a commitment between a service provider and a client. Particular aspects of the service – quality, availability, responsibilities – are agreed between the service provider and the service user.

SOC: A Security Operations Center, or SOC, is a strategically located remote facility from which analysts can monitor, analyze, and respond to security threats in an effort to protect sensitive data and intellectual property.

Triage: As in medicine, triage is any approach to prioritization of response using defined rules and procedures to achieve some level of efficiency and minimization of damage in response to a detected incident.

Previous Post

Vulnerability Management

Next Post

Phishing Monitoring