The managed security services landscape is full of enough terminology, acronyms, and jargon to stymie the best IT expert. This guide provides some insight into the concepts you'll encounter in the realm of co-managed security.
Learn about Co-Managed SIEM
Seeking information on what is common practice and standard procedure for a co-managed relationship with a managed security services provider can be daunting. Here are a few bits of knowledge that will hopefully make it easier to speak the same language.
Frequently Asked Questions
1 What does the acronym S.I.E.M. stand for?
SIEM stands for Security Information and Event Management.
2 What is the purpose of a SIEM?
Security has become a game of managing all the data generated by log files and other recorded events that could be used to detect malicious behavior or compromise. The sheer volume of data generated by security events is such that no human can evaluate it in real time, so the data must be aggregated and processed automatically to make it usable and meaningful. A SIEM is a product meant to provide this functionality.
3 Why would I seek out a services provider to help manage my SIEM?
A SIEM, even though it is oriented toward automation, still requires a human analyst to monitor its views and insights, and a security engineer or developer must configure and tune its initial implementation. This equates to expensive man-hours, and for an organization held to a compliance standard, it can require multiple full-time employees to cover 24/7 shifts.
A co-managed SIEM partner can provide the manpower at a fraction of the cost, while the organization retains ownership of the implementation and the data it generates.
4 What happens if I want to change my SIEM management provider?
Sometimes things happen and you may want to switch to a new provider to co-manage your SIEM. That's where the co-managed model shines: you own the purchased products and any associated assets and infrastructure. The provider in a co-managed SIEM model has only provided services to help build, manage, and refine the setup you own. It's all yours. If the need arises, bring in a new provider.
Co-Managed SIEM Topics
Any co-managed program is a scenario in which a service provider is hired to provide expertise in the design, architecture, and day-to-day running of a security program, while the organization retains ownership of the assets and data. This is in contrast to a full SaaS or "black box" solution, in which security-oriented traffic is shipped off to a service totally owned and operated by the provider.
In a SIEM co-management scenario in particular, the SIEM product can be configured and customized by either party, and continued management and monitoring of its data is performed by the provider. This allows the organization that owns the SIEM to retain control over its own security data while enjoying much cheaper monitoring and analysis from a provider that services multiple customers simultaneously.
The Novacoast Co-Managed SIEM in particular adds the following benefits:
- Novacoast reviews design and architecture
- Novacoast provides care and feeding of the solution.
- 100% of the care and feeding of the solution is taken care of by Novacoast.
- Integration with customer SOPs for the feel of a customer-owned tier 1 SOC
- Documentation is co-owned and transferable
- Data and integration ownership stay where they belong, with the customer.
While there are many SIEM products on the market, there are a few standouts that are worthy of mention. If you currently do not have a SIEM setup and would like expert help, please contact our sales team.
LogRhythm's NextGen SIEM platform is an industry leader and a partner of Novacoast.
The ArcSight Enterprise Security Manager from Novacoast partner Micro Focus is a comprehensive threat detection, analysis, and compliance management SIEM solution.
Splunk's analytics-driven SIEM product, part of its Security Operations Suite, is well proven.
Glossary of Terms
Analyst
A trained technician or security engineer who specializes in evaluating the configuration and data insights from various security information and event management tools. An analyst is also trained on response, triage, and escalation procedures in the event of an incident.
Endpoint
An endpoint is any remote computing device connected to the network. For any organization, endpoints represent a liability and an attack surface due to the challenges of maintaining updates and antivirus, and their role as a focal point for user behavior.
An occurrence in which a policy, implied or stated, is violated, either by a remote attacker or an internal actor. Really, it's anything weird that triggers a rule defined by...
RACI
RACI is an acronym that stands for responsible, accountable, consulted and informed. A RACI chart is a matrix of all the activities or decision making authorities undertaken in an organisation set against all the people or roles. (Wikipedia)
Runbook
In a computer system or network, a runbook is a compilation of routine procedures and operations that the system administrator or operator carries out. System administrators in IT departments and NOCs use runbooks as a reference. Runbooks can be in either electronic or in physical book form. (Wikipedia)
Service Level Agreement
A service-level agreement (SLA) is a commitment between a service provider and a client. Particular aspects of the service – quality, availability, responsibilities – are agreed between the service provider and the service user. (Wikipedia)
Security Operations Center
A Security Operations Center, or SOC, is a strategically located remote facility from which analysts can monitor, analyze, and respond to security threats in an effort to protect sensitive data and intellectual property.
Triage
As in medicine, triage is any approach to prioritization of response using defined rules and procedures to achieve some level of efficiency in response to a detected incident.