Build a Co-Managed SIEM program
A combination of industry convention and years of serving top-tier enterprise customers have allowed Novacoast to refine a Co-managed SIEM program that unites the best of all worlds. Here's how we do it.
What makes Novacoast different?
SIEM services are as ubiquitous an element of the modern security stance as the SIEM tool itself, so what makes Novacoast a standout provider in the Co-Managed SIEM space?
Let's start with a little background on Novacoast as a security company: We've been at it for 23 years — a narrow focus on IT security has given us an edge and a long-term appreciation for the context of enterprise security. With high-profile customers in a variety of industries like healthcare, global finance, energy, and government, we've been held to the highest standard of best practices and performance.
All of our 375+ employees are regular full-time employees, no subcontractors. Security analysts in our SOC are background-checked and cleared prior to employment. We have a strong core of engineers and software developers with Computer Science degrees, and a culture of collaboration and sharing.
Our security disciplines span Compliance, Identity and Access Management, Incident Response, Application Security, Network Security, and Security Automation.
But what does that mean for managing your SIEM with you? It means we're experienced enough in all aspects of security to help you where you need it most, whether that's manpower, engineering, or planning and architecture. Novacoast can provide the exact level of SIEM management you require.
4 cornerstones of co-management
There are four fundamental elements to an effective co-managed SIEM solution. Novacoast provides all four under our roof, with deep expertise born of our security services experience in the top-tier enterprise market. We can provide any single cornerstone service, or all.
1 Network Operations Center (NOC)
Businesses in a regulated industry often require a security analyst watching a SIEM 24 hours a day, 7 days a week. This equates to a minimum of six regular full-time hires to cover three shifts a day plus weekends, with some overlap for time off and sick days.
2 Security Operations Center (SOC)
An ideal solution lets a business retain control and ownership of its own data. Services built on "black boxes" or opaque cloud-hosted servers cannot assure full data security or ownership should the services contract end. A co-managed SIEM solution works with an organization to give it full ownership of its data and storage.
3 Engineering and Development
Many product-based security tools and packages require involved configuration and expert tuning. A business or organization often does not have an IT security team with the free time or the experience to get the full potential out of a SIEM product.
4 Maturity and Roadmap
Considering the myriad ways an organization can be compromised is daunting, and it is easy to get “off in the weeds” with any given specific detail. A co-managed SIEM solution allows CISOs to relegate the SIEM component to a manageable block...just another box checked. But refinement and maturity of program are always required to keep up with an ever-changing threat landscape. Through iteration and collaboration, our team will help plan and mature your security information and response program using the latest standards.
The heart of a security program is its people — the trained operators who design, implement, monitor, and respond to incidents. The teams that comprise operations for Novacoast Managed Security Services are dedicated IT security analysts and engineers that have been functionally divided into two effective groups: Network Operations and Security Operations.
In the Novacoast Co-Managed SIEM program, the combined efforts of the NOC and SOC can ensure uptime of the SIEM, functioning data population from configured sources, and "eyes on glass" monitoring of SIEM tools.
NOC & SOC
Why the distinction? The Network Operations Center, or NOC, is charged with monitoring and maintaining the operation of the network and its assets. Should an incident arise, whether an attack or a simple outage, the NOC works to identify and resolve the issue, keeping service levels at or above what the Service Level Agreements require.
The Security Operations Center, or SOC, is charged with protection of information and data assets for the organization. While an attack may compromise the functionality of the network, the SOC focuses on the nature of the attack to prevent loss of owned data, intellectual property, and sensitive information.
Monitoring is a critical element of SIEM. The tools may be continuously populating with massive amounts of data, but how to know which events are actionable? It's a combination of automation and human analyst "eyes on glass."
Correlation is a technique for configuring rules that look for meaningful relationships between the events a SIEM product records. Even with useful data being collected from many endpoints, an attack in progress can go unnoticed if each step looks like an innocuous request or network connection. By automatically correlating several such events that together make up a real attack signature, detection can be rapid.
These confirmed incidents can be handled by a human analyst, or via an orchestrated means, such as a SOAR product.
Response & Triage
In the event of a security incident, how the SOC responds is the defining measure of its value. It's why the SOC exists; response and triage procedures are well-defined both at the outset of a co-management relationship, and are continually refined and tuned. Let's take a look at some of the major considerations in a response and triage plan:
Rule creation, Tuning, Recommendations
The fundamental mechanism of response is detection. SIEM rules are defined from a preconceived idea of the kind of traffic and threats the organization can generally expect. Once an initial ruleset is implemented, continual tuning eliminates false positives and verifies that the events that should trigger a rule actually do. Novacoast analysts and engineers have seen a comprehensive cross-section of traffic across customers and are a good resource for recommendations. It is also a two-way conversation with the customer team, who know their own traffic better than anyone.
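The following is an added example, not code from the original page or from Novacoast, illustrating both points above: a correlation rule that chains individually innocuous events into an attack signature, and the tuning exclusion that keeps a known-benign source from producing false positives. The log lines, the hosts, the user names, the IP addresses and the "authorized scanner" exclusion are all constructed for the example; the rule logic is generic Python rather than any particular SIEM product's rule language.

```python
"""Correlate authentication events into a brute-force-then-success signature,
with a tuning exclusion list for known-benign sources. Added example; the log
format, hosts, users, addresses and the exclusion entry are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "timestamp host user source-ip outcome".
# alice: 5 failures then a success inside a minute (the signature we want).
# bob:   the same pattern, but from an address the customer has told us is
#        an authorized scanner (should be suppressed by tuning, not alerted).
# carol: two typos then a success (normal user behaviour, no alert).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z vpn01 alice 203.0.113.7 FAIL
2024-03-01T09:00:03Z vpn01 alice 203.0.113.7 FAIL
2024-03-01T09:00:05Z vpn01 alice 203.0.113.7 FAIL
2024-03-01T09:00:06Z vpn01 alice 203.0.113.7 FAIL
2024-03-01T09:00:08Z vpn01 alice 203.0.113.7 FAIL
2024-03-01T09:00:12Z vpn01 alice 203.0.113.7 SUCCESS
2024-03-01T09:10:00Z vpn01 bob 198.51.100.4 FAIL
2024-03-01T09:10:01Z vpn01 bob 198.51.100.4 FAIL
2024-03-01T09:10:02Z vpn01 bob 198.51.100.4 FAIL
2024-03-01T09:10:03Z vpn01 bob 198.51.100.4 FAIL
2024-03-01T09:10:04Z vpn01 bob 198.51.100.4 FAIL
2024-03-01T09:10:05Z vpn01 bob 198.51.100.4 SUCCESS
2024-03-01T09:20:00Z vpn01 carol 192.0.2.9 FAIL
2024-03-01T09:20:30Z vpn01 carol 192.0.2.9 FAIL
2024-03-01T09:21:00Z vpn01 carol 192.0.2.9 SUCCESS
"""

# Tuning exclusion agreed with the customer (hypothetical entry).
TUNING_EXCLUSIONS = {
    "198.51.100.4": "authorized vulnerability scanner, approved in change control",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<outcome>FAIL|SUCCESS)$"
)


def parse_events(text):
    """Parse the constructed log format into event dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # an unparseable line is a collection problem, not a detection
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate(events, threshold=5, window=timedelta(seconds=60), exclusions=None):
    """Return (alerts, suppressed). A finding fires when a SUCCESS follows at
    least `threshold` FAILs for the same (source, user) inside `window`; a
    finding whose source is in `exclusions` is recorded as suppressed so the
    tuning decision stays auditable instead of silently dropping the event."""
    exclusions = exclusions or {}
    recent_fails = defaultdict(deque)  # (src, user) -> timestamps of recent FAILs
    alerts, suppressed = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_fails[(ev["src"], ev["user"])]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["outcome"] == "FAIL":
            q.append(ev["ts"])
            continue
        if len(q) >= threshold:                 # SUCCESS after a burst of FAILs
            finding = {"user": ev["user"], "src": ev["src"], "host": ev["host"],
                       "failures": len(q), "first_failure": q[0], "success_at": ev["ts"]}
            if ev["src"] in exclusions:
                finding["reason"] = exclusions[ev["src"]]
                suppressed.append(finding)
            else:
                alerts.append(finding)
        q.clear()                               # a success resets the sequence
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = correlate(parse_events(SAMPLE_LOG), exclusions=TUNING_EXCLUSIONS)
    for a in alerts:
        print(f"ALERT {a['user']}@{a['src']}: {a['failures']} failures then success at {a['success_at']}")
    for s in suppressed:
        print(f"suppressed {s['user']}@{s['src']}: {s['reason']}")
```

Run without the exclusion list and the scanner's traffic produces a second alert; that is the false positive the tuning conversation with the customer removes. Keeping suppressed findings in a separate list, rather than discarding them, lets the analyst review what the tuning is hiding and spot an exclusion that has become too broad.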
Tracking incidents and ticket life cycles
While Novacoast analysts monitor SIEM dashboards during the defined hours of coverage ("eyes on glass"), a triggered SIEM rule raises a notification, either through a desktop notification mechanism or by email.
The analyst then follows the customer-specific runbooks. Generally, the procedure is along these lines:
- Gather initial supporting evidence of the incident
- Leverage any known threat intelligence
- If necessary, escalate to the defined next tier in the response plan
- Leverage any additional tools available for deeper investigation
The objective is to eliminate the present threat and strengthen the security stance with knowledge gained from the incident.
The types and extent of reporting from the SIEM depend on the chosen SIEM products, but reports generally consist of metrics and aggregated counts of event types.
For example, LogRhythm, a top SIEM product and Novacoast partner, includes over 100 predefined reports on user activity alone, such as account management activity, applications accessed by user, top suspicious users, new account summary and terminated account summary. These reports can give admins visibility into suspicious network user behavior.
Reports are designed based on customer objective and need. Novacoast can provide a standard menu of SIEM reports or work with customers to define custom ones.
Depending on the Managed Services agreement, a periodic status call may be a part of Co-Managed SIEM. This allows an opportunity for a SOC 2 Analyst to give a status presentation on all related topics, from configuration to incidents and metrics.
Responsibility assignment is part of the new customer onboarding process, and is a crucial step in defining who does what in all phases of operations.
Novacoast uses the RACI model to define roles in the co-managed relationship, and will provide a general RACI during the onboarding process with a new customer, which can be modified or extended as needed.
Novacoast security analysts are the lifeblood of the SOC and the Co-Managed SIEM service, and are held to a very high standard.
All Novacoast SOC analysts are required to meet specific qualifications, such as a Bachelor's Degree in Computer Science or Computer Technology, preferably with a concentration in Cybersecurity or Information Security. The accepted equivalent of the degree is three years of work experience in Information Security or a related technical field.
Novacoast performs an extensive pre-employment screening process to ensure performance capabilities. The SOC Analyst role is responsible for monitoring security and operational events and incidents. Analysts are required to maintain a working knowledge of current security changes, updates, and patches in line with their technical certifications. SOC 1 analysts are required to open support cases with customers and escalate as necessary.
The SOC Lead role is responsible for daily operations of customer environments including, but not limited to: application policy changes, change control, and event investigations.
SOC Leads are required to maintain an extensive working knowledge in relation to security. Furthermore, they are required to research, develop, and provide solutions to identify any threats or vulnerabilities in the ultimate effort to avoid risks of exploit.
All technical employees are required to obtain and maintain the applicable technical certifications and continuously participate in current training in their area of expertise.
Novacoast has three Security Operations Centers, located in strategic time zones to provide 24-7 coverage:
- Santa Barbara, CA, USA
- Ann Arbor, Michigan, USA
- Manchester, England, UK
Engineering and development
Depending on the specific needs for a SIEM product, it may work out of the box, or it may require customization by a product specialist. Our team of engineers and software developers can help.
Configuration of a SIEM usually begins with log collection: installing a software agent on the endpoints, or configuring devices that cannot run an agent to forward their logs (for example over syslog), so that the SIEM analysis engine receives them. Circumstances may make this straightforward or complicated.
In addition to log collection, configuration may include policy configuration, orchestration of automated response, and any network rules to allow necessary legitimate traffic through.
Engineers with extensive experience in the full spectrum of SIEM usage may have recommended best practices unique to the customer scenario.
Maturity and roadmap
Security planning is an iterative process, with the goal being continued refinement and maturing of all associated aspects.
Novacoast has a broad footprint and exposure to a variety of organizations at different points in their maturity arc, giving us unique insight into what should come next to strengthen a security posture.
We provide comprehensive planning tools and guides on SIEM usage to help both the customer new to security information and event management, and the established institution.