Do you want help with your security information and event management solution (SIEM)? 

We’ve been working on SIEM solutions for years and if I can be totally transparent, it’s difficult. Implementing and tuning a SIEM so that it provides risk reduction, low false positives, and high fidelity alerts is a difficult task. But when it’s done right, it quickly provides a return on investment, years of risk reduction, and is extremely valuable.

The Problem

You’re sold the hope and vision of a beautiful single-pane-of-glass dashboard alerting on every security event you should know about, and creating incidents for security anomalies that only an advanced artificial intelligence, machine learning, next-generation solution can deliver. 

What you get instead is one hundred out-of-the-box worthless alerts that generate far too many false alerts, provide no value, and alert you on things that your existing security controls are preventing anyway. 

There is hope. 

If you’re a Minnesota business and have more than ten endpoints reporting to your SIEM (that’s where the magic starts happening), and fewer than 1,000 reporting sources (which justifies a full-time SIEM engineer), we can partner with you to improve your SIEM platform. 

Our Process

We start by clarifying the purpose and goal of the system. We then examine the risk and drive the use-case alerting scenarios.

We review your asset reporting architecture and ensure we get the right endpoints logging the right data. We organize them within the SIEM by environment, directionality, and risk. We then overlay SIEM rules that validate and support what Wireshark and other packet inspection tools are showing us is common. 

Tabletop exercises are performed with your security staff to brainstorm what is not normal, what a potential attack might look like, and what wrong-way directional traffic looks like. 

We build high fidelity, low false positive alerts, and we test them. We build playbooks and support documentation and work alongside your security analysts to show them exactly what we’re doing and why. We build one single alert at a time, test, and pivot. Once we have a strong foundation of security alerts in place we move to correlation alerts and artificial intelligence. 
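To make the "one alert at a time, test, and pivot" idea concrete, here is an added example of a single directionality rule built the way the process above describes: assets are tagged by environment and risk, the rule fires only on wrong-way traffic the firewall actually allowed (so it never duplicates what an existing control already prevents), known-good flows are allow-listed to keep false positives down, and the rule ships with its own test data. This is example code, not the firm's tooling; the asset inventory, the `src=... dst=... dport=... action=...` log format, the allow-list and the sample log lines are all constructed assumptions.

```python
"""Wrong-way directional traffic rule, with constructed inventory and logs.

Assumption (not from the page): DMZ hosts may answer requests from the
internal network but should never initiate connections into it, except
for flows the business has explicitly approved.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory: the "environment, directionality, and risk"
# organization the process describes, expressed as plain tags.
ASSETS = {
    "10.0.1.10": {"env": "dmz", "role": "web", "risk": "high"},
    "10.0.1.11": {"env": "dmz", "role": "mail-relay", "risk": "high"},
    "10.0.2.20": {"env": "internal", "role": "db", "risk": "crown-jewel"},
    "10.0.2.21": {"env": "internal", "role": "ad", "risk": "crown-jewel"},
    "10.0.3.30": {"env": "internal", "role": "workstation", "risk": "low"},
}

# Constructed allow-list of approved DMZ -> internal flows (src, dst, dport).
# Each entry is the output of a tabletop discussion: "yes, the web tier is
# supposed to talk to its database on 5432".
ALLOWED_FLOWS = {
    ("10.0.1.10", "10.0.2.20", 5432),
}

# Constructed firewall/flow log format.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)"
)


@dataclass
class Event:
    src: str
    dst: str
    dport: int
    action: str


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    risk: str
    reason: str


def parse(line: str) -> Optional[Event]:
    """Parse one log line; malformed lines are skipped rather than alerted on."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Event(m["src"], m["dst"], int(m["dport"]), m["action"])


def evaluate(event: Event) -> Optional[Alert]:
    """Return an Alert only for allowed DMZ -> internal flows not on the allow-list."""
    src_asset = ASSETS.get(event.src)
    dst_asset = ASSETS.get(event.dst)
    # Unknown hosts belong to a separate inventory-gap rule; mixing them in
    # here would turn a high fidelity alert into a noisy one.
    if src_asset is None or dst_asset is None:
        return None
    # The firewall already prevented it: no value in alerting on it here.
    if event.action != "allow":
        return None
    if src_asset["env"] == "dmz" and dst_asset["env"] == "internal":
        if (event.src, event.dst, event.dport) in ALLOWED_FLOWS:
            return None
        return Alert(
            event.src, event.dst, event.dport, dst_asset["risk"],
            f"{src_asset['role']} in DMZ initiated to internal {dst_asset['role']}",
        )
    return None


def run(lines) -> list:
    """Apply the rule to a batch of log lines and collect the alerts."""
    events = (parse(line) for line in lines)
    return [a for a in (evaluate(e) for e in events if e) if a]


# Constructed test data that ships with the rule: one true positive, and
# the cases that must NOT fire (approved flow, blocked flow, right-way
# traffic, unknown host, malformed line).
SAMPLE_LOGS = [
    "src=10.0.1.10 dst=10.0.2.20 dport=5432 action=allow",   # approved app->db
    "src=10.0.1.10 dst=10.0.2.21 dport=445 action=allow",    # web server -> AD: fires
    "src=10.0.1.11 dst=10.0.2.21 dport=389 action=deny",     # firewall already blocked
    "src=10.0.3.30 dst=10.0.1.10 dport=443 action=allow",    # internal -> DMZ is normal
    "src=203.0.113.7 dst=10.0.1.10 dport=443 action=allow",  # unknown external source
    "this line is not a flow record",                        # malformed, skipped
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(f"[{alert.risk}] {alert.src} -> {alert.dst}:{alert.dport}  {alert.reason}")
```

The point of keeping the sample lines next to the rule is the "test, and pivot" step: every time the allow-list or inventory changes, the same six lines are re-run and the rule must still produce exactly one alert before it goes back into production.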

Specific Vendor Products

No matter what SIEM solution you currently use, we can most often help. We start with a get-to-know-you session and whiteboard your current situation. If you need an NDA in place beforehand, we can do that. Based on our SIEM assessment we’ll tell you upfront whether we can help or not. We only serve Minnesota companies we can bring value to. Nothing less. 

We’re often asked if we support a specific vendor SIEM solution, or if we’ve worked with it before. Although we can’t tell you which companies we’ve helped with each solution, we can tell you we have a lot of experience with most leading SIEM solutions. 

The other thing that I can tell you is, it doesn’t matter. 

Most people start with the SIEM itself and try to get it to work. They look at how to get into the console, deploy agents, parse log messages, create alerts, configure ticketing and escalation. 

We start with risk. Risk drives the security situations that we need to know about. Your unique business risks drive what we need to discover and alarm on from the SIEM. That’s the purpose it’s there for. 

A SIEM can provide value with one single high fidelity, low false positive alarm. Do you have that kind of risk that we can help you drive that much value from?

80% of the SIEM value equation exists before the SIEM is in place. The risk. This includes defining where the crown jewels are, where the confidential and sensitive data resides, what the privileged accounts are, and who has access to service accounts and root. Who can see sensitive fields within the database? Who poses a risk if they leave the company tomorrow? What threat vectors are available, what assets have a high ‘time-to-patch’, what systems are legacy, what needs to be highly available? These questions are where a great SIEM implementation starts. 

How many alerts?

How do you define the value of your SIEM? How many alerts would it take to achieve that value? 

I want to offer a shocking statistic I’ve personally gathered from the clients I’ve worked with. This should make you feel better about your situation, and it should also shock you. 

Fewer than one out of ten companies we’ve worked with have more than three SIEM alarms they feel are valuable and reduce their risk. 

How many do you have?

What if we could turbocharge your SIEM? What if we could customize it to your business, your unique risk, and your value?

If, after the SIEM assessment and the SIEM architecture and tuning process, we could build one single high fidelity, risk-reducing alarm every month, would that be valuable to you?

If the answer is yes, give us a call and let’s schedule a whiteboard session. 

Summary

So much money is spent on SIEM solutions every year. So much labor time is spent trying to get it to do something. 

We can do better. 

Set up a SIEM Workshop today and let us help you jump-start your SIEM from zero to sixty and keep it running, driving value, and reducing risk for years to come. 
