SECURITY LEARNING CENTER
Co-Managed SIEM
A co-managed solution employs a blended group of cybersecurity engineers and operations experts to run, manage, and perfect the tools of security information and events, while you retain total ownership.
Learn About Co-Managed SIEM
Seeking information on what is common practice and standard procedure for a co-managed relationship with a managed security services provider can be a bit daunting. Here’s a few bits of knowledge that will hopefully make it easier to speak the same language.
SIEM stands for Security Information and Event Management.
Security has become a game of managing all the data that is generated by log files and other recorded events that could be used in detecting malicious behavior or compromise. The sheer volume of data that is generated by security events is such that no human can evaluate it in real time. Automation and aggregation of the data must be employed to make it usable and meaningful. A SIEM is a product that is meant to provide this functionality.
A SIEM, even though it is oriented toward automation, still requires a human analyst to monitor its views and insights. A security engineer or developer must configure and tune its initial implementation. This equates to expensive man-hours. For an organization that is held to a standard of compliance, it can require multiple full-time employees to cover 24/7 shifts.
A co-managed SIEM partner can provide the manpower at a fraction of the cost, while the organization retains ownership of the implementation and the data it generates.
Sometimes things happen and you may want to switch to a new provider to help manage your SIEM. That’s where the co-managed model shines: You own the purchased products, any assets, and the infrastructure. The provider in a co-managed SIEM model has just provided services to help build, manage, and refine your owned setup. It’s all yours. If the need arises, bring in a new provider.
Co-Managed Programs
In any co-managed program, the organization retains ownership of the assets and data. Meanwhile, the service provider gives expertise in design, architecture, and day-to-day running of the security program. This is in contrast to a full SaaS or “black box” solution where security oriented traffic is shipped off to a service totally owned and operated by the provider.
In the case of a co-managed SIEM, the SIEM product can be configured and customized by either party while the provider performs continued management and monitoring of the data . This allows the organization who owns the SIEM to retain dominion over their own security data and enjoy much cheaper monitoring and analysis by a provider who services multiple customers simultaneously.
The Novacoast Co-Managed SIEM in particular adds the following benefits:
- Novacoast reviews design and architecture
- Novacoast provides care and feeding of solution
- 100% of care and feeding of solution is taken care of by Novacoast
- Integration to customer SOP’s for feel of customer owned tier 1 SOC
- Documentation is co-owned and transferable
- Data and integration ownership stay where they belong, with the customer
SIEM Products
While there are many SIEM products on the market, there are a few standouts that are worthy of mention. Contact our sales team if you don’t currently have a SIEM setup and would like expert help.
-
Exabeam
- Part of their operations platform, Exabeam’s SIEM capabilities are essentially what used to be known as LogRhythm—log management, behavioral analytics, and automated threat detection, investigation, and response (TDIR)
-
Google SecOps
- Google’s cloud-based operations platform provides SIEM augmentation, enhancing detection capability of your existing SIEM.
-
Microsoft Sentinel
- Cloud-native SIEM platform optimized for Azure infrastructure but can aggregate data from all sources, including users, applications, servers, and devices running on premises or in any cloud.
Analyst
A trained technician or security engineer who specializes in evaluating the configuration and data insights from various security information and event management tools. An analyst also is trained on response, triage, and escalation procedures in the event of an incident.
Endpoint
An endpoint is any remote computing device that is connected to the network. Endpoints represent a liability attack surface due to challenges with maintaining updates, antivirus, and their role as a focal point for user behavior.
Incident
An occurrence where a policy, implied or stated, is violated by a remote attacker or internal actor.
RACI
RACI is an acronym that stands for responsible, accountable, consulted and informed. A RACI chart is a matrix of all the activities or decision making authorities undertaken in an organisation set against all the people or roles. (Wikipedia)
Runbook
RACI is an acronym that stands for responsible, accountable, consulted and informed. A RACI chart is a matrix of all the activities or decision-making authorities undertaken in an organization set against all the people or roles. (Wikipedia)
Service Level Agreement
A service-level agreement (SLA) is a commitment between a service provider and a client. Particular aspects of the service – quality, availability, responsibilities – are agreed between the service provider and the service user. (Wikipedia)
SOC
A Security Operations Center, or SOC, is a strategically located remote facility from which analysts can monitor, analyze, and respond to security threats in an effort to protect sensitive data and intellectual property.
Triage
As in medicine, triage is any approach to prioritization of response using defined rules and procedures to achieve some level of efficiency in response to a detected incident