SIEM | SECURITY INCIDENT AND EVENT MANAGEMENT

WHAT IS A SIEM?

Also referred to as Security Incident and Event Management or Security Monitoring, a SIEM gathers logs and events from key hosts within your network, aggregates them in one place, and alerts on events or series of events that match pre-determined criteria. RedLegg’s SIEM service provides the following features:

  • Data aggregation
  • Data correlation
  • Alerting
  • Compliance reports

RedLegg offers key differentiators in our SIEM service, including:

  • Correlation – Our Analysis Platform is unique from an MSS perspective because it allows us to not only perform case management and threat analysis from a centralized tool, but also allows us to correlate across our customer base. This key information exposes potential threats that may be new and developing, or even targeting specific customer verticals.
  • Intelligence – We put the threat data that our analysts gather from investigations back to work in our Threat Intelligence Service. This gives our subscribing customers a leg up on staying current with real-world potential risks that may affect their business verticals. The Threat Ecosystem is unique in Managed Service Providers, as we use real threat research to make the process smarter.
  • Observables and Asset Management – Part of the challenge in identifying a security threat is to know which hosts are participating in the activity. With our observable analyzers and our custom asset management, we can notate known customer hosts and gather quick intel on potential external threats.

All of these differentiators serve to provide a better customer deliverable by enabling our analysts to provide better analysis, quicker identification of threats, and the ability to be proactive when identifying and mitigating known threats through threat intelligence.

THREAT ECOSYSTEM

  • Customer Alarm – An alarm is generated from your monitored environment. The alarm is sent directly to our Analysis Platform as an Alert.
  • Analysis Platform – Within the Alert, our Analysis Platform identifies and extracts observables: IP address, domain, URL, or file hashes. These observables are considered as potential Indicators of Compromise.
  • Threat Analysis – Analysts review the Alert data and run investigations on the identified observables. Analysts report their findings to customers and submit observables to the Threat Research Team for review.
  • Threat Intelligence Service – Observables are reviewed by the Threat Research Team to verify their validity as bad actors. These items are included in our Threat Intel Service as known Indicators of Compromise (IOCs).
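The pipeline above (alert in, observables out, each checked against known IOCs and against the customer's own asset inventory) can be shown end to end in a few dozen lines. The following is an added example written for this page, not RedLegg's Analysis Platform code; the alert text, the IOC list, the asset network and the key=value alarm format are all constructed placeholders.

```python
"""Observable extraction and IOC lookup for one SIEM alert (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample alarm text. The field names are an assumption, not a vendor format.
SAMPLE_ALERT = (
    "Alarm: Outbound connection to suspicious host\n"
    "src=10.0.5.23 dst=203.0.113.45 dport=443\n"
    "url=http://files.example-cdn.test/update.bin\n"
    "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
)

# Constructed threat-intel list: placeholder IOCs, not real indicators.
KNOWN_IOCS = {
    "203.0.113.45": "known scanner infrastructure (constructed)",
    "files.example-cdn.test": "malware distribution domain (constructed)",
}

# Constructed asset inventory: address space the customer has registered as its own.
ASSET_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)


def is_asset(ip: str) -> bool:
    """True when the address belongs to the customer's registered networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ASSET_NETWORKS)


def extract_observables(text: str) -> list[dict]:
    """Pull IPs, domains, URLs and file hashes out of free-form alert text."""
    found, seen = [], set()

    def add(kind, value):
        key = (kind, value.lower())
        if key not in seen:
            seen.add(key)
            found.append({"type": kind, "value": value})

    for url in URL_RE.findall(text):
        add("url", url)
        host = urlparse(url).hostname
        if host:
            add("domain", host)
    # Blank out URLs before scanning for bare IPs/domains so they are not double-counted.
    stripped = URL_RE.sub(" ", text)
    for ip in IPV4_RE.findall(stripped):
        try:
            ipaddress.ip_address(ip)  # rejects octets above 255
        except ValueError:
            continue
        add("ip", ip)
    for dom in DOMAIN_RE.findall(stripped):
        add("domain", dom)
    for h in HASH_RE.findall(text):
        add("hash", h.lower())
    return found


def triage_alert(text: str, iocs: dict) -> dict:
    """Sort observables into: customer asset, known IOC, or new item for research review."""
    report = {"assets": [], "known_iocs": [], "for_review": []}
    for obs in extract_observables(text):
        value = obs["value"]
        if obs["type"] == "ip" and is_asset(value):
            report["assets"].append(value)
        elif value in iocs:
            report["known_iocs"].append((obs["type"], value, iocs[value]))
        else:
            report["for_review"].append((obs["type"], value))
    return report


if __name__ == "__main__":
    for bucket, items in triage_alert(SAMPLE_ALERT, KNOWN_IOCS).items():
        print(bucket, items)
```

Items that land in `for_review` are the ones the text says go to the Threat Research Team; the asset check keeps the customer's own source host from being treated as an external threat.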


KEY FEATURES

Through a combination of management and monitoring of your SIEM environment, RedLegg’s SIEM service gathers logs and events from key hosts within the network, aggregates logs and events, and provides alerting on events or series of events that match pre-determined criteria.

AGGREGATION

Logs from your environment are gathered into one central location and displayed together to provide full context to host activity.

CORRELATION

Logs are inspected to look for relationships, patterns, and trends across all log hosts to identify activity that may be malicious in origin.

ALERTING

RedLegg works with you to create relevant, useful alerts so that in the event of a security or operational issue, the relevant parties will be notified.

REPORTING

Depending on compliance or audit requirements, RedLegg will work with you to build the reports and views needed for various levels of user access.

SIEM SERVICE METHODOLOGY

The RedLegg Managed Security SIEM service follows an established and proven methodology to onboard, manage, monitor, and maintain your infrastructure, providing some of the best service in the industry.

PHASE 1:
KICKOFF AND ONBOARDING

RedLegg holds a kickoff with you and the assigned personnel for the engagement:

  • Deployment Engineer – Assists with conducting a SIEM health check (takeover of an existing install) as well as building the appropriate alarms and rules to maximize the capabilities of the system.
  • Support Engineer – The assigned lead engineer for the account who will handle upgrades, patching and making sure the SIEM is running at optimal efficiency.

During the kickoff and onboarding phase, RedLegg discusses your needs and RedLegg capabilities for providing the best service. This includes:

  • Review the Contact Registration Form
  • Assign main project contact
  • Determine secondary client contact
  • Create initial escalation documentation
  • Review relevant RedLegg processes and procedures

PHASE 2:
MSS CAPACITY BUILDING

During this phase, RedLegg assists in reviewing current log collection and, if needed, collecting additional required log sources from the network. This process helps eliminate unnecessary noise and provides the best information to be ingested into the SIEM. This is a significant amount of work designed to help you get the most out of your SIEM installation.

  • Once the proper log sources are being fed into the SIEM, RedLegg builds out the roles that route operational and security alarms to RedLegg support and security staff.
  • To build out the operational alarms, the Deployment Engineer goes into the operational rules, copies each applicable operational rule, and creates a customized alert. The operational alarms allow RedLegg to monitor the performance of the SIEM to make sure it is operating at its peak efficiency. Once the Deployment Engineer is sure the rules are operating correctly, alerting on these rules is turned on and monitoring is handed off to the Security Analysts.

PHASE 3:
BASELINING

During Phase 3, RedLegg Security Analysts monitor the initial alerts coming into the SIEM and perform initial tuning. This helps to ensure that the alarms are operating properly, that the suppression thresholds are properly set to avoid too many alarms, and that there is no duplication. This is one danger area of SIEM installations, as the initial baselining and operational tuning can be overwhelming for many organizations monitoring alerts. During this period, RedLegg will work with you to finalize the escalation paths and re-align the escalation plan if necessary. During Phase 3, all alert monitoring and response is performed outside of the SLAs.
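Two of the ideas on this page, correlation across log hosts (the CORRELATION feature above) and the suppression thresholds tuned during baselining, are easiest to see in a small rule run over real-looking events. The following is an added example written for this page, not RedLegg's rule content or any SIEM vendor's rule language; the log lines, the key=value format, and the rule parameters (5 failures in 60 s, 300 s suppression) are constructed assumptions.

```python
"""Correlation rule with a suppression window, run over constructed log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simple key=value form (an assumption, not a vendor format).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z host=web01 event=logon_failed user=alice src=198.51.100.7",
    "2024-03-01T10:00:05Z host=web01 event=logon_failed user=alice src=198.51.100.7",
    "2024-03-01T10:00:09Z host=vpn01 event=logon_failed user=alice src=198.51.100.7",
    "2024-03-01T10:00:14Z host=vpn01 event=logon_failed user=alice src=198.51.100.7",
    "2024-03-01T10:00:20Z host=web01 event=logon_failed user=alice src=198.51.100.7",
    "2024-03-01T10:00:25Z host=web01 event=logon_success user=alice src=198.51.100.7",
    "2024-03-01T10:00:30Z host=web01 event=logon_failed user=bob src=192.0.2.9",
    "2024-03-01T10:00:40Z host=web01 event=logon_success user=alice src=198.51.100.7",
    "2024-03-01T10:00:50Z host=web01 event=logon_success user=bob src=192.0.2.9",
    "2024-03-01T10:00:55Z host=db01 event=cron job=backup",
]


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


class FailedThenSuccessRule:
    """N failed logons from one source (on any host) within a window, then a success.

    Failures are keyed by source address only, so attempts spread across several
    log hosts correlate into one pattern. A repeat of the same pattern for the same
    (src, user) inside the suppression window is counted but not re-alarmed.
    """

    def __init__(self, threshold=5, window_s=60, suppress_s=300):
        self.threshold = threshold
        self.window = timedelta(seconds=window_s)
        self.suppress = timedelta(seconds=suppress_s)
        self.failures = defaultdict(deque)  # src -> deque of (ts, host)
        self.last_alert = {}                # (src, user) -> ts of last alarm
        self.alerts = []
        self.suppressed = 0

    def _recent_failures(self, src, now):
        q = self.failures[src]
        while q and now - q[0][0] > self.window:
            q.popleft()  # drop failures that fell out of the window
        return q

    def feed(self, ev: dict) -> None:
        kind, src = ev.get("event"), ev.get("src")
        if src is None:
            return  # noise lines with no source address are ignored
        if kind == "logon_failed":
            self._recent_failures(src, ev["ts"]).append((ev["ts"], ev.get("host")))
        elif kind == "logon_success":
            q = self._recent_failures(src, ev["ts"])
            if len(q) < self.threshold:
                return
            key = (src, ev.get("user"))
            last = self.last_alert.get(key)
            if last is not None and ev["ts"] - last < self.suppress:
                self.suppressed += 1  # duplicate of a live alarm; suppressed, not escalated
                return
            self.last_alert[key] = ev["ts"]
            self.alerts.append({
                "ts": ev["ts"].isoformat(),
                "src": src,
                "user": ev.get("user"),
                "failures": len(q),
                "hosts": sorted({h for _, h in q}),
            })


def run_rule(lines, **kwargs) -> FailedThenSuccessRule:
    """Feed every line through a fresh rule instance and return it for inspection."""
    rule = FailedThenSuccessRule(**kwargs)
    for line in lines:
        rule.feed(parse_line(line))
    return rule


if __name__ == "__main__":
    rule = run_rule(SAMPLE_LOGS)
    print("alerts:", rule.alerts)
    print("suppressed duplicates:", rule.suppressed)
```

On the sample, the five failures for `alice` span two hosts and the success at 10:00:25 raises one alarm; the second success fifteen seconds later matches the same pattern but is suppressed, which is the duplication the baselining phase is meant to remove. The single failure for `bob` never reaches the threshold.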

PHASE 4:
OPERATIONAL TUNING

During Phase 4, the RedLegg Security Analysts will be monitoring the alerts and investigating them. Real events will be handled according to the escalation procedure. False alarms will be tuned appropriately. During this process, RedLegg is tuning down duplicate alerts, ensuring that the rules fire correctly and that the alerts are sending relevant information, and then verifying what the alarm is forwarding.

PHASE 5:
ONGOING

As the false alarms subside and the SIEM alerts stabilize, the environment now has a fully functioning and tuned SIEM. RedLegg Managed Security Services will continue to monitor security alerts and conduct investigations, while ensuring that the SIEM is running at peak performance. During this time, RedLegg will begin running quarterly business reviews, offering suggestions to help improve the services and the overall security posture.


SIEM MONITORING FEATURES


REAL-TIME ANALYSIS

RedLegg’s Security Operations staff will perform real-time analysis on critical alarms generated from the SIEM. Actionable events will be investigated and escalated via the ticketing system and pre-determined escalation path.

AUTOMATED ALERTING

RedLegg will collaborate with you to determine automatic alert thresholds. Automatic alerts are generated when the SIEM has identified activity as suspicious based on signatures, behavior patterns, and other algorithms. Automated alerts will arrive as an email to RedLegg and you, and will be created in the ticketing system.

INTEGRATED TICKETING SYSTEM

When actionable events are identified by RedLegg Operations or an automated alert is generated, all information is submitted into the RL ticketing system for investigation, tracking, and auditing purposes. The ticketing system is available through the RL customer online portal.

LOG QUERIES AND INVESTIGATION

When suspicious activity has been detected or an investigation of the activity of a host is required, RedLegg can perform custom queries in the SIEM Log Database to retrieve event information from a designated date and time.

DETAILED ON-DEMAND REPORTING

On-demand reports are available, detailing statistics and analysis of the activity of the hosts reporting in to the service. Many of the reports are tailored to meet security or compliance requirements.

OUR APPROACH

RedLegg is an innovative, global security firm that delivers managed cybersecurity solutions and peace of mind to its clients.

RedLegg’s approach to information security protects the confidentiality, integrity, and availability of critical data based on a sound risk management framework. This approach allows organizations to engage business owners in defining acceptable levels of risk and to participate in the process for evaluating threats.

RedLegg’s ARMEE (Assess, Remediate, Monitor, Educate, Enforce) methodology institutes a lifecycle that allows for an ongoing process to continuously improve the security posture of the organization. This methodology is designed to be portable to all business, legal, regulatory, and security requirements of the organization. It is flexible enough to account for the constant flux in the marketplace, attack vectors, and protection mechanisms.

The final step in RedLegg’s ARMEE methodology is to implement solutions that enforce security measures needed to protect against threats that may affect an organization’s core business.

RESOURCES

  • SIEM Service Info Sheet
  • SIEM Webinar
  • Managed SIEM Case Studies
  • SIEM Architecture Review
