SIEM Management

Fully managed SIEM solution for MSPs, installed on-premise by StratoZen.

Security Information and Event Management (SIEM) platforms are inherently complex and require a great deal of experience across multiple vendors, multiple device types, network and telecommunications, operating systems, protocols, and much more.  They also require information security and compliance experience.  Furthermore, SIEM admins need to understand signatures, rules and how to tune the system for optimal performance so an organization doesn’t miss critical alerts but also doesn’t get overwhelmed with false positives and other “noise” that is common for these systems.

The bottom line is that more than 99.99% of the data fed into a SIEM is of no value; however, that remaining 0.01% can cost millions of dollars if it is not found and acted upon.  Finding the valuable data is like looking for a needle in a haystack, and a SIEM is supposed to make it easy to find, correlate, analyze, and alert on important events.  A SIEM configured improperly or in the hands of an inexperienced admin can be dangerous.  Missed events can be classified as negligence.  Spamming false positives can keep IT staff running in circles, costing the organization a tremendous amount of money and keeping them from focusing on the important needs of the business.

But for some of our clients, a hosted SIEM-as-a-Service is not an option.  Some have already built an in-house SIEM platform and just need help with the management, maintenance, and monitoring.  Others, such as Managed Service Providers (MSPs), need an in-house solution to support their existing clients’ connectivity through VPNs or MPLS.  For these needs, StratoZen has created a SIEM Management service.  This service leverages the StratoZen team to configure, manage, maintain, and monitor the devices that make up the in-house SIEM infrastructure.  StratoZen is uniquely equipped to assist managed service providers and enterprises with the challenges of deploying and managing a SIEM.  The service follows a specific four-step process: Assessment, Design, Deliver, and Ongoing Management.


Assessment

Expert evaluation of the current environment is the most critical step in proper SIEM management, most notably in the area of alerting and reporting.  In this phase StratoZen will:

  • Evaluate current Incident and Alert settings and compare them against our “minimum alert” standards for monitoring Performance, Availability, Security, and Change. This is the first step in creating an Alert Matrix.
  • Evaluate currently generated reports, both internal and client facing.
  • Evaluate current underlying infrastructure for scalability and growth.
  • Evaluate collector build parameters and technical specifications.
  • Interview key users of the system to identify gaps or issues.
  • Come to a full understanding of the state of the system today.
  • Document all findings to lay the foundation for the remaining phases.

Based on these findings, StratoZen will begin the Design process, taking the known gaps and designing the system to fill those gaps.

Design

In the Design phase, StratoZen will work directly with the responsible SIEM team to design the system exactly as needed for the desired result.  StratoZen will:

  • Extract the current rules from the system and, working with the organization, build an Alert Matrix outlining the rules in the system, the severity assigned, the notification parameters, and the desired actions when the alerts fire.
  • Build a list of desired daily, weekly, and monthly reports for internal and/or client delivery.
  • Analyze and redesign the Discovery Mappings, as needed.
  • Analyze and redesign the Credential Mappings, as needed.
  • Analyze and redesign Scheduling of device discovery.
  • Analyze and finalize the underlying system desired state. This includes the master console, sub-systems and collector/relay hardware configurations, DNS round-robin settings for the relay systems, the online and archive disk settings, and the desired version of SIEM software across all of the devices.

Deliver

In the Deliver phase, we will take the design parameters that were created jointly above and implement them into the current system.  StratoZen will:

  • Re-craft Credential Mappings.
  • Re-craft Discovery of devices.
  • Implement Scheduling for Discovery.
  • Test and validate that devices are coming into the system correctly and are being monitored in full.
  • Re-craft the Incident and Alert firing to match the Alert Matrix.
  • Deliver the completed Alert Matrix so that your team has a fully documented list of the incidents and alerts and the expected team actions when those alerts fire.
  • Create the daily, weekly, and monthly reports identified in the Design phase.
  • Provide training via a web session that reviews the new changes in the system and outlines some of the lesser-known features and benefits of the system, with the aim of increasing team adoption.
  • Create and deliver an Operational Guidelines document. This document outlines the daily, weekly and monthly tasks required to maintain the SIEM.
  • Update documentation with any new information that is needed from the re-design outlined above.

Ongoing Management

In this phase, StratoZen provides nearly all of the same management, monitoring, and maintenance as we do for our SIEM-as-a-Service offering.  We handle all of the day-to-day operations of your SIEM environment remotely, ensuring that your platform stays up to date and healthy.  We also continuously perform rule and alert tuning to minimize false positives and false negatives.

With the system rebuilt and poised for new clients and scalable growth, StratoZen provides ongoing management of the system.  This allows your internal staff to focus on managing the network and alert response rather than keeping the SIEM environment running and healthy.  Our ongoing management can be customized to your needs, and typically includes the following:

  • Upgrade assistance. New versions of the SIEM come out frequently.
  • Alert fine-tuning. Although the alerts are tuned to what we designed together as a team, as you take on new clients it is often necessary to adjust alerts to keep the signal-to-noise ratio acceptable and to accommodate new systems that were not previously seen.  Any change to alerting is also reflected in the Alert Matrix.
  • New client on-boarding (for MSPs). To ensure that each and every client is on-boarded correctly and consistently, we can take responsibility for on-boarding new clients, or review the on-boarding after it is completed by your staff.
  • New report development. As the system grows, both in clients and in adoption by your team, new reports are often desired.  StratoZen can create new reports as needed or train your team on how to create new reports themselves.
  • Root Cause Analysis and forensics support. If there is an incident that needs Root Cause Analysis or detailed forensics, StratoZen can assist in finding and reporting on the data in the system and in creating the Root Cause Analysis documentation.
  • Pre-sales support for MSPs. As long-time users and developers within the SIEM universe, we are very skilled at presenting the system to highlight its features and benefits.  Many of our MSP clients use us for pre-sales presentations to help close that deal with their customers.

Custom SIEM Services

Need highly customized SIEM services or a one-time project to get you over a big hurdle?  StratoZen offers custom project and consulting services as well.  Just contact our Sales team and we’ll be happy to help!


Optional SOC-as-a-Service Monitoring

Many managed service providers need more than a SIEM; they need a real Security Operations Center (SOC) to analyze and escalate security events.  StratoZen offers outsourced SOC options that can be added to our SIEM-as-a-Service or SIEM Management offerings.

Learn more about our SOC-as-a-Service.


Contact us today to find out more about our SIEM Management!