Cybersecurity Maturity Concept for SIEM & MDR
The cybersecurity maturity process can seem overwhelming, especially if your organization lacks experience with this process. There’s a lot to consider, such as understanding exactly what you can expect and the value you will get from the process.
In this first video of the Sedara Whiteboard Series, we go over a crawl-walk-run methodology to ease into a mature SIEM & MDR cybersecurity posture.
If you’re looking to get some tangible value out of a system or service, watch the video above or read below for some key takeaways.
What is SIEM Technology?
SIEM technology revolves around data collection. It’s about collecting logs, analyzing them, and pulling data through API integrations to understand what is happening in your cybersecurity environment.
The Crawl-Walk-Run Approach:
The crawl phase starts with your SIEM ingesting logs from your most critical assets, and sometimes from high-value, lower-volume assets. What do we mean by high-value? We’re referring to the data those assets provide.
The primary focus during this stage includes getting visibility into network traffic. This includes firewall logs and directory services. Firewalls and directory services are considered extremely high-value data sources.
In a firewall log, you can expect to get the source, target port, and protocol information. Firewall logs don’t share much beyond that unless the firewall is a unified threat management (UTM) device. With a UTM device, you can get actual URL destinations and conduct spam filtering.
When examining log sources, it’s crucial to consider:
- What data you’re collecting
- What intelligence is going to be applied
- What you’re getting out of it
One example of a security risk would be a user adding another domain admin at a time when your employees aren’t usually working. Sedara can detect and respond to this by using the domain controller logs your SIEM has collected.
Without applying some form of intelligence to those logs, you would not be able to find this significant compromise.
The walk phase moves into systems that are more complex to configure and that produce higher log volumes.
In this phase, workstations are your highest-volume assets. The logs from your workstations may not be as important as the logs from your global directory services. However, you can build a significant number of use cases and alarms from that data.
Obtaining workstation logs can be challenging. However, Sedara has created processes built on Windows event forwarding that can be applied in a couple of hours. The volume of data affects the size of SIEM you need.
One reason workstation logs are impactful is that, if attackers know you are using a SIEM, they will use local accounts to get into your systems and stay under the radar of detection.
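As an added example (not code from the video or from Sedara), the following shows how the two detections described above, an off-hours addition to Domain Admins from domain controller logs and a local-account logon on a workstation, could be expressed as SIEM-style rules over normalized Windows Security events. Event IDs 4728 and 4624, the LogonType values, and the EventData field names are real Windows conventions; the business hours, privileged-group list, workstation inventory, and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List

# Assumed local working hours; anything outside them, or a weekend, is "off hours".
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
# Groups whose membership changes we treat as privileged (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
# Hosts the SIEM knows to be workstations (assumed asset inventory, NetBIOS names).
WORKSTATIONS = {"WS-FIN-07", "WS-HR-12"}
# Windows LogonType values: 2 = interactive (console), 10 = RemoteInteractive (RDP).
INTERACTIVE_LOGON_TYPES = {2, 10}


@dataclass
class WinEvent:
    timestamp: datetime      # event time, assumed already converted to local time
    event_id: int
    computer: str            # reporting host, e.g. "DC01.corp.example"
    data: Dict[str, object]  # EventData fields keyed by their Windows names


def hostname(fqdn: str) -> str:
    """NetBIOS-style host name from a fully qualified computer name."""
    return fqdn.split(".")[0].upper()


def outside_business_hours(ts: datetime) -> bool:
    if ts.weekday() >= 5:  # Saturday or Sunday
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def detect_offhours_privileged_group_add(events: List[WinEvent]) -> List[dict]:
    """Event 4728 (member added to a security-enabled global group) on any host.
    TargetUserName is the group, MemberName the account added, SubjectUserName
    the account that made the change."""
    findings = []
    for ev in events:
        if ev.event_id != 4728:
            continue
        group = ev.data.get("TargetUserName")
        if group not in PRIVILEGED_GROUPS or not outside_business_hours(ev.timestamp):
            continue
        findings.append({
            "rule": "offhours_privileged_group_add",
            "host": hostname(ev.computer),
            "group": group,
            "member": ev.data.get("MemberName"),
            "by": ev.data.get("SubjectUserName"),
            "time": ev.timestamp.isoformat(),
        })
    return findings


def detect_local_account_logon(events: List[WinEvent]) -> List[dict]:
    """Event 4624 on a workstation where the account's domain is the machine
    itself, i.e. a local SAM account was used instead of a domain account."""
    findings = []
    for ev in events:
        if ev.event_id != 4624:
            continue
        host = hostname(ev.computer)
        if host not in WORKSTATIONS or ev.data.get("LogonType") not in INTERACTIVE_LOGON_TYPES:
            continue
        if str(ev.data.get("TargetDomainName", "")).upper() != host:
            continue
        findings.append({
            "rule": "local_account_interactive_logon",
            "host": host,
            "account": f"{host}\\{ev.data.get('TargetUserName')}",
            "logon_type": ev.data.get("LogonType"),
            "source_ip": ev.data.get("IpAddress"),
            "time": ev.timestamp.isoformat(),
        })
    return findings


def run_rules(events: List[WinEvent]) -> List[dict]:
    return detect_offhours_privileged_group_add(events) + detect_local_account_logon(events)


# Constructed sample events (2024-03-05 is a Tuesday, 2024-03-09 a Saturday).
SAMPLE_EVENTS = [
    WinEvent(datetime(2024, 3, 5, 2, 13), 4728, "DC01.corp.example",
             {"SubjectUserName": "jdoe", "MemberName": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example",
              "TargetUserName": "Domain Admins", "TargetDomainName": "CORP"}),   # 02:13 -> alert
    WinEvent(datetime(2024, 3, 5, 10, 0), 4728, "DC01.corp.example",
             {"SubjectUserName": "jdoe", "MemberName": "CN=asmith,OU=IT,DC=corp,DC=example",
              "TargetUserName": "Domain Admins", "TargetDomainName": "CORP"}),   # business hours -> no alert
    WinEvent(datetime(2024, 3, 9, 11, 0), 4728, "DC02.corp.example",
             {"SubjectUserName": "bkim", "MemberName": "CN=tmp-admin,OU=IT,DC=corp,DC=example",
              "TargetUserName": "Domain Admins", "TargetDomainName": "CORP"}),   # Saturday -> alert
    WinEvent(datetime(2024, 3, 5, 23, 30), 4728, "DC01.corp.example",
             {"SubjectUserName": "jdoe", "MemberName": "CN=nlee,OU=Staff,DC=corp,DC=example",
              "TargetUserName": "Marketing", "TargetDomainName": "CORP"}),       # non-privileged -> no alert
    WinEvent(datetime(2024, 3, 5, 22, 40), 4624, "WS-FIN-07.corp.example",
             {"TargetUserName": "Administrator", "TargetDomainName": "WS-FIN-07",
              "LogonType": 10, "IpAddress": "10.20.30.40"}),                     # local RDP logon -> alert
    WinEvent(datetime(2024, 3, 5, 9, 5), 4624, "WS-FIN-07.corp.example",
             {"TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": 2}),  # domain logon -> no alert
    WinEvent(datetime(2024, 3, 5, 9, 6), 4624, "WS-HR-12.corp.example",
             {"TargetUserName": "helpdesk", "TargetDomainName": "WS-HR-12", "LogonType": 3}),  # network logon -> out of scope
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

The two rules deliberately stay narrow: the first fires only for privileged groups outside the assumed hours, and the second only for interactive or RDP logons on hosts the inventory marks as workstations, so a domain controller or a network (type 3) logon never trips it. In a real deployment the hours, group list, and workstation set would come from the organization's own context, which is exactly the "intelligence" the text says has to be layered on top of raw collection.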
Isolating devices, removing them from the network, or killing processes is a good way to begin the response process during the walk phase.
As an MDR provider, Sedara can detect and respond to threats on your behalf.
The run phase can take longer to reach, is typically very high volume, and is fairly sophisticated to implement and manage. The complexity comes from including robust business applications such as ERP systems, EMR systems, finance systems, and more.
Getting those logs into the SIEM is more time-consuming, and typically separate teams are responsible for the different environments, so more people are involved in the detection and response processes. Because of the level of complexity involved in this phase, these capabilities take more time to develop.
How Sedara Can Help You with Cybersecurity Maturity
Be sure to check back for more videos in our Whiteboard Series. Do you want Sedara to become your Cybersecurity Sidekick? Get started today.
Subscribe to Sedara Declassified to get timely updates on new and evolving threats, and what to do about them, just like our clients do.