Co-Managed SIEM

Learn About Co-Managed SIEM

Seeking information on what is common practice and standard procedure for a co-managed relationship with a managed security services provider can be a bit daunting. Here’s a few bits of knowledge that will hopefully make it easier to speak the same language.


Frequently Asked Questions

What does the acronym S.I.E.M. stand for?

SIEM stands for Security Information and Event Management.

What is the purpose of a SIEM?

Security has become a game of managing all the data that is generated by log files and other recorded events that could be used in detecting malicious behavior or compromise. The sheer volume of data that is generated by security events is such that no human can evaluate it in real time. Automation and aggregation of the data must be employed to make it usable and meaningful. A SIEM is a product that is meant to provide this functionality.

Why would I seek out a services provider to help manage my SIEM?

A SIEM, even though it is oriented toward automation, still requires a human analyst to monitor its views and insights. A security engineer or developer must configure and tune its initial implementation. This equates to expensive man-hours. For an organization that is held to a standard of compliance, it can require multiple full-time employees to cover 24/7 shifts.

A co-managed SIEM partner can provide the manpower at a fraction of the cost, while the organization retains ownership of the implementation and the data it generates.

What happens if I want to change my SIEM management provider?

Sometimes things happen and you may want to switch to a new provider to help manage your SIEM. That’s where the co-managed model shines: You own the purchased products, any assets, and the infrastructure. The provider in a co-managed SIEM model has just provided services to help build, manage, and refine your owned setup. It’s all yours. If the need arises, bring in a new provider.

Co-Managed SIEM Topics

Co-Managed Programs

In any co-managed program, the organization retains ownership of the assets and data. Meanwhile, the service provider gives expertise in design, architecture, and day-to-day running of the security program. This is in contrast to a full SaaS or “black box” solution where security oriented traffic is shipped off to a service totally owned and operated by the provider.

In the case of a co-managed SIEM, the SIEM product can be configured and customized by either party while the provider performs continued management and monitoring of the data . This allows the organization who owns the SIEM to retain dominion over their own security data and enjoy much cheaper monitoring and analysis by a provider who services multiple customers simultaneously.

The Novacoast Co-Managed SIEM in particular adds the following benefits:

  • Novacoast reviews design and architecture
  • Novacoast provides care and feeding of solution
  • 100% of care and feeding of solution is taken care of by Novacoast
  • Integration to customer SOP’s for feel of customer owned tier 1 SOC
  • Documentation is co-owned and transferable
  • Data and integration ownership stay where they belong, with the customer

SIEM Products

While there are many SIEM products on the market, there are a few standouts that are worthy of mention. Contact our sales team if you don’t currently have a SIEM setup and would like expert help.

  • LogRhythm
    • LogRhythm’s NextGen SIEM platform is an industry leader and a partner of Novacoast.
  • Arcsight
    • The ArcSight Enterprise Security Manager is a comprehensive threat detection, analysis, and compliance management SIEM solution. ArcSight is from Microfocus, one of Novacoast’s partners.
  • Splunk
    • Splunk’s analytics-driven SIEM product is well proven as part of their Security Operations Suite.

Glossary Of Terms

Analyst

A trained technician or security engineer who specializes in evaluating the configuration and data insights from various security information and event management tools. An analyst also is trained on response, triage, and escalation procedures in the event of an incident.

Endpoint

An endpoint is any remote computing device that is connected to the network. Endpoints represent a liability attack surface due to challenges with maintaining updates, antivirus, and their role as a focal point for user behavior.

Incident

An occurrence where a policy, implied or stated, is violated by a remote attacker or internal actor.

RACI

RACI is an acronym that stands for responsible, accountable, consulted and informed. A RACI chart is a matrix of all the activities or decision making authorities undertaken in an organisation set against all the people or roles. (Wikipedia)

Runbook

RACI is an acronym that stands for responsible, accountable, consulted and informed. A RACI chart is a matrix of all the activities or decision-making authorities undertaken in an organization set against all the people or roles. (Wikipedia)

Service Level Agreement

A service-level agreement (SLA) is a commitment between a service provider and a client. Particular aspects of the service – quality, availability, responsibilities – are agreed between the service provider and the service user. (Wikipedia)

SOC

A Security Operations Center, or SOC, is a strategically located remote facility from which analysts can monitor, analyze, and respond to security threats in an effort to protect sensitive data and intellectual property.

Triage

As in medicine, triage is any approach to prioritization of response using defined rules and procedures to achieve some level of efficiency in response to a detected incident