MANAGED SECURITY SERVICES
The threat analysts and operations specialists of the Novacoast SOC are ready to optimize and run your EDR to make it perform and protect.
What We Do
The Novacoast Managed EDR service is focused on optimizing your EDR for maximum effectiveness in finding and remediating threats with as much automation as possible. Here’s what we do to accomplish that:
Active Incident and Alert Investigation
Analysts in the Novacoast SOC are eyes-on-glass, ready to investigate alarms using any and all tools at their disposal, depending on the customer environment.
False Positive Handling
Inefficiencies in managing EDR are often rooted in false positives: alerts triggered unnecessarily by benign events. Reducing them is a common tuning activity when initially profiling any new organization or environment, but it can cause some extra workload and concern at the outset. Reducing false positives is an iterative process.
Escalation of Incidents to Customer Staff
The process for remediation and response is a coordination of two teams – the SOC who provides expertise in threats and mitigation techniques and the customer who provides necessary access to systems and data when remediation becomes necessary. Analysts in the Novacoast SOC will escalate an incident once it meets agreed-upon criteria.
Remediation Support
When an incident or event occurs that requires active remediation and potentially emergency response, Novacoast can assist our customer’s security team with threat detail and any other intel that would aid resolution.
Alert/Watchlist Tuning
One of the primary benefits of an MDR program is the refined use of threat intelligence and threat hunting from the experienced Novacoast analysts. A customer’s alerts and threat watchlist will be tuned in accordance with industry and exposure to minimize noise, false positives, and excess workload.
Hunt Hypothesis Creation
Unlike investigations that are launched by a defined alert, a hypothesis-driven investigation is initiated when threat intelligence indicates there may be malicious activity that existing detections are not catching. Are bad actors present without triggering alerts? That’s where hunting comes into play. It’s a science – ideation based on suspicion, followed by experiment to verify. Novacoast threat hunters use this technique when no alerts are yet defined for a suspected threat.
Feed Tuning and Recommendations
Threat intelligence feeds available today are numerous, and while some are broad in spectrum, others can be very specific to a certain type or family of threats. To avoid too much or too little data being imported for correlation, our specialists curate and tune what data EDR is using so that it’s appropriate for the customer’s industry or exposure profile.
New Use Case Creation
Novacoast’s analysts can assist if a customer’s EDR configuration is relatively new and requires the creation of use cases for detection, response, or threat hunting to address the unique scenarios of the business and employee usage.
Ad hoc Hunt Requests
Is something suspicious indicating potential malicious activity on the endpoint, but no alerts have been triggered? It’s time for analysts to hunt down the cause of the activity. This is an ad hoc, request-based action where the initiative comes from the customer or from a Novacoast analyst who noticed abnormal behavior.
Binary Triage Analysis
If a suspicious binary is detected on a monitored system and the automated means of identification return nothing, some analysis is required to determine whether that binary is malicious. This is called triage. Triage determines how serious and how urgent the response should be by establishing the binary’s capability and intent. Novacoast analysts use a suite of tools in a quarantined container during analysis to extract strings and other data from the compiled binary that may indicate its purpose and level of virulence.
Root Cause Analysis
It’s often the case that symptoms of an attack or infection are indicative of a deeper issue. If binaries are appearing on a system, how were they delivered? Perhaps a backdoor exists or a drive-by attack has installed a binary that’s delivering additional payloads. In such a multidimensional incident, analysis can be performed to determine the root cause with the hope that abating this cornerstone of the attack will prevent the rest of the symptoms.
This kind of analysis requires experience and detailed knowledge of the host operating system and application stacks that may be the target of the attack. Analysts in the Novacoast SOC specialize in investigations that run the gamut of Windows, macOS, and flavors of Unix/Linux. They apply their years of attack profiling to determine the root cause of any given incident.