Information Security teams are presented with large quantities of data, signals and alerts from an array of different sources. Sifting through this noise to identify, understand and respond to threats has become increasingly challenging.
Many of the biggest recent hacks have gone undetected for more than a year, allowing hackers time to inflict considerable damage. Accelerating the discovery of threats and arming your response is the next battlefront in Cyber Security.
The average time to identify a breach in 2020 was 207 days.
The average lifecycle of a breach was 280 days from identification to containment.
Security breaches have increased by 11% since 2018 and 67% since 2014.
Kontex’s bespoke SIEM operating model ensures an effective threat mitigation function for your organisation. Our model removes many of the frustrations with existing outsourced providers, such as unclear activity responsibilities, coverage planning and ongoing architecture design.
We continually develop the service to align with new threats and unexpected market changes specific to your organisation.
Unfortunately for organisations, many SIEM solutions are not collecting suitable event data, are not architected correctly, do not have sufficient threat detection analytics and are not tuned to the needs of the business, resulting in an ineffective threat identification and response programme.
A misconfigured and poorly managed SIEM solution will hurt your business. For a SIEM solution to be able to detect threats and operate effectively, it is critical that:
- Rich data from essential systems is ingested and analysed.
- Customised and accurate threat analytics rules are deployed and aligned with global risk trends.
- Skilled security analysts maintain and operate the SIEM.
- Your security team is notified early of threats so that your organisation suffers only minor impact, if any at all.
Kontex’s proven Managed SIEM service will ensure that threats are detected and responded to on time.
Device & Architecture Management - ‘Fuelling the engine’
- Reviews of client architecture, systems and roadmaps
- Supporting the customer in developing and maintaining sufficient verbosity in event flows
- Ensuring key systems are captured
- Development of custom connectors and normalisation strategies
- Support in the development of use case strategy aligned with SIEM coverage
Continuous SIEM Configuration - ‘Tuning the engine'
- Constant tuning of existing analytics rules – removal of noise
- Deployment of value-add analytics rules
- On demand deployment of critical / threat intelligence led analytics rules
- Development of campaign specific threat hunting queries – Anomaly and compromise detection strategy
Monitoring & Reporting - ‘Running the engine’
- Monitoring of SIEM incidents by qualified analysts
- Validating incidents and incident triage
- Provision of remediation guidance
- Post incident root cause tracked and reported
- Development of custom dashboards and reports based on use cases
- Daily threat hunting processes