Cyber Event Management
Capturing logs and events – delivering managed SIEM functions
Through the power of LogRhythm, our Security Operations Centre (SOC) captures logs from all of your critical devices. This includes firewalls, Intrusion Prevention Systems (IPS), mail servers, web servers, networking devices, servers and even client devices. Through our uniquely tailored approach we are then able to identify attempted security violations and stop them in their tracks.
Our ‘eyes on screen’ SOC identifies suspicious activity and performs detailed analysis to weed out false positives within the analysis engines. We build complex correlation rules that allow us to report real-time exploitation attempts back to your systems and security teams. Through our comprehensive experience in cyber risk management, we then provide pragmatic guidance on what needs to be done to mitigate attempted breaches.
How does the service work?
Threat2Alert is more than just a managed logging service. We take live threat data feeds and combine them with geolocation information to provide highly accurate event intelligence. Our CREST-approved security team provides ongoing assessment of event information and escalates to your security teams when suspicious activity is identified.
An example of how this might work:
- A user on a known blacklisted IP address probes your firewall for SSH services.
- The same user probes your firewall for HTTPS services.
- A series of e-mail attachments are sent from the blacklisted IP address to your internal users.
- An outbound web connection is made from an internal user to the blacklisted IP address.
- The anti-virus services engine on a domain controller is stopped.
- A new user is added to the “domain admins” group.
- A large attachment is sent via e-mail to a mail-server in an ‘untrusted country’ that you don’t normally communicate with.
Each of these individual events might generate a series of log entries. However, each of those logs potentially relates to the same incident, and together they are indications that some form of data infiltration could be taking place. Through Nettitude’s team of seasoned Security Experts, we provide this event correlation and analysis overlay. We chain the events together and contact you to inform you that a suspected security incident is in progress.
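The chain described above, as an added example written for this page and not Nettitude’s or LogRhythm’s own code: a minimal correlator that classifies already-normalised events into the stages of the list (blacklisted-IP probes, inbound attachments, outbound connection to the blacklisted address, anti-virus stopped, domain admins change, large attachment to an untrusted country) and chains every staged event inside a time window into one incident. The event schema, the blacklist, the country code, the size threshold, the window and the alert threshold are all assumptions chosen for the example; a real SIEM would take these from its parsers, threat feeds and tuned rules.

```python
"""Event-chain correlator (illustrative, constructed data; not product code)."""

# Assumed threat-feed data. 203.0.113.0/24 is a documentation range, used here
# as a constructed "blacklisted" address; "XZ" is a placeholder country code.
BLACKLISTED_IPS = {"203.0.113.45"}
UNTRUSTED_COUNTRIES = {"XZ"}
LARGE_ATTACHMENT_BYTES = 10_000_000   # assumed "large attachment" threshold

# Constructed, normalised events in the shape a SIEM parser might emit.
# ts is seconds; the last probe is hours later and should not join the chain.
SAMPLE_EVENTS = [
    {"ts": 100,   "src": "fw01", "type": "probe", "src_ip": "203.0.113.45", "dst_port": 22},
    {"ts": 160,   "src": "fw01", "type": "probe", "src_ip": "203.0.113.45", "dst_port": 443},
    {"ts": 900,   "src": "mx01", "type": "inbound_attachment", "src_ip": "203.0.113.45", "user": "alice"},
    {"ts": 1000,  "src": "proxy", "type": "outbound_web", "user": "bob", "dst_ip": "198.51.100.7"},  # benign
    {"ts": 1500,  "src": "proxy", "type": "outbound_web", "user": "alice", "dst_ip": "203.0.113.45"},
    {"ts": 2400,  "src": "dc01", "type": "service_stopped", "service": "antivirus"},
    {"ts": 2700,  "src": "dc01", "type": "group_member_added", "group": "Domain Admins", "user": "svc-backup"},
    {"ts": 3300,  "src": "mx01", "type": "outbound_attachment", "user": "alice",
     "dst_country": "XZ", "size_bytes": 50_000_000},
    {"ts": 90000, "src": "fw01", "type": "probe", "src_ip": "203.0.113.45", "dst_port": 22},  # isolated
]


def classify(event):
    """Map one event to a named stage of the chain, or None if it matches nothing."""
    t = event.get("type")
    if t == "probe" and event.get("src_ip") in BLACKLISTED_IPS:
        port = event.get("dst_port")
        return {22: "blacklist_probe_ssh", 443: "blacklist_probe_https"}.get(port, "blacklist_probe_other")
    if t == "inbound_attachment" and event.get("src_ip") in BLACKLISTED_IPS:
        return "attachment_from_blacklist"
    if t == "outbound_web" and event.get("dst_ip") in BLACKLISTED_IPS:
        return "outbound_to_blacklist"
    if t == "service_stopped" and event.get("service") == "antivirus":
        return "antivirus_stopped"
    if t == "group_member_added" and event.get("group", "").lower() == "domain admins":
        return "domain_admins_change"
    if (t == "outbound_attachment"
            and event.get("dst_country") in UNTRUSTED_COUNTRIES
            and event.get("size_bytes", 0) >= LARGE_ATTACHMENT_BYTES):
        return "large_attachment_untrusted_country"
    return None


def correlate(events, window_seconds=3600, alert_threshold=3):
    """Chain staged events that fall inside one window into incidents.

    An incident is raised for escalation (alert=True) once it contains at
    least alert_threshold distinct stages, so a lone probe never pages anyone.
    """
    incidents = []
    current = None
    for event in sorted(events, key=lambda e: e["ts"]):
        stage = classify(event)
        if stage is None:
            continue                                  # benign: not part of any chain
        if current is None or event["ts"] - current["start"] > window_seconds:
            current = {"start": event["ts"], "stages": [], "events": []}
            incidents.append(current)                # open a new incident
        current["stages"].append(stage)
        current["events"].append(event)
    for inc in incidents:
        inc["distinct_stages"] = sorted(set(inc["stages"]))
        inc["alert"] = len(inc["distinct_stages"]) >= alert_threshold
    return incidents


if __name__ == "__main__":
    for n, inc in enumerate(correlate(SAMPLE_EVENTS), 1):
        flag = "ESCALATE" if inc["alert"] else "monitor"
        print(f"incident {n} @t={inc['start']}: {flag}, stages={inc['distinct_stages']}")
```

Run as a script it prints two incidents: the first spans seven stages and is flagged for escalation, the second is the isolated probe hours later and is only monitored. The window and threshold are the two knobs an analyst tunes to trade false positives against missed chains; the benign proxy event to a non-blacklisted address shows that unmatched logs are simply ignored rather than attached to whatever incident happens to be open.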