The situation
The client, a housing provider serving over 35,000 people, needed a new Managed SIEM vendor to help elevate their security posture.
The incumbent managed security service provider (MSSP) managed AlienVault OSSIM in the client’s environment. As the client’s business grew, the service from their MSSP wasn’t able to keep up with their expectations.
The MSSP had a very 'hands off' approach with the client, and did not regularly tune their SIEM deployment. This led to the client receiving floods of alerts with no priority or context assigned to them.
This quickly became overwhelming for the client's small IT team. They didn't have time to sort through hundreds of alerts themselves, and their MSSP wasn't properly supporting them. The client needed a provider that could help them prioritise and make the best use of their resources. They also wanted clear, step-by-step support for all security incidents so they could remediate any issues.
The client wanted to see clear value from a Managed SIEM service, which they felt they were not getting with their existing provider. They also wanted peace of mind that an outsourced SOC was properly monitoring their environment 24/7 for cyber threats. This led to the client starting their search for another service provider that could give them this coverage and peace of mind.
Client technology stack highlights
- Microsoft 365
- Microsoft Azure AD Connect
- On prem Exchange Servers
- Over 110 VMs running Windows Server 2016
- A small number of Linux servers
- Over 1,100 user devices
- Cisco AMP / Microsoft Defender for Endpoint
- Cisco Meraki
- VMware vCenter
- Citrix ADC
- Veeam backups
The solution
The client saw the Managed SIEM service from Defense.com as a much better solution compared to their existing provider. They liked how Defense.com used its own SIEM technology, yet could still collect data from all their existing security investments.
After choosing Defense.com, our team started to work with the client to help them see immediate value from the service. This included prioritising the onboarding of critical servers that processed sensitive personal data. The client also decided to stagger the onboarding of some log sources, including test applications and development servers. This helped them juggle other business priorities without compromising the security of their production environment.
Once the initial batch of log collectors and API calls were configured and deployed, the Defense.com SOC team worked with the client to:
- Validate that all log collectors were operating as expected
- Review the client’s company profile to tailor detection rules to their needs
- Confirm processes for raising critical security incidents
- Schedule regular service reviews to optimise the SIEM deployment and discuss any changes to the client’s environment
After these steps were completed, the Defense.com SOC analysts monitored the baseline level of network activity to understand what ‘normal’ looked like for the client. From there, the Defense.com team was able to adjust the SIEM deployment and detection rules based on the observed activity and tune out any false positives.
The outcome
Over the first few months of the service being live, Defense.com automatically raised a series of Microsoft Azure security alerts, including clicks by users on potentially malicious URLs. Two particular alerts were investigated in more detail, relating to the creation of forwarding/redirect rules. Both of these events turned out to be legitimate user activity, however SOC analysts will always closely review this type of alert, as it could be an indicator of compromise.
Alerts were also raised for malware that was prevented by Microsoft Defender for Endpoint. Although the malware was prevented from delivering its payload, these security events were raised to the client as a precaution, with the recommendation that the affected endpoints should be scanned manually for any signs of infection.
In addition to their 24/7 threat detection and outsourced SOC service, the client utilised other features of the Defense.com platform to uplift their security posture. They used the built-in Vulnerability Scanning engine to schedule regular scans across a range of external IPs to identify and prioritise any known security weaknesses. This replaced their previous solution that didn’t give them a way to easily prioritise the alerts that were generated, saving their team a lot of time.
The client also conducted an external infrastructure penetration test with a sister company of Defense.com. The full results of the pen test were automatically uploaded into their Defense.com account, including a list of vulnerabilities prioritised in order of criticality. This enabled the client to quickly review the results of their test and understand what they needed to remediate first.
Client feedback
The client was impressed with how the different features in Defense.com came together in one place, and how easy the platform was to use. They also liked how scalable the Defense.com Managed SIEM service was in comparison to their old provider.
The client found the Defense.com service to be a much better solution for the needs of their business. The automatic prioritisation of alerts helped the IT team to use their time more effectively, so they could focus on other projects. Having a 24/7 service also gave the client peace of mind that their environment was being continually monitored for cyber threats.
After seeing so much value from the rest of the Defense.com platform, the client also put plans in place to use the Security Awareness Training and Phishing Simulation features to help educate their staff about cyber security.
Learn more about Defense.com™
Detect and respond to cyber threats and protect your business with Defense.com. Try for free to see our platform in action and find out how you can increase your cyber resilience.
