Ready to move forward with Cysiv SOC-as-a-Service?
Here’s what you can expect.
The onboarding process can typically be completed within a few weeks and encompasses the following key elements.
1. Kickoff Meeting
Cysiv will review and discuss expectations, requirements, timelines and next steps. We’ll need to confirm who on your team will be needed as part of the onboarding phase and daily operations, and we’ll introduce you to your Cysiv team.
2. Architecture & Data Science
We will work with your team to define the use cases you’ve prioritized and the telemetry sources that will support them, and build allow lists (whitelisting) for known-benign activity to help reduce false positives.
To improve the efficiency and effectiveness of the onboarding process and ongoing operations, we’ll also need to understand your IT environment, including relevant infrastructure, security tools, applications, operating systems, and virtualization and containerization.
3. Deployment & Data Onboarding
Once we’ve determined the appropriate and required set of telemetry to be leveraged, and you've provided us with access to the required resources, this telemetry is then ingested into the Cysiv Command platform.
Most telemetry can be pulled from APIs or sent securely to Command over the internet. Older sources that can only emit plain-text logs, such as syslog over UDP, provide no encryption or authentication of their own and should never be exposed to the internet directly; for these, Cysiv Connector provides an encrypted conduit for passing all required telemetry from your environment to the Cysiv platform.
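To make concrete what such a conduit has to do for a legacy source, here is an added example (written for this page, not Cysiv Connector's own code) of a minimal relay: it listens for RFC 5424 syslog on the local network over UDP, drops anything that does not parse as a valid syslog record, and forwards the rest to a remote collector over TLS using RFC 5425 octet-counting framing. The collector hostname, port and CA bundle path are assumptions, and the `run_relay` loop is what you would start on a host inside your environment; the parsing and framing helpers can be exercised on their own.

```python
"""Illustrative syslog-over-UDP to syslog-over-TLS relay (example code added to
this page; not Cysiv Connector's implementation)."""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

COLLECTOR_HOST = "collector.example.net"        # assumption: your SOC's TLS endpoint
COLLECTOR_PORT = 6514                           # RFC 5425 default port for syslog over TLS
CA_BUNDLE = "/etc/connector/collector-ca.pem"   # assumption: CA that signed the collector cert

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP ...
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    message: str


def parse_rfc5424(line: str) -> Optional[SyslogEvent]:
    """Parse one RFC 5424 record. Returns None for anything malformed, so junk or
    deliberately crafted datagrams are dropped at the edge instead of forwarded."""
    m = _RFC5424.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                       # PRI = facility(0..23) * 8 + severity(0..7)
        return None
    return SyslogEvent(
        facility=pri >> 3,
        severity=pri & 7,
        timestamp=m.group("ts"),
        host=m.group("host"),
        app=m.group("app"),
        message=m.group("rest"),
    )


def frame_octet_count(line: str) -> bytes:
    """RFC 5425 transport framing: 'MSG-LEN SP SYSLOG-MSG'. The length prefix means a
    newline embedded in a message cannot be mistaken for a record boundary on the
    TCP/TLS stream, which plain newline-delimited forwarding gets wrong."""
    payload = line.encode("utf-8")
    return f"{len(payload)} ".encode("ascii") + payload


def build_tls_context(ca_bundle: str = CA_BUNDLE) -> ssl.SSLContext:
    """Client context that pins trust to the collector's CA and verifies the hostname,
    so telemetry cannot be redirected to an impostor collector."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    return ctx


def run_relay(listen=("0.0.0.0", 514), max_dgram=8192):
    """Blocking loop: receive UDP syslog on the LAN side, validate, forward over TLS."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(listen)
    ctx = build_tls_context()
    with socket.create_connection((COLLECTOR_HOST, COLLECTOR_PORT)) as raw, \
            ctx.wrap_socket(raw, server_hostname=COLLECTOR_HOST) as tls:
        while True:
            data, _peer = udp.recvfrom(max_dgram)
            line = data.decode("utf-8", errors="replace")
            if parse_rfc5424(line) is None:
                continue                # in production: count and alert on drops
            tls.sendall(frame_octet_count(line))


# Constructed sample record (the example message from RFC 5424 section 6.5).
SAMPLE = ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
          "BOM'su root' failed for lonvick on /dev/pts/8")

if __name__ == "__main__":
    ev = parse_rfc5424(SAMPLE)
    print(ev)
    print(frame_octet_count(SAMPLE)[:20])
```

The validation step is the part that matters operationally: an unauthenticated UDP listener will happily accept datagrams from any host that can reach it, so the relay must treat every packet as untrusted input, and the TLS context must verify the collector's certificate rather than merely encrypt.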
4. Platform Training
Although our team does the “heavy lifting” of providing you with 24/7 service, you’re encouraged to participate actively in the detection and response process as a collaborator. To do that you’ll need some training.
Once we’ve identified the people on your team that want to access the platform, they’re then trained on the Cysiv Command platform. The first training session is usually done after about seven days of data has been ingested into the platform.
Along with the remote live training, participants receive a comprehensive user guide, which complements the online help available in the service. And of course, we’re always available to guide you if you need help.
5. 24/7 Monitoring & Management
Cysiv experts will then begin monitoring your environment, while escalating security incidents for corrective action, as required.
The diagram provides an overview of what actually happens with our 24/7 Monitoring and 24/7 Monitoring with Management services. With both services, you leverage the power of our SOC-as-a-Service platform, and the benefits of our data science, threat hunting and threat research experts.
We monitor for threats, and investigate and triage them, notifying you of confirmed threats and their severity.
We ensure your telemetry is being reliably ingested by Cysiv Command, checking that all Connectors are online and providing the expected flow of telemetry.
And we perform any necessary troubleshooting and maintenance activities.
A security incident is automatically raised in Cysiv Command when the Cysiv Threat Detection engine flags a suspicious entity.
A Security Incident case is then opened for those detections that cannot be confirmed as benign (false positives) during triage.
Analysts then investigate the security incident, documenting the following:
- Attacker attributes & root causes
- Attack vector & campaign
- Infected entities
- Malware capabilities and behavior, and IOCs
We then recommend further investigation steps if the threat is not yet fully characterized or additional information is needed.
Once the incident has been confirmed as a threat:
- The expected impact level is assigned (Sev-1 through Sev-5)
- You're notified according to pre-defined SLAs
- Containment / remediation guidance is provided
- We recommend policy or security changes to prevent similar incidents
Faster, higher quality detections
Human-led and enhanced by automation
Timely, relevant info on key threats
24/7 Monitoring with Management
Includes all of the benefits of 24/7 Monitoring, plus management of selected security products during business hours (Monday to Friday, 9am-5pm CT).
We manage selected security products by:
- Configuring and tuning the devices
- Monitoring their health and availability
- Applying software patches, pattern updates, and other policy changes agreed to in advance
- Coordinating configuration changes to these products
For the security products we manage on your behalf, we will actively implement, not simply recommend, the policy or security-control changes that arise from an incident.