The onboarding process can typically be completed within a few weeks and encompasses the following key elements.
Cysiv will review and discuss expectations, requirements, timelines and next steps. We’ll confirm who on your team will be involved in the onboarding phase and in daily operations, and we’ll introduce you to your Cysiv team.
We will work with your team to define the use cases you’ve prioritized and the telemetry sources that support them, and to establish allow-lists (whitelisting) of known-good activity to reduce false positives. Allow-list entries should be kept narrow, since an over-broad entry suppresses genuine detections along with the noise.
To improve the efficiency and effectiveness of the onboarding process and ongoing operations, we’ll also need to understand your IT environment, including relevant infrastructure, security tools, applications, operating systems, and virtualization and containerization.
Once we’ve determined the required set of telemetry and you’ve given us access to the corresponding resources, that telemetry is ingested into the Cysiv Command platform.
Most telemetry can be pulled from APIs or sent securely to Command over the internet. Some older sources only emit logs over Syslog UDP, which is unencrypted and unauthenticated and so should not cross the internet as-is. For these, Cysiv Connector, deployed in your environment, receives the logs locally and provides an encrypted conduit for passing all required telemetry to the Cysiv platform.
Although our team does the “heavy lifting” of providing you with 24/7 service, you’re encouraged to take an active part in the detection and response process as a collaborator. To do that, you’ll need some training.
Once we’ve identified the people on your team who want access to the platform, they are trained on the Cysiv Command platform. The first training session is usually held after about seven days of data has been ingested, so that there is real telemetry to work with.
Along with the remote live training, participants receive a comprehensive user guide, which complements the online help available in the service. And of course, we’re always available to guide you if you need help.
Cysiv experts will then begin monitoring your environment, while escalating security incidents for corrective action, as required.
The diagram provides an overview of what actually happens with our 24/7 Monitoring and 24/7 Monitoring with Management services. With both services, you leverage the power of our SOC-as-a-Service platform, and the benefits of our data science, threat hunting and threat research experts.
We monitor for threats, and investigate and triage them, notifying you of confirmed threats and their severity.
We ensure your telemetry is being reliably ingested by Cysiv Command, checking that all Connectors are online and providing the expected flow of telemetry.
And we perform any necessary troubleshooting and maintenance activities.
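The check described above, that every connector is online and delivering the expected flow of telemetry, is the kind of thing worth automating, because a source that goes quiet is a blind spot rather than a clean bill of health. The following is an added example, not Cysiv’s code, of such a flow check. It assumes a hypothetical heartbeat format in which each connector reports, once a minute, how many events it forwarded; the sample lines, connector names, thresholds and windows are constructed for illustration.

```python
"""Telemetry flow check (added example, not Cysiv's code).

Flags connectors that are expected to report but have gone silent, and
connectors that still heartbeat but whose event volume has collapsed
relative to their recent baseline. Heartbeat format is hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Dict, Iterable, List, Optional

# Constructed reference time and sample data (not real telemetry).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _synthetic_lines() -> List[str]:
    """One hypothetical heartbeat line per connector per minute, oldest first."""
    lines = []
    for m in range(70, 0, -1):  # 70 minutes of history
        ts = (NOW - timedelta(minutes=m)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} connector=fw-edge events=1200")      # healthy
        if m > 25:                                               # stops 25 min ago
            lines.append(f"{ts} connector=dc-auth events=300")
        # keeps heartbeating, but volume collapses in the last 10 minutes
        lines.append(f"{ts} connector=web-proxy events={200 if m > 10 else 3}")
    return lines


SAMPLE_LINES = _synthetic_lines()
EXPECTED_CONNECTORS = {"fw-edge", "dc-auth", "web-proxy", "vpn-gw"}  # vpn-gw never reports


@dataclass(frozen=True)
class Heartbeat:
    ts: datetime
    connector: str
    events: int


def parse_line(line: str) -> Heartbeat:
    """Parse '<ISO-8601 UTC> connector=<name> events=<n>' (hypothetical format)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Heartbeat(ts, kv["connector"], int(kv["events"]))


@dataclass
class ConnectorStatus:
    connector: str
    state: str                   # "ok", "low_volume" or "silent"
    last_seen: Optional[datetime]
    recent_rate: float           # events/minute over the recent window
    baseline_rate: float         # median events/minute over the history window


def check_connectors(lines: Iterable[str], expected: Iterable[str], now: datetime,
                     recent_window: timedelta = timedelta(minutes=10),
                     history_window: timedelta = timedelta(minutes=60),
                     silence: timedelta = timedelta(minutes=15),
                     low_ratio: float = 0.25) -> List[ConnectorStatus]:
    """Return one status per *expected* connector.

    Iterating over the expected set, not over what was observed, is what
    catches a connector that never reported at all.
    """
    by_conn: Dict[str, List[Heartbeat]] = {}
    for hb in (parse_line(l) for l in lines):
        by_conn.setdefault(hb.connector, []).append(hb)

    recent_minutes = recent_window.total_seconds() / 60
    results = []
    for name in sorted(expected):
        beats = sorted(by_conn.get(name, []), key=lambda b: b.ts)
        last_seen = beats[-1].ts if beats else None
        recent = [b.events for b in beats if b.ts >= now - recent_window]
        baseline = [b.events for b in beats
                    if now - recent_window - history_window <= b.ts < now - recent_window]
        recent_rate = sum(recent) / recent_minutes
        baseline_rate = float(median(baseline)) if baseline else 0.0

        if last_seen is None or now - last_seen > silence:
            state = "silent"
        # A brand-new connector has no baseline yet; don't flag it as low volume.
        elif baseline_rate > 0 and recent_rate < low_ratio * baseline_rate:
            state = "low_volume"
        else:
            state = "ok"
        results.append(ConnectorStatus(name, state, last_seen, recent_rate, baseline_rate))
    return results


def problems(statuses: List[ConnectorStatus]) -> List[str]:
    """Names of connectors that need troubleshooting, in sorted order."""
    return [s.connector for s in statuses if s.state != "ok"]


if __name__ == "__main__":
    for s in check_connectors(SAMPLE_LINES, EXPECTED_CONNECTORS, NOW):
        print(f"{s.connector:10s} {s.state:11s} recent={s.recent_rate:7.1f}/min "
              f"baseline={s.baseline_rate:7.1f}/min last_seen={s.last_seen}")
```

Comparing the recent rate against a median baseline rather than a fixed threshold keeps the check meaningful across sources with very different volumes; the silence timeout is the one absolute threshold, and should be set a little longer than the heartbeat interval plus normal delivery jitter.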
A detection is generated automatically in Cysiv Command when the Cysiv Threat Detection engine identifies a suspicious entity.
A Security Incident case is then opened for any detection that cannot be confirmed as benign (a false positive) during triage.
Analysts then investigate the security incident, documenting the following:
Where the threat is not yet fully understood or more information is needed, we recommend further investigation steps.
Once the incident has been confirmed as a threat:
Faster, higher quality detections
Human-led and enhanced by automation
Timely, relevant info on key threats
We manage selected security products by:
For the security products we manage on your behalf, we actively implement, rather than simply recommend, the policy or security-control changes needed to respond to an incident.