What to Expect

Ready to move forward with Cysiv SOC-as-a-Service?

Here’s what you can expect.

Onboarding Process

The onboarding process can typically be completed within a few weeks and encompasses the following key elements.

1. Kickoff Meeting

Cysiv will review and discuss expectations, requirements, timelines and next steps. We’ll need to confirm who on your team will be needed as part of the onboarding phase and daily operations, and we’ll introduce you to your Cysiv team.

2. Architecture & Data Science

We will work with your team to define the use cases you have prioritized and the telemetry sources that will support them, and establish whitelists (allow-lists) to help reduce false positives.

To improve the efficiency and effectiveness of the onboarding process and ongoing operations, we’ll also need to understand your IT environment, including relevant infrastructure, security tools, applications, operating systems, and virtualization and containerization.

3. Deployment & Data Onboarding

Once we’ve determined the appropriate and required set of telemetry to be leveraged, and you've provided us with access to the required resources, this telemetry is then ingested into the Cysiv Command platform.

Most telemetry can be pulled from APIs or sent securely to Command over the internet. For older sources, such as logs over Syslog UDP, Cysiv Connector provides an encrypted conduit for passing all required telemetry from your environment to the Cysiv platform.

4. Platform Training

Although our team will be doing all of the “heavy lifting” when it comes to providing you with 24/7 service, you’re encouraged to actively participate in the detection and response process as a collaborator. To do that, you’ll need some training.

Once we’ve identified the people on your team who want to access the platform, they’re trained on the Cysiv Command platform. The first training session is usually held after about seven days’ worth of data has been ingested into the platform.

Along with the remote live training, participants receive a comprehensive user guide, which complements the online help available in the service. And of course, we’re always available to guide you if you need help.

5. 24/7 Monitoring & Management

With the onboarding process complete, you’re now ready to begin daily operations.

Daily Operations

Cysiv experts will then begin monitoring your environment, while escalating security incidents for corrective action, as required.

The diagram provides an overview of what actually happens with our 24/7 Monitoring and 24/7 Monitoring with Management services. With both services, you leverage the power of our SOC-as-a-Service platform, and the benefits of our data science, threat hunting and threat research experts.

24/7 Monitoring

We monitor for threats, and investigate and triage them, notifying you of confirmed threats and their severity.


Telemetry Health

We ensure your telemetry is being reliably ingested by Cysiv Command, checking that all Connectors are online and providing the expected flow of telemetry.

And we perform any necessary troubleshooting and maintenance activities.
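As an added illustration of the connector checks described above (example code, not Cysiv’s own; the connector names, baselines and heartbeat times are constructed), a minimal telemetry-health check that flags connectors which have stopped heartbeating or whose hourly event volume has fallen well below their baseline:

```python
"""Telemetry-health check: flag connectors that are offline or whose event
flow has dropped well below the expected baseline. Added example, not
Cysiv's code; connector names, baselines and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ConnectorStatus:
    name: str
    last_heartbeat: datetime   # last time the connector checked in
    events_last_hour: int      # events forwarded in the past hour
    baseline_per_hour: int     # expected hourly volume from history


# Constructed sample data; "now" is pinned so the check is reproducible.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    ConnectorStatus("fw-edge-syslog", NOW - timedelta(minutes=2), 4800, 5000),
    ConnectorStatus("dc01-wineventlog", NOW - timedelta(minutes=45), 0, 1200),
    ConnectorStatus("edr-api", NOW - timedelta(minutes=1), 300, 2000),
]


def check_telemetry_health(connectors, now=NOW,
                           offline_after=timedelta(minutes=15), min_ratio=0.5):
    """Return a dict of connector name -> list of findings.
    'offline'  : last heartbeat is older than offline_after.
    'low_flow' : hourly volume is below min_ratio * baseline.
    A healthy connector maps to an empty list."""
    findings = {}
    for c in connectors:
        issues = []
        if now - c.last_heartbeat > offline_after:
            issues.append("offline")
        # A silent source is a flow problem even if it still heartbeats;
        # a zero baseline (new or intentionally quiet source) is never low.
        if c.baseline_per_hour > 0 and \
                c.events_last_hour < min_ratio * c.baseline_per_hour:
            issues.append("low_flow")
        findings[c.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in check_telemetry_health(SAMPLE).items():
        print(f"{name}: {'healthy' if not issues else ', '.join(issues)}")
```

A source that keeps heartbeating but stops sending events is the case that simple "is the agent up" checks miss, which is why volume is compared against a baseline rather than only checking the heartbeat.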

Detection

A “security incident” is automatically generated in Cysiv Command when a suspicious entity is detected by the Cysiv Threat Detection engine.

A Security Incident case is created for detections that cannot be confirmed as benign (a false positive) during triage.

Investigation

Analysts then investigate the security incident, documenting the following:

  • Attacker attributes & root causes
  • Attack vector & campaign
  • Infected entities
  • Malware capabilities and behavior, and IOCs

We then recommend further investigation steps if the threat is not fully discovered or requires additional information.

Response

Once the incident has been confirmed as a threat:

  • The expected impact level is assigned (Sev-1 ... Sev-5)
  • You're notified according to pre-defined SLAs
  • Containment / remediation guidance is provided
  • We recommend policy or security changes to prevent similar incidents

Data Science

Faster, higher quality detections

Our data scientists & threat hunters constantly update the threat detection engine with new rules and use cases, to ensure the best possible proactive protection from new threats.

Threat Hunting

Human-led and enhanced by automation

Our experts define specific hypotheses based on intel, domain knowledge and situational awareness. They collect data and test these hypotheses. Findings are escalated to you to confirm their nature.

Threat Research

Timely, relevant info on key threats

We collect and process cyber intel, do reverse engineering and malware analysis, damage assessment and reporting, and share this with you as it becomes available.

24/7 Monitoring with Management

Includes all of the benefits of 24/7 Monitoring, plus management of selected security products Monday to Friday, 9am-5pm CT.

We manage selected security products by:

  • Configuring and tuning the devices
  • Monitoring their health and availability
  • Applying software patches, pattern updates, and other policy changes agreed to in advance
  • Coordinating configuration changes to these products

For the security products we manage on your behalf, we will actively implement, not simply recommend, the policy or security control changes arising from an incident.
