What is a Co-Managed SIEM and for whom is this approach suitable?

The digitization of all branches of business is advancing inexorably. However, as digital workflows are integrated into a company, the likelihood of IT security threats also increases. Cybercriminals are ceaselessly looking for existing vulnerabilities in IT systems and networks to tap valuable data, sensitive company internals or confidential information on technologies.

SIEM systems deliver critical added value to a company’s information security. With a SIEM solution, companies are able to comprehensively collect security-relevant data, consolidate it in a centralized repository and automatically detect anomalies and rule violations based on previously defined use cases. As a result, the use of a SIEM system offers the company’s internal IT security teams a decisive advantage – because the time required to identify an acute threat (mean time to detect) can be significantly reduced by a SIEM. Especially in the case of critical attacks on the IT infrastructure, this represents the decisive time advantage in many cases.

But what happens if companies lack relevant resources that are indispensable for setting up and maintaining a SIEM? These include, for example, professional expertise in certain SIEM disciplines, technical requirements or the corresponding manpower – resources that are currently not sufficiently available in many companies. The Co-Managed SIEM approach can provide a suitable solution here. This article explains what exactly a Co-Managed SIEM is and what advantages it offers.

What does the “Co-Managed SIEM” approach stand for?

With the help of a SIEM, it is possible to collect event log data from a wide variety of sources at a central location and to automatically detect and report anomalies and rule violations in this data based on previously defined use cases. SIEM stands for Security Information and Event Management and enables users to respond to cyber threats of all kinds in real time. Fully implemented in-house, a SIEM means a costly and resource-intensive deployment for companies and requires complex management. In addition, there are immense amounts of data that need to be evaluated and managed by internal IT security specialists on a daily basis. With managed SIEM systems, the work involved is outsourced to an external service provider. The service provider takes over the monitoring of SIEM messages, updates the solution with patches and provides reports and logs.

A Co-Managed SIEM approach is suitable for companies that do not want to outsource all SIEM services immediately, but only selected ones in a flexible manner. Ideally, a corresponding co-managed SIEM service portfolio has a modular structure and can be flexibly adapted to almost any customer requirement. As the customer, you decide which competencies you want to build up in-house and which services you want to have managed externally.

What are the advantages of managed SIEM services?

A partially – or fully – externally managed SIEM offers numerous advantages, such as:

  • Proactive threat detection by a SIEM expert team

The more data is generated within a company, the more complex and extensive the detection of current threats becomes. For a SIEM to be used effectively, the users of the system – usually SOC analysts – must understand attack scenarios and alerts and, of course, know how to respond appropriately. SIEM solutions do the repetitive work, but analysts must put the resulting alerts in context and see the “big picture.” To do this, they must monitor and assess alerts and respond appropriately to actual threats. Are these prerequisites in place at your company? If not, this is where you should seek expert support from experienced cyber defense analysts who can reliably identify attack patterns and complex contexts.

  • Network monitoring around the clock

For a SIEM solution to be efficient and effective, networks and systems must be continuously monitored around the clock, 365 days a year. Especially in companies with only a small IT security team, an internal SIEM system carries the risk of capacity bottlenecks. With a managed SIEM, 24/7 network monitoring can be outsourced. The service provider’s IT security experts then permanently monitor your IT infrastructure, identify, analyze and process IT security incidents and, in the event of an emergency, take all necessary measures to eliminate the threat. This gives your own IT security team sufficient freedom to respond quickly and efficiently to acute problems.

  • More flexible use of the IT security budget

An internal SIEM system can produce costs in the six-figure range, depending on the size of the company. Acquiring the SIEM solution alone is not enough – afterwards, the SIEM must be implemented promptly in the company’s IT architecture (roll-out phase). Additional time and costs must be spent on education and training until the company’s own IT security team has internalized the use of the SIEM and understood all the details. Once the SIEM is up and running, one of the tasks is to ensure the stable operation (monitoring and utilization) of all SIEM components as well as their maintenance by appropriate staff.

With an externally managed SIEM, by contrast, these initial costs stay low. For a monthly service fee, the SIEM services your company needs are available immediately, and the costs of education, training, maintenance and security patches are eliminated entirely.

What distinguishes the Co-Managed SIEM from SECUINFRA?

In order for a SIEM to counter current and future cyber threats efficiently and effectively, the different roles within the SIEM operation must be staffed with different skills. From the monitoring of log sources to the development of SIEM content to incident response and threat hunting, the technology only works if all roles are properly staffed and mesh like cogwheels. This is exactly where SECUINFRA comes in with its hybrid, modular and flexible Co-Managed SIEM approach: your company decides individually which services from the SIEM toolbox it would like to use and which ones remain in-house. In close cooperation, a first-class SIEM system is created – without hidden costs and dependencies. From taking over individual roles to the complete operation of a SIEM, SECUINFRA’s Co-Managed SIEM approach can be adapted specifically to the needs and processes of your company. The hybrid offering allows services to be provided either on-site or remotely from one of SECUINFRA’s Cyber Defense Centers. Data protection is guaranteed at all times: the data does not leave your company, and access to it takes place exclusively from Germany. Another major advantage of the SECUINFRA Co-Managed SIEM approach is the knowledge its cybersecurity experts have gained through many years of experience. Through the operation of two Cyber Defense Centers as well as more than 120 successfully completed projects in the area of SIEM consulting and services since 2010, the SECUINFRA experts bring great expertise to the services offered.

What services and modules does SECUINFRA’s Co-Managed SIEM approach include?

The Co-Managed SIEM approach is based on the fact that each SIEM system and the required components can be installed and operated within the customer network by SECUINFRA. For this purpose, the customer provides the operating system platform on which SECUINFRA installs, configures and operates the SIEM system via remote access. Alternatively, it is also possible that you as a customer operate the SIEM platform independently and are supported by SECUINFRA with individual modules from the co-managed SIEM portfolio.

The following modules can be used individually or as a complete package:

Security Monitoring

Within the scope of Security Monitoring, SECUINFRA Cyber Defense experts take over the sustainable analysis of IT security incidents, perform a precise qualification of the incidents and provide suggestions for countermeasures.

Security Monitoring is mainly subdivided into:

Threat Hunting

As part of the Threat Hunting module, SECUINFRA performs log data analyses based on internal or external incidents or based on newly discovered IOCs and detected attacks at other SECUINFRA customers. Furthermore, clear recommendations for action are given to the incident response team in case of detected security incidents.

Level-1 Analysis

  • Triage and initial analysis of SIEM alerts
  • Elimination of false positives and duplicate alerts
  • Escalation of relevant incidents to Level-2 Analysis

Level-2 Analysis

  • Detailed analysis and assessment of relevant incidents
  • Consultation with affected users and responsible parties to clearly assess relevant incidents
  • Clear recommendations for action for the incident response team in the event of security incidents

SIEM content development and maintenance

SECUINFRA cyber defense experts place great emphasis on highly focused SIEM content development and maintenance. To date, the cybersecurity specialists have developed more than 200 use cases based on the MITRE ATT&CK framework, among others. As a unique selling point, SECUINFRA not only creates the SIEM rules for the individual use cases, but also provides the necessary specifications for the log policy, test routines and runbooks. However, the initial creation of the content is not the end of the story – the cyber defense experts continuously work on maintaining the content, i.e. optimizing and adding to it.

The services in the SIEM Content Development and Maintenance module include in detail:

  • Definition of the required use cases based on your security needs
  • Selection of these use cases from the SECUINFRA use case library, or
  • Comprehensive customized development of use cases with log policy, SIEM rule(s), test routines and runbook
  • Implementation and continuous optimization of end-to-end SIEM use cases
  • Initial and regular testing of the use cases
  • Continuous maintenance and optimization of log policies, SIEM rules, test routines and runbooks
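As an added illustration (not SECUINFRA’s code or tooling), the following Python sketch models one use case as the bundle the text describes: a log policy, a SIEM rule, a test routine and a runbook reference. The sample logon events, the rule logic and the runbook ID are constructed assumptions; the test routine reports a log-policy gap instead of a false "pass" when the test events lack a field the rule depends on.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class UseCase:  # one end-to-end use case: log policy, SIEM rule, test routine, runbook
    name: str
    log_policy: list[str]                # fields every event must carry for the rule to work
    rule: Callable[[list[dict]], bool]   # detection logic over a window of events
    must_fire: list[list[dict]]          # test windows that have to trigger the rule
    must_not_fire: list[list[dict]]      # test windows that have to stay silent
    runbook: str                         # handling procedure the analyst follows on a hit
    def policy_gaps(self, window: list[dict]) -> list[str]:
        return sorted({f for e in window for f in self.log_policy if f not in e})

    def run_tests(self) -> dict[str, str]:
        # Test routine: one verdict per window ('pass', 'fail' or a log-policy gap).
        cases = [(f"fire-{i}", w, True) for i, w in enumerate(self.must_fire)]
        cases += [(f"silent-{i}", w, False) for i, w in enumerate(self.must_not_fire)]
        verdicts = {}
        for label, window, expected in cases:
            gaps = self.policy_gaps(window)
            if gaps:  # a missing field would make the rule miss silently, so report it
                verdicts[label] = "log-policy gap: " + ", ".join(gaps)
            else:
                verdicts[label] = "pass" if self.rule(window) == expected else "fail"
        return verdicts

def failed_then_success(window: list[dict], threshold: int = 3) -> bool:
    # Rule: at least `threshold` failed logons from one source, then a success from it.
    failures: dict[str, int] = {}
    for e in window:  # events are assumed to be in chronological order
        if e["outcome"] == "failure":
            failures[e["src_ip"]] = failures.get(e["src_ip"], 0) + 1
        elif e["outcome"] == "success" and failures.get(e["src_ip"], 0) >= threshold:
            return True
    return False

def logon(src: str, outcome: str) -> dict:  # constructed sample event
    return {"src_ip": src, "outcome": outcome, "user": "svc-backup"}

BRUTE_FORCE = UseCase(
    name="Password guessing followed by a successful logon",
    log_policy=["src_ip", "outcome", "user"],
    rule=failed_then_success,
    must_fire=[[logon("10.0.0.5", "failure")] * 3 + [logon("10.0.0.5", "success")]],
    must_not_fire=[[logon("10.0.0.5", "failure")] * 2 + [logon("10.0.0.5", "success")],
                   [logon("10.0.0.5", "failure")] * 3 + [logon("10.0.0.9", "success")],
                   [{"src_ip": "10.0.0.5", "outcome": "failure"}] * 3],  # no 'user': gap
    runbook="RB-PLACEHOLDER: confirm with the account owner, then reset the credentials",
)
```

Running `BRUTE_FORCE.run_tests()` on a schedule is the "initial and regular testing" step; a verdict other than "pass" is the trigger for content maintenance or a log-policy correction.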

SIEM platform operation and log source monitoring

SIEM platform operation and log source monitoring form the basis for smooth SIEM operation.

SIEM Platform Operation

The SIEM platform operation is ensured by SECUINFRA administrators. The range of tasks includes:

  • Release planning (e.g. testing and importing updates)
  • Control of the availability of the SIEM infrastructure
  • Troubleshooting of software problems of the SIEM infrastructure components
  • Regular control of the license volume and, if necessary, timely notification of volume overruns

Log source monitoring

With this module, SECUINFRA monitors the availability and the quality of the connected log data. If necessary, the log policy is adjusted or the issue is escalated to the person responsible for the log source. This ensures that the log data the SIEM requires is always available in the SIEM in the required quality.

Optional: Incident Response

In addition to the Co-Managed SIEM service, SECUINFRA optionally offers a DFIR framework contract with fixed SLAs free of charge. This gives companies the option to commission SECUINFRA’s Compromise Assessment and Forensics specialists as well as Incident Responders at any time. The module includes:

  • Execution of Compromise Assessments (COMPASS) for the identification of compromised IT systems
  • Execution of forensic analyses to clarify the course of events and to preserve evidence
  • Incident response support to restore IT operations as quickly as possible

Conclusion

With a SIEM system, companies are able to significantly shorten the time until an IT security incident is discovered. Thus, more and more companies want to increase their cybersecurity through a SIEM – which, however, becomes difficult or even impossible especially when budgets are small or in-house IT security experts are missing. SECUINFRA’s flexible, hybrid Co-Managed SIEM approach gives companies the opportunity to implement their individual SIEM according to a modular principle. The modular structure allows each company to decide individually on its own services and external support. If resources, expertise or specialists are missing for certain areas, these gaps can be filled with the help of SECUINFRA’s Co-Managed SIEM approach.

Are you interested in a flexible and hybrid Co-Managed SIEM? Contact us via e-mail or by phone at +49 30 5557021 11 – we will be happy to advise you!


SECUINFRA SIEM Experts Team • Author

Managed SIEM and Co-Managed SIEM experts

The SECUINFRA SIEM Experts Team is specialized in the areas of "Managed SIEM" and "Co-Managed SIEM". The team not only performs the classic operational SOC activities such as analyzing and evaluating SIEM alerts or threat hunting, but also designs, implements and operates the SIEM environments.
