(1) A “Prevent Breach” and “Network Perimeter Protection” concept is obsolete and no longer adequate. Perimeter security has traditionally tried to keep threats outside the network boundary and to detect them at the gateways. Breaches nonetheless happen, and may be happening now: threat actors use more malware and more sophisticated code, which can enter an organization’s network through any user’s email (and from there the endpoints), or through devices exposed to the public, intentionally or not, with poorly managed passwords or with managed passwords that have already been stolen. Each organization therefore needs to ‘Assume Breach’. This requires a more agile, proactive and persistent protection concept, together with the actual capability to detect and respond to threats and risks. Most organizations face more threats every day with fewer security resources, and at the same time their attack surface has expanded as more devices, communications, data storage and service delivery rely on Internet connectivity, including direct Internet access (in other words, local breakout). That expanded attack surface consumes still more of the organization’s security resources.
(2) Worse, you cannot protect your organization simply by purchasing and deploying high-end, expensive cyber security products or solutions. You need professionals who can not only manage them but orchestrate them to reduce false positives and false negatives. As security resources are consumed, the automation by artificial intelligence that many cyber security vendors claim may look like the key. In practice it improves the effectiveness of the professionals and helps human operators prioritize responses; it does not mean automatic detection and response.
In 2013 MBSD’s blue team expanded and redefined its operations into a new advanced SOC model, and the team has since provided threat hunting SOC services to several large Japanese organizations, including global companies and a domestic medical network, on a full turnkey outsourcing basis. The blue team uses best-of-breed technologies such as SIEM (Security Information and Event Management), EDR (Endpoint Detection and Response) and commercially available threat intelligence data from world-class intelligence vendors, blended with the blue team experts’ own detection and correlation logic and rulesets. The threat hunting SOC has a dedicated team for each customer. This differs from the MSSP (Managed Security Service Provider) and MDR (Managed Detection and Response) models, which usually provide alerts and first-aid response (and further advisories) to a great many customers from a single SOC, or from follow-the-sun SOCs, on one SIEM platform of their own or from a third party. The point is that an MSSP/MDR with a single SIEM platform has common analytics, detection logic and rules, which ideally should differ for each customer. MBSD’s blue team builds a SIEM for each customer, based on an understanding of the customer’s infrastructure, its business and the threats it faces.
The MBSD threat hunters do not only provide alerts, first-aid response and further advisories; they also investigate further, collecting more, longer-retained and more extensive logs and applying expert analysis, so that as much of the total attack chain as possible is identified. The services are always delivered together with CISO as a service.
MBSD’s own rulesets on the third party SIEM
MBSD threat hunting services are delivered through proprietary analytic logic and rulesets built on a third-party SIEM or log collection platform, which integrates with a customer’s on-premise security devices such as IDS/IPS, UTM, WAF, proxy and other gateway security sensors, EDRs and EPPs, and also collects access data from the customer’s important servers and accounts, including Active Directory. The team has experience integrating a customer’s cloud assets such as M365, OneDrive, SharePoint Online, Azure assets and AWS assets, and collecting security alerts and logs from Microsoft Defender solutions (gateways and endpoints). The team will use a cloud-native SIEM such as Microsoft Sentinel, the AWS security suites or Google Chronicle in the near future if a customer requests it, but the most important thing is not the choice of SIEM but the choice of professionals.
So What is a SIEM?
A SIEM ingests logs relating to potential security events from a customer’s endpoints, network layer, gateways, applications and event reporting platforms, and compares them against MBSD’s detection rulesets and, additionally, third-party world-class threat intelligence data to identify attacks and compromise.
When a chain of incidents is confirmed, the threat hunters perform full root cause analysis to determine its criticality, which triggers the decision process on whether incident response actions are to be taken.
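As an added example, and not MBSD’s own rulesets (which are proprietary), the Python sketch below shows what the ingest-and-compare loop described above looks like in working code: constructed log lines from a proxy, an EDR and Active Directory are normalised into events, matched against a constructed indicator list, run through three correlation rules, and the resulting alerts are grouped per host into the kind of attack chain the threat hunters reconstruct before root cause analysis. The log format, the indicators, the hostnames and the rule thresholds are all hypothetical.

```python
"""
Added example, not MBSD's rulesets: a minimal SIEM-style pipeline that ingests
constructed log lines, matches them against constructed threat intelligence,
runs correlation rules, and stitches the alerts into a per-host attack chain.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs, already normalised to "<timestamp> <source> k=v ...".
# A real collector would normalise each vendor's native format first.
# Hash values are truncated for readability; they are not real file hashes.
SAMPLE_LOGS = """\
2024-05-01T09:00:05Z edr host=WS01 user=alice parent=WINWORD.EXE image=powershell.exe sha256=d4c8ab7f
2024-05-01T09:00:09Z proxy host=WS01 user=alice dst=update-cdn-check.example status=200 bytes=512
2024-05-01T09:02:30Z ad host=DC01 src=WS01 user=svc_backup event=4625
2024-05-01T09:02:31Z ad host=DC01 src=WS01 user=svc_backup event=4625
2024-05-01T09:02:33Z ad host=DC01 src=WS01 user=svc_backup event=4625
2024-05-01T09:02:40Z ad host=DC01 src=WS01 user=svc_backup event=4624
2024-05-01T09:05:00Z proxy host=WS02 user=bob dst=www.example.com status=200 bytes=10240
2024-05-01T09:06:00Z edr host=WS02 user=bob parent=explorer.exe image=notepad.exe sha256=9f1e2a3b
""".splitlines()

# Constructed indicators; in production these come from a threat-intel vendor feed.
THREAT_INTEL = {
    "domain": {"update-cdn-check.example": "suspected C2 domain"},
    "sha256": {"d4c8ab7f": "known downloader"},
}

@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict

    @property
    def asset(self) -> str:
        # AD logs are written by the DC; the endpoint of interest is the logon source.
        return self.fields.get("src", self.fields.get("host", "unknown"))

@dataclass
class Alert:
    ts: datetime
    asset: str
    rule: str
    detail: str

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> Event:
    ts_str, source, rest = line.split(" ", 2)
    return Event(datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), source, dict(KV.findall(rest)))

def rule_threat_intel(events):
    """Match proxy destinations and EDR file hashes against the indicator list."""
    for e in events:
        dst, h = e.fields.get("dst"), e.fields.get("sha256")
        if e.source == "proxy" and dst in THREAT_INTEL["domain"]:
            yield Alert(e.ts, e.asset, "TI-domain", f"{dst}: {THREAT_INTEL['domain'][dst]}")
        if e.source == "edr" and h in THREAT_INTEL["sha256"]:
            yield Alert(e.ts, e.asset, "TI-hash", f"{h}: {THREAT_INTEL['sha256'][h]}")

def rule_office_spawns_shell(events):
    """An Office application spawning a script interpreter: typical macro delivery."""
    office = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
    shells = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
    for e in events:
        if e.source == "edr" and e.fields.get("parent") in office \
                and e.fields.get("image", "").lower() in shells:
            yield Alert(e.ts, e.asset, "office-spawn", f"{e.fields['parent']} -> {e.fields['image']}")

def rule_failed_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """threshold or more 4625 failures for one (source, account), then 4624 within the window."""
    failures = {}  # (source host, account) -> failure timestamps
    for e in events:
        if e.source != "ad":
            continue
        key = (e.asset, e.fields.get("user"))
        if e.fields.get("event") == "4625":
            failures.setdefault(key, []).append(e.ts)
        elif e.fields.get("event") == "4624":
            recent = [t for t in failures.pop(key, []) if e.ts - t <= window]
            if len(recent) >= threshold:
                yield Alert(e.ts, e.asset, "bruteforce-success",
                            f"{key[1]}: {len(recent)} failures then logon")

def build_attack_chains(alerts):
    """Group alerts per asset in time order so the hunter sees a sequence, not isolated alerts."""
    chains = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        chains.setdefault(a.asset, []).append(a)
    return chains

def run(lines):
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    alerts = [*rule_threat_intel(events), *rule_office_spawns_shell(events),
              *rule_failed_then_success(events)]
    return build_attack_chains(alerts)

if __name__ == "__main__":
    for asset, chain in run(SAMPLE_LOGS).items():
        print(asset)
        for a in chain:
            print(f"  {a.ts:%H:%M:%S} {a.rule:20} {a.detail}")
```

Run directly, the script prints one chain for WS01 and nothing for WS02. The point to notice is that each WS01 alert is only moderately interesting on its own (a hash match, an Office process tree, a handful of failed logons), but ordered per host they read as one delivery, beaconing and lateral-movement sequence, which is exactly the chain that root cause analysis starts from and that a single unconnected alert does not give you.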
CISO as a service
When an organization finds it is under attack, its management needs the ability to take the necessary decisions and actions quickly and to bring the situation under control.
Common mistakes organizations make are:
The right decisions, followed by the right actions, lead your organization toward quick recovery of both its IT network and assets and its business operations.
MBSD provides a CISO: a skilled MBSD cyber security consultant who acts as the CISO of your organization, not only during incident response but also for the everyday CSIRT operations of your organization, including cyber security strategy planning. MBSD also provides CSIRT team members in addition to the CISO, to make your organization’s CSIRT ready for projects that consume significant cyber security resources.