The biggest deficiency we see, especially during penetration tests at the companies we provide consultancy services to, is rarely a lack of products or of user awareness; it is usually the neglect of the following areas:
- Integration of the existing systems with each other,
- The meaning of the logs that are generated,
- Failure to notice weaknesses because of missing correlation in SIEM systems,
- And most importantly, the integration of the different consultancy services the organization buys, which are fragmented along product lines.
Within our 3S service model, we consider all the security processes of the institutions and organizations we serve under 5 headings: “Technology”, “Organizational”, “Policy”, “Operational” and “Cyber Threat Intelligence”.
We then adapt the existing structure in 3 stages: “Rule Improvement”, “Log Analysis” and “Automation”.
This process identifies your organization’s technological resources and evaluates their logical and physical configuration settings from the point of view of the incident response team. If your organization’s technological resources are not analyzed from an IR perspective, then when your systems come under attack the most important log records will never reach your SIEM solution, because of gaps in the security architecture. The result is an investment of thousands of dollars that leaves you exposed at the most critical moment.
We can call this process getting to know the institution.
The process steps are as follows:
a) Determination of internal and external resources:
This step determines the hardware and software resources (operating systems, applications, etc.) used in your local network, branch offices and DR site, the services you expose to the outside world, the resources you open to your business partners, and how you connect to them (MPLS, IPsec, etc.).
b) Extraction of business processes:
For your company to achieve its goals, cooperation and process management between its units must proceed in an integrated manner. Since an attacker can target not only IT resources but the resources of any department (HR, finance), your SIEM consultant must be able to cover all business processes; the company needs to establish correlation rules that span IT and the other units, following the “Line of Business” logic, so that organizational workflows and the manipulation of digital processes are covered.
c) System hardening and audit:
Because of heavy operational workloads, it is almost impossible to configure the servers, network equipment and security systems in your organization according to best practice. In many organizations, the log output of Linux and Windows operating systems is left at its defaults. For this reason, the consultants who come to deliver the service must apply the security benchmarks at least to the externally facing systems in your server architecture, or simply assess and report on them, according to the agreement between you. Of course, these should not be the personnel who installed the product, but a member of the Incident Response team that accompanies the installation team.
d) Penetration test and vulnerability analysis:
In addition to the internal system hardening, the SIEM project must also carry out a vulnerability analysis and help you detect and close the vulnerabilities in your services. Thus, when you put your SIEM product into use, you will have a structure whose security you can be highly confident in.
e) Correction of architectural errors detected at the technological stage:
After the topological errors are detected in the first phase, Technology, the architectural design should be re-discussed with the related teams, and any deficiency should be closed rather than left open as a weakness.
f) Personnel awareness:
When we view security through the “Last line of security” framework, we can conclude that today’s attack vectors target people, given the widespread use of phishing attacks. For this reason, the company carrying out the SIEM project should test the awareness of your staff. The table that results from this test should present both the endpoint security logs and the measures by which you can increase the awareness of your personnel.
We handle these processes with fully customized Use Cases.
At this stage, where the ISO standards come into play, if your institution has previously worked on a standard (27001, 27002, etc.), the findings obtained from those outputs and the rule sets for those studies should be defined on the SIEM product.
This is a process in which we analyze how the organization’s IT department manages security, system and network operations and how it acts under a cyber threat. After this process, a fragility measurement of the organization’s IT team is performed.
Cyber Threat Intelligence and Orchestration
The cyber threat intelligence and orchestration process is a feature that should be considered and included in the SIEM solution you use or plan to use, if you do not use a separate product for this need. It allows you to take precautions by alerting you from certain platforms through proactive analysis in a big data environment such as the SIEM, which monitors your organization’s assets, processes, system information and other critical information processes.
In other words, you are not informed of an attack that could threaten your systems only when, so to speak, the attacking team is already facing your defenders; instead, like a coach, you are aware of the opponent’s game plan, so that you stay ahead of the game. We offer a 24/7 security response process before and during the attack.
3S Service Solution Stages
S1 – Rule Improvement
During the Rule Improvement phase, your organization’s Technology, Operational and Policy processes are addressed, and the logs generated by your existing systems are analyzed according to your business processes and data structure; the results are then fed into your SIEM system in a meaningful way.
S2 – Log Analysis
Since by the Log Analysis phase we have mastered all of your organization’s processes, we simulate the attack scenarios that may target your internal and external assets and provide you with a list of the correlation rules your SIEM system needs in order to raise the corresponding alarms. Because this is a product-independent consultancy model, if your organization does not have a SIEM system we deploy the InfiSIEM system and offer it on a monthly pay-as-you-go basis.
S3 – Automation
The Automation stage is where we integrate the so-called RPA (Robotic Process Automation) model into your system structure. Since the actual attacks that can hit your processes have been revealed in the S1 and S2 stages, you now have a SIEM architecture in which false positive alarms are minimized, so that the alarms that do occur are real alarms. In this sense, we offer you a defensive measure, in a robotic structure, against an attack on your organization inside or outside working hours. Our robotic structure, triggered when the relevant alarm occurs, provides 24/7 security coverage by blocking the attacking IP address and attack method through rules it creates on your security systems.