SIEM – Security Incident Event Management

Managed SIEM & Log Aggregation

Ongoing Operations has partnered with TruShield to offer a Managed SIEM solution. SIEM, or Security Incident Event Management, is a solution that allows for constant monitoring and threat detection for breaches or cybersecurity issues.

Managed SIEM Diagram

Managed SIEM Features

There are two flavors of Managed SIEM and Log Aggregation: CSM and CSM+. The primary difference is whether TruShield takes corrective action immediately or whether the client is alerted and must take corrective action on their own.

There are also numerous features and services offered by TruShield as add-ons to the CSM and CSM+ offerings. They are also listed. Please note that the fact that TruShield offers these services does not mean they are used instead of the standard OGO services (e.g. MFA management and firewall management). Also, many of these services conflict directly with our CISOaaS program.

TruShield is limited to discussing CSM and CSM+ features ONLY, unless it is about a specific feature or service that OGO does not otherwise provide. This will greatly reduce confusion for the client, especially in knowing which features and services OGO is providing, e.g. asset inventory, patching, etc. via CU Control, and which TruShield will be providing, e.g. 24/7/365 SOC, Log Aggregation and Correlation, etc.

Differentiation between TruShield CSM and other MSSP offerings (TBD on a case-by-case basis)

SIEM Terminology

  1. SIEM (Security Information Event Management) – Our industry-leading, signature-based detection component of the SIEM, which allows a multitude of different data sources to forward logs that are correlated against thousands of rules and threat-intelligence feeds.
  2. Anomaly Detection – The component of CSM in which different metrics from the client environment are monitored to detect threats through behavioral analysis. This involves tracking information such as events per day, per node, per hour and per log source, and comparing trends from the environment against historical baseline data.
  3. Active Directory Analysis – A domain controller monitoring and analysis engine that ingests all domain controller events, identifies those that pose a security threat, scores them, and sends out real-time alerts about the changes being made. This allows internal monitoring of the domain against insider threats.
  4. Global Threat Intelligence – This component of CSM leverages a multitude of different resources that allow our analysts and technology to stay up to date with the ever-evolving landscape of cyber threats.
  5. Intelligent Agent – Host-level intrusion detection that forwards individual desktop/server events and gives our analysts visibility into node-based changes, including file integrity checking of modified files (OSSEC agent) and registry changes.
  6. Vulnerability Analysis Engine – Monthly prescheduled scans of active assets in the client's environment, producing a vulnerability snapshot that shows the Top 10 vulnerabilities identified in the client's environment.
  7. Firewall Analysis Engine – A tool that provides a granular view of firewall activity, showing bandwidth usage, VPN connections into the environment and the different protocols being sent and received, as well as security audits of firewall configurations with suggestions on how to address any vulnerabilities identified.
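The Anomaly Detection item above describes comparing per-node, per-hour event volumes against a historical baseline. The following is an added illustration of that idea, written for this page; it is not TruShield's or CSM's code and makes no claim about how their engine scores events. The host names, hourly counts and the z-score threshold are constructed sample values; it flags the current hour's count for a node when it sits well above the counts seen at the same hour of day on previous days, and reports "no-baseline" when too little history exists to judge.

```python
import statistics

# Constructed sample history (hypothetical, not real data): for each node, the
# event counts observed at a given hour of day on each of the previous seven days.
HISTORY = {
    "dc01":  {9: [1200, 1150, 1260, 1180, 1230, 1210, 1190],
              2: [40, 35, 52, 44, 38, 41, 47]},
    "web01": {9: [800, 790, 830, 805, 815, 820, 798],
              2: [10, 12, 9, 11, 10, 13, 12]},
}

# Constructed counts for the current hour, keyed by (node, hour_of_day).
CURRENT = {
    ("dc01", 9): 1250,     # close to the 09:00 baseline
    ("dc01", 2): 410,      # roughly ten times the 02:00 baseline
    ("web01", 2): 11,      # normal overnight volume
    ("newhost", 9): 500,   # node with no history yet
}


def z_score(count, baseline, min_stdev=5.0):
    """Standard deviations between `count` and the baseline mean.

    A floor on the standard deviation keeps a flat baseline (e.g. 10, 10, 10)
    from turning a one-event change into a huge score.
    """
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) if len(baseline) > 1 else 0.0
    stdev = max(stdev, min_stdev)
    return (count - mean) / stdev


def baseline_anomalies(history, current, threshold=3.0, min_samples=5):
    """Compare each current (node, hour) count with its historical baseline.

    Returns a dict keyed by (node, hour) whose values are (status, z) where
    status is "anomaly", "normal" or "no-baseline" (z is None in that case).
    """
    results = {}
    for (node, hour), count in current.items():
        baseline = history.get(node, {}).get(hour, [])
        if len(baseline) < min_samples:
            # Not enough history for the same hour of day: report rather than guess.
            results[(node, hour)] = ("no-baseline", None)
            continue
        z = z_score(count, baseline)
        status = "anomaly" if z >= threshold else "normal"
        results[(node, hour)] = (status, z)
    return results


if __name__ == "__main__":
    for (node, hour), (status, z) in baseline_anomalies(HISTORY, CURRENT).items():
        z_text = "n/a" if z is None else f"{z:.1f}"
        print(f"{node:8s} {hour:02d}:00  count={CURRENT[(node, hour)]:5d}  z={z_text:>5s}  {status}")
```

Only the (dc01, 02:00) entry exceeds the threshold; the 09:00 count on dc01 is within normal variation, and newhost is reported as lacking a baseline so an analyst can decide whether to tune the baseline window rather than silently treating the node as normal. In practice the history would be read from the log aggregation layer and the baseline keyed by day of week as well as hour, but the comparison itself is what the page's "historical baseline data" refers to.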

SIEM Scope

SIEM Pricing

Pricing is custom in each circumstance and is based on the number of devices and device classes that the credit union will have monitored. It is possible to monitor only perimeter or edge devices such as firewalls rather than all servers and routers.