SOC Monitor 2018-03-22T09:27:53+00:00

SOC MONITOR

Find, detect and respond effectively to cyber-attacks within your environment with 24×7 monitoring services provided by our expert staff and industry leading technology. Nettitude’s SOC 24×7 Monitored Services take a threat intelligence led approach, giving you visibility and actionable, proactive guidance that leads to a high level of assurance for your organisation.

  • 24×7 Global Eyes on Screen SOC Service
  • Trained analyst experts dedicated to detecting and responding to alerts within your environment
  • Built on Industry Leading SIEM Platform from LogRhythm
  • Seamless interface with Incident Response and Reverse Engineering Malware teams
  • Web Dashboard for Health, Incident and High Level Monitoring
  • ISO 27001 assessed environment; PCI compliance service provider
  • Benefit with threat intelligence from the Nettitude global honeypot network
  • Deploy ThreatReceivers (HoneyTraps) into your own environment
  • Threat intelligence services from both in house Commercial Feeds and Open Source Feeds (Contextualised)


 The Nettitude SOC operates as far more than simply a managed logging service. Built around advanced threat intelligence with integrated industry-leading technology, it is designed to deliver a highly relevant service.

The Nettitude SOC 24×7 Monitored Service provides you with assurance that your environment is not only being monitored but that alerts and an appropriate response can be determined quickly when needed. It can be easy to become swamped in log data and lose sight of why the service is needed, and what is being protected.

Nettitude’s SOC 24×7 Monitored Service gives a straightforward way to manage the risks to your critical assets, with a focused, highly capable service at a predictable cost. Leveraging the benefits of a global managed service with a personalised extension to your existing cyber security teams brings a unique business advantage.

To effectively and efficiently identify and manage cyber threats thereby minimising the likelihood and possible impact of incidents that could affect the organisation
CREST, 2015

The Nettitude SOC team will help you with:

  • Understanding the real threat landscape relevant to your organisation, critical assets and risk appetite
  • Reviewing your security strategy, requirements and objectives and aligning them to the maturity and roadmap of your organisation
  • Collecting, correlating, analysing and triaging events across your organisation
  • Providing deep dive experts in network, host and malware investigations
  • Giving clear actions, next steps and guidance around improving and maturing your security posture

The SOC Monitored Service is built around:

  • LogRhythm, a purpose-built, industry leading Next-Gen SIEM tool to harness and sift the data
  • Managed Vulnerability Scanning Service to identify known weakness/vulnerabilities
  • Active and Relevant Threat Intelligence Data and Feeds
  • Comprehensive Endpoint Tools
  • Network Monitoring and traffic Analysis
  • Behavioural Analysis
  • Deception Technology – Threat Receivers (HoneyTraps) to detect ongoing malicious activity
  • Advanced expert Incident Response Capabilities when needed

The service delivers:

  • 24×7 monitoring of events and incidents within your environment
  • Web Console and Dashboard showing incidents, health status and management information
  • Event Alerting, Actions and Remediation Advice
  • Incident Response experts and capability, including malware analysis services

SOC 24×7 Monitored Capabilities

The Nettitude SOC brings together a wide range of skills, knowledge, technology and services to provide a comprehensive approach to detecting threat actor activity within your organisation.

THREAT INTELLIGENCE

  • Threat Actor Database & Tracking
  • Understanding the real attack surface of your organisation
  • Global HoneyPot Network
  • Consultative & Threat Feeds
  • CBEST/STAR Certified

TECHNOLOGY

  • LogRhythm (Threat2Alert)
  • Tenable.io
  • CarbonBlack
  • ThreatReceivers
  • Network Traffic Capture
  • Ability to ingest log data from security products, technology and software

SKILLS

  • Skilled and Experienced SOC Analysts
  • Offensive Security Knowledge Base (Red Teaming, etc)
  • Malware Analysis and Reverse Engineering
  • Vulnerability Research and Exploit Development
  • Forensics
  • Incident Response
  • Network, Host and Malware investigations

SERVICE

  • 24×7 Eyes on screens
  • UK and US SOC
  • Customisable Reporting
  • Business Intelligence Workshops/Reviews
  • Malware analysis service

Why use a managed SOC?

There are many reasons why a managed SOC may be best for you, but an in-house SOC, or a hybrid model which uses a managed service for escalations or specific tasks, will work better for some organisations. Nettitude adopt a flexible and varied approach dependent on your needs and requirements.

  • 1: Can I tell Senior Management if we have been breached?
  • 2: Can I report cyber incidents in a timely manner?
  • 3: Can I assess the impact to the organisation of cyber attacks/breaches? Can I report for GDPR, PCI, etc as required?
  • 4: Can I get early warning signals that our organisation is under attack, or being targeted?
  • 5: Do I know if traffic from our organisation is communicating with unwanted countries, services, TOR/dark web, known malicious internet servers, etc?
  • 6: How many attempts to compromise our attack surface have there been in the last 30 days? How sophisticated are they?
  • 7: How well protected are our critical assets? How close to being compromised are they?
  • 8: How can I give assurance that our environment is monitored and an effective response is in place, should the worst happen?

Advanced Capabilities for APT-type attack detection

Nettitude Managed 24×7 SOC Services give you access to unparalleled capability. Combining the unique knowledge around threats, how malicious attackers really operate and what is happening right now, gives your organisation peace of mind that the appropriate level of detection and response is in place for a cyber-attack.

1. Experts with a deep knowledge of sophisticated offensive attacks

  • The technical assurance teams within Nettitude operate at the top of the industry and have a deep understanding of offensive security (how attacks really happen) through red teaming, CBEST/STAR and threat intelligence led assurance testing, vulnerability research and exploit development.

2. Threat Intelligence driven service

  • Nettitude drive all their services through a threat intelligence led strategy. Understanding who, how, why and when attacks will happen in the context of your organisation’s critical assets and attack surface is fundamental to adopting the right cyber security approach.
  • Nettitude’s Global HoneyPot Network provides up-to-date attack information from 30+ countries and all the main financial hubs in the world.
  • Threat Receivers (HoneyTraps) can be deployed within your own organisation to identify first hand current/ongoing attacks along with the methods, tools and tactics being used by malicious users.

3. Industry recognised

  • CREST CIR Programme Member
  • SC Magazine 2017 Finalist and runner up
  • LogRhythm MSSP of the year 2015

4. Operating at the Forefront of the Industry

  • Working with CREST to define standards for the accreditation of SOCs
  • In house developed SOC Maturity Model
  • Evolving intelligence led testing into Purple Teaming, SOC Maturity Assessments and the governance of Technical Assurance

5. Industry Leading (Next-Gen) Recognised Technology

  • LogRhythm SIEM

    • Gartner Magic Quadrant since 2012
    • Highest product/service scores for Threat Intelligence and SIEM and Compliance
    • Dedicated to Cyber Security Intelligence
    • Designed for Managed Services
  • CarbonBlack (EDR)
  • Tenable.io (Continuous Vulnerability Scanning)

6. Strong Research & Innovation

  • Vulnerability research, reverse engineering and exploit development
  • Bespoke tools, sophisticated attack platforms, cyber ranges, HoneyTraps, etc

Threat Intelligence and Threat Hunting capabilities

Nettitude’s 24×7 Monitored SOC services are built around a fundamental understanding of threats, their capabilities and approaches. Highly regarded offensive capabilities, used to simulate scenarios with our own in-house built tooling, give the managed SOC service a highly pragmatic, relevant and essential level of knowledge.

The use cases and playbooks built up from this knowledge can be rapidly deployed into service on your log sources. The combined benefits of the global honeypots, threat actor databases and millions of previously used malware samples, ensure you can leverage this capability.

How does Threat Intelligence feed the SOC?

Threat Intelligence can come through a wide variety of sources:

  • Nettitude have developed their own global honeypot network with 100’s of nodes capturing live attacks, malware and indicators of compromise
  • In depth malware analysis and reverse engineering skills

Feeding the SOC with data

At the outset it is essential to collect the right log data from your environment. What you collect, at what level, and when will be based on an understanding of your critical assets, attack surface and the threats you’re likely to face. Nettitude will work closely with you at the outset to ensure an appropriate proactive Data Gathering approach is adopted and presented to you.

Data should be collected from a variety of appropriate sources and based on your business intelligence needs. Both internal and external collection is critical.

Some of the sources may include:

  • LOG DATA

    • Direct Log Sources
    • Investigation / Forensics
  • THREAT INTELLIGENCE

    • OSINT
    • Commercial Feeds
    • Global HoneyPot Network
    • Technical Feeds
  • DECEPTION TECHNOLOGY

    • ThreatReceivers (HoneyTraps) – Internal / External
    • HoneyTokens
    • HoneyPlatforms
  • DATA ENRICHMENT

    • Endpoint Detection & Response (EDR)
    • Network Data (PCAP)
    • Malware Capture/Analysis
    • Vulnerability Data
  • CUSTOM BESPOKE

    • Botnet Monitoring
    • Phishing Traps

Misconceptions often associated with Log Collection

There is no silver bullet in cyber security. When engaged in an arms race with nation states, organised criminal groups, hacktivists and other threat actors, no organisation can ever say they are 100% secure. It’s a false starting point for any cyber security strategy.

A far better starting point is that it could happen to you, and if it did what can your organisation do to manage that risk and its impact?

The answer will affect your network design, data management, risk management, etc. But a vital component will be the monitoring and detection of your environment.

But what are some of the fallacies around building a SOC to do this?

  • Logs are not an end in themselves – It’s easy to collect a barrage of data. That’s not the problem.

  • SIEM is not a panacea – A SIEM tool to collate this barrage of data is not the silver bullet either.

  • Don’t assume your business wants to hear what the SOC finds – A mature approach and wide business buy in is essential.

  • Review regularly which SIEM content is providing benefit – Fire and forget with your log store won’t work. Constant changes to the threat landscape, user behaviours, and environmental changes requires focus and attention.

  • Establish the basics then mature – Don’t aim for the sky first, i.e. start with the basic attacks and work towards a maturing of use cases, detection points and sophistication.

  • Understand offensive security in depth (this is what you’re trying to detect after all!) – If you don’t know how the bad guys operate, how will you know what you’re looking for?

  • Don’t think there is a sea of skilled people available (or retainable) – Skills are hard to find, looking at logs is repetitive. Using automation, orchestration and mature use cases and playbooks is essential to focus on the relevant and impactful activity.

Endpoint Detection & Response

Is Endpoint Detection and Response really needed?

Why are endpoints often a missed focus point? Traditionally the focus has been on your critical assets which often reside in datacentres, on servers, mainframes or within dedicated applications/databases.

However, how do attacks get here? The majority of attacks start with a phishing email or website click. Your endpoint will be compromised first.

Why are EDR tools an essential part of a SOC log collection strategy?

EDR (Endpoint Detection and Response) tools are often overlooked or deployed on critical assets first, rather than on endpoints where the initial point of compromise often first happens.

  • Investing in deep dive monitoring and detection capabilities early in the attack chain gives you the best opportunity to react effectively
  • Identify publicly known weaknesses within YOUR organisation as close to exposure as possible
  • Identify & prioritise fixes and patches
  • Aid effective and timely remediation
  • Understand your remediation actions
  • Help identify rogue assets

Network Traffic Analysis

Every attack will seek to communicate out of your environment, either for command and control (C2) traffic, downloading tools, scripts or further malware, or for the exfiltration of data or intelligence from your environment.

This means that a mature SOC must have coverage over the network traffic going in and out of your environment. With the ability to hide heartbeats and communications within existing protocols and existing legitimate network traffic, the capture and deep dive analysis of this data is vital in detecting key parts of activity within the attack chain.

This means deploying a dedicated network appliance that can capture network traffic at critical points, retain it for investigations and provide real-time analysis.
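As an added illustration (not Nettitude's tooling and not part of the original page), the following Python snippet shows one of the simplest analyses a SOC can run over captured outbound connection data to surface the periodic C2 "heartbeats" described above. It groups connections by source host, destination and port and flags pairs whose gaps between connections are nearly constant, measured as a low coefficient of variation, which is how a beacon with modest jitter looks beside ordinary bursty browsing. The host addresses, connection records and thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev


def _flows(src, dst, port, start, intervals):
    """Expand a start time plus a list of inter-connection gaps into
    (timestamp, src, dst, port) records. Used only to build sample data."""
    records, t = [(start, src, dst, port)], start
    for gap in intervals:
        t += gap
        records.append((t, src, dst, port))
    return records


# Constructed sample outbound connection log (not real traffic):
# each record is (epoch_seconds, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = (
    # Host contacting one external address about every 60 s with small jitter.
    _flows("10.0.0.5", "203.0.113.7", 443, 1_700_000_000,
           [60, 61, 59, 60, 62, 58, 60, 61, 59, 60, 60])
    # Host with ordinary, bursty browsing to a single site.
    + _flows("10.0.0.8", "198.51.100.20", 443, 1_700_000_000,
             [5, 300, 12, 900, 45, 60, 1800, 20, 7, 400, 150])
    # Too few connections to judge periodicity at all.
    + _flows("10.0.0.9", "192.0.2.44", 80, 1_700_000_000, [120, 120])
)


def find_beacons(flows, min_connections=8, max_cv=0.15):
    """Return (src, dst, port) pairs whose connection timing looks periodic.

    min_connections: ignore pairs seen fewer times than this (too little evidence).
    max_cv: flag a pair when pstdev(gaps) / mean(gaps) is at or below this value;
            0 would mean perfectly regular, larger values tolerate more jitter.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        ordered = sorted(stamps)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "port": port,
                "connections": len(ordered),
                "mean_interval": round(avg, 1),
                "cv": round(cv, 3),
            })
    # Most regular (most beacon-like) pairs first.
    findings.sort(key=lambda f: f["cv"])
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every ~{hit['mean_interval']}s over {hit['connections']} "
              f"connections (cv={hit['cv']})")
```

Run against real NetFlow or proxy logs, the same logic needs an allowlist for legitimately periodic traffic (software update checks, NTP, monitoring agents) and per-environment tuning of `min_connections` and `max_cv`; on the constructed data it reports only the 10.0.0.5 to 203.0.113.7 pair.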