The Cyber Defense Method:
Our cycle helps you to successfully introduce and continuously improve security monitoring. With this 7-step method you can quickly achieve results and efficiently protect your company against attacks. The cycle can be applied to individual areas (e.g. only to specific applications) or entire IT infrastructures. We help you to focus on the right components.
If you are starting with security monitoring, in this phase we determine your current situation with a GAP analysis and define the steps needed to reach your goals. If you already have a solution in use, the effectiveness of your security monitoring is checked and continuously improved.
- Define success factors and goals of the project
- Set out specifications and requirements
- Reveal security deficits
- Determine protection needs and assets
- Define solution and implementation strategy
- Determine improvement measures
- Requirements for the concept phase
- GAP analysis with measures
- Estimation of investment and costs
The conceptual aspects of the solution are developed on the basis of the preceding review. This ranges from the correct dimensioning and architecture of the solution, through the integration of the log sources in accordance with the specifications, to evaluation tailored to the stakeholders. The result is a set of clear guidelines for the subsequent implementation that enable good project control and make any reservations visible before further investments are made.
- Concept for a central security monitoring framework adapted to the operational requirements
- Create the basis for setup and integration
- Specification of customer-specific security monitoring use cases
- Definition of the operating concept and processes
- Detailed concept with cost estimate of the further project phases
- Feasibility study of your specific requirements
This is where the security monitoring framework is set up and the log sources are connected and parameterized according to the concept. An important point in this phase is the inventory and classification of the log data.
- Setup and configuration of the solution
- Integration of all relevant data sources
- Availability of the central security platform
- Integration of log sources
Once all relevant log data is collected centrally, enriching and preparing the data with analysis tools leads to improved transparency and thus substantially increases IT security.
- Implementation of the security monitoring use cases defined in the concept
- Recognition of normal behaviour and deviations
- Visualization of data sources (events, dashboards)
- Alert Configurations
The aim is to detect security-relevant events with as much automation as possible on the basis of the collected data. Examples are the loss of a log source or a brute-force attack on a user account. The detection of targeted attacks (e.g. Advanced Persistent Threats, APTs) or of disgruntled administrators who exfiltrate sensitive data is often only possible with the know-how of proven security engineers.
- Detection of APTs and other attacks
- Detection of anomalies and policy violations
- Periodic checks of the log sources
- Automatic alerting
- Situational investigations
- Elimination of false positives (tuning)
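As an added illustration (not part of the original method description), the two detection cases named above, a brute-force attempt on a user account and the loss of a log source, implemented as simple rules over constructed log events; the source names, user names, thresholds and time windows are assumptions, and the threshold/window parameters are the tuning knobs used to eliminate false positives:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real system): timestamp, log source, user, outcome.
EVENTS = [
    ("2024-05-01T10:00:05", "fw-01",  "-",     "allow"),
    ("2024-05-01T10:01:10", "vpn-01", "alice", "login_failed"),
    ("2024-05-01T10:01:12", "vpn-01", "alice", "login_failed"),
    ("2024-05-01T10:01:15", "vpn-01", "alice", "login_failed"),
    ("2024-05-01T10:01:17", "vpn-01", "alice", "login_failed"),
    ("2024-05-01T10:01:19", "vpn-01", "alice", "login_failed"),
    ("2024-05-01T10:01:25", "vpn-01", "alice", "login_ok"),
    ("2024-05-01T10:02:00", "vpn-01", "bob",   "login_failed"),
    ("2024-05-01T10:20:00", "vpn-01", "bob",   "login_failed"),
    ("2024-05-01T10:58:00", "vpn-01", "carol", "login_ok"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on users with >= threshold failed logins inside a sliding time window.
    Raising the threshold or shrinking the window is how such a rule is tuned."""
    failures = defaultdict(list)
    alerts = set()
    for ts, _src, user, outcome in events:
        if outcome != "login_failed":
            continue
        t = parse(ts)
        # keep only failures that are still inside the window ending at t
        recent = [x for x in failures[user] if t - x <= window] + [t]
        failures[user] = recent
        if len(recent) >= threshold:
            alerts.add(user)
    return sorted(alerts)


def silent_sources(events, now, max_gap=timedelta(minutes=30)):
    """Periodic log source check: report sources whose last event is older than max_gap."""
    last_seen = {}
    for ts, src, _user, _outcome in events:
        t = parse(ts)
        last_seen[src] = max(t, last_seen.get(src, t))
    return sorted(src for src, t in last_seen.items() if now - t > max_gap)


if __name__ == "__main__":
    print(brute_force_alerts(EVENTS))                            # ['alice']
    print(silent_sources(EVENTS, parse("2024-05-01T11:00:00")))  # ['fw-01']
```

Bob's two failures are 18 minutes apart and therefore never fall inside the same 5-minute window, which is exactly the kind of noise the tuning parameters are meant to suppress.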
The alert is forwarded to the experts via well-established processes, most of which are organized in a Security Operations Center (SOC). The experts assess the danger and urgency of the incident and take the necessary measures. The effectiveness of this phase depends heavily on resources, response time and expert knowledge. Ideally, therefore, a 24x7 organization with staff who have the necessary know-how should be in place.
- Containing and combating attacks
- Incident Tickets
- Incident summary (if necessary, definition of measures)
Reporting is an integral part of security monitoring and serves to increase transparency and provide evidence. In regular meetings with our security analysts, the reports are discussed and weak points are analyzed.
- Proof and control of security monitoring
- Reporting via key security metrics
- Management summary
- Reports according to customer requirements (Mgmt, Compliance Reporting)
- Regular meetings with the security analyst