The Cyber Defense Method:

The Security Monitoring Cycle
Cycle E

Our cycle helps you to successfully introduce and continuously improve security monitoring. With this 7-step method you can quickly achieve results and efficiently protect your company against attacks. The cycle can be applied to individual areas (e.g. only to specific applications) or entire IT infrastructures. We help you to focus on the right components.

Review

If you start with security monitoring, in this phase we determine your current situation with a GAP analysis and define the necessary steps to achieve your goals. If you already have a solution in use, you need to check and continuously improve the effectiveness of security monitoring.

Goals:

  • Define success factors and goals of the project
  • Setting out specifications and requirements
  • Revealing security deficits
  • Determine protection needs and assets
  • Define solution and implementation strategy
  • Determine improvement measures

Output:

  • Requirements for the concept phase
  • GAP analysis with measures
  • Estimation of investment and costs
Review

Concept

The conceptual aspects of the solution are developed on the basis of the review carried out beforehand. This ranges from the correct dimensioning and architecture of the solution, through the integration of the log sources in accordance with the specifications, to stakeholder-adapted evaluation. This defines clear guidelines for subsequent implementation that enable good project control and any reservations become visible before further investments.

Goals:

  • Conception of a central security monitoring framework adapted to the operational requirements
  • Create the basis for setup and integration
  • Specification of customer-specific security monitoring use cases
  • Definition of the operating concept and processes

Output:

  • Detailed concept with cost estimate of the further project phases
  • Feasibility study of your specific requirements
Concept

Collect

This is where the security monitoring framework is set up and the log sources are connected and parameterized according to the concept. An important point in this phase is the inventory and classification of the log data.

Goals:

  • Setup and configuration of the solution
  • Integration of all relevant data sources

Output:

  • Availability of the central security platform
  • Integration of log sources
Collect

Analyze

After the central collection of all relevant log data, the enrichment and preparation of the data using analysis tools leads to improved transparency and thus increases IT security enormously.

Goals:

  • Implementation of the security monitoring use cases defined in the concept
  • Recognition of normal behaviour and deviations

Output:

  • Visualization of data sources (events, dashboards)
  • Alert Configurations
  • Reports
Analyze

Detect

The aim is to detect safety-relevant events as highly automated as possible on the basis of collected data. This can be, for example, the loss of a log source or a brute force attack on a user account. The detection of targeted attacks (e.g. APT Advanced Persistent Threat) or dissatisfied administrators who extract sensitive data is often only possible with the know-how of proven security engineers.

Goals:

  • Detection of APTs and other attacks
  • Detection of anomalies and policy violations

Output:

  • Periodic checks of the log sources
  • Automatic alarm
  • Situational investigations
  • Elimination of false positives (tuning)
Detect

React

The alarm is forwarded to the experts via well-established processes, most of which are organized in a Security Operation Center (SOC). The experts determine the danger and urgency of the incident and take the necessary measures. The effectiveness of this phase depends heavily on resources, response time and expert knowledge. Ideally, therefore, a 7x24h organization and resources with the necessary know-how would have to be provided.

Goals:

  • Stemming and combating attacks

Output:

  • Incident Tickets
  • Incident summary (if necessary, definition of measures)
React

Report

Reporting is an integral part of security monitoring and serves to increase transparency and evidence. In regular meetings with our security analysts, the reports are discussed and weak points are analyzed.

Goals:

  • Controlling
  • Proof and control of security monitoring

Output:

  • Reporting via key security metrics
  • Management summary
  • Reports according to customer requirements (Mgmt, Compliance Reporting)
  • Regular meetings with the security analyst
Report
SOC Workshop with Use Case & Attack Scenarios
Where to start if there are not enough resources available? Leave the work to an experienced security engineer who will guide you and your team during a Cyber Defense Workshop (SOC Workshop) and introduce you to the first Use Cases. Depending on the initial situation, a one-day workshop already provides sufficient knowledge transfer so that you can master further steps on your own.