Author: Heather Stump
Are you searching for a new partner to help protect your business from cyber threats? It is very important to complete your due diligence when it comes to managed security services providers, as well as SIEM platforms. This is a huge investment for your organization, so you want to make sure you find the provider and platform that makes the most sense for your security needs. Many times, the selection process alone can take months of work. What happens when you do find that perfect partnership? That perfect SIEM platform? How do you prepare for the onboarding of that MSSP and the associated toolset?
Once a partner is chosen, many clients are unsure what to do next, and how to prepare for the onboarding of these important relationships and tools. As someone who has been a part of many successful onboarding processes, I have compiled a list of the most helpful tips for preparing to onboard a new security partner and/or SIEM provider.
Onboarding an MSSP (Managed Security Services Provider)
Many organizations that are new to the MSSP world do not have an internal process in place for interacting with their MSSP. It is critical to formalize an internal process for threat management and response, including policies and procedures. How will your security team manage the potential threats that are escalated for review and response? Start this conversation early, and continue to have it often, so your team is prepared to respond once your MSSP is onboarded. An experienced MSSP will provide guidance and will already have the workflow established on their end, but make sure that you have a Point of Contact list and an Incident Response (IR) process in place on yours.
SIEM Deployment Best Practices
Deploying a SIEM can be a complicated process, particularly if your organization has not previously had a SIEM in place. The key to a smooth implementation process is planning ahead. Take the time to outline your organization’s requirements and use cases prior to SIEM implementation.
1. Initial Deployment Requirements
Understand the initial deployment requirements your team is responsible for. What are the cloud vs. on-premises considerations? Plan for physical or cloud-based log collector and correlation server deployments as needed. Review the specs/requirements before project kickoff and assign responsibilities internally. The planning phase is often the longest part of a deployment precisely because nobody planned ahead of time. Ideally it takes 1-2 weeks after the initial kickoff call; in practice it can stretch to several months when resources are unavailable, whether knowledge workers, physical/virtual infrastructure, or both.
2. Log Source Planning and Prioritization
Begin listing your top, most critical log source types and make sure you understand the collection method each one requires (agent, syslog, or API-based collection, for example). Work with your internal teams to understand which assets you are trying to protect and which logs are available to detect anomalous activity on your network. This again affects your internal scheduling and resource availability, so plan ahead. Prioritizing this list is crucial: it keeps the initial focus on your most critical assets and shortens the time it takes to give your trusted MSSP visibility into your security posture.
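The inventory-and-prioritization step above is easier to run as a small checklist than as a spreadsheet conversation. The following is an added illustration, not the article's or Binary Defense's own tooling: it takes a constructed asset inventory and log source list, orders the sources that are ready to collect by asset criticality, and flags the gaps a practitioner would want resolved before kickoff (a source with no collection method decided, an unsupported method, an owner who has not confirmed, or a critical asset with no log source at all). The tier names, collection methods, asset names and owners are all assumptions.

```python
"""Log-source onboarding plan: prioritize collection by asset criticality
and flag coverage gaps before the MSSP/SIEM kickoff.

Added illustration; not the article's or Binary Defense's own tooling.
All asset names, owners, tiers and collection methods below are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Collection methods the SIEM is assumed to support (assumption).
COLLECTION_METHODS = {"syslog", "agent", "api", "wef"}

# Lower rank = onboard first. The tier names are an assumption.
CRITICALITY_RANK = {"crown-jewel": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Asset:
    name: str
    criticality: str      # one of CRITICALITY_RANK
    owner: str            # internal team that must enable collection


@dataclass
class LogSource:
    asset: str                     # Asset.name this source belongs to
    source_type: str               # e.g. "windows-security", "firewall"
    method: Optional[str]          # collection method, None if undecided
    owner_confirmed: bool = False  # has the owning team signed off?


def plan_onboarding(assets: List[Asset],
                    sources: List[LogSource]) -> Tuple[List[LogSource], List[str]]:
    """Return (ready, gaps).

    ready: sources that can be collected now, ordered by asset criticality
           and then source type, i.e. the order to hand to the MSSP.
    gaps:  findings to resolve before kickoff.
    """
    by_name = {a.name: a for a in assets}
    ready, gaps, covered = [], [], set()

    for s in sources:
        asset = by_name.get(s.asset)
        if asset is None:
            gaps.append(f"{s.source_type}: references unknown asset {s.asset!r}")
            continue
        covered.add(asset.name)
        if s.method is None:
            gaps.append(f"{asset.name}/{s.source_type}: no collection method decided")
        elif s.method not in COLLECTION_METHODS:
            gaps.append(f"{asset.name}/{s.source_type}: unsupported method {s.method!r}")
        elif not s.owner_confirmed:
            gaps.append(f"{asset.name}/{s.source_type}: owner {asset.owner} has not confirmed")
        else:
            ready.append(s)

    # A high-criticality asset with no log source is the gap that matters most.
    for a in assets:
        if a.name not in covered and CRITICALITY_RANK[a.criticality] <= CRITICALITY_RANK["high"]:
            gaps.append(f"{a.name}: {a.criticality} asset with no log source at all")

    ready.sort(key=lambda s: (CRITICALITY_RANK[by_name[s.asset].criticality], s.source_type))
    return ready, gaps


# Constructed sample inventory (not real infrastructure).
SAMPLE_ASSETS = [
    Asset("dc01", "crown-jewel", "infra"),
    Asset("fw-edge", "high", "network"),
    Asset("payroll-db", "crown-jewel", "apps"),
    Asset("print01", "low", "infra"),
]
SAMPLE_SOURCES = [
    LogSource("print01", "syslog-printer", "syslog", True),
    LogSource("dc01", "windows-security", "wef", True),
    LogSource("fw-edge", "firewall", "syslog", True),
    LogSource("dc01", "dns", None),            # method not yet decided
    LogSource("fw-edge", "vpn", "ftp", True),  # not a supported method
]


def sample_plan() -> Tuple[List[LogSource], List[str]]:
    """Run the planner over the constructed sample data."""
    return plan_onboarding(SAMPLE_ASSETS, SAMPLE_SOURCES)


if __name__ == "__main__":
    ready, gaps = sample_plan()
    print("Onboard in this order:")
    for s in ready:
        print(f"  {s.asset}/{s.source_type} via {s.method}")
    print("Resolve before kickoff:")
    for g in gaps:
        print(f"  - {g}")
```

On the sample data the domain controller's security log goes first and the printer last, and the planner reports three gaps: the DNS source with no collection method, the VPN source using an unsupported method, and the payroll database, a crown-jewel asset with no log source listed at all. That last finding is the one an MSSP cannot discover for you; only the internal asset owners know it exists.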
3. Business Specific Use Cases
Understanding what is important to your team ahead of time helps your MSSP make sure you are sending the right log sources and events, and that rules are built specifically for your needs. Alarms should be actionable, and your feedback is critical to the MSSP's understanding of your security environment.
- What anomalies are present in your environment today?
- What type of activity is important for your security team to be aware of?
- Do you have a previous pen test report that outlines vulnerabilities within your environment?
Communication is Key!
When in doubt, talk to your MSSP as though they are an extension of your team. What is important to you is important to your MSSP, and they are there to help you through this process. The relationship with your MSSP does not end once you are onboarded and your SIEM is deployed, and your SIEM deployment is not complete once you are operational. Ongoing communication, feedback and regular discussions are needed to keep tuning your SIEM to your evolving needs. Schedule calls on a regular cadence, and respond to tickets and inquiries from your MSSP so they can continue to learn your environment and identify opportunities to improve your security tools.
Heather Stump is a Senior Project Manager for Binary Defense. She has been with the company for 2 ½ years. In her role, she manages the SIEM project delivery lifecycle and serves as the Point of Contact for client onboarding. She helps clients with onboarding throughout SIEM deployment and for ongoing SIEM management and maintenance activities.