ThetaPoint Blog

Is Your Adversary Your Supply Chain?

The Airbus breach teaches a clear lesson: organizations cannot focus solely on monitoring and protecting their own infrastructure; they must also manage the risk brought on by their supply chain business partners. However, more and more organizations struggle to operate and maintain their security environment, so where can they find the time or the talent? I’ll let you in on a little secret – if an organization has the funds to operate a SOC, then that organization should have the means to protect its critical data and identify risky behavior through access and usage monitoring. What constitutes normal…

The Grass Isn’t Always Greener

It is amazing the number of times I hear of organizations switching from one SIEM platform to another, only to have the exact same problems that caused them to switch in the first place. I am here to tell you that the grass is not always greener on the other side. Some of you might be familiar with the 1993 Harold Ramis film “Groundhog Day”, starring Bill Murray and Andie MacDowell. For those that are not, here is the general theme: a weatherman gets stuck in Punxsutawney, Pennsylvania and relives the same day over and over, only to realize…

SRA Example: Any Stack, Any Network, Anybody

In this blog I will share a sample implementation of the technology stack described in the ThetaPoint Security Reference Architecture for Security Operations Centers. I will walk through some basics of network and endpoint instrumentation, event transport, analytics, and workflow. This example is designed to be easy to follow, but if you have something more specific that you want to delve into, feel free to book time on my calendar, and we’ll explore in detail together.

Architectural Overview - Instrumentation

For this implementation, we’ll be using Elastic Beats for wiring up event collection on…

Your SIEM isn’t the Problem, but Your Model is (part 2)

The Model is your Tutor for your Analysts and your MSSP

The same set of facts and labels should be readily available regardless of who or what is doing analysis. When a common Model applies across the infrastructure, every investigation into an alert also presents the correct contextual data to the investigator, regardless of how familiar they are with the tooling or the business itself. You no longer need to go digging around just to find out what is important about an asset. This consistency and immediacy make it easier to internalize the normal quirks and behaviors that help adjudication.…

Your SIEM isn’t the Problem, but Your Model is

If one of these statements sounds familiar, this blog post is for you:

“I’m not getting enough value out of my SIEM”

“My MSSP floods me with alerts that are not relevant, and they’re not willing or equipped to filter or make good judgements on their end for most of the cases they send”

“Our Junior Analysts have a hard time making heads or tails out of an alert”

First the good news: you are not alone. However, a single thread does link all of these problems to a common cause…