ThetaPoint Blog

Your SIEM isn’t the Problem, but Your Model is (part 2)

The Model is your Tutor for your Analysts and your MSSP

The same set of facts and labels should be readily available regardless of who or what is doing analysis. When a common Model applies across the infrastructure, every investigation into an alert also presents the correct contextual data to the investigator, regardless of how familiar they are with the tooling or business itself. You no longer need to go digging around just to find out what is important about an asset. This consistency and immediacy make it easier to internalize the normal quirks and behaviors that help adjudication.…

Your SIEM isn’t the Problem, but Your Model is

If one of these statements sounds familiar, this blog post is for you:

“I’m not getting enough value out of my SIEM”
“My MSSP floods me with alerts that are not relevant, and they’re not willing or equipped to filter or make good judgements on their end for most of the cases they send”
“Our Junior Analysts have a hard time making heads or tails out of an alert”

First the good news: you are not alone. However, a single thread does link all of these problems to a common cause…

Security Reference Architecture - People

Many organizations struggle to identify, hire, and retain qualified security personnel. Because of this challenge, we often see organizations reducing their standards, leading to individuals who are ill-suited for their responsibilities or trapped with no opportunity for career progression. Because so many organizations are seeking the same types of skillsets, adding too many requirements to the position can limit your search. In addition, promoting from within and from the wrong skillsets can pigeonhole you and your staff for years to come. In some scenarios, your talent pool can become insufficient and unbalanced: heavy in some skill areas, light in others, and…

Security Reference Architecture – Technology

ThetaPoint’s Security Reference Architecture has abstracted the Security Operations Center’s (SOC) technology stack into four simple buckets: These categories focus on the critical services that the SOC performs. Many proprietary tools provide more than one of these services, but since vendor independence is one of our overarching goals, this division allows us to focus on the key features needed to support our production use cases. This simplified stack helps frame discussions about organizational responsibilities in the context of supporting the SOC as well as how the SOC can leverage parts of the enterprise technology stack to…

Security Reference Architecture - Framework Overview

Framework Overview

The challenge of running an effective Security Operations Center far outweighs the effort to build one. This difficulty stems from the fact that the organization will be operating for far longer than the time needed for its implementation, and that the decision points are both more numerous and unanticipated. There are plenty of sources for guidance to help mitigate the effort, but this advice often comes in the form of consensus-driven control frameworks and abstract guidelines. While important, for this post we will assume that you already have a solid foundational understanding of these controls. We have repeatedly…