10 Steps to Success

1.    R3SOLV personnel will work with the IT administrator / service provider designated by our client to install and configure the items below.

2.    One Windows server (or a VM of a Windows server) on the customer's network will be designated as the host for the 1 MB WMI "collector" that receives logs from other devices. Resource requirements for this process are extremely low, and any Windows Server 2008 R2 / 2012 R2 can be used. If our client has multiple networks/domains, one collector will be deployed per network/domain.

3.    Event logs from: Windows servers, Linux servers, network appliances, security tools (firewall, UTM, IDS, IPS), and any managed switches will be forwarded to the above-designated "collector".

4.    The logs will be compressed (approximately 4:1), encrypted, and forwarded over a secure connection (TCP/SSL) to the previously configured client log collector server in the cloud, then processed for retention and assigned an MD5 hash. (This is to ensure the integrity of the logs and to create a chain of custody in the event that the logs are needed for future forensic examination or as evidence in a prosecution.)

5.    The logs are pulled into the Advanced Security Platform and the Security Operations Centre team will use proprietary software and processes through various correlation vectors to analyze the resulting data for an inbound or outbound contact with known bad IPs/Domains (using multiple open-source & commercial threat intelligence feeds including ProofPoint) and also for suspicious network activity such as botnets, ransomware, data exfiltration and zero-day attacks.
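Steps 4 and 5 describe two mechanisms in general terms: a per-batch hash that gives retained logs a verifiable chain of custody, and correlation of forwarded events against threat-intelligence indicators. The following is an added illustration written for this page; it is not R3SOLV's software. It uses MD5 as the page states (with SHA-256 available as the stronger digest, since MD5 is no longer collision-resistant), links each custody record to the previous one so that later edits to any batch or record are detectable, and matches a handful of constructed log lines against constructed placeholder indicators (the IPs and domain below are documentation/test ranges, not a real feed).

```python
import hashlib
import json
import re

# Constructed sample log lines (not from any real system). The collector
# forwards batches of these; each batch is hashed before retention.
SAMPLE_LOGS = [
    "2024-01-15T10:01:02Z fw01 action=allow src=10.0.0.5 dst=93.184.216.34 dport=443",
    "2024-01-15T10:01:05Z fw01 action=allow src=10.0.0.7 dst=198.51.100.23 dport=80",
    "2024-01-15T10:01:09Z dns01 query=update.example-bad.test client=10.0.0.7",
    "2024-01-15T10:01:11Z fw01 action=deny src=203.0.113.9 dst=10.0.0.5 dport=22",
]

# Constructed threat-intelligence indicators (placeholders, not a real feed).
BAD_IPS = {"198.51.100.23", "203.0.113.9"}
BAD_DOMAINS = {"example-bad.test"}


def hash_batch(lines, algorithm="md5"):
    """Digest of one log batch. MD5 is the page's stated algorithm;
    pass algorithm="sha256" for a collision-resistant digest."""
    h = hashlib.new(algorithm)
    for line in lines:
        h.update(line.encode("utf-8"))
        h.update(b"\n")
    return h.hexdigest()


def custody_record(lines, previous_record_hash, batch_id, algorithm="md5"):
    """Build a chain-of-custody entry. Each record commits to the batch digest
    and to the hash of the previous record, so changing any batch or record
    breaks every link after it."""
    record = {
        "batch_id": batch_id,
        "line_count": len(lines),
        "algorithm": algorithm,
        "batch_digest": hash_batch(lines, algorithm),
        "previous_record_hash": previous_record_hash,
    }
    serialized = json.dumps(record, sort_keys=True).encode("utf-8")
    record["record_hash"] = hashlib.sha256(serialized).hexdigest()
    return record


def verify_chain(batches, records, genesis="0" * 64):
    """Recompute every batch digest and every link; True only if the whole chain holds."""
    prev = genesis
    for lines, rec in zip(batches, records):
        body = dict(rec)
        recorded_hash = body.pop("record_hash")
        if rec["batch_digest"] != hash_batch(lines, rec["algorithm"]):
            return False  # batch content no longer matches its digest
        if rec["previous_record_hash"] != prev:
            return False  # record was inserted, removed, or reordered
        serialized = json.dumps(body, sort_keys=True).encode("utf-8")
        if hashlib.sha256(serialized).hexdigest() != recorded_hash:
            return False  # record fields were edited after hashing
        prev = recorded_hash
    return True


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"query=([A-Za-z0-9.-]+)")


def match_indicators(lines, bad_ips=BAD_IPS, bad_domains=BAD_DOMAINS):
    """Correlate each line against IP and domain indicators; return the hits."""
    hits = []
    for line in lines:
        ips = set(IP_RE.findall(line)) & bad_ips
        domains = set()
        m = DOMAIN_RE.search(line)
        if m:
            labels = m.group(1).lower().split(".")
            # A listed domain also covers its subdomains: check every parent.
            for i in range(len(labels)):
                parent = ".".join(labels[i:])
                if parent in bad_domains:
                    domains.add(parent)
        if ips or domains:
            hits.append({"line": line, "ips": sorted(ips), "domains": sorted(domains)})
    return hits


if __name__ == "__main__":
    rec = custody_record(SAMPLE_LOGS, "0" * 64, batch_id=1)
    print(json.dumps(rec, indent=2))
    print("chain valid:", verify_chain([SAMPLE_LOGS], [rec]))
    for hit in match_indicators(SAMPLE_LOGS):
        print("ALERT", hit)
```

The custody record is what an analyst would hand to a forensic examiner alongside the retained batch: re-running verify_chain over the stored batches and records shows whether anything changed since retention. The indicator match is deliberately simple (exact IP match, domain-or-parent match); a production correlation engine adds context such as direction, port, and frequency before a hit becomes a case.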

6.    When there is sufficient evidence of possible malicious activity, a security analyst from the Security Operations Centre will evaluate the evidence and create a "case", which will be forwarded to the R3SOLV Incident Response Team.

7.    The R3SOLV Incident Response Team will review the case and provide additional advice regarding recommended actions to be taken. These may include:

a.    Configuration changes to address a high-risk condition. General instructions will be included.

b.    A request for additional information or investigation. Instructions for gathering additional information will be included.

c.    Recommended actions to be taken to mitigate a possible breach.

8.    The case and recommendations will be forwarded to the IT administrator / service provider designated by our client to receive this information. Cases involving a probable breach or high-risk condition will be forwarded within 24 hours.

9.    R3SOLV will provide an Executive Summary Report for each month, showing the number of events analyzed and the status of any cases opened during the month. R3SOLV will also provide reports detailing any cases opened during the month, the status of those cases, and recommended actions. Other reports may be provided as our client deems appropriate.

10.   Your business is now affordably protected - 24/7/365 cyber-security monitoring with human-based remediation that puts your business one step ahead of hackers and the landscape of ever-evolving threats.