One Article Review
| Source |  AlienVault Blog |
|---|---|
| Identifiant | 533383 |
| Date de publication | 2018-03-21 13:00:00 (vue: 2018-03-21 13:00:00) |
| Titre | What Have You Done for Me Lately? Tips for MSSPs |
| Texte |
As security professionals, we like to imagine ourselves diving through the air to stop that ransomware-infected thumb drive going into the unsuspecting user’s USB port. Or stopping the Stuxnet virus before the nukes launch, sending us into WWIII.
The truth is, a lot of the time, things are rather quiet for us. We’ve built our walls, and for the most part, no one is getting in. So how do we keep our clients engaged when there is no threat to report? How do we remind them we’re here looking out for them when all is quiet on the Western Front?
As a Managed Security Service Provider (MSSP) partnering with AlienVault, we create high-quality touchpoints. Bits and pieces of value to prove our worth and provide our clients with tangible, useful information. I’ll share a few such touchpoints that have proven valuable to our clients.
Use your SIEM to find misconfigurations
I had a client express concern recently over a massive spike in “deny” entries in his firewall logs. Due to external networks and segmentation, a lot of his company traffic hit the firewall, and consequently preventable misconfigurations were causing unnecessary network traffic.
We enabled a rule to show firewall blocks coming from inside his network. The rule was simple enough to set up. We were looking for a deny from a single IP and then 10 more occurrences from the same IP to and from “HOME_NET”:
Within minutes our SIEM produced a circle the size of Jupiter, representing thousands of alarms fired. After a day we racked up 38,000 alarms! From there I could produce a report showing the top offenders, enabling our client to work with his team to remediate the issues. Happy client.
Run reports you have created for other clients
One of our clients likes to see a report from AlienVault that shows the IP addresses of known bad actors, otherwise known as the Open Threat Exchange (OTX) report. I send it weekly, and he will then shun the top 5 or 10 at the firewall level. I have since shared this report and idea to block the top offenders with other clients, who have gladly jumped onboard with the weekly regimen.
Here is a sample of the report showing 15-16K SIEM events coming from the same IP(s) and known malicious actors:
Good information, right? Yes, let’s kick 222.186.160.32 to the curb!
Another report we get great response from shows new assets in our SIEM. I can select a radio button to “show assets added last week” and then download that and send to my client. This is of course good information from a security standpoint as well as asset inventory and general housekeeping. Lastly, automate your reports to keep your name in the client’s inbox!
Follow up on security incidents
We often end an email regarding a security incident with something along the lines of, “we’ll keep an eye on things and reach out if we see any new activity.” This is good and you should do just that, but you should formalize the process and produce an incident report. Clients like this and it doesn’t have to be a novel. Just basic facts:
Date and time of the incident
Description of the events
Systems involved
Impact
Remediation steps
Other ideas for MSSP touchpoints
Share your e |
| Envoyé | Oui |
| Condensat | “home “show “we’ll happy lastly 000 160 16k 186 222 activity actors actors: added addresses after air alarms alienvault all along another any anything are ask asset assets associate automate bad basic before begin bits block blocks built but button call can causing circle client client’s clients coming company compliance concern consequently could course create created crisis curb current date day deny description diving doesn’t don’t done download drive due email enabled enabling end engaged enough entries events exchange expertise express external eye facts: find fired firewall follow formalize from front general get getting gladly going good great had have hear here high his hit housekeeping how i’ll idea ideas imagine impact inbox incident incidents infected information inside inventory involved issues jumped jupiter just keep kick known last lately launch let let’s level like likes lines logs looking lot malicious managed massive meet minutes misconfigurations month’s monthly more most mssp mssps name need net”: network networks new news newsletter novel nukes occurrences offenders offer often onboard one only open other otherwise otx ourselves out over part partnering pieces port preventable process produce produced professionals prove proven provide provider quality quiet racked radio ransomware rather reach recently regarding regimen regulations remediate remediation remind report reports representing response review right rule run same sample scans schedule security see segmentation select send sending service set share shared should show showing shows shun siem simple simply since single size something spike standpoint state steps stop stopping stuxnet such systems talk tangible team them then things thousands threat through thumb time times tips top touchpoints traffic trends truth unnecessary unsuspecting usb use useful user’s valuable value virus vulnerability walls we’re we’ve week” weekly well western what when who wild will within won’t work worth wwiii your |
| Tags | |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.