NIL815

Services

Incident Response Unit - Creation and assistance

The OODA loop
Here is the thing about building a unit performing detection and response: it can be a daunting task. You are setting out to create a team that will ingest massive amounts of data, make sense of the collected noise, respond to threats manifested across an entire organisation, track and remove any adversary footholds, and keep a cool head while doing it.

Reach out for assistance to navigate this undertaking of building a SOC or SAC and avoid the common pitfalls when hiring, creating processes, selecting tools, or building use cases, or if you just need an Analyst-for-Hire to get some return on investment right off the bat.

In the meantime, read on.

Splunk

Log management tools and SIEMs are not fire-and-forget tools that can be unboxed, turned on, and "just work". Splunk is no exception. It needs to be cared for continuously to get the most out of the data. Correlation searches must be fine-tuned constantly to match the current threat landscape and should use all the nooks and crannies of the search language.

Take a minute to think about how to correlate endpoint logs with firewall logs to determine which endpoints visited a malicious URL over a span of 30 days. Done? Now account for endpoints changing IP addresses during those 30 days.

Just as important is alignment of use cases with log sources to make sure no visibility gaps exist. It is not enough to "just collect Windows logs". If the correct events are not logged, no SIEM can fix that. Field discoveries must be verified, fields must be validated, data outages and drops detected, and overall coverage must be monitored.
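A worked version of the 30-day correlation puzzle above, added here as an example that is not part of NIL815's page or of Splunk itself: the time-aware join is written in Python rather than SPL so it runs stand-alone, and the hostnames, log rows, URLs and the seven-day lease lifetime are all constructed assumptions. Hits for which no lease covers the source IP at that instant are kept visible under `UNATTRIBUTED` instead of being silently dropped, which is the visibility gap the previous paragraph warns about.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: firewall rows (time, source IP, URL); DHCP rows (lease start, IP, host).
FIREWALL_LOGS = [
    ("2018-02-20T10:00:00", "10.0.0.5", "http://evil.example/payload"),  # outside window
    ("2018-03-01T09:15:00", "10.0.0.5", "http://evil.example/payload"),
    ("2018-03-10T14:02:00", "10.0.0.5", "http://evil.example/payload"),
    ("2018-03-18T11:00:00", "10.0.0.5", "http://evil.example/c2"),  # no lease covers this
    ("2018-03-20T08:30:00", "10.0.0.7", "http://benign.example/"),
    ("2018-03-25T17:45:00", "10.0.0.5", "http://evil.example/c2"),
]
DHCP_LEASES = [
    ("2018-02-28T08:00:00", "10.0.0.5", "LAPTOP-ALICE"),
    ("2018-03-05T08:00:00", "10.0.0.5", "LAPTOP-BOB"),
    ("2018-03-15T08:00:00", "10.0.0.7", "LAPTOP-CAROL"),
    ("2018-03-22T08:00:00", "10.0.0.5", "LAPTOP-ALICE"),
]
MALICIOUS_URLS = {"http://evil.example/payload", "http://evil.example/c2"}
LEASE_TTL = timedelta(days=7)  # assumed maximum lease lifetime
parse = datetime.fromisoformat  # sample timestamps are ISO-8601

def build_lease_table(leases, ttl=LEASE_TTL):
    # IP -> time-ordered [start, end, host]; a lease ends at the next lease or ttl, whichever is first.
    by_ip = defaultdict(list)
    for start, ip, host in sorted(leases):
        by_ip[ip].append([parse(start), None, host])
    for rows in by_ip.values():
        next_starts = [r[0] for r in rows[1:]] + [datetime.max]
        for row, nxt in zip(rows, next_starts):
            row[1] = min(row[0] + ttl, nxt)
    return by_ip

def host_at(table, ip, when):
    # Hostname holding `ip` at `when`, or None if no lease covers that instant.
    rows = table.get(ip, [])
    i = bisect_right([r[0] for r in rows], when) - 1  # last lease that started <= when
    return rows[i][2] if i >= 0 and when < rows[i][1] else None

def attribute_visits(fw_logs, leases, bad_urls, now, window_days=30):
    # {host: [(timestamp, url), ...]} for malicious hits in the window; unmatched hits stay visible.
    table = build_lease_table(leases)
    cutoff = parse(now) - timedelta(days=window_days)
    hits = defaultdict(list)
    for ts, ip, url in fw_logs:
        when = parse(ts)
        if url in bad_urls and when >= cutoff:
            hits[host_at(table, ip, when) or "UNATTRIBUTED"].append((ts, url))
    return dict(hits)
```

A naive join on IP alone would credit every 10.0.0.5 hit to both ALICE and BOB; the lease intervals are what make the attribution correct.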

At NIL815 we bring the security knowledge to the table that will make Splunk shine in your unit. Dip into a pool of extensive knowledge and get help with implementation of use cases, creation and verification of correlation searches, or an overall implementation health check.

MISP SaaS

Sharing is caring. Imagine being in the middle of an incident and wanting to share actionable intelligence with peers or other parts of the organisation, to be used for collaboration, detection, response, and automation. How would you go about doing this without resorting to spreadsheets, insecure emails, or PDFs that are notoriously hard to use for automation in any form?
MISP is a solution to this. MISP instances exchange actionable intelligence with each other in a structured and secure manner and allow for automatic ingestion of relevant data into security controls. The open source exchange platform is used by national agencies, CERTs, and security teams in organisations all over the world. MISP can also be used solely as an in-house repository of information to facilitate security control automation and to retain and correlate with historic and open source data.

NIL815 offers hosting, running, and supporting MISP in a cloud infrastructure, either as a stand-alone solution for your organisation or as a multitenant hub for your sector. Don't hesitate to reach out to hear more about the possibilities.

Official MISP project site: https://www.misp-project.org/

Copyright © 2018 NIL815, Denmark