© 2016 Quadrant Information Systems
Quadrant Managed Security Services
Quadrant Information Security provides Managed Security Services and Enterprise Security. With around-the-clock monitoring and professional analysis, Quadrant delivers highly effective threat detection. In addition, Quadrant provides its customers with system log management through 53-week storage and log search capabilities.
Quadrant Threat Detection and Customer Remediation
The Process: Monitoring, Investigation, Escalation and Remediation
Through a four-stage process, security threats are identified, investigated and escalated to the customer by Quadrant (stages 1-3) and then neutralized through remediation steps performed by the customer (stage 4). The methodology comprises the following:
Stage 1: Monitoring
Quadrant Sensors monitor both network traffic at the packet level and system logs via thousands of rules which
trigger alerts when suspicious activity is detected. The total transactions screened for a regional bank or similarly
sized organization will typically be in the range of tens of billions per quarter.
Stage 2: Investigation and Analysis
When suspicious activity is detected, the Sagan System Information Event Management (SIEM) system forwards an alert to the Quadrant Security Operations Center (SOC). Each alert is triaged immediately, and potentially critical items are investigated by SOC analysts.
Figure 1 Quadrant Threat Detection and Customer Remediation Process
Quadrant Security Analysts categorize events using a group of prioritized classifications as seen in Table 1 below.
Priority 1 events are critical events. Priorities 2 and 3 are not considered critical on their own, but may be flagged
for monitoring of related suspicious activities in the customer network.
Stage 3: Escalation
When a threat is deemed authentic and significant, the client's InfoSec leadership is notified of the threat and given all available relevant information so that appropriate remediation steps can be taken.
Stage 4: Customer Threat Remediation
Once notified by Quadrant of a security threat, the customer's security team performs the steps needed to eliminate the identified threat. In most cases, the initial escalation is added to the customer's internal service ticketing system for subsequent reporting and auditing of threats and of the steps taken to resolve them.
Specific Case: Network User Activity Monitoring
Among the many types of network activity monitored by Quadrant systems, user account activity is monitored for indications of malicious behaviour. Although the core or 'standard' user ruleset has been tuned to maximize security while minimizing unnecessary alert 'noise', Quadrant can enable additional pre-written rules and work with the customer to create rules specific to their needs. The standard user activity ruleset performs the following types of monitoring:
• Monitoring for users being added to administrator groups. For example, on Windows systems, users being added to "domain administrators", "enterprise administrators", etc.; on Linux systems, users being added to the "sudoers" group for "super user access".
• Monitoring for "brute force" attacks (repeated password failures) against administrator accounts. This includes Windows, Linux and network equipment (Cisco, Fortinet, etc.).
• Monitoring for "account lockouts" of administrators.
• Monitoring of administrator account usage via "remote access" protocols (RDP, SSH, etc.).
• Monitoring for administrator account usage from suspicious or non-standard geographic locations.

Analyst Classification       Priority
Active Attack                1
Botnet Traffic               1
DoS Attempt                  1
Exploit Kit                  1
Phishing Attempt             1
Rogue AP                     1
Security Audit               1
SQL Injection Attempt        1
Trojan Horse/Malware         1
Virus/Worm                   1
Account Lockout              2
Brute Force Attack           2
NMap/Portscan/Probes         2
P2P Traffic                  2
Remote File Inclusion        2
Spam                         2
Spyware/Adware               2
Suspicious Traffic           2
Attempted Recon              3
Authentication Failure       3
False Positive               3
Firewalled/Dropped/Denied    3
Invalid Login                3
Maintenance                  3
Normal Traffic               3
Not Applicable               3
Policy Violation             3
System Error                 3
System Event                 3
Table 1 Quadrant Analyst Event Classifications
When custom monitoring or reporting is required for activity such as user activity, customers simply work with Quadrant to define the criteria. For administrator login activity monitoring, for example, customers generally provide Quadrant with a list of administrator groups for which custom rules can be written.
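The five checks of the standard user-activity ruleset described above, as an added example that is not Quadrant's or Sagan's code: each check runs over constructed single-line events, and the administrator groups and accounts, the GeoIP table and the per-account expected countries are all assumed for the example.

```python
"""Added example (not Quadrant's or Sagan's code): the standard user-activity
checks the page lists, run over constructed single-line events."""
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed event format for this example (not Sagan's own normalisation):
#   <ISO timestamp> <host> <event> key=value key="value with spaces" ...
# Event names follow the sources the page names: Windows security event IDs
# (4728/4732 member added to a group, 4625 failed logon, 4740 lockout,
# 4624 logon with logon_type 10 = RDP) and sshd / group-change messages on Linux.
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "sudo", "wheel"}  # hypothetical customer-supplied list
ADMIN_USERS = {"jdoe", "root"}                                           # hypothetical
BRUTE_THRESHOLD, BRUTE_WINDOW = 5, timedelta(minutes=5)
GEOIP = {"198.51.100.7": "US", "203.0.113.9": "RO", "10.5.5.13": "US"}  # constructed stand-in for a GeoIP lookup
EXPECTED_COUNTRY = {"jdoe": {"US"}, "root": {"US"}}                      # constructed per-admin baseline

# Rules with a direct Table 1 classification; everything else goes to analyst triage.
TABLE1 = {"admin_brute_force": ("Brute Force Attack", 2), "admin_lockout": ("Account Lockout", 2)}


def parse(line):
    """Split one event line into (timestamp, host, event, fields)."""
    ts, host, event, *kvs = shlex.split(line)      # shlex keeps quoted values intact
    return datetime.fromisoformat(ts), host, event, dict(kv.split("=", 1) for kv in kvs)


def detect(lines):
    """Run the five checks over time-ordered lines; returns (rule, ts, user, detail) tuples."""
    alerts = []
    failures = defaultdict(deque)   # admin user -> timestamps of failed logons in the window
    for line in lines:
        ts, host, event, f = parse(line)
        user = f.get("user", "")
        src = f.get("src", "?")
        if event in ("4728", "4732", "group_add") and f.get("group") in ADMIN_GROUPS:
            alerts.append(("admin_group_add", ts, user,
                           f"added to {f['group']} on {host} by {f.get('by', '?')}"))
        elif event in ("4625", "ssh_failed") and user in ADMIN_USERS:
            q = failures[user]
            q.append(ts)
            while ts - q[0] > BRUTE_WINDOW:      # drop failures older than the window
                q.popleft()
            if len(q) >= BRUTE_THRESHOLD:
                alerts.append(("admin_brute_force", ts, user,
                               f"{len(q)} failures within {BRUTE_WINDOW} on {host} from {src}"))
                q.clear()                        # one alert per burst, re-arm for the next
        elif event == "4740" and user in ADMIN_USERS:
            alerts.append(("admin_lockout", ts, user, f"locked out on {host}"))
        elif user in ADMIN_USERS and (event == "ssh_accepted" or
                                      (event == "4624" and f.get("logon_type") == "10")):
            alerts.append(("admin_remote_access", ts, user, f"{event} on {host} from {src}"))
            country = GEOIP.get(src, "unknown")
            if country not in EXPECTED_COUNTRY.get(user, set()):
                alerts.append(("admin_unusual_geo", ts, user, f"from {src} ({country}) on {host}"))
    return alerts


def classify(rule):
    """Table 1 classification and priority where one maps directly."""
    return TABLE1.get(rule, ("Analyst triage", None))


# Constructed sample, in time order.
SAMPLE = [
    '2016-05-02T08:00:01 dc01 4728 user=bob group="Domain Admins" by=jdoe',
    '2016-05-02T08:00:05 lx01 ssh_failed user=root src=203.0.113.9',
    '2016-05-02T08:00:06 lx01 ssh_failed user=root src=203.0.113.9',
    '2016-05-02T08:00:07 lx01 ssh_failed user=root src=203.0.113.9',
    '2016-05-02T08:00:08 lx01 ssh_failed user=root src=203.0.113.9',
    '2016-05-02T08:00:09 lx01 ssh_failed user=root src=203.0.113.9',
    '2016-05-02T08:01:00 dc01 4740 user=jdoe',
    '2016-05-02T08:02:00 ts01 4624 user=jdoe logon_type=10 src=203.0.113.9',
    '2016-05-02T08:03:00 lx01 group_add user=alice group=developers by=jdoe',
    '2016-05-02T08:04:00 ts01 4624 user=jdoe logon_type=2 src=10.5.5.13',
]

if __name__ == "__main__":
    for rule, ts, user, detail in detect(SAMPLE):
        print(f"{ts:%H:%M:%S} {rule:20} {user:6} {detail}  -> {classify(rule)}")
```

The last two sample lines show the checks staying quiet for a non-administrator group and a local (non-remote) logon, which is where most of the alert 'noise' tuning lives.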
Continuous Tuning – Maximizing Security, Removing Noise
The Quadrant process includes continuous tuning of the detection systems to ensure the highest level of threat detection while forwarding the smallest possible number of false positives, or 'noise', to the customer's network security team. As Figure 2 below shows, the ratio of total transactions to escalated events is often 1 billion to 1 or greater.
Figure 2 - Billion to One, an Overview of the Quadrant Model
System Log Management
As previously stated, the second service Quadrant provides for its customers is system log management. It allows both the customer and, upon request, Quadrant to analyze and report on activity reflected in the system logs for the prior fifty-three weeks. Reports on any type of logged activity can be generated by contacting the Quadrant team.
Visualizing the Threat-scape in Your Environment
Quadrant Information Security provides its customers with a full complement of methods to better understand their
network’s security challenges. In addition to the individual security alert notifications from Quadrant Security
analysts for critical events, Quadrant also provides a proprietary customer-facing console (called the Sagan Console)
for real-time analysis as well as standard, periodic reports and on-demand custom reporting.
Sagan Console
The Sagan Console is Quadrant's world-class security dashboard and event analysis portal. Each client accesses their own portal via the web, so it is available from anywhere. The Console serves a number of important functions. A dashboard gives a quick overview of system operational status and security threat activity. Events, network packets and logs can be searched through the Console, and security event origins are displayed on an 'Attack Map', giving clients a glimpse of the type of threat actors that may be targeting their networks. Finally, the Sagan Console provides custom, executive-level reporting through aggregated event data.
Reports
Striving to provide its customers with as much understanding of their network security environment as possible,
Quadrant has developed a number of reports, each providing a targeted level of detail to point to a pathway to
action. There are both executive-level and technical-level reports.
Executive-Level Reports
Figure 3 - Sample Quarterly Executive Report
Technical Reports
From: soc@quadrantsec.com
To: quadrantsec-acme@quadrantsec.com
Sent: Monday, May 2, 2016 8:01:50 AM
Subject: Acme Sagan Syslog Report 2016-05-02

Sagan syslog report 2016-05-02
Reporting = Devices sending log messages to Sagan in the last 7 days:
Not Reporting = Devices that the Sagan appliance previously received log messages from but that have not reported in the last 7 days:

Network - Reporting
10.5.43.13
10.5.5.13 - ac123.acme.net
...
10.25.1.5

Network - Not Reporting
10.5.3.69 - ac121.acme.net
10.5.3.78 - ac127.acme.net
...
10.25.1.24

Windows - Reporting
10.100.145.137 - ac142net5.acme.net
10.100.145.138
...
172.19.10.44 - ac50tel.acme.net

Windows - Not Reporting
10.100.139.127
10.100.139.141
...
10.251.17.60
Figure 2 - Sample Sagan Syslog Report, a weekly report to help network security administrators ensure traffic visibility.
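How the Reporting / Not Reporting split of the sample report above can be computed, as an added example that is not Sagan's code: the device inventory, the collector records and the cut-off time are all constructed, and the only page value used is the 7-day window. A source that drops out of the Reporting list is a visibility gap worth chasing, whether the cause is a decommissioned host, a broken forwarder or a deliberately silenced log source.

```python
"""Added example (not Quadrant's or Sagan's code): the Reporting / Not Reporting
split of the weekly syslog report, computed from constructed collector records."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

REPORTING_WINDOW = timedelta(days=7)   # the report's "last 7 days"

# Hypothetical inventory: source IP -> (device class, hostname or None).
# Classes and hostname display follow the sample report on the page.
INVENTORY = {
    "10.5.43.13": ("Network", None),
    "10.5.5.13": ("Network", "ac123.acme.net"),
    "10.5.3.69": ("Network", "ac121.acme.net"),
    "10.100.145.137": ("Windows", "ac142net5.acme.net"),
    "10.100.139.127": ("Windows", None),
}

# Constructed (timestamp, source IP) records, one per received log message.
RECORDS = [
    ("2016-05-02T07:55:00", "10.5.5.13"),
    ("2016-04-30T12:00:00", "10.5.43.13"),
    ("2016-04-10T09:00:00", "10.5.3.69"),
    ("2016-04-24T08:00:00", "10.5.3.69"),       # last message 8 days ago: visibility gap
    ("2016-05-01T23:59:00", "10.100.145.137"),
    ("2016-04-01T00:00:00", "10.100.139.127"),
    ("2016-05-02T06:30:00", "192.0.2.50"),      # source not in the inventory
]
NOW = datetime.fromisoformat("2016-05-02T08:00:00")   # constructed report time


def last_seen(records):
    """Latest message timestamp per source IP."""
    seen = {}
    for ts_str, ip in records:
        ts = datetime.fromisoformat(ts_str)
        if ip not in seen or ts > seen[ip]:
            seen[ip] = ts
    return seen


def visibility_report(records, now=NOW):
    """Map (device class, 'Reporting' | 'Not Reporting') -> IPs sorted numerically.

    Every source ever seen lands in exactly one bucket, so a device that goes
    silent moves from Reporting to Not Reporting instead of disappearing.
    """
    report = defaultdict(list)
    for ip, ts in last_seen(records).items():
        cls = INVENTORY.get(ip, ("Unknown", None))[0]
        status = "Reporting" if now - ts <= REPORTING_WINDOW else "Not Reporting"
        report[(cls, status)].append(ip)
    for ips in report.values():
        ips.sort(key=ipaddress.ip_address)
    return dict(report)


def render(report):
    """Lay the report out in the page's format: '<class> - <status>', then one IP per line."""
    lines = []
    for cls in sorted({c for c, _ in report}):
        for status in ("Reporting", "Not Reporting"):
            lines.append(f"{cls} - {status}")
            for ip in report.get((cls, status), []):
                name = INVENTORY.get(ip, (None, None))[1]
                lines.append(f"{ip} - {name}" if name else ip)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(visibility_report(RECORDS)))
```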

More Related Content

What's hot

Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
Panda Security - Adaptive Defense 360
Panda Security - Adaptive Defense 360Panda Security - Adaptive Defense 360
Panda Security - Adaptive Defense 360Panda Security
 
ThirdEye - LinkedIn's Business-wide monitoring platform
ThirdEye - LinkedIn's Business-wide monitoring platformThirdEye - LinkedIn's Business-wide monitoring platform
ThirdEye - LinkedIn's Business-wide monitoring platformAkshay Rai
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemLancope, Inc.
 
The CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseThe CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseEnclaveSecurity
 
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)James W. De Rienzo
 
Panda Security - Adaptive Defense
Panda Security - Adaptive DefensePanda Security - Adaptive Defense
Panda Security - Adaptive DefensePanda Security
 
Siem Overview 2009
Siem Overview 2009Siem Overview 2009
Siem Overview 2009johndyson1
 
IBM Security Intelligence
IBM Security IntelligenceIBM Security Intelligence
IBM Security IntelligenceAnna Landolfi
 
Achieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security AutomationAchieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security AutomationTripwire
 
Information Security Continuous Monitoring within a Risk Management Framework
Information Security Continuous Monitoring within a Risk Management FrameworkInformation Security Continuous Monitoring within a Risk Management Framework
Information Security Continuous Monitoring within a Risk Management FrameworkWilliam McBorrough
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation finalRizwan S
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV  series CIS Top 20 Critical Security Controls #4SynerComm's Tech TV  series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4Lisa Niles
 
Web Application Attack Report, Edition #4
Web Application Attack Report, Edition #4Web Application Attack Report, Edition #4
Web Application Attack Report, Edition #4Imperva
 
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoEMC
 
Best Network Performance Monitoring Tool
Best Network Performance Monitoring ToolBest Network Performance Monitoring Tool
Best Network Performance Monitoring ToolJoe Shestak
 
Siem tools-monitor-your-network
Siem tools-monitor-your-networkSiem tools-monitor-your-network
Siem tools-monitor-your-networkhardik soni
 
Intelligent Remote Monitoring
Intelligent Remote MonitoringIntelligent Remote Monitoring
Intelligent Remote Monitoringthesecuritygroup
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV  series CIS Top 20 Critical Security Controls #3SynerComm's Tech TV  series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3Lisa Niles
 
Redefining Endpoint Security
Redefining Endpoint SecurityRedefining Endpoint Security
Redefining Endpoint SecurityBurak DAYIOGLU
 

What's hot (20)

Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Panda Security - Adaptive Defense 360
Panda Security - Adaptive Defense 360Panda Security - Adaptive Defense 360
Panda Security - Adaptive Defense 360
 
ThirdEye - LinkedIn's Business-wide monitoring platform
ThirdEye - LinkedIn's Business-wide monitoring platformThirdEye - LinkedIn's Business-wide monitoring platform
ThirdEye - LinkedIn's Business-wide monitoring platform
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch System
 
The CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseThe CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for Defense
 
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
 
Panda Security - Adaptive Defense
Panda Security - Adaptive DefensePanda Security - Adaptive Defense
Panda Security - Adaptive Defense
 
Siem Overview 2009
Siem Overview 2009Siem Overview 2009
Siem Overview 2009
 
IBM Security Intelligence
IBM Security IntelligenceIBM Security Intelligence
IBM Security Intelligence
 
Achieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security AutomationAchieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security Automation
 
Information Security Continuous Monitoring within a Risk Management Framework
Information Security Continuous Monitoring within a Risk Management FrameworkInformation Security Continuous Monitoring within a Risk Management Framework
Information Security Continuous Monitoring within a Risk Management Framework
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation final
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV  series CIS Top 20 Critical Security Controls #4SynerComm's Tech TV  series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
 
Web Application Attack Report, Edition #4
Web Application Attack Report, Edition #4Web Application Attack Report, Edition #4
Web Application Attack Report, Edition #4
 
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
 
Best Network Performance Monitoring Tool
Best Network Performance Monitoring ToolBest Network Performance Monitoring Tool
Best Network Performance Monitoring Tool
 
Siem tools-monitor-your-network
Siem tools-monitor-your-networkSiem tools-monitor-your-network
Siem tools-monitor-your-network
 
Intelligent Remote Monitoring
Intelligent Remote MonitoringIntelligent Remote Monitoring
Intelligent Remote Monitoring
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV  series CIS Top 20 Critical Security Controls #3SynerComm's Tech TV  series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
 
Redefining Endpoint Security
Redefining Endpoint SecurityRedefining Endpoint Security
Redefining Endpoint Security
 

Viewers also liked

How to run your startup on Amazon Web Services, by Alex Iskold
How to run your startup on Amazon Web Services, by Alex IskoldHow to run your startup on Amazon Web Services, by Alex Iskold
How to run your startup on Amazon Web Services, by Alex IskoldAlex Iskold
 
To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015Paul Hogan
 
AlienVault Partner Update: So Many Security Products to Sell to My Customers…...
AlienVault Partner Update: So Many Security Products to Sell to My Customers…...AlienVault Partner Update: So Many Security Products to Sell to My Customers…...
AlienVault Partner Update: So Many Security Products to Sell to My Customers…...AlienVault
 
Infosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSPInfosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSPHuntsman Security
 
Mónica gonzález pérez a01681467 mogesa 29 de enero de 2016
Mónica gonzález pérez a01681467 mogesa 29 de enero de 2016Mónica gonzález pérez a01681467 mogesa 29 de enero de 2016
Mónica gonzález pérez a01681467 mogesa 29 de enero de 2016Mónica González
 
Грамоты и благодарственные письма ЯРО ООО Общества "Знание"
Грамоты и благодарственные письма ЯРО ООО Общества "Знание"Грамоты и благодарственные письма ЯРО ООО Общества "Знание"
Грамоты и благодарственные письма ЯРО ООО Общества "Знание"Stas Noev
 
The reseach of incubation center in silicon valley
The reseach of incubation center in silicon valleyThe reseach of incubation center in silicon valley
The reseach of incubation center in silicon valleyNaoya Muto
 
Evalluacion proyecto
Evalluacion proyectoEvalluacion proyecto
Evalluacion proyectoFernando Lazo
 
Perifericos brian powerpoint
Perifericos brian powerpointPerifericos brian powerpoint
Perifericos brian powerpointadri2128d
 
Analisis de los precios de los productos de la canasta basica familiar de tul...
Analisis de los precios de los productos de la canasta basica familiar de tul...Analisis de los precios de los productos de la canasta basica familiar de tul...
Analisis de los precios de los productos de la canasta basica familiar de tul...fernanda morales
 
Industrial Power Control Pvt.Ltd
Industrial Power Control Pvt.LtdIndustrial Power Control Pvt.Ltd
Industrial Power Control Pvt.LtdKushal Baid
 
온라인카지노…DDA21"COM…인터넷경마
온라인카지노…DDA21"COM…인터넷경마온라인카지노…DDA21"COM…인터넷경마
온라인카지노…DDA21"COM…인터넷경마복 성규
 
Rapport au Sénat : comprendre le chômag en France
Rapport au Sénat : comprendre le chômag en FranceRapport au Sénat : comprendre le chômag en France
Rapport au Sénat : comprendre le chômag en FranceSociété Tripalio
 
2015年《原住民族傳統智慧創作保護條例》暨子法及未來說明會手冊(保全授權版)
2015年《原住民族傳統智慧創作保護條例》暨子法及未來說明會手冊(保全授權版)2015年《原住民族傳統智慧創作保護條例》暨子法及未來說明會手冊(保全授權版)
2015年《原住民族傳統智慧創作保護條例》暨子法及未來說明會手冊(保全授權版)TITICoffice
 
Kiourtsis -The Importance of seedlings quality in timber and bioenergy produ...
Kiourtsis -The Importance of  seedlings quality in timber and bioenergy produ...Kiourtsis -The Importance of  seedlings quality in timber and bioenergy produ...
Kiourtsis -The Importance of seedlings quality in timber and bioenergy produ...fkiourts
 
Specticle G Presentation
Specticle G PresentationSpecticle G Presentation
Specticle G Presentationbackedbybayer
 
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault
 
Visual studio 사용 설명서(고급)
Visual studio 사용 설명서(고급)Visual studio 사용 설명서(고급)
Visual studio 사용 설명서(고급)Lusain Kim
 

Viewers also liked (20)

How to run your startup on Amazon Web Services, by Alex Iskold
How to run your startup on Amazon Web Services, by Alex IskoldHow to run your startup on Amazon Web Services, by Alex Iskold
How to run your startup on Amazon Web Services, by Alex Iskold
 
To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015
 
AlienVault Partner Update: So Many Security Products to Sell to My Customers…...
AlienVault Partner Update: So Many Security Products to Sell to My Customers…...AlienVault Partner Update: So Many Security Products to Sell to My Customers…...
AlienVault Partner Update: So Many Security Products to Sell to My Customers…...
 
Infosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSPInfosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSP
 
Mónica gonzález pérez a01681467 mogesa 29 de enero de 2016
Mónica gonzález pérez a01681467 mogesa 29 de enero de 2016Mónica gonzález pérez a01681467 mogesa 29 de enero de 2016
Mónica gonzález pérez a01681467 mogesa 29 de enero de 2016
 
Грамоты и благодарственные письма ЯРО ООО Общества "Знание"
Грамоты и благодарственные письма ЯРО ООО Общества "Знание"Грамоты и благодарственные письма ЯРО ООО Общества "Знание"
Грамоты и благодарственные письма ЯРО ООО Общества "Знание"
 
The reseach of incubation center in silicon valley
The reseach of incubation center in silicon valleyThe reseach of incubation center in silicon valley
The reseach of incubation center in silicon valley
 
Mapa 23082016
Mapa 23082016Mapa 23082016
Mapa 23082016
 
Evalluacion proyecto
Evalluacion proyectoEvalluacion proyecto
Evalluacion proyecto
 
Perifericos brian powerpoint
Perifericos brian powerpointPerifericos brian powerpoint
Perifericos brian powerpoint
 
Analisis de los precios de los productos de la canasta basica familiar de tul...
Analisis de los precios de los productos de la canasta basica familiar de tul...Analisis de los precios de los productos de la canasta basica familiar de tul...
Analisis de los precios de los productos de la canasta basica familiar de tul...
 
Industrial Power Control Pvt.Ltd
Industrial Power Control Pvt.LtdIndustrial Power Control Pvt.Ltd
Industrial Power Control Pvt.Ltd
 
온라인카지노…DDA21"COM…인터넷경마
온라인카지노…DDA21"COM…인터넷경마온라인카지노…DDA21"COM…인터넷경마
온라인카지노…DDA21"COM…인터넷경마
 
Rapport au Sénat : comprendre le chômag en France
Rapport au Sénat : comprendre le chômag en FranceRapport au Sénat : comprendre le chômag en France
Rapport au Sénat : comprendre le chômag en France
 
2015年《原住民族傳統智慧創作保護條例》暨子法及未來說明會手冊(保全授權版)
2015年《原住民族傳統智慧創作保護條例》暨子法及未來說明會手冊(保全授權版)2015年《原住民族傳統智慧創作保護條例》暨子法及未來說明會手冊(保全授權版)
2015年《原住民族傳統智慧創作保護條例》暨子法及未來說明會手冊(保全授權版)
 
Kiourtsis -The Importance of seedlings quality in timber and bioenergy produ...
Kiourtsis -The Importance of  seedlings quality in timber and bioenergy produ...Kiourtsis -The Importance of  seedlings quality in timber and bioenergy produ...
Kiourtsis -The Importance of seedlings quality in timber and bioenergy produ...
 
Specticle G Presentation
Specticle G PresentationSpecticle G Presentation
Specticle G Presentation
 
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
 
Visual studio 사용 설명서(고급)
Visual studio 사용 설명서(고급)Visual studio 사용 설명서(고급)
Visual studio 사용 설명서(고급)
 
Ensayo de geometria
Ensayo de geometriaEnsayo de geometria
Ensayo de geometria
 

Similar to Quadrant MSSP Doc

NetWatcher Customer Overview
NetWatcher Customer OverviewNetWatcher Customer Overview
NetWatcher Customer OverviewScott Suhy
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Laura Arrigo
 
Events Classification in Log Audit
Events Classification in Log Audit Events Classification in Log Audit
Events Classification in Log Audit IJNSA Journal
 
The Security and Compliance Plan for Maxistar Medical Supplies Company
The Security and Compliance Plan for Maxistar Medical Supplies Company The Security and Compliance Plan for Maxistar Medical Supplies Company
The Security and Compliance Plan for Maxistar Medical Supplies Company Abdulrahman Alamri
 
SCADA forensic tools open source. What are they What they doSo.pdf
SCADA forensic tools open source. What are they What they doSo.pdfSCADA forensic tools open source. What are they What they doSo.pdf
SCADA forensic tools open source. What are they What they doSo.pdfebrahimbadushata00
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET Journal
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit frameworkPawanKesharwani
 
2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vmazfayel
 
Decrypting the security mystery with SIEM (Part 1) ​
Decrypting the security mystery with SIEM (Part 1)  ​Decrypting the security mystery with SIEM (Part 1)  ​
Decrypting the security mystery with SIEM (Part 1) ​Zoho Corporation
 
Monitoring your organization against threats - Critical System Control
Monitoring your organization against threats - Critical System ControlMonitoring your organization against threats - Critical System Control
Monitoring your organization against threats - Critical System ControlMarc-Andre Heroux
 
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptxCompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptxInfosectrain3
 
ArcSight Basics.ppt
ArcSight Basics.pptArcSight Basics.ppt
ArcSight Basics.pptneoalt
 
Advantages And Disadvantages Of Nc
Advantages And Disadvantages Of NcAdvantages And Disadvantages Of Nc
Advantages And Disadvantages Of NcKristen Wilson
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Tiffany Sandoval
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentationAlan Holyoke
 
Cyber Investigation Portal
Cyber Investigation PortalCyber Investigation Portal
Cyber Investigation PortalIRJET Journal
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inmaribethy2y
 
Use Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiencyUse Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiencyJonathanPritchard12
 

Similar to Quadrant MSSP Doc (20)

NetWatcher Customer Overview
NetWatcher Customer OverviewNetWatcher Customer Overview
NetWatcher Customer Overview
 
Globally.docx
Globally.docxGlobally.docx
Globally.docx
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12
 
Events Classification in Log Audit
Events Classification in Log Audit Events Classification in Log Audit
Events Classification in Log Audit
 
The Security and Compliance Plan for Maxistar Medical Supplies Company
The Security and Compliance Plan for Maxistar Medical Supplies Company The Security and Compliance Plan for Maxistar Medical Supplies Company
The Security and Compliance Plan for Maxistar Medical Supplies Company
 
SCADA forensic tools open source. What are they What they doSo.pdf
SCADA forensic tools open source. What are they What they doSo.pdfSCADA forensic tools open source. What are they What they doSo.pdf
SCADA forensic tools open source. What are they What they doSo.pdf
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit Framework
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit framework
 
2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm
 
Decrypting the security mystery with SIEM (Part 1) ​
Decrypting the security mystery with SIEM (Part 1)  ​Decrypting the security mystery with SIEM (Part 1)  ​
Decrypting the security mystery with SIEM (Part 1) ​
 
Monitoring your organization against threats - Critical System Control
Monitoring your organization against threats - Critical System ControlMonitoring your organization against threats - Critical System Control
Monitoring your organization against threats - Critical System Control
 
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptxCompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
 
ArcSight Basics.ppt
ArcSight Basics.pptArcSight Basics.ppt
ArcSight Basics.ppt
 
Advantages And Disadvantages Of Nc
Advantages And Disadvantages Of NcAdvantages And Disadvantages Of Nc
Advantages And Disadvantages Of Nc
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA Environments
 
Cyber Investigation Portal
Cyber Investigation PortalCyber Investigation Portal
Cyber Investigation Portal
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words in
 
Use Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiencyUse Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiency
 

Quadrant MSSP Doc

  • 1. 1© 2016 Quadrant Information Systems Quadrant Managed Security Services Quadrant Information Security provides Managed Security Services and Enterprise Security. With around-the-clock monitoring and professional analysis, Quadrant delivers highly-effective threat detection. In addition, Quadrant provides its customers with system log management through 53 week storage and log search capabilities. Quadrant Threat Detection and Customer Remediation The Process: Monitoring, Investigation, Escalation and Remediation Through a four stage process, security threats are identified, investigated and escalated to the customer by Quadrant (stages 1-3) and subsequently neutralized via remediation steps performed by the customer (stage 4). The methodology is comprised of the following: Stage 1: Monitoring Quadrant Sensors monitor both network traffic at the packet level and system logs via thousands of rules which trigger alerts when suspicious activity is detected. The total transactions screened for a regional bank or similarly sized organization will typically be in the range of tens of billions per quarter. Stage 2: Investigation and Analysis Upon the advent of suspicious activity, the Sagan System Information Event Management (SIEM) system forwards an alert to the Quadrant Security Operations Center (SOC). Each alert is immediately triaged and potentially critical items are investigated by SOC analysts. Figure 1 Quadrant Threat Detection and Customer Remediation Process
  • 2.

Stage 2: Investigation and Analysis (cont'd)

Quadrant Security Analysts categorize events using a group of prioritized classifications, as seen in Table 1 below. Priority 1 events are critical events. Priorities 2 and 3 are not considered critical on their own, but may be flagged for monitoring of related suspicious activities in the customer network.

Stage 3: Escalation

When a threat is deemed authentic and of significance, the client's InfoSec leadership is notified of the threat and provided all relevant information available so that appropriate remediation steps can be taken.

Stage 4: Customer Threat Remediation

Once notified by Quadrant of a security threat, the customer's security team performs the necessary steps to eliminate the identified threat. In most cases, the initial escalation is added to the customer's internal service ticketing system for subsequent reporting and auditing of threats and of the steps taken for resolution.

Specific Case: Network User Activity Monitoring

Among many other types of network activities monitored by Quadrant systems, user account activities are monitored for indications of nefarious activity. Though the core or 'standard' user ruleset has been tuned to maximize security while minimizing unnecessary alert 'noise', Quadrant can enable additional, pre-written rules as well as work with the customer to create rules specific to their unique needs. The standard user activity ruleset performs the following types of monitoring:

  • Monitoring for users being added to administrator groups. For example, on Windows systems, users being added to "Domain Administrators", "Enterprise Administrators", etc.; on Linux systems, users being added to the "sudoers" group for super-user access.
  • Monitoring for "brute force" attacks (repeated password failures) against administrator accounts. This includes Windows, Linux and network equipment (Cisco, Fortinet, etc.).

Table 1: Quadrant Analyst Event Classifications

  Analyst Classification        Priority
  Active Attack                 1
  Botnet Traffic                1
  DoS Attempt                   1
  Exploit Kit                   1
  Phishing Attempt              1
  Rogue AP                      1
  Security Audit                1
  SQL Injection Attempt         1
  Trojan Horse/Malware          1
  Virus/Worm                    1
  Account Lockout               2
  Brute Force Attack            2
  NMap/Portscan/Probes          2
  P2P Traffic                   2
  Remote File Inclusion         2
  Spam                          2
  Spyware/Adware                2
  Suspicious Traffic            2
  Attempted Recon               3
  Authentication Failure        3
  False Positive                3
  Firewalled/Dropped/Denied     3
  Invalid Login                 3
  Maintenance                   3
  Normal Traffic                3
  Not Applicable                3
  Policy Violation              3
  System Error                  3
  System Event                  3

  • 3.

Specific Case: Network User Activity Monitoring (cont'd)

  • Monitoring for "account lockouts" of administrators.
  • Monitoring of administrator account usage via "remote access" protocols (RDP, SSH, etc.).
  • Monitoring for administrator account usage from suspicious or non-standard geographic locations.

When custom monitoring and/or reporting is required for activity such as user activity, Quadrant customers simply work with Quadrant to define the criteria. In the case of administrator login activity monitoring, for example, customers generally provide Quadrant with a list of administrator groups for which custom rules can be written.

Continuous Tuning – Maximizing Security, Removing Noise

The Quadrant process includes continuous tuning of the detection systems in order to ensure the highest level of threat detection while keeping to a minimum the number of false positives, or 'noise', forwarded back to the customer's network security team. As Figure 2 below shows, the ratio of total transactions screened to escalated events can often be as great as, or greater than, 1 billion to 1.

Figure 2 - Billion to One, an Overview of the Quadrant Model

System Log Management

As previously stated, the second service that Quadrant provides for its customers is system log management. This allows both the customer and, upon request, Quadrant to analyze and report on activity reflected in the system logs for the prior fifty-three weeks. By simply contacting the Quadrant team, reports can be generated for any type of logged activity.
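The five monitored conditions of the standard user activity ruleset, as an added example that is not Quadrant's or Sagan's code and does not use Sagan's rule syntax. It runs a small detector over constructed log lines. The simplified "timestamp host message" line shape, the Windows event IDs used (4728/4732/4756 for a member added to a global/local/universal security group, 4625 for a failed logon, 4740 for a lockout), the usermod and sshd message forms, the group and account names, and the IP allowlist standing in for the geographic check are all assumptions of the example; a real geographic check needs a GeoIP lookup. Priority assignment (Table 1) is left to the analyst in stage 2 and is not automated here.

```python
"""Added example, not Quadrant's or Sagan's code: a small detector for the
standard user-activity ruleset, run over constructed log lines. Event IDs,
message formats, group/account names and the IP allowlist are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample input: one admin-group change, five failed admin logons in
# a few seconds, a lockout, a Linux sudo addition, a remote root login, and one
# unrelated failed logon that should produce nothing.
SAMPLE_LOGS = """\
2016-05-02T08:00:01 dc01 EventID=4728 Subject=svc_deploy Member=jdoe Group="Domain Admins"
2016-05-02T08:00:05 dc01 EventID=4625 Account=administrator Source=10.5.43.13 Status=0xC000006D
2016-05-02T08:00:07 dc01 EventID=4625 Account=administrator Source=10.5.43.13 Status=0xC000006D
2016-05-02T08:00:09 dc01 EventID=4625 Account=administrator Source=10.5.43.13 Status=0xC000006D
2016-05-02T08:00:11 dc01 EventID=4625 Account=administrator Source=10.5.43.13 Status=0xC000006D
2016-05-02T08:00:13 dc01 EventID=4625 Account=administrator Source=10.5.43.13 Status=0xC000006D
2016-05-02T08:00:20 dc01 EventID=4740 Account=administrator Caller=ac123
2016-05-02T08:01:00 web01 usermod[4121]: add 'bob' to group 'sudo'
2016-05-02T08:02:30 web01 sshd[5150]: Accepted password for root from 203.0.113.7 port 50122 ssh2
2016-05-02T08:03:00 dc01 EventID=4625 Account=jsmith Source=10.5.5.13 Status=0xC000006D
"""

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "sudo", "wheel"}
ADMIN_ACCOUNTS = {"administrator", "root"}
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}
BRUTE_FORCE_THRESHOLD = 5                  # failed logons ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)  # ... inside this window
# "Standard" locations approximated as internal ranges (assumed; a deployment
# would use the customer's office/VPN ranges or a GeoIP database instead).
ALLOWED_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
USERMOD_RE = re.compile(r"usermod\[\d+\]: add '([^']+)' to group '([^']+)'")
SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")


def parse_line(line):
    """Split a line into timestamp, host, raw message and any key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, msg = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(msg)}
    return {"ts": datetime.fromisoformat(ts), "host": host, "msg": msg, **fields}


def detect(log_text):
    """Return (rule, account, detail) tuples for the five monitored conditions."""
    alerts = []
    failures = defaultdict(list)  # admin account -> recent failed-logon times
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        eid = ev.get("EventID")
        # 1. User added to an administrator group (Windows group events or usermod).
        if eid in GROUP_ADD_EVENTS and ev.get("Group") in ADMIN_GROUPS:
            alerts.append(("admin-group-add", ev["Member"],
                           f"{ev['Group']} by {ev['Subject']} on {ev['host']}"))
        m = USERMOD_RE.search(ev["msg"])
        if m and m.group(2) in ADMIN_GROUPS:
            alerts.append(("admin-group-add", m.group(1), f"{m.group(2)} on {ev['host']}"))
        # 2. Brute force: repeated failures for an admin account inside the window.
        if eid == "4625" and ev.get("Account", "").lower() in ADMIN_ACCOUNTS:
            acct = ev["Account"].lower()
            failures[acct] = [t for t in failures[acct] if ev["ts"] - t <= BRUTE_FORCE_WINDOW]
            failures[acct].append(ev["ts"])
            if len(failures[acct]) == BRUTE_FORCE_THRESHOLD:  # fire once, at the threshold
                alerts.append(("admin-brute-force", acct,
                               f"{BRUTE_FORCE_THRESHOLD} failures within "
                               f"{BRUTE_FORCE_WINDOW.seconds}s from {ev.get('Source')}"))
        # 3. Lockout of an administrator account.
        if eid == "4740" and ev.get("Account", "").lower() in ADMIN_ACCOUNTS:
            alerts.append(("admin-lockout", ev["Account"].lower(),
                           f"caller {ev.get('Caller')} on {ev['host']}"))
        # 4./5. Admin over a remote-access protocol, and from a non-standard source.
        m = SSHD_RE.search(ev["msg"])
        if m and m.group(1).lower() in ADMIN_ACCOUNTS:
            src = ip_address(m.group(2))
            alerts.append(("admin-remote-access", m.group(1), f"ssh from {src} to {ev['host']}"))
            if not any(src in net for net in ALLOWED_NETS):
                alerts.append(("admin-unexpected-source", m.group(1),
                               f"{src} is outside the expected ranges"))
    return alerts


if __name__ == "__main__":
    for rule, account, detail in detect(SAMPLE_LOGS):
        print(f"{rule:24} {account:14} {detail}")
```

The brute-force rule fires exactly once, on the failure that reaches the threshold, which is what keeps an analyst from receiving one alert per failed logon; the single failure for a non-administrator account at the end of the sample produces nothing, matching the ruleset's focus on administrators.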
  • 4.

Visualizing the Threat-scape in Your Environment

Quadrant Information Security provides its customers with a full complement of methods to better understand their network's security challenges. In addition to the individual security alert notifications from Quadrant Security analysts for critical events, Quadrant also provides a proprietary customer-facing console (called the Sagan Console) for real-time analysis, as well as standard, periodic reports and on-demand custom reporting.

Sagan Console

The Sagan Console is Quadrant's world-class security dashboard and event analysis portal. Each client has access to their own portal via the web, making it available from anywhere. The Console serves a number of important functions. There is the dashboard for a quick overview of system operational status and security threat activity. Events, network packets and logs can be searched through the Console, and security event origins are displayed on an 'Attack Map', giving clients a glimpse of the type of threat actors that may be targeting their networks. Finally, the Sagan Console provides custom, executive-level reporting capabilities through aggregated event data.
  • 5.

Reports

Striving to provide its customers with as much understanding of their network security environment as possible, Quadrant has developed a number of reports, each providing a targeted level of detail to point to a pathway to action. There are both executive-level and technical-level reports.

Executive-Level Reports

Figure 3 - Sample Quarterly Executive Report

  • 6.

Technical Reports

From: soc@quadrantsec.com
To: quadrantsec-acme@quadrantsec.com
Sent: Monday, May 2, 2016 8:01:50 AM
Subject: Acme Sagan Syslog Report 2016-05-02

Sagan syslog report 2016-05-02

Reporting = Devices sending log messages to Sagan in the last 7 days:
Not Reporting = Devices that the Sagan appliance previously received log messages from but that have not reported in the last 7 days:

Network - Reporting
  10.5.43.13
  10.5.5.13 - ac123.acme.net
  . . .
  10.25.1.5

Network - Not Reporting
  10.5.3.69 - ac121.acme.net
  10.5.3.78 - ac127.acme.net
  . . .
  10.25.1.24

Windows - Reporting
  10.100.145.137 - ac142net5.acme.net
  10.100.145.138
  . . .
  172.19.10.44 - ac50tel.acme.net

Windows - Not Reporting
  10.100.139.127
  10.100.139.141
  . . .
  10.251.17.60

Figure 2 - Sample Sagan Syslog Report, a weekly report to assist network security administrators in ensuring traffic visibility.
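How the Reporting / Not Reporting split in the weekly syslog report can be produced from a last-seen table, as an added example that is not Quadrant's or Sagan's code. The addresses and hostnames are taken from the sample report above; the last-seen timestamps, the device classes and the 7-day cut-off applied at the report's "Sent" time are constructed assumptions of the example. It also goes one step beyond the report and lists devices that were reporting a week earlier but have gone silent since, which is the set a log-management team would chase first.

```python
"""Added example, not Quadrant's or Sagan's code: builds the "Reporting" /
"Not Reporting" sections of a weekly syslog report from a table of when each
device last sent a log line. Addresses and hostnames come from the sample
report; timestamps and device classes are constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address

REPORT_TIME = datetime(2016, 5, 2, 8, 1, 50)  # the "Sent" time of the sample report
SILENCE_WINDOW = timedelta(days=7)           # the report's 7-day criterion

# Constructed last-seen table: (ip, hostname or None, device class, last log line seen).
LAST_SEEN = [
    ("10.5.43.13", None, "Network", datetime(2016, 5, 1, 23, 10)),
    ("10.5.5.13", "ac123.acme.net", "Network", datetime(2016, 4, 30, 6, 0)),
    ("10.5.3.69", "ac121.acme.net", "Network", datetime(2016, 4, 20, 12, 0)),
    ("10.100.145.137", "ac142net5.acme.net", "Windows", datetime(2016, 5, 2, 7, 55)),
    ("10.100.139.127", None, "Windows", datetime(2016, 4, 24, 8, 0)),
    ("172.19.10.44", "ac50tel.acme.net", "Windows", datetime(2016, 5, 2, 3, 0)),
]


def classify(last_seen, now=REPORT_TIME, window=SILENCE_WINDOW):
    """Group devices by class into Reporting / Not Reporting, sorted by address.

    A device is Reporting if its last log line is no older than `window`
    relative to `now`; otherwise it is Not Reporting."""
    report = {}
    for ip, host, cls, seen in last_seen:
        bucket = "Reporting" if now - seen <= window else "Not Reporting"
        report.setdefault(cls, {"Reporting": [], "Not Reporting": []})[bucket].append((ip, host))
    for buckets in report.values():
        for entries in buckets.values():
            entries.sort(key=lambda e: ip_address(e[0]))  # numeric, not lexical, order
    return report


def newly_silent(previous, current):
    """Addresses that were Reporting in `previous` but are Not Reporting in
    `current`: a loss of visibility that is new this week."""
    was_reporting = {ip for cls in previous for ip, _ in previous[cls]["Reporting"]}
    now_silent = {ip for cls in current for ip, _ in current[cls]["Not Reporting"]}
    return sorted(was_reporting & now_silent, key=ip_address)


def render(report):
    """Lay the report out in the same shape as the sample e-mail."""
    lines = []
    for cls in sorted(report):
        for bucket in ("Reporting", "Not Reporting"):
            lines.append(f"{cls} - {bucket}")
            lines.extend(f"  {ip}" + (f" - {host}" if host else "")
                         for ip, host in report[cls][bucket])
            lines.append("")
    return "\n".join(lines).rstrip()


if __name__ == "__main__":
    current = classify(LAST_SEEN)
    print(render(current))
    previous = classify(LAST_SEEN, now=REPORT_TIME - SILENCE_WINDOW)
    print("\nNewly silent since last report:", newly_silent(previous, current))
```

Sorting by `ip_address` rather than by string keeps 10.5.5.13 ahead of 10.5.43.13, which is the order a reader expects and the order the sample report shows.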