
Sedara's Cybersecurity Podcast
Tiered Approach to Security Maturity: A Crawl Walk Run Approach - Sedara Whiteboard Series
Welcome to the first video of Sedara's Whiteboard Series. Our goal for these videos is to educate you about cybersecurity.
In this podcast, Darrick will go over the Tiered Approach to Security Maturity. Darrick Kristich is the Founder and CEO of Sedara.
The SIEM and MDR (managed detection and response) deployment process can seem overwhelming, especially if your organization has not been through it before. There is a lot to consider, starting with exactly what you can expect from the process and what value you will get out of it.
In this first podcast of the Sedara Whiteboard Series, we go over a crawl-walk-run methodology to ease into a mature cybersecurity posture.
If you’re looking to get some tangible value out of a system or service, watch this video or read below for some key takeaways.
What is SIEM Technology?
SIEM (security information and event management) technology revolves around data collection. It is about collecting logs from your network, identity, and endpoint systems, pulling additional data through API integrations, and then normalizing, correlating, and analyzing that data to understand what is happening in your environment.
The crawl-walk-run approach:
Crawl
The crawl phase starts with your SIEM ingesting logs from your most critical assets, which are usually high-value, low-volume sources. What do we mean by high-value? We are referring to the security relevance of the data they provide, not the number of events.
The primary focus during this stage is getting visibility into network traffic, through firewall logs, and into identity, through directory services such as Active Directory. Firewalls and directory services are considered extremely high-value data sources.
In a firewall log, you can expect to get the source and destination addresses, the destination port, the protocol, and whether the connection was allowed or denied. Plain firewall logs do not share much more than that unless the firewall is a unified threat management (UTM) device. A UTM device inspects traffic at the application layer, so it can also log the actual URL destinations and the results of spam and content filtering.
When examining log sources, it’s crucial to consider:
What data you’re collecting
What intelligence is going to be applied
What you are getting out of it
One example of a security risk would be an account being added to the Domain Admins group at a time when your employees are not usually working. Because the group membership change is recorded in the security log of the domain controller that processed it, Sedara can detect and respond to this using the SIEM that has collected your domain controller logs.
Without applying some intelligence to those logs, such as a rule that combines which group was changed with when the change happened, that single event would be lost in the noise and you would not find this significant compromise.
Walk:
The walk phase brings in sources that are more complex to configure and that generate much higher volumes of data.
In this phase, workstations are your highest-volume assets. The logs from a single workstation may not be as important as the logs from your directory services. However, you can build a significant number of use cases and alarms from that data.
Collecting workstation logs can be challenging. Sedara has built processes around Windows Event Forwarding (WEF) that can be deployed in a couple of hours. Keep in mind that the added volume directly affects the SIEM capacity you need.
One reason workstation logs matter is that an attacker who knows you run a SIEM fed by domain controller logs may use local accounts rather than domain accounts. A local account is authenticated by the workstation itself, so the logon never touches a domain controller and stays under the radar; only the workstation's own security log records it.
Isolating devices from the network or killing malicious processes are good first response actions to introduce during the walk phase.
As an MDR provider, Sedara can detect and respond to threats on your behalf.
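As an added example (this is not Sedara's code and is not tied to any particular SIEM product), the following Python script runs the two use cases described above over a handful of constructed Windows security events: the after-hours addition to the Domain Admins group seen in domain controller logs from the crawl phase, and the local-account logons on a workstation that only the workstation logs from the walk phase can reveal. The business hours, the AD domain name CORP, the hostnames, user names and the event records themselves are assumptions for illustration; the event IDs (4728 for a member added to a security-enabled global group, 4624 for a successful logon) and the field names follow the Windows security log.

```python
import json
from datetime import datetime, time

# Assumptions for illustration (not from the page): business hours, AD domain.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
AD_DOMAIN = "CORP"
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
EVENT_ID_GROUP_ADD = 4728      # member added to a security-enabled global group
EVENT_ID_LOGON = 4624          # successful logon
INTERESTING_LOGON_TYPES = {2, 3, 10}  # interactive, network, RemoteInteractive (RDP)

# Constructed sample events in JSON-lines form, as a WEF/SIEM pipeline might
# forward them. Timestamps are assumed to be in the organization's local time.
SAMPLE_LOG = """
{"TimeCreated": "2024-03-12T10:15:00", "EventID": 4728, "Computer": "DC01.corp.example.com", "SubjectUserName": "admin.jane", "SubjectDomainName": "CORP", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example,DC=com", "TargetUserName": "Domain Admins", "TargetDomainName": "CORP"}
{"TimeCreated": "2024-03-13T02:40:00", "EventID": 4728, "Computer": "DC01.corp.example.com", "SubjectUserName": "helpdesk.bob", "SubjectDomainName": "CORP", "MemberName": "CN=tmp.user,OU=Users,DC=corp,DC=example,DC=com", "TargetUserName": "Domain Admins", "TargetDomainName": "CORP"}
{"TimeCreated": "2024-03-12T11:00:00", "EventID": 4728, "Computer": "DC01.corp.example.com", "SubjectUserName": "admin.jane", "SubjectDomainName": "CORP", "MemberName": "CN=newhire,OU=Users,DC=corp,DC=example,DC=com", "TargetUserName": "Marketing", "TargetDomainName": "CORP"}
{"TimeCreated": "2024-03-12T09:02:00", "EventID": 4624, "Computer": "WS-042.corp.example.com", "TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": 2, "IpAddress": "-"}
{"TimeCreated": "2024-03-12T09:00:00", "EventID": 4624, "Computer": "WS-042.corp.example.com", "TargetUserName": "SYSTEM", "TargetDomainName": "NT AUTHORITY", "LogonType": 5, "IpAddress": "-"}
{"TimeCreated": "2024-03-16T23:17:00", "EventID": 4624, "Computer": "WS-042.corp.example.com", "TargetUserName": "backupadmin", "TargetDomainName": "WS-042", "LogonType": 10, "IpAddress": "10.20.30.77"}
{"TimeCreated": "2024-03-16T23:25:00", "EventID": 4624, "Computer": "WS-042.corp.example.com", "TargetUserName": "WS-042$", "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "-"}
"""


def parse_events(log_text):
    """Parse JSON-lines into event dicts, converting TimeCreated to a datetime."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return events


def outside_business_hours(ts):
    """True on weekends or outside BUSINESS_START..BUSINESS_END."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def account(domain, user):
    return domain + "\\" + user


def detect_privileged_group_adds(events):
    """Crawl-phase use case: a member added to a privileged AD group (4728 on a
    domain controller). Every add alerts; after-hours adds are escalated."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != EVENT_ID_GROUP_ADD:
            continue
        group = ev.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue
        after_hours = outside_business_hours(ev["TimeCreated"])
        alerts.append({
            "rule": "privileged_group_add",
            "severity": "high" if after_hours else "medium",
            "time": ev["TimeCreated"].isoformat(),
            "actor": account(ev.get("SubjectDomainName", ""), ev.get("SubjectUserName", "")),
            "member": ev.get("MemberName"),
            "group": group,
            "after_hours": after_hours,
        })
    return alerts


def is_local_account(ev):
    """A local (SAM) account's TargetDomainName is the workstation's own hostname,
    not the AD domain. Machine accounts (trailing $) and the well-known
    NT AUTHORITY principals are excluded as expected noise."""
    user = ev.get("TargetUserName", "")
    domain = ev.get("TargetDomainName", "")
    hostname = ev.get("Computer", "").split(".")[0]
    if user.endswith("$") or domain.upper() == "NT AUTHORITY":
        return False
    return domain.upper() == hostname.upper() and domain.upper() != AD_DOMAIN.upper()


def detect_local_account_logons(events):
    """Walk-phase use case: interactive, network or RDP logons with a local
    account on a domain-joined workstation (4624). These never reach a domain
    controller, so only the workstation's own log can surface them."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != EVENT_ID_LOGON:
            continue
        if ev.get("LogonType") not in INTERESTING_LOGON_TYPES:
            continue
        if not is_local_account(ev):
            continue
        alerts.append({
            "rule": "local_account_logon",
            "severity": "high" if outside_business_hours(ev["TimeCreated"]) else "medium",
            "time": ev["TimeCreated"].isoformat(),
            "host": ev.get("Computer"),
            "account": account(ev["TargetDomainName"], ev["TargetUserName"]),
            "logon_type": ev["LogonType"],
            "source_ip": ev.get("IpAddress"),
        })
    return alerts


def run_detections(log_text=SAMPLE_LOG):
    """Run both use cases over a log and return the combined alert list."""
    events = parse_events(log_text)
    return detect_privileged_group_adds(events) + detect_local_account_logons(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(json.dumps(alert))
```

Run as-is, the script raises three alerts from the seven sample events: a medium-severity Domain Admins addition during business hours, a high-severity one at 02:40, and a high-severity RDP logon with the local backupadmin account on a Saturday night. The Marketing group change, the domain user's logon, the SYSTEM service logon and the machine-account logon are all filtered out, which is the kind of tuning that keeps a high-volume workstation feed from drowning the analyst.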
Run:
The run phase takes longer to reach: it involves very high data volumes and is the most sophisticated stage to implement and manage. The complexity comes from onboarding core business applications such as ERP systems, EMR (electronic medical record) systems, finance systems, and more, whose logs are application-specific and need their own parsing and use cases.