
Audit of outsourced SIEM service Provider

Just wondering if anyone has ever audited an outsourced SIEM service provider and is willing to share experience and an audit program. Will soon be auditing Dell's SecureWorks, which is the outsourced SIEM service provider. SecureWorks receives Events of Interest logs and alerts our security officer of potential incidents for follow up. Some questions I have are:

1. How do I see the set up of Events of Interest?
2. Dell has agents set up on servers. How can I verify they are safe?
3. How do I verify transmission of log data is via VPN, encrypted or otherwise secured to prevent viewing while in transmission?
4. Any best practices?

Of course I will be looking at the contract, SLAs, and incident handling

Comments

RE: Audit of outsourced SIEM service Provider

I haven't conducted an audit of our SIEM provider beyond the information necessary to realize Dell SW wasn't a good fit for us, but here's how I would attempt to tackle each of your problems:

1) This will require working with the SecureWorks team to better understand their normalization processes and their criteria for event classification, which was likely agreed upon when your contract was first signed with them.

2) Safe, as in 'no vulnerabilities'? Easiest method to do this would be to ensure that you have the most recent version of the agent installed on each of your systems, and that you maintain that patching level going forward. If you're worried beyond that, you could do some pentesting of the systems, but the risk mitigated here likely isn't worth the cost, though I'm unsure of your organization's risk appetite.

3) Your infrastructure/network team should be able to see traffic with a sniffer; work with them for this information.

4) The biggest part of this kind of audit is in the contracts you have with them. Review them carefully, preferably with your legal team, to make sure that your company isn't liable for any events stemming directly from the partnership with SecureWorks. Beyond that, SLAs should be your next concern to ensure that they are in fact doing everything that you expect (and pay) them to do.

Hope this helps.
Kyle430Social at 2/4/2016 9:18:08 AM Quote
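One way to turn the sniffer check in point 3 into audit evidence, as an added example that is not from this thread or from SecureWorks: classify each captured flow to the provider's collector by its first payload bytes (TLS handshake vs plaintext syslog) rather than trusting port numbers. The collector address and the flow records are constructed sample data; in practice the payloads would come from the capture the network team provides.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    payload: bytes   # first bytes of the first data segment seen

def classify_transport(flow):
    """Classify by payload header, not by port: a TLS record starts with
    content type 0x16 (handshake) and major version 0x03; a plaintext
    syslog message (RFC 3164/5424) starts with a "<PRI>" field."""
    p = flow.payload
    if flow.proto == "tcp" and len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:
        return "tls"
    end = p.find(b">", 1, 6)
    if p.startswith(b"<") and end > 1 and p[1:end].isdigit():
        return "plaintext-syslog"
    return "unknown"

def audit_flows(flows, collectors):
    """Return (src, dport, transport, status) for every flow to a collector."""
    findings = []
    for f in flows:
        if f.dst not in collectors:
            continue          # not SIEM traffic, out of scope for this check
        kind = classify_transport(f)
        if kind == "tls":
            status = "ok"
        elif kind == "plaintext-syslog":
            status = "FAIL: log data readable in transit"
        else:
            status = "REVIEW: encryption not confirmed"
        findings.append((f.src, f.dport, kind, status))
    return findings

# Constructed sample flows; 203.0.113.10 stands in for the provider's collector.
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "203.0.113.10", "tcp", 6514, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
    Flow("10.0.1.6", "203.0.113.10", "udp", 514, b"<134>Feb  4 09:18:08 app sshd[21]: Accepted"),
    Flow("10.0.1.7", "203.0.113.10", "tcp", 443, b"GET /collect HTTP/1.1\r\n"),  # port 443, no TLS
    Flow("10.0.1.8", "192.0.2.50", "tcp", 80, b"GET / HTTP/1.1\r\n"),            # not a collector
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS, {"203.0.113.10"}):
        print(finding)
```

A "REVIEW" result is the interesting one for the audit file: it means the flow reached the collector on a port that implies encryption but the capture could not confirm it.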

