Tag: SIEM
-
Detection-First SIEM: Rule Types, Dashboards, and Strategic Visibility
“You can collect all the logs in the world, but if you can’t detect, you’re just archiving risk.” Modern SIEMs aren’t just log aggregators—they are the analytical backbone of security operations. But to unlock their value, you need more than ingestion and alerts. You need detection-first thinking. This post outlines the real strategy behind detection-first…
-
How to use Sysmon to detect threats
Sysmon is a powerful Windows system monitoring tool developed by Microsoft, which is used to detect and log different types of system activity events that can be used to investigate threats and attacks on Windows endpoints. Sysmon can be used to provide detailed insights into the activities taking place on a Windows system that can…
-
Designing an Effective Security Operations Center Architecture: Incorporating NIST CSF 5 Main Functions
Introduction A Security Operations Center (SOC) is a centralized team responsible for monitoring and analyzing an organization’s security posture. SOC architecture refers to the framework and components that are required to establish a comprehensive security posture. SOC architecture is composed of several layers, each with its own set of tools and technologies, and it is…
-
A quick review of the Pyramid of Pain
Introduction: The Pyramid of Pain is a framework used in the field of cybersecurity to help organizations better understand the tactics, techniques, and procedures (TTPs) used by attackers, and how to defend against them. It is called the “Pyramid of Pain” because it reflects the increasing level of effort and resources required by attackers to…
-
Using the MITRE ATT&CK Matrix for Effective Threat Hunting
Introduction Effective threat hunting is a proactive approach to cybersecurity that involves identifying and mitigating potential threats before they can cause harm to an organization’s systems and data. One advanced method of threat hunting is the use of the MITRE ATT&CK Matrix. The MITRE ATT&CK Matrix is a knowledge base of known adversary tactics, techniques,…
-
A quick guide on how to estimate Log Retention and log rotation policies
Step 1: Define Retention and Rotation Policies Step 2: Determine Event Size Step 3: Determine EPS (Events Per Second) Step 4: Determine Daily Disk Space Requirements Step 5: Compress Logs Step 6: Determine Storage Requirement for the Estimated Total Average EPS Here’s an example calculation based on the above policies: Note: These calculations are just…
-
A quick guideline on how to estimate your EPS and required capacity
To estimate the capacity required for log management, you need to determine the EPS and then calculate the amount of disk space needed to store the logs generated at that rate. Here’s a step-by-step guide: Step 1: Determine the EPS To determine the EPS, you need to know the number of events generated per second.…
-
Using Threat-Informed Detection Approaches for Implementing Prevention and Detection Solutions in a SOC and Mapping to the NIST CSF
Introduction: In today’s complex threat landscape, organizations must take a proactive approach to cybersecurity. Threat-informed detection and prevention approaches involve using threat intelligence to identify and respond to potential cybersecurity threats. Within a Security Operations Center (SOC), threat-informed approaches can be integrated into the incident response process to more effectively detect, respond to, and recover…
-
Useful concepts for SIEM assessment, implementing a SIEM-CMM: SIEM Capability Maturity Model concepts
I. Introduction A. Purpose of the white paper The purpose of this white paper is to provide an overview of the Technical Capability and Maturity Model (CMM) for Security Information and Event Management (SIEM) implementation, and to highlight the importance of SIEM implementation capability and maturity for organizations. B. Definition of SIEM SIEM is a…
-
A quick review on SOAR platforms
Introduction: In recent years, security operations teams have been inundated with a deluge of security alerts and incidents that are difficult to manage and resolve efficiently. As a result, organizations are increasingly turning to Security Orchestration, Automation and Response (SOAR) platforms to help them streamline their security operations and improve their response times. In this…