How would you know if you have been breached? Many attackers upon breaching a network will go to great lengths to secure a foothold to maintain an undetected presence within that network, some hackers have successfully achieved this for many years. Configuring your systems to generate security logs is fairly easy, though the real value in doing so, is to actually monitor those logs to detect nefarious activity. At CND we can help you configure your systems to generate alerts and monitor them either alongside your staff or as a managed service.
The services outlined below are some of the services we offer which enable us to either detect an attack as it happens or to identify indicators which suggest an attack has already taken place:
This is our core offering. CND staff have been instrumental in the building SOCs since the turn of the century, initially for Defence and Government and more recently for all sectors.
We are extremely flexible in how we deliver SOCs, as there is no one size fits all. At CND we offer an extremely flexible "pick 'n' mix" approach, where clients can choose what they would like from a range of dozens of SOC modules. Some examples are as follows:
The list is endless, if you are interested in hearing more, please click on the button.
Whilst we perform our own monitoring with our SOC Analysts, we are often called upon to share our expertise with our clients.
The engagements vary greatly from embedding our analysts within the clients SOC, as long term augmentees or for short term professional services engagements. We are able to supply staff from junior analysts through to tier 3 incident responders and beyond.
Under the professional services umbrella we are often asked to tune systems to remove false positives, train other analysts and produce work instructions. Please see our SME Pool page for more information.
When we started monitoring cloud services we were astounded about how much they were being targeted by attackers, our managed service deploys a sensor in the cloud services and pass events to our SIEM.
Some of the cloud services we monitor include AWS & Azure along with Cloud Apps such as Office 365 and G-Suite
The insider threat is when legitimate users of a system turn bad and do harm. Whether they are exfiltrating data or causing malfunction, because they are legitimate users of a system it makes it very difficult to catch them.
Detecting. Your typical SIEM and monitoring solutions aren't always best placed to detect the Insider as they are most often doing what they are legitimately permitted to do. However, as part of our Insider Threat Prevention service we fine tune what is permitted to make the detection more sensitive in key areas. Our experience over the years has resulted in many use cases around Insider Threat to form the basis of our detection regime
Hunting. Once we suspect insider activity, we start to chase them down looking for evidence of nefarious activity. Insider Threat Hunting is far more difficult than normal threat hunting as the majority of the insiders activity is legitimate. This ties in with our Forensics Readiness service.
UK Government Good Practice Guide No. 13
GPG13 Protective consists of 12 Protective Monitoring Controls (PMC) which mandate how logs on UK Government systems are collected, stored and analysed.
We have a great deal of experience in deploying Protective Monitoring Solutions which meet the Controls defined within GPG 13.
CND also provide a number of security monitoring services which comply with GPG13 and have members of staff with the highest levels of security clearance
As the majority of our work around GPG13 is extremely sensitive, we are limited in what we can share, please get in touch and if it is appropriate we will share with you what we can.
We have also been engaged by a number of SIEM vendors to assist with making their products GPG-13 compliant
Closely related to but not to be confused with Cyber Threat Intelligence, Open Source Intelligence collects and analyses information from publicly available sources such as the surface, dark and deep web and correlates it to form associations which might have otherwise not have been seen.
Our GCHQ trained analysts use this information to the benefit of our clients with outputs such as Strategic Adverse Media reports and to feed relevant information into our Cyber Threat Intelligence cell.
Cyber Threat Intelligence is based upon the correlation of technical intelligence with open source intelligence to build a cyber security context around existing or potential threats.
Our researchers constantly trawl open source intelligence for arising threats, we also subscribe to a number of commercial Cyber Threat Intelligence feeds
A vulnerability assessment or penetration test will provide you with a snapshot of the vulnerabilities you are exposed to at the time the test was undertaken, if a new vulnerability is released, or your equipment is misconfigured after the test, you will be exposed until your next test is performed, if they are scheduled annually this window of exposure could be extensive. Continuous vulnerability assessments are performed weekly or monthly and will greatly reduce this exposure.
The scans are most external though internal scans can also be provided in the same way