Detecting Cyber Security Threats

How would you know if you have been breached? Many attackers, having breached a network, will go to great lengths to secure a foothold and maintain an undetected presence within it; some have successfully done so for many years. Configuring your systems to generate security logs is fairly easy, but the real value lies in actually monitoring those logs to detect nefarious activity. At CND we can help you configure your systems to generate alerts and then monitor them, either alongside your staff or as a managed service.

The services outlined below are some of the services we offer which enable us either to detect an attack as it happens or to identify indicators that an attack has already taken place:

Security Information Event Management (SIEM)

CND have been working with SIEMs since they were first invented almost 20 years ago. A SIEM takes events and logs from multiple sources and correlates these events to create security context around what is happening within a network.

Service Overview

We are experienced at working with almost every SIEM, such as ArcSight, McAfee (Nitro), LogRhythm, NetWitness, AlienVault, QRadar and many more. SIEMs are one of our core functions. We also provide managed services around SIEMs, whether they are on your premises or managed and monitored by us in the Cloud.

Our own SIEM Managed Service is much more than a SIEM, as we incorporate a number of other security features.

Security Operation Centres

This is our core offering. CND staff have been instrumental in building SOCs since the turn of the century, initially for Defence and Government and more recently for all sectors.

Service Overview

We are extremely flexible in how we deliver SOCs, as there is no one size that fits all. At CND we offer a "pick 'n' mix" approach, where clients can choose what they would like from a range of dozens of SOC modules. Some examples are as follows:

  • A client might require us to build an on-premises SOC and staff it ourselves, letting the client know when a cyber issue arises.
  • A client might want us to build the SOC and run it with our staff whilst we recruit staff for the client, who will then take over the SOC when they are ready.
  • A client may only require our subject matter expertise to develop a particular area within the SOC.
  • A client may want us to monitor their security events remotely from our own SOC.

The list is endless; if you are interested in hearing more, please click on the button.

Cyber Security Monitoring and Analysis

Whilst we perform our own monitoring with our SOC Analysts, we are often called upon to share our expertise with our clients.

Service Overview

The engagements vary greatly, from embedding our analysts within the client's SOC as long-term augmentees to short-term professional services engagements. We are able to supply staff from junior analysts through to tier 3 incident responders and beyond.

Under the professional services umbrella we are often asked to tune systems to remove false positives, train other analysts and produce work instructions. Please see our SME Pool page for more information.

Cloud Security Monitoring

When we started monitoring cloud services we were astounded by how heavily they were being targeted by attackers. Our managed service deploys a sensor into the cloud service and passes its events to our SIEM.

Some of the cloud services we monitor include AWS and Azure, along with cloud applications such as Office 365 and G Suite.

Insider Threat Detection and Hunting

The insider threat arises when legitimate users of a system turn bad and do harm. Whether they are exfiltrating data or causing malfunction, the fact that they are legitimate users of the system makes them very difficult to catch.

Service Overview

Detecting. Your typical SIEM and monitoring solutions aren't always best placed to detect the insider, as insiders are most often doing what they are legitimately permitted to do. However, as part of our Insider Threat Prevention service we fine-tune what is permitted, making detection more sensitive in key areas. Our experience over the years has produced many insider threat use cases, which form the basis of our detection regime.

Hunting. Once we suspect insider activity, we start to chase it down, looking for evidence of nefarious activity. Insider threat hunting is far more difficult than normal threat hunting, as the majority of the insider's activity is legitimate. This ties in with our Forensics Readiness service.

GPG13 Protective Monitoring

UK Government Good Practice Guide No. 13

GPG13 Protective Monitoring consists of 12 Protective Monitoring Controls (PMCs), which mandate how logs on UK Government systems are collected, stored and analysed.

Service Overview

We have a great deal of experience in deploying Protective Monitoring solutions which meet the controls defined within GPG13.

CND also provide a number of security monitoring services which comply with GPG13, and have members of staff with the highest levels of security clearance.

As the majority of our work around GPG13 is extremely sensitive, we are limited in what we can share. Please get in touch and, if it is appropriate, we will share with you what we can.

We have also been engaged by a number of SIEM vendors to assist with making their products GPG13 compliant.

Open Source Intelligence

Closely related to, but not to be confused with, Cyber Threat Intelligence, Open Source Intelligence collects and analyses information from publicly available sources such as the surface, deep and dark web, and correlates it to form associations which might otherwise not have been seen.

Our GCHQ-trained analysts use this information to the benefit of our clients, with outputs such as Strategic Adverse Media reports, and to feed relevant information into our Cyber Threat Intelligence cell.

Cyber Threat Intelligence

Cyber Threat Intelligence is based upon the correlation of technical intelligence with open source intelligence to build a cyber security context around existing or potential threats.

Our researchers constantly trawl open source intelligence for emerging threats, and we also subscribe to a number of commercial Cyber Threat Intelligence feeds.

Continuous Vulnerability Assessments

A vulnerability assessment or penetration test provides a snapshot of the vulnerabilities you are exposed to at the time the test was undertaken. If a new vulnerability is released, or your equipment is misconfigured after the test, you will be exposed until your next test is performed; if tests are scheduled annually, this window of exposure could be extensive. Continuous vulnerability assessments are performed weekly or monthly and greatly reduce this exposure.

The scans are mostly external, though internal scans can also be provided in the same way.

Constant Vulnerability Assessments

This takes the scheduled or continuous vulnerability assessment to the next level. The service is aimed at internal hosts and provides a constant vulnerability assessment by installing an agent on every host, including hosts in the cloud.

© Computer Network Defence Limited 2019