INCIDENT DETECTION & RESPONSE
SIEM, SOAR & SOC
SIEM
CISO AG offers several options for utilizing a SIEM solution to collect, aggregate, and correlate security events (logs) and information. For providing the service, we can use a SIEM system already implemented within the organization, so the cost of licensing and implementation is saved. If the organization has not implemented a SIEM solution but wishes to do so, we can provide an end-to-end service from requirements definition through selection, technical implementation, and BAU operation, whether on-premise or cloud-based.
Our certified engineers have experience with more than a dozen different SIEM vendors. The third option is to utilize our managed SIEM platform and onboard the organization onto it. Our platform is a sophisticated solution in which each tenant's data is separated; it is highly scalable and capable of processing a large number of events and correlations. Hundreds of log collection sources are supported by default, and we can create custom parsers and aggregators.
All three options are workable and viable, and highly customizable to the organization's needs. One part remains unchanged: our consultants' expertise in utilizing the solution and getting the most out of it, by defining use cases, alerts, and playbooks for different incident detection scenarios.
SOAR
Security Orchestration and Automated Response solutions are among the latest tools in the cyber defense toolbox. The number of events flagged in SIEM systems keeps growing as more and more devices, solutions, and SaaS services are integrated into the SIEM system.
The SOAR tool is designed to provide AI- and behavior-based analytics and responses to events, enabling the security analyst to focus on detailed investigations. The primary purpose of the solution is to provide automated responses to low-level events.
A simple example of using the SOAR toolset: the edge firewall or IDPS registers a one-off port scan, which a security analyst usually considers background noise. However, if the IP address belongs to a known bad actor, this could be an early warning of a future attack. One of the best practices is to block this IP address range and any other known IP address range associated with the bad actor.
Usually, this process would require the security analyst to verify the bad actor, submit a change request to block the IP addresses on the firewall(s), and wait for confirmation from the network management team that the IP range is blocked. As we can see, this could be a lengthy process, especially in a larger organization with a strict change management policy. With a SOAR solution, it is all automated, and the security analyst's role is to monitor and verify the results.
It is possible to create (orchestrate) automated workflows with the tool stack, such as listing a host's known vulnerabilities, opening a ticket in the ticketing system, and enrolling the host into the next patching cycle. The goal of a SOAR solution is to integrate security events and responses with the broader internal and external IT tool set. SOAR is on Gartner's list of emerging technologies.
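The port-scan scenario above, written out as a small playbook. This is an added example, not CISO AG's code or any SOAR vendor's API: it assumes a line-oriented IDPS log format, a small in-memory threat-intel feed, and an Action record that stands in for the firewall and ticketing integrations a real SOAR platform would call. All addresses and the feed contents are constructed.

```python
"""Minimal SOAR-style playbook for the port-scan scenario (added example).

Assumptions (not from the page): a line-oriented IDPS log format, an in-memory
threat-intel feed, and an Action record standing in for the firewall and
ticketing integrations a real SOAR platform would call.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample IDPS log lines; the addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01Z idps portscan src=203.0.113.45 dst=198.51.100.10 ports=22,80,443,3389",
    "2024-01-01T10:00:07Z idps portscan src=192.0.2.17 dst=198.51.100.10 ports=21,22,23",
    "2024-01-01T10:00:09Z idps portscan src=198.51.100.77 dst=198.51.100.10 ports=80",
]

# Constructed threat-intel feed: actor label -> address ranges attributed to it.
# actor-B deliberately lists a range inside our own space, which feeds do contain
# from time to time; blocking it blindly would be a self-inflicted outage.
THREAT_INTEL = {
    "actor-A": ["203.0.113.0/24", "192.0.2.128/25"],
    "actor-B": ["198.51.100.64/26"],
}

# Our own address space (constructed): never block it automatically.
PROTECTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) idps portscan src=(?P<src>\S+) dst=(?P<dst>\S+) ports=(?P<ports>\S+)$"
)


@dataclass(frozen=True)
class Action:
    kind: str    # "block", "ticket", "review" or "suppress"
    detail: str


def parse_event(line):
    """Return the event fields as a dict, or None if the line is not a port-scan event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ports"] = [int(p) for p in fields["ports"].split(",")]
    return fields


def lookup_actor(ip):
    """Return (actor, matching network) if ip falls in an attributed range, else None."""
    addr = ipaddress.ip_address(ip)
    for actor, ranges in THREAT_INTEL.items():
        for cidr in ranges:
            net = ipaddress.ip_network(cidr)
            if addr in net:
                return actor, net
    return None


def run_playbook(line):
    """Decide what to do about one IDPS line; returns the ordered list of actions."""
    event = parse_event(line)
    if event is None:
        return [Action("suppress", "unparsed line")]
    hit = lookup_actor(event["src"])
    if hit is None:
        # A one-off scan from an unattributed address is background noise.
        return [Action("suppress", f"one-off scan from {event['src']}")]
    actor, matched = hit
    actions = []
    # Block every range attributed to the actor, not only the one that scanned us,
    # unless a range overlaps our own address space (that needs a human decision).
    for cidr in THREAT_INTEL[actor]:
        net = ipaddress.ip_network(cidr)
        if any(net.overlaps(p) for p in PROTECTED_NETWORKS):
            actions.append(Action("review", f"{cidr} overlaps protected space"))
        else:
            actions.append(Action("block", cidr))
    actions.append(
        Action("ticket", f"{actor} scanned {event['dst']} from {event['src']} ({matched})")
    )
    return actions


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        for action in run_playbook(line):
            print(f"{action.kind:8} {action.detail}")
```

The interesting part is not the lookup but the two guard rails: the block list expands to every range attributed to the actor (the page's "any known IP address range associated with the bad actor"), and a range that overlaps the organization's own space is routed to a human review action instead of being blocked, which is exactly the case where unattended automation does the most damage. The analyst's monitoring role from the text maps onto the ticket and review actions.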
SOC
In the last two decades, security operation centers have evolved from traditional network operation centers and become a critical part of the organization's security operation. Nowadays, it is impossible to imagine a company that cares about information security and privacy without a SOC or a managed SOC service.
CISO AG's third pillar of incident detection is a group of hand-picked security analysts, team leaders, and service managers who draw on decades of experience to provide excellent service. For the managed service, the SOC team onboards the organization by defining the list of event sources, baselining business-as-usual events and traffic flows, identifying events of interest, and creating SIEM use cases and SOAR playbooks as part of the incident response process. Defining Key Performance Indicators (KPIs), Operational-Level Agreements, and Service-Level Agreements is part of the process.
The SOC service can be provided on-premise, utilizing CISO AG's platform and solutions; off-premise, as a remotely executed service; or we can partially or fully run the internal SOC service by providing our expertise and human resources.