Service Overview
DeepSeas Essential SIEM service delivers 24x7x365 event analysis and supervised response to validated threats for security information and event management (SIEM) technologies. Our Cyber Defense Team detects threats by reviewing alerts from one or more system event log aggregation servers installed on the Client’s (or the Client’s third party) network.
DeepSeas will deploy a core set of security information and event management (SIEM) alerting rules and analytics to enable increased contextualization of the Client’s machine data. DeepSeas will update and tune SIEM Rules as necessary to meet the service goals.
As determined necessary to meet the service goals, DeepSeas will deploy SIEM Rule correlation logic (“SIEM Use Cases”) which will be used by the DeepSeas Cyber Defense Team as a primary source of threat detection alerts.
DeepSeas offers three MDR for Logs service level options, which are summarized below:
Client is purchasing DeepSeas Essential SIEM service, which includes the following service elements:
- Cloud Hosted SIEM Platform – DeepSeas will provide a cloud hosted security information and event management platform for customers to store, analyze, and search logs with 400 days of hot storage access.
- SIEM Data Collection Onboarding and Platform Management - DeepSeas will provide service implementation, including collection architecture definition and ongoing management of the deployment architecture. In collaboration with the Client, DeepSeas will provide the data source collector software and configurations necessary for successful ingestion of log events.
- Threat Detection - DeepSeas threat detection provides review of alerts from, proactive enterprise search of, and targeted threat hunting using Client security monitoring tools to identify and prioritize cyber threats.
  - DeepSeas deploys a core set of detection use cases via the SIEM platform. These detection use cases provide added visibility/coverage over the Client's environment.
  - Alerts from other systems such as endpoints may be ingested for added visibility. Direct action on those specific alerts should continue to be handled via that system's management console. DeepSeas offers additional MDR services to respond specifically to alerts generated from:
    - Endpoint
    - XDR
    - Network
    - OT
- Threat Notification - Threat Notification reports are generated by DeepSeas cyber defense analysts to describe the nature, context, and severity of a validated threat along with remediation recommendations.
- Threat Response - DeepSeas cyber defense analysts provide the Client with response guidance and/or response actions for resolving threats. Response actions (highly dependent upon the vendor solution leveraged) are defined in a mutually approved Client MDR Runbook document. Should a threat be identified within the monitored Client environment, a Validated Threat Notification report will be sent to the Client that includes the severity level and vector information, and the response actions agreed to in the Client Runbook will be taken to mitigate the threat.
- DeepSeas XDR Cyber Defense Platform - DeepSeas XDR Cyber Defense Platform provides clients with a cloud-hosted technology architecture that supports data collection, analysis, automated response, and reporting capabilities across multiple attack surfaces.
Methodology
SERVICE ONBOARDING
DeepSeas will work with the Client to create an implementation plan that will consist of gathering and confirming relevant information, scoping and deploying the SIEM data collection architecture, implementing SIEM Rules and Use Cases, and service activation.
- INITIATION (Estimated Duration: 1-4 Weeks)
  - DESIGN – DeepSeas will document a solution design that will define objectives, identify in-scope data, define use cases, and determine the data collection architecture.
  - BUILD – DeepSeas will collaborate with the Client to implement a data collection architecture and SIEM platform by deploying collection devices, validating SIEM ingestion of sample data, and establishing secure connections to the cloud SIEM platform.
  - ONBOARD – DeepSeas will collaborate with the Client to onboard environment data and configure ingestion of enrichment and source data.
- STABILIZATION (Estimated Duration: 2-8 Weeks)
  - DEPLOY – DeepSeas will deploy initial threat detection rules and use cases.
  - BASELINE & TUNE – DeepSeas will observe the initial use case alerts and collaborate with the Client to tune log sources, collection filters, rules and use cases based on feedback from DeepSeas.
  - DOCUMENT – DeepSeas will document a Client MDR Runbook that describes how SIEM use cases will be reviewed and managed.
- MANAGED OPERATIONS (Estimated Duration: Ongoing)
  - EVENT ANALYSIS & RESPONSE – DeepSeas will provide the Client with remote services that deliver essential response actions as agreed on in the customer contract.
Client Responsibilities
SIEM APPLICATION & DETECTION LOGIC
- The Client agrees to participate in threat response procedures as defined in the Customer MDR Playbook.
SIEM PLATFORM MANAGEMENT
- The Client will provide DeepSeas with a list of approved customer users of the hosted SIEM platform.
LOG SOURCE & MACHINE DATA COLLECTION
- The Client is responsible for configuring log & machine data sources.
- The Client will assist in data collection software deployment.
- The Client will deploy and maintain data collection agents.
- The Client will provide, monitor, and maintain servers to host data collection software.
DeepSeas Responsibilities
SIEM APPLICATION & DETECTION LOGIC
- Deploy and maintain a core package of threat detection logic.
- Configure and maintain SIEM platform.
- Review alert data, identify & notify Client of validated threats based on deployed threat detection logic.
- Provide response support per Client MDR playbook.
SIEM PLATFORM MANAGEMENT
- Administer user access to cloud hosted SIEM platform.
- Maintain administrative access privileges to SIEM platform.
LOG SOURCE & MACHINE DATA COLLECTION
DeepSeas, working with the Client, will identify the system data sources that will be collected by the SIEM solution and mutually agree on a SIEM deployment architecture that will include:
- The location of machine data collection servers to deploy to the Client environment(s)
- The network communication and configuration requirements to enable the Client’s system data sources to be forwarded to data collection servers and cloud hosted SIEM platforms.
- A deployment strategy and timeline for Client data collection
- DeepSeas Collection Software: a software package that enables log collection from external sources and delivers it to the supported SIEM platform. It enables log collection and monitoring for devices and systems on which a log collection agent cannot be deployed, such as a router or firewall. Most often such devices are configured to deliver Syslog content to the collection software.
- DeepSeas Collection Agents: software installed directly on Client endpoints and servers to enable log collection and delivery to the supported SIEM platform.
- Cloud/SaaS Platform Sources: The supported SIEM can communicate directly via API with most cloud-based technologies and services for log ingestion. The Client is responsible for providing and maintaining API credentials for DeepSeas.
- Health Monitoring: If DeepSeas detects that agents and/or log collection appliances become uncommunicative or unreachable or output has not been received from log sources that are within the scope of service, DeepSeas will notify the Client and assist with troubleshooting.
- Non-standard Sources: DeepSeas will provide a set of correlations and detections for commonly supported sources and platforms. For nonstandard log sources, DeepSeas may require its consultants or engineers to work with Client to understand the Client’s log source(s), important event criteria, and any custom reporting or real-time alerting requirements. The scope of this analysis will be set out in a separate signed Statement of Work (“SOW”). This consulting work is separate and distinct from the efforts of the deployment engineers described below.
- Non-security Data: The Client may elect during the scoping phase to send non-security related log data to the SIEM Cluster, such as performance, transactional, or internal health monitoring data.
  - Non-security data counts against daily ingest volume for pricing and software subscription purposes. The Client can search and report against this data, but DeepSeas will not monitor, report, or take action on it.
- Scope of Service: The Service is limited to monitoring the devices & sources subscribed for service as defined in the associated Statement of Work and does not include management or monitoring of any unsubscribed endpoint or intermediary log sources.
- Unapproved Sources: Sources that have been configured to relay their logs to the DeepSeas collection software or agent but are not defined in the Statement of Work are deemed "unapproved". Log collection from unapproved sources may be blocked by DeepSeas, and the Client may receive charges related to the monitoring of the unapproved source.
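The Health Monitoring and Unapproved Sources items above describe two checks a collection tier needs: noticing when an in-scope source has stopped sending, and noticing when a host outside the Statement of Work is sending anyway. The following is an added illustration written for this page, not DeepSeas' own health-monitoring code or collection software. It assumes RFC 5424-style syslog lines, a constructed scope list (fw-edge-01, dc-01, vpn-01) standing in for a SOW, constructed sample events, and an assumed one-hour silence threshold.

```python
"""Added example: flag silent in-scope log sources and unapproved senders.

Illustrative code for this page only; not DeepSeas' implementation.
Hostnames, timestamps, scope list and threshold are constructed values.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed input format: RFC 5424 syslog header "<PRI>1 TIMESTAMP HOSTNAME APP-NAME ..."
SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) ")

# Constructed sample feed as a collector might receive it.
SAMPLE_LINES = [
    "<134>1 2024-05-01T10:00:00Z fw-edge-01 firewall - - - allow 10.0.0.5 -> 10.0.1.9",
    "<134>1 2024-05-01T10:05:00Z fw-edge-01 firewall - - - deny 10.0.0.7 -> 10.0.1.9",
    "<85>1 2024-05-01T08:30:00Z dc-01 sshd - - - accepted publickey for admin",
    "<165>1 2024-05-01T10:07:00Z unapproved-host app - - - hello",
    "this line is not syslog and is skipped",
]

# Constructed stand-in for the sources subscribed in the Statement of Work.
IN_SCOPE = {"fw-edge-01", "dc-01", "vpn-01"}


def parse_line(line):
    """Return (hostname, UTC timestamp) for a syslog line, or None if unparsable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return m.group("host"), ts.replace(tzinfo=timezone.utc)


def last_seen(lines):
    """Map each sending host to the most recent event timestamp observed."""
    seen = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def health_report(lines, in_scope, now, max_silence):
    """Classify hosts relative to the scope list.

    silent:     in-scope hosts never seen, or last seen longer than max_silence ago
    healthy:    in-scope hosts seen within max_silence
    unapproved: hosts that sent events but are not in scope
    """
    seen = last_seen(lines)
    silent, healthy = [], []
    for host in sorted(in_scope):
        ts = seen.get(host)
        if ts is None or now - ts > max_silence:
            silent.append(host)
        else:
            healthy.append(host)
    unapproved = sorted(set(seen) - set(in_scope))
    return {"silent": silent, "healthy": healthy, "unapproved": unapproved}


def run_sample():
    """Evaluate the constructed feed at an assumed 'now' with a 1-hour threshold."""
    now = datetime(2024, 5, 1, 10, 10, tzinfo=timezone.utc)
    return health_report(SAMPLE_LINES, IN_SCOPE, now, timedelta(hours=1))


if __name__ == "__main__":
    report = run_sample()
    for key in ("silent", "healthy", "unapproved"):
        print(f"{key}: {', '.join(report[key]) or '(none)'}")
```

In a real deployment the "now" and threshold would come from the scheduler and per-source expectations (a firewall that logs every second and a backup server that logs nightly need different thresholds), and a host that appears only in the unapproved list is the signal to either add it to the scope or block it at the collector.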