
SIEM Alert Management

    Service Overview

    DeepSeas MDR for Logs service delivers 24x7x365 event analysis and supervised response to validated threats for security information and event management (SIEM) technologies. Our Cyber Defense Team detects threats by reviewing alerts from one or more system event log aggregation servers installed on the Client’s (or the Client’s third party) network. 

    DeepSeas will deploy a core set of security information and event management (SIEM) alerting rules and analytics to enable increased contextualization of the Client’s machine data. DeepSeas will update and tune SIEM Rules as necessary to meet the service goals. 

    As determined necessary to meet the service goals, DeepSeas will deploy SIEM Rule correlation logic (“SIEM Use Cases”) which will be used by the DeepSeas Cyber Defense Team as a primary source of threat detection alerts. 

    DeepSeas offers three MDR for Logs service level options, which are summarized below: 

    [Image: summary table of the three DeepSeas MDR for Logs service level options]

    Client is purchasing DeepSeas SIEM Alert Management service, which includes the following service elements: 

    • Curated Threat Detection Logic – DeepSeas applies curated detection logic and analytics to security monitoring tools deployed in customer networks to improve the effectiveness of threat detection and response.  
    • 24x7 Threat Detection - DeepSeas threat detection provides review of alerts from, proactive enterprise search of, and targeted threat hunting using Client security monitoring tools to identify and prioritize cyber threats.  
    • Threat Notification - Threat Notification reports are generated by DeepSeas cyber defense analysts to describe the nature, context, and severity of a validated threat along with remediation recommendations.  
    • 24x7 Threat Response - DeepSeas cyber defense analysts provide the Clients with response guidance and/or response actions for resolving threats. Response actions (highly dependent upon the vendor solution leveraged) are defined in a mutually approved Client MDR Runbook document.  
    • DeepSeas XDR Cyber Defense Platform - DeepSeas XDR Cyber Defense Platform provides clients with a cloud-hosted technology architecture that supports data collection, analysis, automated response, and reporting capabilities across multiple attack surfaces. 

    Methodology

    SERVICE ONBOARDING

    DeepSeas will work with the Client to create an implementation plan that consists of gathering and confirming relevant information, scoping and deploying the SIEM data collection architecture, implementing SIEM Rules and Use Cases, and activating the service.

    1. INITIATION (Estimated Duration: 1-4 Weeks)
      1. DESIGN – DeepSeas will document a solution design that will define objectives, identify in-scope data, define use cases, and determine data collection architecture. 
      2. BUILD – Client will implement a data collection architecture and SIEM platform by deploying collection devices, validating SIEM ingestion of sample data, and establishing secure connections to cloud SIEM platform. 
      3. ONBOARD – Client will onboard environment data and configure ingestion of enrichment and source data. 
    2. STABILIZATION (Estimated Duration: 2-8 Weeks)
      1. DEPLOY – DeepSeas will deploy initial threat detection rules and use cases.  
      2. BASELINE & TUNE – DeepSeas will observe the initial use case alerts and collaborate with Client to tune log sources, collection filters, rules and use cases based on feedback from DeepSeas.  
      3. DOCUMENT – DeepSeas will document a Client MDR Runbook that describes how SIEM use cases will be reviewed and managed. 
    3. MANAGED OPERATIONS (Estimated Duration: Ongoing)
      1. EVENT ANALYSIS & RESPONSE – DeepSeas will provide Client with remote services that deliver essential response actions as agreed on in customer contract. 

    Service Assumptions

    • Pricing is based on the estimated EPS (Events Per Second) or Gigabytes per Day (GB/Day) for in-scope log sources. If the average GB/Day volume exceeds the contracted amount by more than 30% for two consecutive months, DeepSeas and Client will re-engage to determine whether data sources need to be removed and/or the estimated EPS needs to be increased at additional cost.
    • Only in-scope, agreed-to log sources will be ingested and monitored.
    • Log sources not currently supported will require additional scoping and additional charges for the work to create the parsing and the additional volume added.
    • Ingestion volume will be maintained at the level agreed to in the Statement of Work. If volumes consistently rise 15% above the contracted amount, DeepSeas will coordinate a call to discuss next steps, which could include tuning and/or decommissioning log sources or increasing the recurring charge.

    Client Responsibilities

    SIEM APPLICATION & DETECTION LOGIC

    • The Client agrees to participate in threat response procedures as defined in the Customer MDR Playbook.
    • The Client agrees to participate in quarterly review of threat detection use case logic.

    SIEM PLATFORM MANAGEMENT

    • The Client will administer user access to cloud hosted SIEM platform. 
    • The Client will maintain administrative access privileges to SIEM platform. 
    • The Client will provision DeepSeas users to SIEM platform. 

    LOG SOURCE & MACHINE DATA COLLECTION

    • The Client is responsible for configuring log & machine data sources.
    • The Client will deploy data collection software. 
    • The Client will deploy and maintain data collection agents. 
    • The Client will provide, monitor, and maintain servers to host data collection software. 

    DeepSeas Responsibilities

    DeepSeas is responsible for the following:
    SIEM APPLICATION & DETECTION LOGIC

    • Deploy and maintain a core package of threat detection logic. 
    • Configure and maintain SIEM platform. 
    • Review alert data, identify & notify Client of validated threats based on deployed threat detection logic. 
    • Provide response support per Client MDR playbook. 

    SIEM PLATFORM MANAGEMENT

    • Inform Client of approved DeepSeas users of SIEM platform. 