To limit manual processing time and address the primary challenges most enterprises face today, Herjavec Group’s Managed Security Service practice relies on two custom-built solutions: the HG Threat Framework and the HG Analytics Platform. Combining Herjavec Group’s SIEM discipline with the Threat Framework and the Analytics Platform adds the context needed to prioritize alerts and indicators of compromise (IOCs), resulting in actionable intelligence and fewer false positives.
The Herjavec Group Threat Framework is our starting point for gaining visibility into, and baselining activity in, each client environment. It allows dynamic, evolving threat modelling to be applied to any organizational environment at the SIEM level. We apply a set of core and advanced use cases at the SIEM level to capture log data across the Threat Framework attack categories. When a use case fires, the SIEM sends an email notification to Herjavec Group’s Analytics Platform.
Herjavec Group leverages the Mitre Method to map attack vectors to security controls. We work with your business leaders to develop industry- and client-specific content recommendations that advance your Threat Framework as your log sources and security needs mature.
The Threat Framework covers key attack categories including:
- Targeted Attacks
- Traffic Anomalies
- Suspicious Activity
- Policy Violations
- Operational Scenarios
- Behavior Analytics
- Advanced Scenarios
Core use cases applied across those categories include:
- Multiple Hosts Fail Authentication
- Multiple AD Accounts Locked Out
- Expired or Disabled Account Password Failures
- Malware Outbreak: Numerous Hosts with Same Malware
- Host with Recurring Malware Infections
- Large File Transfer to Internet Detected
- Multiple Distinct IPS Alerts from Same Source
- IPS: Numerous Destinations Attacked by a Single Host
- Unusually Large SQL Transaction
- Unusual After-Hours Workstation Unlocks
- Office 365 Exchange Configuration Changes by Users
- Excessive File Deletes or Moves by User
- Large Number of Users with Account Changes
We work through the thresholds, logic and actions of each threat scenario for every enterprise environment.
Sample Threat Scenario
Targeted Attack – Numerous Attacks by a Single Host

| Technology | Threat Scenario | Logic | Threshold Logic | Action |
|---|---|---|---|---|
| | Detect targeted attacks, such as a vulnerability assessment (VA) or web application scan | Multiple distinct IPS alerts from the same source within one hour | | |
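The scenario above is a sliding-window, distinct-count rule: one source, many different IPS signatures, one hour. The following is an added example of that detection logic run over constructed alert lines; it is not Herjavec Group's code, and the line format, the field names and the threshold of 5 are assumptions for illustration (the page says thresholds are tuned per client). It also shows the two cases such a rule must not fire on: a host that trips the same signature repeatedly, and a slow scanner whose hits never cluster inside the window.

```python
"""Detection logic for 'Targeted Attack - Numerous Attacks by a Single Host':
fire when one source IP triggers at least THRESHOLD distinct IPS signatures
inside a sliding one-hour window.
Added example, not Herjavec Group code. The alert line format, the field
names and the threshold value are assumptions for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # the page's "in an hour"
THRESHOLD = 5                 # assumed; the page says thresholds are tuned per client

# Constructed sample alerts, one per line (assumed format):
#   <ISO timestamp> src=<source ip> sig=<IPS signature id> action=<ips action>
# 10.1.1.50 trips six different signatures in 15 minutes (scanner-like).
# 10.1.1.99 trips six signatures 30 minutes apart (slow, never 5 in one hour).
# 10.1.1.77 trips the same signature eight times (noisy, not a scan).
SAMPLE_ALERTS = """\
2024-03-01T09:00:05 src=10.1.1.50 sig=30001 action=alert
2024-03-01T09:03:00 src=10.1.1.50 sig=30002 action=alert
2024-03-01T09:06:00 src=10.1.1.50 sig=30003 action=drop
2024-03-01T09:09:00 src=10.1.1.50 sig=30004 action=alert
2024-03-01T09:12:00 src=10.1.1.50 sig=30005 action=alert
2024-03-01T09:15:00 src=10.1.1.50 sig=30006 action=alert
2024-03-01T09:00:00 src=10.1.1.99 sig=40001 action=alert
2024-03-01T09:30:00 src=10.1.1.99 sig=40002 action=alert
2024-03-01T10:00:00 src=10.1.1.99 sig=40003 action=alert
2024-03-01T10:30:00 src=10.1.1.99 sig=40004 action=alert
2024-03-01T11:00:00 src=10.1.1.99 sig=40005 action=alert
2024-03-01T11:30:00 src=10.1.1.99 sig=40006 action=alert
this line is not an alert and is skipped by the parser
""" + "\n".join(
    f"2024-03-01T09:{m:02d}:00 src=10.1.1.77 sig=30001 action=alert" for m in range(0, 16, 2)
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) src=(?P<src>\S+) sig=(?P<sig>\S+) action=(?P<action>\S+)$"
)


def parse_alert(line):
    """Return (timestamp, src, sig) for a well-formed alert line, else None.
    The IPS action is deliberately ignored: a blocked probe is still a probe."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["sig"]


def detect_scanning_sources(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src: (time_of_first_trigger, distinct_signatures_at_that_moment)}.

    Alerts are sorted by time; each source keeps a deque of the alerts still
    inside the window, and the distinct-signature count is taken over that
    deque only. A source fires at most once, when it first crosses the
    threshold, which mirrors a SIEM 'aggregate then suppress' rule.
    """
    events = sorted(e for e in map(parse_alert, lines) if e is not None)
    recent = defaultdict(deque)
    fired = {}
    for ts, src, sig in events:
        q = recent[src]
        q.append((ts, sig))
        while ts - q[0][0] > window:      # evict alerts older than the window
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) >= threshold and src not in fired:
            fired[src] = (ts, len(distinct))
    return fired


if __name__ == "__main__":
    for src, (when, n) in detect_scanning_sources(SAMPLE_ALERTS.splitlines()).items():
        print(f"ALERT targeted-attack src={src} distinct_sigs={n} at {when.isoformat()}")
```

With the default threshold only 10.1.1.50 fires (at 09:12, the fifth distinct signature); lowering the threshold to 3 also catches the slow scanner 10.1.1.99, which is exactly the per-client tuning trade-off the page describes.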
We onboard our Threat Framework and then work with you to implement custom use cases based on your environment and our cross-client learnings, as we come to understand your business and operational priorities.
Examples of custom use cases built for complex customer environments include:
VIP User Lock Out & Account Change
- VIP offering for account holders with access to critical or extraordinary information
- Goes beyond password-change alerts to provide visibility when the VIP user’s files are accessed, or access is attempted, by other accounts on the network
- Also monitors use of admin accounts on non-authorized machines
Correlating Complex Tech To Reduce Manual Efforts
- Use case involving two appliances: a Palo Alto Networks (PAN) firewall/IPS and a Cisco IronPort email security appliance
- We correlated the PAN IPS virus, vulnerability and spyware alerts with the IronPort delivery messages
- If the PAN IPS allowed the traffic and the IronPort delivered the email, an alert triggers, saving the customer hours of manual correlation
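The IPS-plus-mail-gateway use case above is a join across two log sources with a "passed through" filter on one side and a "delivered" filter on the other. The block below is an added example of that correlation, not Herjavec Group's code: the record shapes are simplified constructions rather than the vendors' actual log schemas, and the join key (the remote SMTP peer's IP, which both appliances see) and the 10-minute pairing window are assumptions. The sample data includes the three cases that must stay silent: the IPS dropped the session, the message was never delivered, and the IPS event is hours older than the delivery.

```python
"""Cross-appliance correlation in the spirit of the PAN + IronPort use case:
an alert fires only when the PAN IPS saw a threat from a remote host and let
the traffic through, and the IronPort then delivered mail from that same
host within a short window.
Added example, not Herjavec Group code. Record formats, field names, the
join on the remote peer's IP and the 10-minute window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

PAIR_WINDOW = timedelta(minutes=10)    # assumed: delivery must follow the IPS event within 10 min
PASSED_ACTIONS = {"alert", "allow"}    # IPS actions that let the session continue;
                                       # "drop"/"reset" style actions mean it was blocked

# Constructed, simplified PAN threat-log style records (threat names are illustrative).
PAN_THREATS = [
    {"ts": "2024-03-01T10:00:00", "src": "198.51.100.7", "threat": "virus/eicar-test-file", "action": "alert"},
    {"ts": "2024-03-01T10:01:00", "src": "198.51.100.8", "threat": "spyware/generic-beacon", "action": "drop"},
    {"ts": "2024-03-01T08:00:00", "src": "198.51.100.9", "threat": "vulnerability/smtp-command-overflow", "action": "alert"},
]

# Constructed, simplified IronPort delivery records (remote_ip = the sending MTA).
IRONPORT_MAIL = [
    {"ts": "2024-03-01T10:04:30", "mid": 1001, "remote_ip": "198.51.100.7", "rcpt": "cfo@example.com", "status": "delivered"},
    {"ts": "2024-03-01T10:03:00", "mid": 1002, "remote_ip": "198.51.100.8", "rcpt": "ap@example.com", "status": "delivered"},   # IPS dropped it
    {"ts": "2024-03-01T10:30:00", "mid": 1003, "remote_ip": "198.51.100.9", "rcpt": "hr@example.com", "status": "delivered"},   # IPS event 2.5 h old
    {"ts": "2024-03-01T10:02:00", "mid": 1004, "remote_ip": "198.51.100.7", "rcpt": "noone@example.com", "status": "bounced"},  # never delivered
]


def correlate(pan_threats, ironport_mail, window=PAIR_WINDOW):
    """Return one correlated alert per delivered message whose sending host
    produced a passed-through IPS threat in the preceding `window`."""
    passed_by_src = defaultdict(list)
    for t in pan_threats:
        if t["action"] in PASSED_ACTIONS:          # blocked sessions never reach the mailbox
            passed_by_src[t["src"]].append((datetime.fromisoformat(t["ts"]), t["threat"]))

    alerts = []
    for m in ironport_mail:
        if m["status"] != "delivered":             # bounced/quarantined mail is not the risk here
            continue
        delivered_at = datetime.fromisoformat(m["ts"])
        for seen_at, threat in passed_by_src.get(m["remote_ip"], []):
            lag = delivered_at - seen_at
            if timedelta(0) <= lag <= window:      # IPS event must precede delivery, and recently
                alerts.append({
                    "mid": m["mid"], "rcpt": m["rcpt"], "src": m["remote_ip"],
                    "threat": threat, "lag_s": int(lag.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(PAN_THREATS, IRONPORT_MAIL):
        print(f"ALERT delivered-after-ips-hit mid={a['mid']} to={a['rcpt']} "
              f"from={a['src']} threat={a['threat']} lag={a['lag_s']}s")
```

Only message 1001 survives all three filters: the IPS let the session through, the IronPort delivered it, and the two events are 270 seconds apart. In a SIEM the same logic is written as a correlation rule over the two indices, but the filters and the join key are what make it useful rather than noisy.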
USB Device Plug In for POS Terminals
- We have helped clients suffering from POS fraud discover and block scanning devices by alerting on USB devices plugged into credit card POS terminals