In order to limit manual processing time and solve the primary challenges faced by most enterprises today, Herjavec Group's Managed Security Service practice relies on two custom-built solutions: the HG Threat Framework and the Analytics Platform. The combination of Herjavec Group's SIEM discipline, Threat Framework and Analytics Platform adds the context needed to prioritize alerts and indicators of compromise (IOCs), resulting in actionable intelligence and fewer false positives.

Herjavec Group's Threat Framework is our starting point for gaining visibility and baselining activity in each client environment. The Threat Framework allows dynamic and evolving threat modelling to be applied within any organizational environment at the SIEM level. We apply a set of core and advanced use cases at the SIEM level to capture log data across the Threat Framework attack categories. When an applicable use case fires, an email is triggered to Herjavec Group's Analytics Platform.

Herjavec Group leverages the MITRE Method to map attack vectors to security controls. We work with your business leaders to develop custom industry- and client-specific content recommendations to advance your Threat Framework as your log sources and security needs mature.

Threat Framework

The threat framework covers key attack categories including:

  • Authentication
  • Targeted Attacks
  • Malware
  • DDoS
  • Traffic Anomalies
  • Suspicious Activity
  • Policy Violations
  • Operational Scenarios
  • Behavior Analytics
  • Advanced Scenarios

Sample Alerts

  • Multiple Hosts Fail Authentication
  • Multiple AD Accounts Locked Out
  • Expired or Disabled Account Password Failures
  • Malware Outbreak: Numerous Hosts with Same Malware
  • Host with Recurring Malware Infections
  • Large File Transfer to Internet Detected
  • Multiple Distinct IPS Alerts from Same Source
  • IPS: Numerous Destinations Attacked by IDS Host
  • Unusually Large SQL Transaction
  • Unusual After-Hours Workstation Unlocks
  • Office 365 Exchange Configuration Changes by Users
  • Excessive File Deletes or Moves by User
  • Large Number of Users with Account Changes

We work through threat scenario thresholds, logic and actions for each enterprise environment.

Threat Advisory

Sample Threat Scenario

Targeted Attack – Numerous Attacks by a Single Host

Threat Scenario: Detect targeted attacks, such as a VA or web app scan

Logic: Multiple distinct IPS alerts from the same source in an hour

Threshold Logic:
  • Quantity of distinct IPS alerts defines attack scale
  • Threshold set to a level where the data is significantly greater than the norm

Action:
  • Authorized scan? Internal or external IP? Blacklist/whitelist accordingly.
  • Check whether any internal connections were initiated
  • Reimage or quarantine compromised hosts
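As an added illustration of the threshold logic in this scenario (example code written for this page, not Herjavec Group's SIEM content or Analytics Platform), the following Python derives a per-hour distinct-alert threshold from a constructed baseline, then flags any source whose count of distinct IPS signatures within a one-hour sliding window reaches it. It skips an assumed allowlist of authorized scanners and tags each finding as an internal or external IP, mirroring the first two action items. The alert records, baseline counts, internal ranges and the scanner allowlist are all constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample IPS alerts (not from any real client environment).
# Each record: (timestamp, source IP, IPS signature name).
IPS_ALERTS = [
    ("2024-03-01T09:00:10", "203.0.113.7", "HTTP Directory Traversal"),
    ("2024-03-01T09:01:22", "203.0.113.7", "SQL Injection Attempt"),
    ("2024-03-01T09:02:05", "203.0.113.7", "Cross-Site Scripting Attempt"),
    ("2024-03-01T09:03:41", "203.0.113.7", "OS Command Injection Attempt"),
    ("2024-03-01T09:05:00", "203.0.113.7", "Web Server Version Probe"),
    ("2024-03-01T09:06:17", "203.0.113.7", "Admin Console Brute Force"),
    # One signature repeated three times: noisy, but only one distinct alert.
    ("2024-03-01T09:30:00", "198.51.100.4", "SQL Injection Attempt"),
    ("2024-03-01T09:31:00", "198.51.100.4", "SQL Injection Attempt"),
    ("2024-03-01T09:32:00", "198.51.100.4", "SQL Injection Attempt"),
    # Authorized internal vulnerability scanner: many signatures, but allowlisted.
    ("2024-03-01T10:00:00", "10.0.5.20", "HTTP Directory Traversal"),
    ("2024-03-01T10:00:05", "10.0.5.20", "SQL Injection Attempt"),
    ("2024-03-01T10:00:09", "10.0.5.20", "Cross-Site Scripting Attempt"),
    ("2024-03-01T10:00:14", "10.0.5.20", "OS Command Injection Attempt"),
    ("2024-03-01T10:00:20", "10.0.5.20", "Web Server Version Probe"),
    # Five distinct signatures spread over several hours: never five in one hour.
    ("2024-03-01T11:00:00", "192.0.2.9", "HTTP Directory Traversal"),
    ("2024-03-01T11:50:00", "192.0.2.9", "SQL Injection Attempt"),
    ("2024-03-01T12:40:00", "192.0.2.9", "Cross-Site Scripting Attempt"),
    ("2024-03-01T13:30:00", "192.0.2.9", "OS Command Injection Attempt"),
    ("2024-03-01T14:20:00", "192.0.2.9", "Web Server Version Probe"),
]

# Constructed baseline: distinct IPS signatures per source per hour observed
# during a normal period. The threshold is set well above this norm.
BASELINE_DISTINCT_PER_HOUR = [2, 1, 2, 3, 2, 1, 2, 3]

# Hypothetical allowlist of authorized scanners and the client's internal ranges.
AUTHORIZED_SCANNERS = {"10.0.5.20"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

WINDOW = timedelta(hours=1)


def threshold_from_baseline(baseline, sigmas=3):
    """Threshold = ceil(mean + sigmas * stddev): significantly greater than the norm."""
    return math.ceil(mean(baseline) + sigmas * pstdev(baseline))


def is_internal(ip):
    """Internal/external classification against the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_targeted_attacks(alerts, threshold):
    """Return {source: finding} for sources whose distinct-signature count in any
    one-hour sliding window reaches the threshold. Allowlisted scanners are skipped."""
    by_source = defaultdict(list)
    for ts, src, sig in alerts:
        by_source[src].append((datetime.fromisoformat(ts), sig))

    findings = {}
    for src, events in by_source.items():
        if src in AUTHORIZED_SCANNERS:
            continue
        events.sort()
        best_count, best_start = 0, None
        # Start a window at each alert and count distinct signatures within one hour.
        for i, (start, _) in enumerate(events):
            sigs = {sig for t, sig in events[i:] if t < start + WINDOW}
            if len(sigs) > best_count:
                best_count, best_start = len(sigs), start
        if best_count >= threshold:
            findings[src] = {
                "distinct_signatures": best_count,
                "window_start": best_start.isoformat(),
                "internal": is_internal(src),
            }
    return findings


if __name__ == "__main__":
    th = threshold_from_baseline(BASELINE_DISTINCT_PER_HOUR)
    print(f"threshold: {th} distinct signatures per hour")
    for src, info in detect_targeted_attacks(IPS_ALERTS, th).items():
        print(f"{src}: {info}")
```

With the constructed baseline the threshold works out to 5, so only 203.0.113.7 (six distinct signatures in one hour) is flagged: the repeated single signature, the allowlisted scanner and the slow drip of five signatures across several hours all stay below it. Counting distinct signatures rather than raw alert volume is what keeps a chatty but narrow source from masquerading as a broad scan.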

We onboard our Threat Framework and then work with you to implement custom use cases based on your environment and our cross-client learnings as we come to understand your business and operational priorities.

Examples of custom use cases built for complex customer environments include:

VIP User Lock Out & Account Change

  • VIP offering for account holders of critical/extraordinary information
  • Goes beyond password change to offer visibility when a user's files are accessed, or access is attempted, by other accounts on the network
  • Also monitors use of admin accounts on non-authorized machines

Correlating Complex Tech To Reduce Manual Efforts

  • Use case involving two appliances: PAN Firewall/IPS and Cisco IronPort.
  • We correlated the IPS virus/vulnerability/spyware alerts with the IronPort delivery messages.
  • If the PAN IPS allowed the traffic and IronPort delivered the email, an alert would trigger, saving the customer hours of manual correlation.
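The correlation described in this use case, as an added example written for this page rather than Herjavec Group's own SIEM content: constructed PAN IPS threat records are joined against constructed IronPort delivery records, and an alert is raised only when the IPS saw a virus, vulnerability or spyware threat but let the traffic through, and IronPort then delivered a message from the same sending relay inside a short window. The field names, the choice of the relay IP plus a ten-minute window as the join key, and the action values are assumptions; they are not PAN-OS or IronPort log formats.

```python
from datetime import datetime, timedelta

# Constructed PAN IPS threat records (hypothetical field names, not PAN-OS format).
PAN_THREAT_LOGS = [
    {"time": "2024-03-01T08:15:02", "src": "198.51.100.23", "dst": "10.0.1.5",
     "category": "virus", "action": "allow"},
    {"time": "2024-03-01T08:20:44", "src": "198.51.100.77", "dst": "10.0.1.5",
     "category": "spyware", "action": "block"},          # blocked: nothing to correlate
    {"time": "2024-03-01T08:40:10", "src": "198.51.100.90", "dst": "10.0.1.5",
     "category": "vulnerability", "action": "allow"},
    {"time": "2024-03-01T09:10:00", "src": "198.51.100.55", "dst": "10.0.1.5",
     "category": "virus", "action": "allow"},
]

# Constructed IronPort delivery records (hypothetical field names, not IronPort format).
IRONPORT_MAIL_LOGS = [
    {"time": "2024-03-01T08:15:30", "relay": "198.51.100.23", "mid": "MID-1001",
     "recipient": "finance@example.com", "status": "delivered"},
    {"time": "2024-03-01T08:21:00", "relay": "198.51.100.77", "mid": "MID-1002",
     "recipient": "hr@example.com", "status": "delivered"},      # IPS blocked this one
    {"time": "2024-03-01T08:41:05", "relay": "198.51.100.90", "mid": "MID-1003",
     "recipient": "it@example.com", "status": "quarantined"},    # never reached a mailbox
    {"time": "2024-03-01T09:45:00", "relay": "198.51.100.55", "mid": "MID-1004",
     "recipient": "ceo@example.com", "status": "delivered"},     # 35 min later: outside window
]

# Assumed correlation window and the IPS action values that mean "traffic went through".
CORRELATION_WINDOW = timedelta(minutes=10)
PASSED_ACTIONS = {"allow", "alert"}


def correlate_ips_with_mail(pan_logs, mail_logs, window=CORRELATION_WINDOW):
    """Return one alert per delivered message whose sending relay triggered an IPS
    threat that was allowed through, within `window` before delivery."""
    delivered = [m for m in mail_logs if m["status"] == "delivered"]
    hits, seen_mids = [], set()
    for threat in pan_logs:
        if threat["action"] not in PASSED_ACTIONS:
            continue
        threat_time = datetime.fromisoformat(threat["time"])
        for msg in delivered:
            if msg["relay"] != threat["src"] or msg["mid"] in seen_mids:
                continue
            delta = datetime.fromisoformat(msg["time"]) - threat_time
            # Delivery must follow the IPS event, and not by more than the window.
            if timedelta(0) <= delta <= window:
                seen_mids.add(msg["mid"])
                hits.append({
                    "mid": msg["mid"],
                    "recipient": msg["recipient"],
                    "relay": msg["relay"],
                    "threat_category": threat["category"],
                    "ips_action": threat["action"],
                    "seconds_between": int(delta.total_seconds()),
                })
    return hits


if __name__ == "__main__":
    for hit in correlate_ips_with_mail(PAN_THREAT_LOGS, IRONPORT_MAIL_LOGS):
        print(f"ALERT: {hit['threat_category']} allowed from {hit['relay']}, "
              f"message {hit['mid']} delivered to {hit['recipient']} "
              f"{hit['seconds_between']}s later")
```

Run as-is, only MID-1001 produces an alert: MID-1002 was blocked at the IPS, MID-1003 was quarantined rather than delivered, and MID-1004 arrived 35 minutes after its IPS event, outside the ten-minute window. Widening the window to an hour pulls MID-1004 in as well, which is the kind of threshold tuning done per environment.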

USB Device Plug In for POS Terminals

  • We have helped clients suffering from POS fraud discover and block scanning devices by alerting on USB devices plugged into credit card POS terminals
