In order to limit manual processing time and solve the primary challenges faced by most enterprises today, Herjavec Group’s Managed Security Service practice relies on two custom built solutions: The HG Threat Framework, and Analytics Platform. The combination of Herjavec Group’s SIEM discipline, Threat Framework and Analytics Platform adds necessary context to help prioritize alerts and indicators of compromise (IOCs), resulting in actionable intelligence and reduced false positives.

Herjavec Group Threat Framework is our starting point to gain visibility and baseline activity in each client environment. The Threat Framework allows dynamic and evolving threat modelling to be applied within any organizational environment at the SIEM level.

We apply a set of core and advanced use cases at the SIEM level to capture log data across the Threat Framework Attack Categories. When an applicable use case occurs, an email is triggered to Herjavec Group’s Analytics Platform.

Herjavec Group leverages the Mitre Method to map attack vectors to security controls. We work with your business leaders to develop custom industry & client specific content recommendations to advance your Threat Framework as your log sources and security needs mature.

The Analytics Platform then performs automated functions to filter, correlate and enrich the information, preparing a standardized ticket ready for investigation by a Herjavec Group security analyst, working in one of our 24/7 Security Operations Centers.

Threat Framework

The Threat framework covers key attack categories:

  • Authentication
  • Targeted Attacks
  • Malware
  • DDoS
  • Traffic Anomalies
  • Suspicious Activity
  • Policy Violations
  • Operational Scenarios
  • Behavior Analytics
  • Advanced Scenarios

Sample Threat Examples:

  • Authentication of Brute Force Attacks
  • Multiple Users Fail Authentication
  • Audit Log Cleared
  • Multiple Distinct IPS Alerts from Same Source
  • Large Number of Hosts with Malware Detections
  • Firewall Large Number of DENIED Connections
  • AWS CloudTrail Group Policy Deleted
  • IDLE Log Source

Each Attack Category has corresponding dashboards that provide long term trending and context. With this enriched data, our analysts are able to ensure they provide our customers with high quality, actionable information and recommendations for remediation.

We work through threat scenario thresholds, logic and actions for each enterprise environment.

Threat Advisory

Sample Threat Scenario

Targeted Attack – Numerous Attacks by a Single Host

TechnologyThreat ScenarioLogicThreshold LogicAction
Detect targeted attacks, as VA or Web App ScanMultiple distinct IPS Alerts from the same source in an hour
  • Quantity of distinct IPS alerts defines attack scale
  • Threshold set to a level when data is significantly greater than norm

  • Authorized Scan? Internal or External IP? Blacklist/Whitelist accordingly.
  • Check if any internal connections were initiated
  • Reimage or Quarantine compromised hosts

We onboard our Threat Framework and then work with you to implement custom use cases based on your environment and our cross client learnings as we understand your business & operational priorities.

Examples of custom use cases built for complex customer environments include:

VIP User Lock Out & Account Change

  • VIP offering for account holders of critical/extraordinary information
  • Goes beyond password change to offer visibility when user’s files are accessed or attempted to be accessed by accounts on the network
  • Also monitored use of admin accounts on non-authorized machines

Correlating Complex Tech To Reduce Manual Efforts

  • Use case involving 2 appliances– PAN Firewall/IPS and Cisco Ironport.
  • We correlated the IPS Virus/Vulnerability/Spyware alerts with the Ironport delivery messages.
  • If the PAN IPS allowed the traffic and the Ironport delivered the email, an alert would trigger, saving the customer hours of manual correlation.

USB Device Plug In for POS Terminals

  • We have helped clients suffering from POS fraud discover and block scanning devices by alerting to USBs plugged into credit card POS terminals

Download the Brief