Security Event Monitoring Sample Clauses

Security Event Monitoring. Filters, normalization, correlation, and data analysis will be applied to identify potentially anomalous, suspicious, or malicious behaviors indicative of threats in the client’s environment.
Security Event Monitoring. The Client shall receive a communication (according to the escalation procedures defined or in the manner pre-selected in writing by Customer, either through the Portal, email, or by telephone) to security incidents according to the matrix below. Event classification is measured by the time that an analyst has completed their investigation in order to prevent notification for benign or false positive alerts.

| Severity | Definition | Agreement | Notification Method |
| --- | --- | --- | --- |
| Critical | Events that represent an imminent threat to client assets, including: data destruction, encryption, exfiltration, or compromise by malware or malicious attacker. | 30 minutes of event classification | 1. Email 2. Phone Call 3. BlueVoyant Customer Portal |
| High | Events that represent a significant threat to client assets, including: rootkits, keyloggers, or trojans, but not defined as “critical”, confirmed suspicious privilege escalation, confirmed social engineering-based attack. | 1 hour of event classification | 1. Email 2. Phone Call 3. BlueVoyant Customer Portal |
| Medium | Events that represent a potential threat to client assets, including: malware types that include bots or spyware, but not defined as “critical” or “high”. | No Notification | BlueVoyant Customer Portal |
| Low | Events that represent a minimal threat to client assets. This includes adware or other potentially unwanted programs (PUPs). | No Notification | BlueVoyant Customer Portal |
Security Event Monitoring. The security event monitoring is performed continuously on a 24x7 basis, for aggregation applications, correlation and intrusion detection. In this monitoring events are aggregated from various sources such as operating systems, webservers, applications and intrusion detection systems. DRAWING (Monitoring – Detection – Response – Correction)
Security Event Monitoring. The Client shall receive a communication (according to the escalation procedures defined or in the manner pre-selected in writing by Customer, either through the Portal, email, or by telephone) to security incidents according to the matrix below. Event classification is measured by the time that an analyst has completed their investigation in order to prevent notification for benign or false positive alerts.

| Severity | Definition | Agreement | Notification Method |
| --- | --- | --- | --- |
| Critical | Events that represent an imminent threat to client assets, including data destruction, encryption, exfiltration, or compromise by malware or malicious attacker. | 30 minutes of event classification | 1. Email 2. Phone Call 3. BlueVoyant Customer Portal / Azure Sentinel |
| High | Events that represent a significant threat to client assets, including rootkits, keyloggers, or trojans, but not defined as “critical”, confirmed suspicious privilege escalation, confirmed social engineering-based attack. | 1 hour of event classification | 1. Email 2. Phone Call 3. BlueVoyant Customer Portal / Azure Sentinel |
| Medium | Events that represent a potential threat to client assets, including malware types that include bots or spyware, but not defined as “critical” or “high”. | No Notification | BlueVoyant Customer Portal / Azure Sentinel |
| Low | Events that represent a minimal threat to client assets. This includes adware or other potentially unwanted programs (PUPs). | No Notification | BlueVoyant Customer Portal / Azure Sentinel |
Security Event Monitoring. The Service filters, normalizes, correlates, and analyzes network, user, device, and other IT and security logs, aggregating disparate data and applying the latest detection methods to identify and respond to security events. Additionally, the BlueVoyant security operations team will proactively tune alerts respective to the Client’s environment to filter out noise and false positives. If warranted to support further investigation of a Security Event, BlueVoyant SOC analysts may access the Environment via approved Identity Provider (IdP) access to perform further analysis.
● Client Support: Clients are provided support for break-fix issues on events that directly impact the Service or tuning of the Service, such as event flow disruption related issues related to TA’s or detection content. Any enhancements, customizations, or requests deemed outside of client support activities are deferred to Professional Services.
● Custom Support: Clients are provided 20 hours of Splunk Professional Services to customize dashboards and alerts, and onboard additional data sources.
BlueVoyant Platform Features
● Wavelength™ is the BlueVoyant client portal (“Wavelength™”). A web-based portal that provides access to alerts, confirmed incidents, notes of investigations, and SOC communications (approved Client employees).
  ○ Dashboards: Available in Splunk, dashboards representing security insights, hygiene, and tuning are included with the service.
  ○ Reports: Available through Wavelength™, reports include monthly executive reports and CIS baselining.
  ○ Threat Intelligence Reports: Threat landscape and intelligence summary reports are developed by BlueVoyant threat research and delivered as monthly reports.
● Content: The Platform will deploy and regularly update security detection algorithms (“Content”). This provides the ability to detect potential threats based on reputation by correlating data to suspicious and/or malicious Indications of Compromise. See BlueVoyant Content in Scope of Service section.
Security Event Monitoring. SonicWALL log data is gathered by the Global Management System located at Dell’s premises. The data is parsed, correlated, and prioritized. The relevant security events are categorized by Dell based on the severity level. Malicious and unknown events are correlated and alerts are presented to Customer via the Dell Portal. The Dell Portal provides customers with a secure, web-based method to monitor the enterprise, generate security reports and update escalation procedures. The following deliverables are associated with the Security Event Monitoring Service:
• Dell Portal access for ticket requests and reporting capabilities.
• Ongoing enterprise security event aggregation and reporting for devices during the service term.
Incident response, forensics and ticket requests associated with security event analysis are not included in the security event monitoring service.
Security Event Monitoring. The BlueVoyant MDR for Splunk Cloud service filters, normalizes, correlates, and analyzes network, user, device, and other IT and security logs in real-time, aggregating disparate data and applying the latest threat intelligence to identify and respond to security events quickly. Additionally, the security operations team will proactively tune alerts respective to each Client’s environment to filter out noise and false positives.
Security Event Monitoring. The Client shall receive a communication (according to the escalation procedures defined or in the manner pre-selected in writing by Customer, either through the Wavelength, Email, or by telephone) to security incidents according to the matrix below. Incident classification is the process in which a BlueVoyant security analyst performs an investigation to confirm the validity of an alert, impact, and assign a severity. Notification times for Client notification are measured by the time difference between when incident classification has been completed and when the Client is notified. Client notification occurs after event classification in order to prevent notification for benign or false positive alerts.

| Severity | Definition | Agreement | Notification Method |
| --- | --- | --- | --- |
| Critical | Events that represent an imminent threat to Client assets, including: data destruction, encryption, exfiltration, or compromise by malware or malicious attacker. | 30 minutes of event classification | 1. Email 2. Phone Call 3. Wavelength |
| High | Events that represent a significant threat to Client assets, including: rootkits, keyloggers, or trojans, but not defined as “critical”, confirmed suspicious privilege escalation, confirmed social engineering-based attack. | 1 hour of event classification | 1. Email 2. Phone Call 3. Wavelength |
| Medium | Events that represent a potential threat to Client assets, including: malware types that include bots or spyware, but not defined as “critical” or “high”. | No Notification | Wavelength |
| Low | Events that represent a minimal threat to Client assets. This includes adware or other potentially unwanted programs (PUPs). | No Notification | Wavelength |
Security Event Monitoring. Security events are logged (log files), monitored (appropriate individuals) and addressed (timely action documented and performed). Network components, workstations, applications and any monitoring tools are enabled to monitor user activity. Organizational responsibilities for responding to events are defined. Configuration checking tools are utilized (or other logs are utilized) that record critical system configuration changes. The log permission restricts alteration by administrators. Retention schedules for various logs are defined and adhered to. (1g) Measures to restore availability and access to personal data in the event of a technical or physical incident: See above AVAILABILITY CONTROL.
Security Event Monitoring. The Client shall receive a communication (according to the escalation procedures defined or in the manner pre-selected in writing by Customer, either through the Portal, email, or by telephone) to security incidents according to the matrix below. Event classification is measured by the time that an analyst has completed their investigation in order to prevent notification for benign or false positive alerts.

| Severity | Definition | Agreement | Notification Method |
| --- | --- | --- | --- |
| Critical | Events that represent an imminent threat to client assets, including: data destruction, encryption, exfiltration, or compromise by malware or malicious attacker. | | |