How to test and verify if your SIEM/SOC detection service works properly
How good is your detection?
When your Security Operations Centre (SOC) does not alert you to any security events, you have no way of knowing what is happening. This poses a risk. It could be that no security events are taking place. It could also mean your Security Incident Event Management (SIEM) solution is malfunctioning. There is only one way to check whether your detection is working as it should, and that is to explicitly test it. Let Secura help you.
Make sure your detection works
Improve your detection rate
Validate claims of your SOC provider
- Making sure your security monitoring and detection system detects actual threats
- How to reduce the number of false positives that lead to genuine threats being overlooked
- Striking the right balance between sensitivity (catching every possible threat) and specificity (avoiding false alarms)
There could be all kinds of technical reasons for SIEM/SOC malfunctioning, but the result is the same. Your analysts are effectively blindfolded and groping in the dark.
How we support you
Detection relies on use cases to find relevant anomalies. A use case could be: ‘alert us when a large amount of data is transferred outside of office hours.’ These rules are meant to detect typical adversarial behavior.
Secura’s Red Team members and pentesters know exactly how to mimic adversarial behavior. To test your capabilities, our experts execute use cases one-by-one. Together with your team or your provider’s team, our experts verify that the alerts are correctly triggered. Any missing alert is analyzed in detail and a root cause is determined if possible.
To trigger use cases, Secura simulates a security event happening inside your network, often without actually performing the activity that would normally have raised that event. This can be done, for instance, by sending attack signatures over the network or by performing suspicious actions on servers.
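The following is an added illustration of the use-case approach described above; it is example code written for this page, not Secura's tooling or any SIEM vendor's rule language. It encodes the sample use case ("alert when a large amount of data is transferred outside of office hours") as a detection rule over a simplified egress flow record, then replays constructed scenarios against it the way a verification session would: one that must fire, and three benign ones that must stay quiet so that the rule's specificity is checked alongside its sensitivity. The record schema, the office hours (08:00-18:00, weekdays) and the 500 MiB per host per hour threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed schema for a simplified egress flow record (an assumption for
# this example, not a real SIEM event format).
@dataclass(frozen=True)
class FlowEvent:
    ts: datetime      # when the flow was observed
    src_host: str     # internal host that sent the data
    dst_ip: str       # destination address
    bytes_out: int    # bytes sent by src_host
    external: bool    # True when dst_ip lies outside the corporate network


# Assumed use-case parameters; a real rule would read these from SIEM config.
OFFICE_START_HOUR = 8
OFFICE_END_HOUR = 18
MIB = 1024 * 1024
EGRESS_THRESHOLD_BYTES = 500 * MIB  # per host, per clock hour


def outside_office_hours(ts: datetime) -> bool:
    """Weekend, or a weekday time outside 08:00-18:00."""
    return ts.weekday() >= 5 or not (OFFICE_START_HOUR <= ts.hour < OFFICE_END_HOUR)


def rule_large_transfer_after_hours(events):
    """Use case: a host sends more than the threshold to external addresses
    within one clock hour, outside office hours.
    Returns a sorted list of (src_host, hour_start, total_bytes) alerts."""
    totals = defaultdict(int)
    for e in events:
        if e.external and outside_office_hours(e.ts):
            hour_start = e.ts.replace(minute=0, second=0, microsecond=0)
            totals[(e.src_host, hour_start)] += e.bytes_out
    return sorted((host, hour, total) for (host, hour), total in totals.items()
                  if total > EGRESS_THRESHOLD_BYTES)


# --- Simulated scenarios (constructed data; 2024-03-05 is a Tuesday) ---
def scenario_exfil_at_night():
    """Must trigger: 7 x 100 MiB leaves ws-042 for an external IP at 02:xx."""
    base = datetime(2024, 3, 5, 2, 10)
    return [FlowEvent(base + timedelta(minutes=7 * i), "ws-042", "203.0.113.7", 100 * MIB, True)
            for i in range(7)]


def scenario_backup_during_day():
    """Must stay quiet: a large external transfer at 14:00 on a weekday."""
    return [FlowEvent(datetime(2024, 3, 5, 14, 0), "srv-backup", "203.0.113.9", 2000 * MIB, True)]


def scenario_internal_copy_at_night():
    """Must stay quiet: large and after hours, but the destination is internal."""
    return [FlowEvent(datetime(2024, 3, 5, 3, 0), "srv-db", "10.0.5.20", 900 * MIB, False)]


def scenario_small_flows_at_night():
    """Must stay quiet: after-hours external traffic that stays under the threshold."""
    base = datetime(2024, 3, 5, 23, 0)
    return [FlowEvent(base + timedelta(minutes=m), "ws-017", "203.0.113.7", 50 * MIB, True)
            for m in range(0, 60, 15)]


SCENARIOS = [
    # (name, event builder, should the use case alert?)
    ("exfil_at_night", scenario_exfil_at_night, True),
    ("backup_during_day", scenario_backup_during_day, False),
    ("internal_copy_at_night", scenario_internal_copy_at_night, False),
    ("small_flows_at_night", scenario_small_flows_at_night, False),
]


def verify_use_case(rule, scenarios):
    """Replay each scenario through the rule and classify the outcome.
    Returns {name: 'detected' | 'missed' | 'false positive' | 'quiet'}."""
    results = {}
    for name, build, should_alert in scenarios:
        fired = bool(rule(build()))
        if should_alert:
            results[name] = "detected" if fired else "missed"
        else:
            results[name] = "false positive" if fired else "quiet"
    return results


if __name__ == "__main__":
    for name, outcome in verify_use_case(rule_large_transfer_after_hours, SCENARIOS).items():
        print(f"{name:25s} {outcome}")
```

Each "missed" or "false positive" line in the output is a finding to take into the analysis session: a missed scenario means the events were either not collected or not matched by the rule, and a false positive means the rule's conditions are looser than the use case intends. The same harness shape works for any other use case once its events and expected outcome are expressed as a scenario.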
Case Study: 70% of TTPs missed
Secura executed a SIEM/SOC test at a client in the public sector. They use a third party detection provider and contacted us because they had a feeling they were missing events and alerts.
Our experts executed approximately 10 high-level use cases in an interactive session, by simulating the corresponding security events and dozens of tactics, techniques, and procedures (TTPs).
In this case, our experts found that only 30% of TTPs covered by the client's use cases were actually detected, even though the related security events were registered correctly. Many critical TTPs were not detected, such as lateral movement, AD hash dumping, privilege escalation and EDR/MDR deactivation.
During analysis sessions, we were able to pinpoint and fix (many of) the issues together with the SOC team. A retest confirmed that the issues had indeed been fixed correctly. The client's detection capabilities were dramatically improved.
Contact me about SIEM / SOC Testing
Would you like to learn more about our SIEM / SOC Testing Service? Please fill out the form below, and we will contact you within one business day.
Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.
Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80.000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.