Defensive Countermeasure Guidance for Blue Teams uses insights from real attacks and current detection capabilities to improve the tactical execution of defenders.

On average, it takes between 50 and 200 days for most organizations to detect and resolve malicious attacks. Oftentimes, penetration test findings go unresolved or are closed with insufficient measures that, if addressed correctly, would have prevented many incidents. Additionally, ingesting the wrong logs into the Security Information and Event Management (SIEM) system is not only exceedingly costly but also creates a potential blind spot for detecting early indicators of compromise (IoCs), such as lateral Server Message Block (SMB) spraying and weak-credential harvesting.

TrustedSec uses insights collected from thousands of penetration tests and the latest attack research to improve deflection and deterrence activities of Blue Team defenders following a multi-step process:

Penetration Test Results Review

Defensive Countermeasure Guidance engagements use the organization’s previous penetration test results to provide defensive insight and recommendations.

Security Posture Evaluation

TrustedSec believes an organization’s security posture is best evaluated by identifying the people, processes, and technology around Detection, Deflection, and Deterrence. A holistic understanding of all three allows recommendations to be tailored to the organization.

Monitoring and Detection Guidance

By reviewing current capabilities and replaying attacks against them, TrustedSec may recommend adjustments to the SIEM to improve the organization’s defensive posture.

SIEM Ingestion Review (Optional)

TrustedSec frequently finds that clients are not ingesting impactful logs from servers and critical workstations into the SIEM. In addition, while SIEM vendors may tout the ability to monitor petabytes of data, ingesting everything can drive costs up sharply.

TrustedSec will review methods for ingesting events from high-value servers and critical assets to better identify early IoCs. The SIEM ingestion review will also help identify ways to reduce overall licensing costs while increasing ingestion of the event IDs that matter most for detection. A SIEM ingestion review can be done independently or alongside the Defensive Countermeasure Guidance, as each will improve the organization’s defensive posture.