We are a small company located in Bermuda with a team of 42 people. Specializing in reinsurance, we offer a range of reinsurance products from around the world. During a recent cybersecurity gap analysis, it became apparent that we needed to enhance our network and security monitoring capabilities beyond the capacity of our current 42-person team. Within the company, only three individuals work in the IT department, making it impractical to assign someone to security log monitoring around the clock.
To address this challenge, we have implemented Netsurion Managed XDR. This product, previously familiar to me from past professional experience, aggregates logs from our various devices including workstations, servers, switches, routers, and firewalls. These logs are then centralized on our on-premise servers, which are linked to Netsurion Managed XDR's security operations center. This center is staffed with experts who analyze the collected data, providing us with valuable insights. They promptly alert us through email, phone, and text if any unusual or critical activities are detected. These activities could range from unauthorized access attempts to anomalous Internet or firewall activities.
The system also offers weekly observation reports, categorizing activities using color codes ranging from red to green. This report covers a spectrum of information such as account lockouts and Internet activity. I have also specifically requested alerts for any usage of administrative passwords. Additionally, we engage in monthly review meetings where we assess the previous month's data, including a Power BI report that delves into trends and various monitoring aspects.
Another key service we utilize from Netsurion is their vulnerability assessment scanner. This monthly assessment involves scanning all our systems within the network to identify security vulnerabilities and needed updates. It's comparable to having a simulated penetration test, ensuring our systems are robust against potential threats. The resulting report provides valuable insights into our security posture.
In essence, Netsurion Managed XDR fills the crucial role of network and security monitoring that our internal team cannot handle alone. It's akin to having a dedicated 24/7 security team constantly scrutinizing our network for threats. The system not only detects immediate issues but also assists us in enhancing our security measures for the long term. For instance, based on their recommendations, we have successfully blocked requests originating from certain countries, such as the Russian Federation, China, North Korea, and Iraq. This proactive measure has significantly reduced the unnecessary traffic targeting our network.
Our experience with Netsurion's services has been exceptional. Their expertise and support are of the highest quality. As I had worked with them at a previous company, I sought them out again for our current needs. Particularly for a smaller company lacking a dedicated security team, this solution has proven to be one of the most effective ways to bolster our cybersecurity defenses. Their capabilities align perfectly with our requirements, and their professionalism makes them an ideal partner in safeguarding our digital environment.
One of the primary benefits of using Netsurion for our organization is that, due to a mandate from our regulator, we are required to have robust monitoring platforms in place. We now possess our own monitoring platforms, which allow me to oversee various aspects. Moreover, we have implemented a 24/7 monitoring platform, ensuring complete compliance with regulatory standards.
Netsurion offers a flexible solution that assists us in safeguarding our entire IT environment. This has significantly enhanced its robustness over time because they have been able to identify trends. Subsequently, we can adjust settings. Initially, when we implemented the product, we noticed more issues that, with time, would turn red or become more critical. These included instances where certain activities were not being blocked or when excessive permissions were granted to users in terms of access rights and similar matters. By analyzing trends over time, we have been able to refine the network, thereby achieving a higher level of overall security based on the insights provided by their monitoring.
The way the SOC service operates is by providing us with a dedicated team. This team usually consists of around four to five individuals participating in monthly calls. Essentially, this team, which is assigned to various companies, including ours, remains consistent. The individuals we interact with are familiar with our environment, and over time, we establish a rapport with them. Their contributions are highly valuable. It's akin to having a specialized team solely dedicated to handling our security concerns. Unlike a situation where we would interact with random support personnel for each inquiry or ticket, these individuals possess a deep understanding of our company as they consistently work with us. This arrangement eliminates the need to repeatedly transfer knowledge. They are well-versed in our history, the current state of our environment, and the specifics of our network. This setup operates 24/7, ensuring that meetings and communications align with my schedule. Furthermore, we receive updates even outside of regular working hours. This SOC service is available to us, and in my opinion, it's an excellent setup. The continuity of interacting with the same group of professionals allows us to establish relationships, not only with the individuals themselves but also with the company as a whole. This dynamic significantly enhances the trust we place in their services.
The SOC handles alert monitoring and threat hunting extremely well.
Reducing false positives is a crucial aspect of the tuning process we engage in. At the outset, we receive alerts for all activities, treating everything as a potential issue. However, we gradually refine this approach. For instance, we develop custom applications for our company. In collaboration with Netsurion, we've integrated their system to whitelist specific processes associated with our proprietary applications. To Netsurion, some of these processes might seem suspicious, such as activities involving the SQL database, potentially appearing as hacker activity. Nevertheless, this is not the case, and these actions should be permitted since they originate from our authorized service. It's highly beneficial to maintain this collaborative relationship. This allows us to fine-tune our system, minimizing the occurrence of false positives.
The SOC plays a crucial role in incident response. When issues arise, they are promptly prioritized. We have a specific prioritization process that feeds directly into our service desk. This enables us to initiate our incident response testing promptly. Additionally, the SOC identifies other potential concerns. For instance, we are currently investigating a situation involving suspicious DNS queries originating from specific IP addresses. Presently, we are actively examining this issue. While it appears suspicious at the moment, it has not been confirmed as an exploit or an actual event. Our standard procedure involves thoroughly investigating the matter and documenting all actions taken. Any actions we take become part of our response protocol. If the situation warrants, it might be escalated to the IT committee. Regardless, all actions and findings are meticulously logged in our service desk for future reference.
I appreciate that the SOC handles platform management. It's pleasant not to be directly involved with managing the tools themselves. Essentially, what we do is utilize an agent. This involves configuring an agent that is deployed universally. Additionally, they handle the configuration of syslog services and similar tasks. Apart from these aspects, they take care of everything else. They provide the server and are responsible for updates, including those related to the internet. When it comes to integrations, they've established connections with our firewalls, antivirus, and email security gateway. This facilitates the retrieval of logs and security details, which they collaborate with us on. I'm relieved that I don't have to concern myself with updating their software. In our monthly meetings, they discuss new exploits they've come across, often with amusing names like "monkey dine," and their efforts to identify telltale traces of potential threats within systems. This proactive approach is commendable. Their management of these aspects allows us to concentrate on using the platform.

For me, it's comparable to owning a car. When I buy a car, I can operate it, but I don't need to understand its engine intricacies. In the same manner, Netsurion Managed XDR has been a boon for us. It has consistently proven beneficial across the various companies I've worked with. Unlike setting up our own monitoring systems, which can be time-consuming, Netsurion Managed XDR's implementation is relatively swift. While there's an initial learning curve, within a few months, the value becomes evident. The insights provided are exceptional. Certain reports are even presented to the IT committee I report to, serving oversight purposes. These reports are also instrumental for compliance and audits. Netsurion Managed XDR is a third-party solution, impartial in its reporting. They provide compliance reports alongside their software tools.
From my perspective, it's one of the essential tools. Over the course of my professional experience, there are a handful of products and services that I've found indispensable, and Netsurion Managed XDR is one of them. I used Netsurion Managed XDR at my previous company, which was a relatively larger company.
The SOC has enabled us to fully concentrate on everything else that we need to do. Knowing that the segment, the monitoring, the event tracking, and the alerting are taken care of by someone else gives us the confidence that if something happens, we will be notified. This allows us to focus on tasks that are more aligned with our experience and the size of our IT department. If an issue arises and it's critical, I will receive prompt notification. If it's not critical, I will receive an email from them the following day, or it will be included in an observation report. It will definitely be discussed in the monthly review meeting.
If we didn't have Netsurion Managed XDR, I would be looking at logs, and we'd be relying on antivirus and our own monitoring to see if something was untoward. We just wouldn't have the insight and visibility we have now. And I didn't have it before. We had monitoring, but nothing as in-depth as we have with Netsurion. So has it decreased the amount of time we spend on it? I would say it would have if we'd been able to do some of the stuff that they do, but we really couldn't do it. We didn't have the time. We didn't have the tools to do it. For us, it's been a total value add in terms of the capability, rather than the time saved because we were unable to do the tasks before.