Over 1,100 alerts per week. Dozens of Critical Severity alerts triggering every day. A security team of fewer than a handful of people. No automation. Where would you start?
The RapDev Managed Security team is full of experts in wrangling loud environments and making Datadog security operations effective. So where did we start?
Suppressions
Alert suppressions can be an easy way of reducing noise. RapDev Security Analysts are adept at finding activity patterns and assessing their impact, like an admin logging into a system on a predictable cadence and running a specific PowerShell script. That’s clutter. But what if a new user logs in during the same time and runs a different PowerShell script? That stands out, and we should retain visibility of that event. Striking the balance between a suppression that is too specific and one that is too broad is key. RapDev’s focus in this first phase of wrangling an out-of-control SIEM is finding the 75-80% solution for measurable impact. There is no sense in sprinting for perfection. Security is a marathon, not a sprint! Our client went from nearly two dozen Critical and high-severity alerts a day to under 5. No more constant fire drills, no more messaging channels lit up in red. But then what?
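As an added illustration of the balance described above (this is not RapDev's or Datadog's code; the account names, script name, host and maintenance window are constructed), a small Python check that compares a too-broad suppression against a scoped one over sample PowerShell execution events and confirms which events each one would hide:

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, List


@dataclass(frozen=True)
class PowerShellEvent:
    """One PowerShell execution event as a SIEM might normalise it (constructed)."""
    timestamp: datetime
    user: str
    host: str
    script: str


# Assumed pattern: a service admin runs one maintenance script nightly at ~02:00.
KNOWN_ADMIN = "svc-backup-admin"
KNOWN_SCRIPT = "Backup-Rotate.ps1"
WINDOW_START, WINDOW_END = time(2, 0), time(2, 15)


def in_window(ts: datetime) -> bool:
    """True when the event falls inside the expected maintenance window."""
    return WINDOW_START <= ts.time() <= WINDOW_END


def too_broad(event: PowerShellEvent) -> bool:
    """Suppresses every PowerShell run in the window: quiet, but it also hides
    a new user running a different script at the same time."""
    return in_window(event.timestamp)


def scoped(event: PowerShellEvent) -> bool:
    """Suppresses only the known admin running the known script in the window;
    anything else (new user, new script, same admin at an odd hour) still surfaces."""
    return (in_window(event.timestamp)
            and event.user == KNOWN_ADMIN
            and event.script == KNOWN_SCRIPT)


def surviving_alerts(events: List[PowerShellEvent],
                     suppression: Callable[[PowerShellEvent], bool]) -> List[PowerShellEvent]:
    """Dry-run a suppression rule: return the events that would still alert."""
    return [e for e in events if not suppression(e)]


# Constructed sample events, not from any real environment.
SAMPLE_EVENTS = [
    PowerShellEvent(datetime(2024, 5, 6, 2, 3), KNOWN_ADMIN, "fs01", KNOWN_SCRIPT),
    PowerShellEvent(datetime(2024, 5, 7, 2, 4), KNOWN_ADMIN, "fs01", KNOWN_SCRIPT),
    PowerShellEvent(datetime(2024, 5, 7, 2, 6), "jdoe", "fs01", "Invoke-Unknown.ps1"),  # new user, new script
    PowerShellEvent(datetime(2024, 5, 7, 14, 0), KNOWN_ADMIN, "fs01", KNOWN_SCRIPT),   # admin outside cadence
]
```

Running both rules over the same sample set before enabling one in the SIEM is the cheap way to see what a proposed suppression would blind you to.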
Dashboards and Reports
There is plenty of data that is security relevant but does not need to trigger alerts. A user blocked from logging into Discord is a good example. Policy infringements are certainly relevant to monitor and track, but if someone is automatically blocked from accessing their Discord account on an issued computer, do you need an alert for that? No. You need to be able to track and visualize that data over time. Cue the RapDev Security Team’s next step: leveraging Dashboards and Reports.
First, we built custom dashboards for tracking policy-related infringements, EDR efficacy rates, and risky user behaviors. Then we scheduled a monthly report for our client’s Security Team Lead and a quarterly report for upper-level management. We also advised our client on how to use the reports’ information, like phishing email training or Acceptable Use Policy refreshers.
Another step in the right direction! Fewer alerts to take up bandwidth. But RapDev was not done just yet. Datadog has more to offer for effective security monitoring.
Monitors
Log Monitors are a great capability to leverage. Pairing Log Monitors with Workflow Automations retains the action-oriented approach that Security teams desire while bringing in an Analyst only when necessary. Take, for example, a user being granted admin privileges. RapDev built a Log Monitor to watch for the appropriate log, which kicks off an attached Workflow. Within the client’s messaging platform, this Workflow asks the Security Team a series of questions, starting with “Is the user who granted the permissions supposed to do this?” If yes, the Workflow asks the user themselves whether they took these actions. If they did, the event needs no escalation. If at any point a client representative chooses the “No, this is not expected” path, the Workflow opens a Case and populates the related data. RapDev is keenly aware of how little time there is in a day to monitor an entire enterprise. This kind of approach alleviated significant pressure from both RapDev’s triaging analysts and our client’s Security Team.
Before RapDev, 1,178 alerts in a week. Now, with RapDev Managed Security Services, just 360. A nearly 70% reduction in noise and false positives.
Not everything needs to be an alert, and Datadog has a wide breadth of features available to savvy users. Using them effectively can ease the burdens of over-stretched SOCs. Luckily, RapDev is brimming with both Datadog talent and security expertise. Everything we do is for the betterment of our clients! If you want to maximize your use of Datadog’s security modules, contact us today about our Managed Security offerings.