The requirements already noted by the client are taken into account in the planning phase. The service presented (use of SIEMaaS) is accepted by the client and the contract for contractual processing (see appendix) is concluded. The points of contact, their responsibilities and availability (telephone numbers, email addresses, etc.) are established. The required measures (informing the points of contact, taking action on site, etc.) are then set out. Suitable data interfaces are required to record monitoring data and for its technical implementation; we help design and implement these.
On the basis of this contract between the client and contractor, the client is switched to SIEMaaS for the contractual period. The sensors are then installed and commissioned. The sensors are connected to the SIEMaaS via a VPN connection provided by the contractor (SIEMaaS-Connect). The functioning of and load on all sensors and connections used are actively monitored by the contractor. The sensor and VPN solution is configured and maintained by the contractor. The required sensor technology (hardware or virtual solution) is provided to the contractor within the framework and for the duration of the service agreement for the intended use. The client is obliged to keep the required sensor technology in proper usable condition, taking into account the contractor’s instructions, and to ensure that no damage to and/or failure of hardware and software occurs as a result of actions and/or omissions by the client or its subcontractors. The client is not entitled to make changes to the sensor technology and may not grant third parties any rights to it. When the SIEMaaS contract is terminated, the sensor technology must be returned to the contractor in full.
The sensors’ learning phase is set to run for one month. The detailed data from this period is treated and evaluated separately. This period may be extended to up to 90 days in coordination with the client, depending on the sensor or network configuration. This makes it possible to minimise ‘false alarms’, which can never be completely ruled out. The SIEMaaS team also obtains important real-time information on the client’s ‘normal’ day-to-day operations, which is especially important for identifying attack scenarios.
When the learning phase is complete, the contractor monitors the infrastructure agreed with the client as part of SIEMaaS, using the installed sensors and analysing incident data (‘monitoring’). The combination of automatic detection using smart software tools and expert knowledge enables a range of potential attack situations to be detected ultra-fast.