The situation
When we first engaged with this client, we quickly identified significant health issues with their enterprise security platform (Splunk). Searches were running for long periods, scheduled searches were being skipped, and they were regularly hitting quota limits, yet the client was initially unaware of any of this. Further investigation revealed compliance gaps, including difficulty meeting certain standards and legal requirements.
Some of their existing security measures were also not fit for purpose: the client believed they were working as intended, but in practice they were not delivering the expected results. Compounding this, they had neither a risk register nor a defined operational model, which left them uncertain about their own security landscape and unprepared for an emergency.
The client was also working with a third-party security operations centre (SOC) team, but there was little clarity on the value that team was providing, on the SLAs in place, or on the shared operational model between the two parties.
Engagement Objectives
- Complete a Risk Modelling Exercise with the client: run the exercise together so that the client can repeat it themselves as needed.
- Stabilise the Enterprise Security Platform: correct every health issue flagged by Splunk and by our Operate service, bringing each from red back to green.
- Test and document all Detective Use Cases (DUCs): produce a register of every DUC together with the end-to-end testing performed to confirm it fires as expected and is fit for purpose, and disable those that are not, saving the client resources and money.
- Onboard Missing Data Feeds to empower Detections: onboard the data feeds identified during the DUC review and the risk modelling exercise, and map each feed to the detections and risks that depend on it.
- Assist in creating an Operational Model: host a workshop that gives the client hands-on experience in building their own operating model.
Apto’s Approach
One of our first steps was a discovery exercise. A key part of this was understanding the client's existing use cases and identifying which risks needed to be mitigated and which needed to be detected. To achieve this we ran a series of workshops to assess their assets, determine their monitoring requirements and establish what measures could be put in place to improve their security visibility. We also worked to clarify the shared responsibilities between the client and their third-party SOC.
One of the main challenges was resistance from the third-party team and their reluctance to engage, which made it difficult to gain full buy-in from all stakeholders; this is a common scenario with outsourced SOCs. Another critical element was deciding which security frameworks the client wanted to align with. We collaborated with them to narrow this down to three (two best-practice, one regulatory) and provided guidance on how to justify and implement them effectively, including the operational controls each requires.
In the design phase we used the insights from discovery to develop new detections, closing the key gaps and extending their coverage. The workshops also showed how to refine the detection process and equipped the client to produce the necessary documentation themselves.
Finally, during the deployment phase we tested everything we implemented end to end. This included validating every use case, diagram and model to confirm it behaved as intended. We deliberately tested edge cases that could trigger errors or cause issues (for example, a data feed that stops arriving or a field that is absent from a subset of events) so that the resulting system was robust and fit for purpose.
Outcomes
As a result of this engagement, we successfully stabilised all existing issues, bringing their system health status to green across the board. We provided them with a comprehensive overview of their framework coverage, highlighting any gaps that might require future attention. Additionally, we outlined the legal requirements they were now meeting and provided clear guidance on the next steps for those they still needed to address.
We established an ongoing risk management process, helping them define several key risks during our time with them. While it wasn’t feasible to cover every potential risk within the timeframe, we equipped them with the necessary tools and documentation to continue the process independently.
To further support their compliance efforts, we developed a series of bespoke dashboards, making it significantly easier for them to investigate key compliance elements (such as vulnerabilities) which had previously been a long-winded and inefficient process.
Business Impact
Cost Control
One of the key impacts of this engagement was optimising the client's use of their Splunk platform and making it far more cost-effective. Initially the system was overloaded, so scheduled searches were frequently skipped, while at the same time the client was paying a high licence fee for ingestion. A skipped scheduled search is a detection that silently did not run, so this was a coverage problem as much as a cost one. By working with them to reduce ingestion (and therefore licence cost), we not only saved money on future renewals but also freed search resources and improved the platform's usability.
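The two checks we used to quantify the problem above are worth showing. These are added example searches, not the client's searches or a specific output of the engagement; they use only Splunk's own internal logs (the scheduler log in `_internal` and the `LicenseUsage` component of `splunkd.log`), so they run on any Splunk deployment without custom apps. The 7-day window and the index name `_internal` are assumptions about a typical environment.

```spl
| comment "Check 1: which scheduled searches are being skipped, and why.
  Splunk's scheduler writes one event per scheduled run with status=success,
  skipped, continued or delegated_remote. A high skipped count for a
  savedsearch that backs a detection means that detection is not firing."
index=_internal sourcetype=scheduler status=skipped earliest=-7d
| stats count AS skipped_runs, values(reason) AS reasons
        BY app, user, savedsearch_name
| sort - skipped_runs

| comment "Check 2: where the licence is actually going.
  The LicenseUsage component logs bytes ingested (field b) per index (idx),
  sourcetype (st), source (s) and host (h). Summing by sourcetype shows which
  feeds cost the most and are candidates for filtering or reduced retention."
index=_internal sourcetype=splunkd component=LicenseUsage type=Usage earliest=-7d
| eval gb=b/1024/1024/1024
| stats sum(gb) AS gb_ingested BY st, idx
| sort - gb_ingested
```

Run the two searches separately (the `| comment` lines are Splunk's built-in no-op command and can be deleted). Cross-referencing Check 1 against the DUC register identifies detections that were believed to be live but were not running; Check 2 ranks the sourcetypes to review for ingestion reduction, which directly lowers the figure the licence renewal is priced on.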
Ownership of Risk and Compliance
We also provided the client with a much clearer view of their overall compliance. When we arrived, they were attempting to align with five or six different frameworks, which created unnecessary complexity. We helped them refine their focus to just three, ensuring alignment across all levels of the organization, from the security team to the C-suite, so everyone was on the same page regarding what needed to be done to achieve full compliance.
Another major impact was establishing a comprehensive risk management process. Beyond just implementing the process, we ensured they understood its purpose and knew how to maintain and evolve it over time, providing them with long-term security and compliance benefits.
Operational Model – Effectiveness / Efficiency
Establishing an operational model was key for the client: it defines the stakeholders, the platform, and who is responsible for what. Without those definitions the day-to-day operation of the detection platform was at risk, and there was no clear accountability for critical systems.
Through a series of workshops we scoped the operating model, broke it into bite-sized areas (team, service/product, process), worked through each in turn and repeated the cycle until the overall model was complete. The result is a fully scoped SIEM/detection operational model that covers all operational processes and procedures and makes each stakeholder's responsibilities clear.
Overall
Complemented by our Operate service, the client now runs a fully functioning hybrid model: they own their risk and security posture, while platform management and monitoring are supported by us. They also have an operational model that will serve both their current SOC arrangement and any future one. The overall result is peace of mind for the client, with detection coverage tailored to the risks they identified themselves and underpinned by best-practice and regulatory frameworks.
See how we can build your digital capability,
call us on +44(0)845 226 3351 or send us an email…