Netsurion Primary Use Case

John-Berry - PeerSpot reviewer
Information Technology Manager at ProfitSolv

We use Netsurion as our security operation center and also as a SIEM to put together all of our telemetry from various systems and to notify us when we have security events.

View full review »
Kevin Lohan - PeerSpot reviewer
Head of IT at a venture capital & private equity firm with 11-50 employees

We are a small company located in Bermuda with a team of 42 people. Specializing in reinsurance, we offer a range of reinsurance products from around the world. During a recent cybersecurity gap analysis, it became apparent that we needed to enhance our network and security monitoring capabilities beyond the capacity of our current 42-person team. Within the company, only three individuals work in the IT department, making it impractical to assign someone to security log monitoring around the clock.

To address this challenge, we have implemented Netsurion Managed XDR. This product, previously familiar to me from past professional experience, aggregates logs from our various devices including workstations, servers, switches, routers, and firewalls. These logs are then centralized on our on-premise servers, which are linked to Netsurion Managed XDR's security operations center. This center is staffed with experts who analyze the collected data, providing us with valuable insights. They promptly alert us through email, phone, and text if any unusual or critical activities are detected. These activities could range from unauthorized access attempts to anomalous Internet or firewall activities.

The system also offers weekly observation reports, categorizing activities using color codes ranging from red to green. This report covers a spectrum of information such as account lockouts and Internet activity. I have also specifically requested alerts for any usage of administrative passwords. Additionally, we engage in monthly review meetings where we assess the previous month's data, including a Power BI report that delves into trends and various monitoring aspects.

Another key service we utilize from Netsurion is their vulnerability assessment scanner. This monthly assessment involves scanning all our systems within the network to identify security vulnerabilities and needed updates. It's comparable to having a simulated penetration test, ensuring our systems are robust against potential threats. The resulting report provides valuable insights into our security posture.

In essence, Netsurion Managed XDR fills the crucial role of network and security monitoring that our internal team cannot handle alone. It's akin to having a dedicated 24/7 security team constantly scrutinizing our network for threats. The system not only detects immediate issues but also assists us in enhancing our security measures for the long term. For instance, based on their recommendations, we have successfully blocked requests originating from certain countries, such as the Russian Federation, China, North Korea, and Iraq. This proactive measure has significantly reduced the unnecessary traffic targeting our network.

Our experience with Netsurion's services has been exceptional. Their expertise and support are of the highest quality. As I had worked with them at a previous company, I sought them out again for our current needs. Particularly for a smaller company lacking a dedicated security team, this solution has proven to be one of the most effective ways to bolster our cybersecurity defenses. Their capabilities align perfectly with our requirements, and their professionalism makes them an ideal partner in safeguarding our digital environment.

View full review »
JD
Manager of Security and Networking at Shenandoah Valley Electric Cooperative

Our IT department has limited time and resources. We are unable to create our own SOC; therefore, Netsurion has helped us accomplish more security initiatives and monitors our environment.

View full review »
Buyer's Guide
Netsurion
April 2024
Learn what your peers think about Netsurion. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,740 professionals have used our research since 2012.
JW
Cyber Security Specialist at a financial services firm with 11-50 employees

I manage 13 companies that have 300 to 400 companies underneath them altogether. We're a private equity company, so we manage one company, and they control 10 to 20 companies themselves. Our operations are decentralized, so there aren't many existing products suitable for our use cases.

When we initially deployed, Netsurion didn't seem like a particularly robust solution. We had the reporting, and if I told them to look for something specific, they could look for it and report on it. We haven't given them anything outside of the box to look at. It tells us everything that you see. We haven't whittled it down to specific events yet.

Netsurion is on the endpoints. You install it, and it speaks to a web server. We have it on workstations and servers on AWS, Google Cloud Platform, Azure, and everything else. We're using it as a decentralized SIEM product, and it's one of the only ones out there. We use Netsurion for things like log forwarding, and we deploy it on every workstation. It's a manual process. There is an installed agent, and as long as it has internet connectivity, it goes and talks to the centralized server, and Netsurion's SOC monitors the logs for all those devices.

Because we don't have a centralized enterprise network, there are a lot of different companies involved, and they could be anywhere. They could be working from home, or there could be several employees in a coworking space. The Netsurion agent has to be installed on every endpoint and allowed to communicate directly to the internet.

View full review »
RC
VP of IT Systems at Carteret-Craven Electric Cooperative

Our main concern is IT security. We are looking at it from a point of view of making sure that we are fully PCI compliant. PCI is the compliance driver for us above all others. The log management, event management, and managed services are all fairly pricey services for a small business like us, but we felt the need to be able to take all the logging traffic that we are storing, then make some sense out of it. We needed someone with that expertise because we don't have a dedicated, trained security professional in our organization or in our small group. We turned to Netsurion for that service and have been happy with it.

View full review »
RT
Network Manager at an energy/utilities company with 51-200 employees

We were struggling at the event level, like a lot of people do, in terms of centralized event management and notifications. We just did not have a single pane of glass where we could see events, potential issues, all on a fine thread of a timeline to compare across our enterprise. We needed to know: Is there anything else going on at the same time?

We use it extensively. Every product that we have on our network is tied into it. That's been huge for us. The thought process was, "If we're going to put it in place, we want every endpoint out there to be cycling through logs or have syslogs pulled into EventTracker." Otherwise, it just didn't make sense. We wanted to have eyes on every device out there.

View full review »
JosephSnyder - PeerSpot reviewer
CIO at a financial services firm with 201-500 employees

I use it for security events and incident management. It's a fantastic product. Netsurion Managed XDR is a really good product. It is hosted, and they do a lot of the analysis. They get great reporting. It covers all my highly valuable assets and offers a really low impact on my systems. I check a regulatory box as well as a cybersecurity box, so it covers a lot of bases for us.

View full review »
BS
IT Director at Global Connections Inc

We use Netsurion to find out what's going on in our environment. It lets us know if we have strange actions acting out. It's a deny-all policy, so there's an access list on each machine. It was effortless to tune it for our software because we have four pieces of intellectual property used in-house, and that was super easy to get up and running compared to some of the other solutions I've seen. For the most part, it's set-it-and-forget-it protection.

View full review »
JB
Chief Information Security Officer at Samford University

We use it for real-time alerts for things like domain admins being added. And we have the managed services provide weekly reports for us for VPN logins, after-hours logins and several other similar alerts.

And of course, at any time I can do individual investigations and searches on interesting traffic that might be reported to me by Netsurion or that we find on our own.

View full review »
JH
Director of Application Development and Architecture at South Central Power Company

It's a system incident and event management platform. The typical use cases that go along with that are alerting and syslog aggregation.

View full review »
JY
Sr. Information Technology Security Engineer at a university with 1,001-5,000 employees

We are using it to centralize all of our logs and have alerting on security issues.

We primarily import Windows systems and Windows Server logs (2012 and 2016). We also import Cisco ASA logs, then Cisco router and switch logs. The import works well.

View full review »
BB
CIO at a computer software company with 501-1,000 employees

We use Netsurion as a managed SOC provider for them to be able to do visibility scanning on all of the devices within our network and to look through the log events that we have coming out of the devices and SaaS products that we have. They are looking at the logins through Microsoft Azure and Google Workspace, aggregating all that, and doing some investigative work to see if there are any incidents where there might be a possible malicious activity or any possible intrusions into the network. If there are any problems or issues that may occur and if they do find things, they are able to notify our team of those things or those findings that may be a problem for us. They send us an email to let us know what to look into and how to remediate things. That is how we have been using them.

View full review »
RE
Network Administrator at a construction company with 501-1,000 employees

Since we can't have 24/7 operations for our SOC, we hire out for that and have it as a managed service. This makes much more sense and allows us to focus on the day-to-day activities of the company.

View full review »
ML
Chief Information Officer at ECRMC

EventTracker analyzes all of the different types of security events; it both aggregates and correlates. They send us a daily report of things like servers that aren't responding that normally respond and any kind of events that they see from the day before. If there is a serious perceived security event, they will call. I have two folks at InfoSec, so they will call directly and say, "Hey, we're seeing something here." Then between the two of them, they'll try and identify whether it is a true event or not, and then monthly, we sit down with them on a call where we talk about what's going on and if there are opportunities for improvement.

If there was an event that we felt they shouldn't have escalated to us, then we'll let them know and we'll talk about how it could have been avoided, or vice versa, if there was an event that wasn't escalated to us but should have been. We don't get a lot of those; mostly it's about, "Hey, we're adding this new device, we want to make sure it's on the list, so it's getting monitored," and things like that.

View full review »
MO
Senior Director, Information Security at a pharma/biotech company with 1,001-5,000 employees

We use it for logging all of our Active Directory activities, including authentication, alterations, and modifications to the AD controls and privileges. We use it for events coming off of both the servers and the desktops. And we also roll in the logs from our various security controls and devices, such as our antivirus tools, backup service, firewalls, the IPS, etc. Those are all rolled back into the EventTracker system. The goal is to eventually start taking advantage of the ability of EventTracker to correlate activity and alert on something that looks a bit unusual that we should then pay attention to.

We get a daily report that they've built, which summarizes all of the activity across all of those areas, on a daily basis for us. The types of log data we import into it include firewalls, server event logs, user workstation event logs, all of the Active Directory activity and authentications, and all of our antivirus logs and our patching service logs.

It's in the cloud. We use their console and we take advantage of their storage. We have them manage our logs and our archivals.

View full review »
DW
Network Engineer at a wholesaler/distributor with 201-500 employees

It's a managed SIEM. It collects our log information, events from different systems. That information gets analyzed to alert us to any problems that are typically security-related issues. We use that database to do our own research as well. For instance, it's handy for figuring out why somebody keeps getting locked out.

View full review »
RT
Senior Director of Information Security at a healthcare company with 5,001-10,000 employees

We use Netsurion to meet our HIPAA and PCI compliance requirements and to implement best security practices. Before we implemented Netsurion, our company had no visibility into the environment. We use it to alert us about unusual processes that may be executed. After an investigation, we whitelist or blacklist those processes. It also helps us manage our asset inventory and respond to threats as they arrive.

View full review »
AY
Lead Security Analyst at a leisure / travel company with 1,001-5,000 employees

We use it for security incident and event management, and we use Netsurion's hosted SOC service, meaning their SOC team also assesses our events.

The solution is on-premises. We have the agent running on our Windows systems, and we have the Linux systems pumping the syslog data to the Netsurion server.

View full review »
BC
Chief Technology Officer at G&G Outfitters, Inc.

The primary use case is SIEM vulnerability and IDS.

View full review »
GF
Information Technology Coordinator at Magnolia Bank, Incorporated

We use it to monitor our firewall logs for all of our locations, all of our network logs, and alerts. We also monitor any new users added to the network or who are locked out, any new installs or uninstalls of applications on servers. And we have reports generated for any types of processes or hashes that have been run on computers or servers.

View full review »
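Two of the reviews above (Samford University on real-time alerts for domain admins being added, Magnolia Bank on alerting for new users and account lockouts) describe the kind of rules a SIEM or managed SOC runs over Windows Security logs. The following is an added illustration, not code from Netsurion or from any reviewer: it parses a constructed batch of forwarded Windows Security events (JSON lines; the field names are an assumption of this example) and raises alerts for additions to privileged groups (event IDs 4728/4732/4756), new user accounts (4720) and repeated lockouts of one account (4740), then rolls the alerts into the kind of daily summary the reviewers mention.

```python
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample of forwarded Windows Security events as JSON lines.
# Hosts, account names and field names are invented for this example; one
# line is deliberately malformed to show that the parser skips it.
SAMPLE_EVENTS = r"""
{"time":"2024-04-02T09:14:05Z","host":"DC01","event_id":4720,"subject":"CORP\\helpdesk1","target":"CORP\\jdoe"}
{"time":"2024-04-02T09:15:10Z","host":"DC01","event_id":4728,"subject":"CORP\\helpdesk1","target":"CORP\\jdoe","group":"Domain Admins"}
{"time":"2024-04-02T09:20:00Z","host":"DC01","event_id":4728,"subject":"CORP\\hr-admin","target":"CORP\\asmith","group":"HR Staff"}
{"time":"2024-04-02T10:01:00Z","host":"DC01","event_id":4740,"subject":"","target":"CORP\\bjones"}
not json at all {
{"time":"2024-04-02T10:02:30Z","host":"DC01","event_id":4740,"subject":"","target":"CORP\\bjones"}
{"time":"2024-04-02T10:03:45Z","host":"DC01","event_id":4740,"subject":"","target":"CORP\\bjones"}
{"time":"2024-04-02T10:04:00Z","host":"DC01","event_id":4740,"subject":"","target":"CORP\\cwu"}
{"time":"2024-04-02T10:05:00Z","host":"WS07","event_id":4732,"subject":"WS07\\localadmin","target":"CORP\\jdoe","group":"Administrators"}
"""

# Groups whose membership changes should always page someone. The list is a
# starting point; a real deployment would extend it with its own tiered groups.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global / local / universal group
USER_CREATED_EVENT = 4720
LOCKOUT_EVENT = 4740
LOCKOUT_THRESHOLD = 3                   # lockouts per account per batch before alerting


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    time: str
    detail: str


def parse_events(text):
    """Parse JSON-lines input, skipping blank and malformed lines instead of failing the batch."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events):
    """Apply the three rules to a batch of events and return alerts in stream order."""
    alerts = []
    lockouts = Counter()
    for ev in events:
        eid = ev.get("event_id")
        if eid in GROUP_ADD_EVENTS:
            group = ev.get("group", "")
            if group.lower() in PRIVILEGED_GROUPS:
                alerts.append(Alert("high", "privileged-group-add", ev["time"],
                                    f"{ev['subject']} added {ev['target']} to {group} on {ev['host']}"))
        elif eid == USER_CREATED_EVENT:
            alerts.append(Alert("medium", "user-created", ev["time"],
                                f"{ev['subject']} created {ev['target']} on {ev['host']}"))
        elif eid == LOCKOUT_EVENT:
            lockouts[ev["target"]] += 1
    # Lockouts are aggregated per account so one noisy account yields one alert.
    for account, count in lockouts.items():
        if count >= LOCKOUT_THRESHOLD:
            alerts.append(Alert("medium", "repeated-lockout", "",
                                f"{account} locked out {count} times in this batch"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, the shape of a daily summary report."""
    return Counter(a.rule for a in alerts)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"[{a.severity}] {a.rule}: {a.detail}")
    print(dict(summarize(found)))
```

The HR Staff addition is parsed but not alerted, and the single lockout of the second account stays below the threshold; only the two privileged-group additions, the account creation and the three-lockout account surface, which is the sort of whittling down from "everything you see" to specific events that another reviewer above describes.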
SS
Information Technology - Business Process Analyst at a financial services firm with 51-200 employees

We're getting some daily reports out of it for different systems regarding passwords expiring, accounts locked out, and a number of events in different categories. We're probably not using it to its fullest potential.

We import log data into the solution from Windows Servers and switch logs from the Cisco switches. Those are the main things that we feed into the system. We don't have any Linux or any other external systems that we feed into it.

View full review »
ML
Assistant LAN Administrator at a non-profit with 10,001+ employees

We use it for Windows event logs, disk space, and other alerts.

View full review »
AW
Consulting Engineer at a tech vendor with 10,001+ employees

We are using it for audit compliance, because when we have audits, we are required to have a central event log storage location. If we need to do a search for user lockouts, we can go, search, and find locations where they have been locked out, then keep track of those events historically.

View full review »