Onboarding
Introduction
The onboarding of Wortell Managed Detection and Response is divided into two phases. In the first phase, the environment is prepared for Wortell Managed Detection and Response. In the second phase, the environment is connected to the Wortell cyber security center.
Prepare Environment
In the “Prepare Environment” phase, the environment is prepared for Managed Detection and Response. To deliver the MDR service, some controls need to be in place. These controls allow MDR security engineers to investigate and respond to alerts and incidents.
The “Prepare Environment” phase is executed by an onboarding team and security consultants.
Validate Offer
A security expert will quickly investigate whether the offering corresponds with the customer's requirements and expectations.
Assessment
Wortell will execute a security maturity assessment. This assessment is used for a gap analysis between the security measures that are currently in place and the product requirements of Wortell Managed Detection and Response. A brief of this assessment will be created.
Determine Implementation Actions
Based on the gap analysis done as part of the assessment, an implementation plan will be created. As part of this implementation plan, the implementation actions will be determined.
Examples of implementation actions:
- Multi-factor authentication needs to be enabled
- Defender for Endpoint needs to be deployed and configured
Implementation actions can be executed by Wortell or by the customer itself. Wortell has predefined and standardized plans to fulfill the product requirements. When the customer chooses to let Wortell fulfill the product requirements, a security consultant will execute the implementation actions. As part of the assessment, Wortell will provide a proposal with all implementation actions and the related costs of letting Wortell execute them.
Modular Implementation
Depending on the security packages to which the customer has subscribed, one or more security products need to be configured. In this part of the “Prepare Environment” phase, the implementation of the security products takes place.
Wortell will work closely with the customer to implement the security products.
Validate Configuration
The last step of the “Prepare Environment” phase is to validate the configuration. In this step, Wortell validates the configuration of all required security products. Under normal circumstances, the environment will meet all Wortell Managed Detection and Response requirements. If all requirements are met, the next phase of the onboarding is started.
Managed Detection and Response Onboarding
After the environment has been prepared, the Managed Detection and Response onboarding phase can be started. In this phase, the customer environment is connected to the Wortell Managed Detection and Response environment.
Start MDR onboarding
The MDR onboarding starts with a kick-off. As part of this kick-off, the scope, planning and goals of the onboarding project are determined.
Setup Azure Sentinel
In this step, Azure Sentinel, the SIEM solution used for the Wortell Managed Detection and Response service, is deployed.
Connect to MDR (Vidara)
Vidara™ is a platform driven by artificial intelligence that is used to receive notifications from Microsoft security products. For example, it works with organization-specific Threat Intelligence and links attacks to known frameworks. This makes it possible to understand the behavior and follow-up steps of attackers and to prevent subsequent damage. Within Vidara, a component called Vidara DeepSight is used for incident response. It is important to have a proper connection between the Vidara platform and the customer environment.
Learning Period
During the Learning Period (burn-in), the notifications from Sentinel are sent to the Vidara platform. During that period, there is no active check at Wortell of the notifications that come in; the notifications are first closed automatically. When we see something suspicious, we do pass feedback on to the customer every few days. In this way we get to know the customer's environment and can immediately advise on improvements to implement. Only when the service is actually live do we actively monitor and respond.
Define DAP
Together with the customer, we work concretely on a process architecture. An important part of this step is the compilation of a Dossier of Agreements and Procedures (DAP), which records the responsibilities of each stakeholder and how they must fulfill them.
Schedule periodic meetings
Recurring technical meetings, introduction calls between the Wortell and customer teams, monthly reports on SOC performance, newsletters about upcoming events, updates from Microsoft and updates from Wortell will be planned. In addition to the contact between the Wortell Security team and the customer team, there is always contact between the Wortell Service Delivery Manager and the customer's contact person, as we find it very important to have contact at different levels.
Activate monitoring and Response
Once the onboarding is finished, the “Managed” phase starts. From this moment on, the Service Level Agreement is active and the monthly fee is charged. Our security engineers will start reporting, and threat hunting will start as well. With all the information forwarded to Vidara from the customer's Azure Sentinel, the continuous improvement can begin, either through machine learning or through the security engineers, to improve the service to our customers.