Cybersecurity | Kevin Rivera

SIEM

SIEM Ingestion Correlation

A SIEM centralizes logs across endpoints, identity, cloud, and network sources so security teams can search, correlate, alert, and report from one place.

Implementation approach

Plan sources: endpoints, firewall/VPN, Microsoft ecosystem (M365/Entra), cloud apps, servers, and DNS/email security.
Deploy agents/collectors: install endpoint agents (Windows/macOS/Linux) and configure syslog collectors for network devices.
Integrate cloud applications: connect via API/OAuth (audit logs, sign-ins, mailbox activity, CASB sources, etc.).
Normalize + parse: ensure fields map consistently (user, host, IP, action, status, severity) for reliable detection.
Build detections: start with high-signal rules (impossible travel, brute force, suspicious PowerShell, new admin roles).
Tune alerts: define thresholds, suppression logic, and allowlists to reduce false positives.
Dashboards + reporting: create views for identity security, endpoint activity, and compliance evidence.

Outcome: faster investigations, audit-ready logging, and consistent detection across hybrid environments.

SOAR

SOAR Orchestration Workflows

SOAR turns alerts into repeatable response workflows—enriching data, coordinating tools, and executing safe actions through approvals and playbooks.

Workflow & automation building

Trigger: SIEM/EDR alert, email/phishing report, or identity risk event.
Enrichment: query APIs for user/device context (directory, asset inventory, threat intel, known-good locations).
Decision logic: scripting + conditions (severity, confidence, asset criticality, repeated behavior).
Actions: disable account, revoke sessions/tokens, isolate endpoint, block sender/domain, open ticket, notify SOC.
Approvals: require human confirmation for disruptive steps (account disable, isolation, mailbox purge).
AI assist (optional): summarize alerts, recommend next steps, draft ticket notes—while keeping execution controlled.

Outcome: reduced time-to-triage, consistent responses, and better documentation.

EDR

EDR Alerts Dashboards

Endpoint Detection & Response provides visibility into process behavior, persistence, lateral movement, and suspicious activity on endpoints—plus the ability to contain threats.

Operational approach

Deployment: install EDR agents via MDM/RMM/GPO and validate coverage by device group.
Policies: define prevention + detection settings, exclusions (carefully), and tamper protection.
Alert handling: triage by severity, confidence, and affected asset; confirm whether activity is expected or malicious.
Dashboards: build views for top alerts, active incidents, vulnerable devices, and endpoint health/coverage.
Integrations: forward alerts to SIEM/SOAR for correlation and automation.

Outcome: better endpoint visibility and faster containment for high-impact events.

MDR

MDR 24/7 Containment

Managed Detection & Response adds 24/7 monitoring, expert triage, and guided/managed response. MDR typically layers on top of EDR + SIEM and can integrate with third-party tools.

What MDR brings to the table

24/7 monitoring: continuous alert review, escalation, and incident coordination.
Response support: recommended actions, investigation notes, and containment steps.
Containment actions: isolate devices, kill malicious processes, or block indicators—based on agreed runbooks.
Integrations: can connect with ticketing, identity providers, firewalls, email security, and SOAR tooling.
Reporting: incident summaries, trend reporting, and coverage/health metrics.

Outcome: faster response outside business hours and improved overall security operations maturity.

Email & Spam Security

Email Phishing DMARC

Email remains a primary attack vector. Layered email security reduces phishing, spoofing, and malware delivery, and improves user reporting workflows.

Controls & configuration

Authentication: enforce SPF/DKIM/DMARC alignment to reduce spoofing and improve deliverability.
Spam filter strength: tune aggressiveness, bulk thresholds, and attachment controls based on business tolerance.
Safe links/attachments: URL rewriting, attachment detonation/scanning, and blocking risky file types.
Quarantine management: configure quarantine policies and send quarantine digest emails so users can self-review safely.
Reporting: “Report Phishing” button and clear internal workflow to route submissions to the SOC/IT.

Outcome: fewer successful phishing events + better visibility and user-driven reporting.

Frameworks & Compliance

Governance Risk Audit

Frameworks provide a structured way to design controls, document evidence, and demonstrate security program maturity. Below are common frameworks and what they look like in practice.

HIPAA (Healthcare)

Focus: safeguards for PHI (administrative, physical, technical).
Examples: access controls, audit logging, encryption, unique user IDs, device management, incident response documentation.

NIST CSF / NIST 800-53

Focus: Identify / Protect / Detect / Respond / Recover; or control baselines in 800-53.
Examples: MFA, least privilege, vulnerability management, logging/monitoring, response playbooks, backup testing.

ISO 27001

Focus: building an ISMS (policies, risk assessments, continuous improvement).
Examples: risk register, control ownership, change management, supplier risk, internal audits.

PCI-DSS

Focus: protecting cardholder data environments.
Examples: segmentation, strict access controls, logging, quarterly vulnerability scans, secure configs.

SOC 2

Focus: Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy).
Examples: access reviews, monitoring, incident management, vendor management, evidence collection.

GDPR

Focus: personal data protection, lawful processing, privacy rights.
Examples: data minimization, retention policies, breach notification procedures, access requests workflows.

FedRAMP / CMMC

Focus: government/cloud security standards (FedRAMP) and defense contractor maturity (CMMC).
Examples: stronger control baselines, continuous monitoring, documented SSPs/POA&Ms, secure configurations.

Current Threat Landscape

Threats MFA Least Privilege

Common patterns seen across real-world environments today:

Credential phishing & token/session theft
Business Email Compromise (BEC) and invoice fraud
Ransomware paired with data exfiltration
Supply chain vulnerabilities and misconfigurations
Abuse of remote tools, OAuth apps, and exposed services

Baseline defenses: MFA + conditional access, endpoint hardening, logging, backups, and tested response procedures.

Security Awareness

Training Policy Culture

Strengthening human-layer defense through training, simulations, and clear reporting channels.

Program elements

Phishing simulations: targeted campaigns and trend reporting.
Role-based training: admin vs staff vs clinical/finance workflows.
Simple reporting: “Report Phishing” + clear escalation path.
Policy alignment: acceptable use, password/MFA guidance, and device security expectations.

Outcome: better reporting behavior, fewer successful social engineering attacks, and clearer security culture.