ProVision Top 10 Frequently Asked Questions (FAQs)
1) Is Foresite’s ProVision a SIEM or an MSSP?
Let’s start by defining the terms. SIEM stands for Security Information and Event Management, and a SIEM tool collects logs for the analysis of security alerts. MSSP stands for Managed Security Service Provider, a technology company that provides cybersecurity monitoring and management.
2) Can I use ProVision if I already own a SIEM or cybersecurity tool?
Yes! Our services actually complement what many of the common tools provide.
When an organization purchases a tool, hardware device, or software solution in an effort to make its network more secure, there are a number of steps that need to happen. The technology must be installed and tuned properly to be effective, and ongoing tuning is also required for many tools. In the case of SIEM tools, someone needs to determine all of the scenarios that the organization wants to be alerted to and create rules to generate these alerts. Let’s then assume that everything has been configured and rules exist to alert. Who is going to monitor 24/7 to see the alerts, and who is trained to investigate them to determine whether there is a threat, a technical issue, or just a “false alarm” that can be ignored? And if a true threat is detected, who will have the experience to know what steps to take for incident response?
3) How does ProVision differ from a SIEM tool?
First and foremost, it comes back to the additional services, expertise and experience that our human team provides. There are other important differences as well: our ticketing system and the ability to integrate it with the customer’s ticketing system; our logging and auditing that addresses compliance requirements; our pre-set business rules and knowledge base to enrich detection of suspicious behaviors; our ability to manage or co-manage firewalls; and the multi-tenancy of our portal. Customers can view the portal by location or department, and Resellers can use a single portal login with a drop-down to view individual customers, while each customer is only able to view their own portal.
4) How does the cost of ProVision compare to SIEM tools and other MSSPs?
We use fixed-cost, device-based pricing, so the most important aspect is that your pricing will not fluctuate based on bandwidth, alerts or tickets generated, firewall management requirements, business rule tuning or any other usage. ProVision does not require the up-front purchase of an expensive tool or proprietary appliance; our VisionLink log collector is a one-time license fee per location with minimal onboarding labor, as opposed to the cost of a SIEM implementation project. ProVision also includes ongoing business rule tuning via the assigned Technical Account Manager. Our pricing is extremely competitive with other MSSPs that are providing similar services, and we do offer competitive discounts.
Depending on the size and nature of the estate, ProVision often costs less than SIEM tools and also includes all the human analysis, interaction, escalation and notification plus ongoing tuning.
5) What are some of the key differentiators between ProVision and other solutions? (“How does Foresite ProVision compare to XYZ?”)
ProVision is both a SIEM-like tool for log collection and aggregation and a team of our trained security analysts, solutions architects, compliance auditors, and incident response resources. Our solution also includes our ticketing system with the ability to integrate it with other ticketing systems (ServiceNow, ConnectWise Manage, etc.); our logging and auditing that addresses compliance requirements; our pre-set business rules and knowledge base to enrich detection of suspicious behaviors; our ability to manage or co-manage firewalls; and the multi-tenancy of our portal. Customers can view the portal by location or department, and Resellers can use a single portal login with a drop-down to view individual customers, while each customer is only able to view their own portal.
Taking advantage of a multi-tenant platform that services multiple customers enables you to capitalize on everything that is being seen across the entire base, not just the specific traffic on your infrastructure. For example, if a threat is seen on another account, it can be mitigated across all customers quickly and efficiently.
6) What are the technical requirements to run ProVision?
Unless logging for the in-scope technologies is centralized, a VisionLink log collector needs to be installed at each location. The VisionLink download requires a virtual or physical server with minimum specs of 500 GB HDD, quad-core CPU, and 4 GB RAM. The rest of the service runs in the Foresite cloud.
7) How long are logs retained with ProVision?
Logs are stored locally on the VisionLink log collector for 90 days, and in the ProVision SOC cloud for 1 year by default. Log retention can be customized for longer retention on client-provided at no additional cost, or in the ProVision cloud archives for an additional storage fee.
8) Does Foresite collect sensitive data from our environment?
The log data collected via VisionLink is normalized and aggregated locally before being sent into our portal. Most of the log files are not considered sensitive data; however, all transmissions are encrypted and the portal access is protected with multi-factor authentication.
9) Does data collected by Foresite leave the U.S.?
All data currently resides within our U.S. data centers. Cloud data centers can be set up within other supported countries (including the EU and Canada).
10) Does Foresite incorporate any outside threat feeds?
Yes, we incorporate 10-15 outside threat feeds at any given time, and we continually adjust the feeds we find most effective and relevant. We can incorporate a specific feed (or feeds) for a particular customer as well.