SIEM and SOC have brought certainty where before there was only hope. A few years ago, a major Slovakian manufacturing company was living in the feeling that its IT infrastructure was in good shape. Logs existed, administrators were doing their best, and security was not an acute emergency. Until the attack came – swift, widespread and crippling. Production stopped, deliveries were interrupted, payments were blocked.
The attack revealed a weakness that, although suspected, had not been visible until then. And until you see the problem, you are under the impression that it does not exist. But reality catches up with you when it’s at its worst – a recurring pattern across the industry. In business, it really can happen to anyone; the important thing is to learn from the experience.
For the company in question, it was this 2023 event that became the impetus for a major transformation. The business wanted to gain real control over security events. And it wanted to do so without having to build its own in-house SOC team, something that is virtually impossible for a manufacturing company today.
Invisibility was the biggest problem. The company felt it was protected but lacked facts. The logs were there, but scattered across systems. When something happened, the solution to each incident started from scratch: manual problem-finding, lengthy reviews, uncertainty about whether something had been forgotten. There was a lack of centralization, automated alerts, and even reliable visibility into security events. It was clear that unless records were collected centrally, their value was minimal.
Decision: the SIEM on Wazuh + SOC surveillance from GAMO
After analyzing several options, including expensive commercial solutions such as QRadar and Splunk, the combination of Wazuh’s open-source SIEM technology and GAMO’s Managed SOC service proved to be flexible, affordable and, most importantly, sustainable for the enterprise to run in the long term.
They opted for a Security Information and Event Management (SIEM) platform, a system that enables the central collection, evaluation and correlation of records and security events across the entire IT infrastructure.
The solution was built on the publicly available Wazuh security platform, interfaced with GAMO’s Security Operations Center (SOC) surveillance service.
The company gained a single location for all records, real-time visibility into what’s happening in the infrastructure, and the ability to respond quickly to threats without having to build its own dedicated team. All of this enabled central collection and correlation of logs from servers, network, applications and endpoints, detection of suspicious activity, attacks and anomalies, reporting to both IT and management, and compliance with audit and legislative requirements.
But the people were the key. “Technology without experts is not enough. You may have the data, but you don’t know what to do with it. The SOC team is essential,” a customer assessed the situation.
“A SIEM is the foundation, but its true power only becomes apparent when it is operated by specialists. Our job is not only to capture incidents, but also to understand them in context, evaluate their impact and propose solutions that protect the customer in the long term,” confirmed the specialists from GAMO.

Deployment and first results: incidents started to surface
After verification of the functionality of the proposed solution, a pilot phase of the project followed, adapting it to live operation and at the same time debugging and completing the scenarios. The company subsequently gained virtually immediate visibility into its infrastructure.
The biggest challenge was reconciling records from legacy systems and setting up specific customized usage rules. Within the first few weeks, the system had already picked up a number of incidents that would have previously gone unnoticed:
- Brute-force attacks on VPNs and systems: rapid, repeated password-guessing attempts, which the SOC operator identifies by a series of failed logins from the same source or an unusually high frequency of attempts.
- Attempts to communicate with malicious C&C servers: an infected device tries to establish a connection to an external command-and-control server, which the SOC operator detects as unusual communication with suspicious IP addresses outside normal operation.
- Active Directory accounts locked after suspicious activity: user accounts are locked after a series of failed logins or other suspicious activity; this indicates either an unauthorized access attempt or an internal security response.
- Detected malware files: the system identifies malicious files by their characteristics or behaviour. They often contain backdoors, ransomware components or spyware code. The SOC flags them, isolates them and verifies the source of the infection.
- Access to untrusted domains: detected connections to domains with a questionable reputation or to (il)legal platforms. The SOC blocks and verifies these connections.
- Unwanted user activity: massive or unexpected data tampering (e.g. deletion) may indicate an internal error, intentional tampering or the presence of ransomware. The SOC treats the event as a critical incident: the priority is to take immediate action and stop the spread.
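Two of the detections in the list above, the brute-force threshold (“a series of failed logins from the same source”) and the mass-deletion rule (“massive or unexpected data tampering”), can be reproduced on a small scale as sliding-window correlation rules. The following is an added example, not code from GAMO’s deployment or from Wazuh (whose own rules are XML and are evaluated inside the Wazuh manager). The log lines, the `fileaudit` message format, the thresholds and the time windows are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the page or from any real system).
# The sshd lines mimic OpenSSH syslog output; "fileaudit" is an invented
# application audit format used only to exercise the second rule.
SAMPLE_LOGS = [
    "2024-03-01T08:00:01 vpn01 sshd[101]: Failed password for admin from 203.0.113.5 port 50111 ssh2",
    "2024-03-01T08:00:03 vpn01 sshd[101]: Failed password for admin from 203.0.113.5 port 50112 ssh2",
    "2024-03-01T08:00:04 vpn01 sshd[101]: Failed password for root from 203.0.113.5 port 50113 ssh2",
    "2024-03-01T08:00:06 vpn01 sshd[101]: Failed password for invalid user test from 203.0.113.5 port 50114 ssh2",
    "2024-03-01T08:00:09 vpn01 sshd[101]: Failed password for admin from 203.0.113.5 port 50115 ssh2",
    "2024-03-01T08:00:15 vpn01 sshd[101]: Accepted password for jnovak from 198.51.100.7 port 40001 ssh2",
    "2024-03-01T08:10:00 vpn01 sshd[101]: Failed password for jnovak from 198.51.100.7 port 40002 ssh2",
    "2024-03-01T08:25:00 vpn01 sshd[101]: Failed password for jnovak from 198.51.100.7 port 40003 ssh2",
] + [
    # twelve deletions by one account within a single minute on the file server
    f"2024-03-01T09:00:{i:02d} fs01 fileaudit[77]: user=jnovak action=delete path=/share/finance/report{i}.xlsx"
    for i in range(12)
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
DELETE_RE = re.compile(r"user=(?P<user>\S+) action=delete path=(?P<path>\S+)")


def parse(lines):
    """Turn raw syslog-style lines into event dicts; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def _threshold_rule(events, rule, matcher, key, threshold, window):
    """Generic sliding-window counter: alert when `threshold` matching events
    share the same `key` within `window`. After an alert the window is reset so
    a continuing burst produces separate alerts instead of one per event."""
    alerts = []
    recent = defaultdict(deque)  # key value -> timestamps of recent matches
    for ev in events:
        m = matcher.search(ev["msg"])
        if not m:
            continue
        k = m.group(key)
        q = recent[k]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"rule": rule, key: k, "host": ev["host"],
                           "count": len(q), "first": q[0], "last": ev["ts"]})
            q.clear()
    return alerts


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Brute force: `threshold` failed logins from one source IP within `window`."""
    return _threshold_rule(events, "brute_force", FAILED_RE, "src", threshold, window)


def detect_mass_deletion(events, threshold=10, window=timedelta(minutes=5)):
    """Mass deletion: `threshold` delete actions by one user within `window`."""
    return _threshold_rule(events, "mass_deletion", DELETE_RE, "user", threshold, window)


def run(lines):
    """Parse once, then apply both rules; returns the combined alert list."""
    events = list(parse(lines))
    return detect_bruteforce(events) + detect_mass_deletion(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

Two failed logins fifteen minutes apart from 198.51.100.7 fall outside the window and raise nothing, which is the point of the window: a threshold without a time bound would eventually flag every user who mistypes a password. In a real deployment the thresholds are tuned per environment, which is the “dozens of correlation rules tailored to the customer’s environment” the article mentions later.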
Before vs. now: Hope has become certainty
Currently, the company has more than 95% of its infrastructure protected, and the SOC team works with dozens of correlation rules tailored to the customer’s environment. It provides real-time and regular insightful reports and recommendations to management. Critical incidents are addressed immediately.
“Before deploying SIEM, we felt that IT was secure, but we were missing the facts. Today, we can see incidents in real time and have the confidence that we have a professional team watching over us,” expressed a satisfied customer.
A customer summed up the change accurately, “We were hoping before. Today we have proof.” Decision-making has moved from the plane of feelings to the plane of measurable data. Detection is faster, response is professional, risks are under control. And prevention costs less than dealing with outages! The company has experienced this first-hand.
The enterprise is already planning to extend monitoring to operational technology (OT) and implement automated responses using security orchestration, automation and response (SOAR), which will significantly speed up incident responses. The goal is clear: to take security to the next level and minimize response time even for more complex threats.
Combining customer courage and team expertise
This case shows that modern SIEM and professional SOC are not the prerogative of corporations. Even a mid-sized company can have top-notch security surveillance without extreme costs or the need for an in-house expert team. The customer made a bold decision, invested in security and openly named their weaknesses. GAMO brought expertise, technical know-how and responsiveness at critical moments.
“It wouldn’t have been possible without the trust and cooperation of the customer’s team. Every step we see as a success today is the result of working together,” concludes the GAMO team.
It is proof that when technological competence is combined with determination, the result can be a more resilient, safer and, above all, more confident enterprise.
