From the contact MVM, to the large-scale distributed deployment, to gradually put into operation, finally to the product has a certain understanding, at the company's annual meeting, but also heard the introduction of other related security products, the following is a little knowledge of information collection security products:
The first is data collection : Whether it's SOC or business performance monitoring, whether it's IPs or vulnerability Scanner (MVM). Has an important link---the collection of information and data. No data, everything is empty talk. Only for different purposes of the product, the corresponding data collection difficulty, methods are also different. The vulnerability scanner is mainly collected through the interaction of the network packet, while the SOC collects data mainly through the syslog, the IPs is through the traffic image (according to different deployment scenarios, in-line deployment without mirroring).
The second is the storage of data : Different products to the data storage capacity requirements are different, some require I/O performance, some require data model, some require large storage space, but most of the design database related knowledge.
Another is the analysis of the use of data : This should be the core of most products, and almost for the trend, big data trends, and security on the use of big data is a trend . Security is a process-oriented analysis and process of empowerment, and in order to find the actual attack and discover the security threat, it is necessary to aggregate and correlate the data . Host information, vulnerability information, IPs alarms, log alarms, and so on, only the correlation of these information can really remove the real important information from the massive events, discover the attack and the threat. There are various behavioral model analysis and so on (this aspect is not very understanding)
Finally, the data is presented : the product needs to be interactive, needs to be used, of course, the data collected, the resulting processing results presented, involving UI design and so on.
In fact, for the operation of such products, individuals also think there are three levels, the corresponding also has three levels of operation and maintenance capacity.
The first layer: interface operations, the initial level of operations, just contact with the product, the most will be on the existing interface, to complete some simple tasks and operations.
Second layer: Understand some basic principles, understand some of the functions of the implementation principle, the relationship between components.
The third layer: deeper understanding of the principles and details, knowing a lot of the underlying knowledge, and even understanding the code-level stuff.
650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/5B/97/wKiom1UM9TzTpJZYAAG_f4ydiHQ912.jpg "title=" Product models for SOC and Accuer. png "alt=" wkiom1um9tztpjzyaag_f4ydihq912.jpg "/>
Model of data collection class security products
This article from "Struggling rookie" blog, declined reprint!
Model of data collection class security products