RSA 2012 Series (3): Building a SOC, best practices sharing

Source: Internet
Author: User

At the RSA 2012 conference there was a technical session on establishing a SOC (Security Operations Center). The speaker was a former BT person who now works on the customer (end-user) side. His talk covered the three aspects needed to build a SOC, technology, process and organization, and focused on the choice between a self-built and an outsourced SOC.

The outline is as follows:

1. SOC planning considerations: a comprehensive review of existing processes, site selection, a resource investment plan, a training plan, and a plan for change. "Don't wait until everything is ready", hehe, which is consistent with the best practice from Intel's SOC build (don't try to have everything prepared in advance).

2. Notes on selecting the SIEM tool: a SIEM is a tool that assists analysts and improves their productivity, but it does not replace analysts. More fundamentally, this clarifies the relationship between automation and people. In other words, is there a tool that automates incident analysis and replaces the analyst? This talk gives the answer. The question is even muddier domestically. Oh, it's nice to see this finally stated.

3. Self-built or outsourced SOC? It comes down to requirements analysis. Each of the two ways of establishing a SOC has its advantages and disadvantages. The speaker focused on the selection principles for an outsourced SOC. For example, the key questions to put to an MSSP include: service personnel, service stability, scale, performance metrics, and SLAs. You should also consider your own capability to transition the service and your strategy for replacing the vendor. Finally, the best way to check an MSSP's slogans is to validate them in advance: 7x24 response (will someone really pick up the phone at 2 a.m.?), real-time analysis (how real-time?), and reporting on the events that really matter (verify the alarm frequency and the false-positive rate).

4. The people problem: SOC analysts. Covers the job and skill requirements for SOC analysts and how to retain good ones. Oh, if you browse US recruiting sites for SOC analyst positions you will find a great many postings; many companies are chronically understaffed.

5. The process problem: emphasis on documentation.

6. Measuring the SOC, that is, measuring the return the SOC delivers, including human/analyst metrics (performance) and system metrics (ROSI). The key is the choice of metrics.
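Points 3 and 6 both come down to the same thing: pick a few metrics and compute them from the ticket data rather than trusting the vendor's slogan. The following is an added example, not code from the talk or from any vendor. It works over a constructed week of hypothetical MSSP tickets and computes the checks named above: response-time SLA compliance overall and in the 22:00-06:00 window (the "2 a.m. phone call" question), the false-positive rate, mean time to resolve over confirmed incidents, and a ROSI figure. The ROSI formula used is the standard (loss avoided minus cost) over cost; the talk only names ROSI as a metric, so that formula and all the numbers are assumptions.

```python
"""Constructed SOC/MSSP metrics check (added example, not from the RSA talk)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Callable, List, Optional


@dataclass
class Ticket:
    tid: str
    detected: datetime      # alert raised by the SIEM / MSSP
    acknowledged: datetime  # first human analyst response
    closed: datetime        # ticket resolved
    verdict: str            # "true_positive" or "false_positive"


# Constructed sample tickets: one imaginary week from a hypothetical MSSP.
TICKETS: List[Ticket] = [
    Ticket("T1", datetime(2012, 3, 5, 9, 0),   datetime(2012, 3, 5, 9, 10),   datetime(2012, 3, 5, 11, 0),  "true_positive"),
    Ticket("T2", datetime(2012, 3, 5, 2, 0),   datetime(2012, 3, 5, 3, 30),   datetime(2012, 3, 5, 5, 0),   "true_positive"),
    Ticket("T3", datetime(2012, 3, 5, 14, 0),  datetime(2012, 3, 5, 14, 5),   datetime(2012, 3, 5, 14, 20), "false_positive"),
    Ticket("T4", datetime(2012, 3, 6, 23, 30), datetime(2012, 3, 6, 23, 45),  datetime(2012, 3, 7, 1, 0),   "false_positive"),
    Ticket("T5", datetime(2012, 3, 6, 10, 0),  datetime(2012, 3, 6, 10, 50),  datetime(2012, 3, 6, 16, 0),  "true_positive"),
    Ticket("T6", datetime(2012, 3, 7, 3, 15),  datetime(2012, 3, 7, 5, 0),    datetime(2012, 3, 7, 6, 0),   "false_positive"),
]


def minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def response_minutes(t: Ticket) -> float:
    """Detection-to-acknowledgement: what a '7x24 response' SLA is measured on."""
    return minutes(t.detected, t.acknowledged)


def is_off_hours(dt: datetime, start_hour: int = 22, end_hour: int = 6) -> bool:
    """Night window used to test the 'will anyone answer at 2 a.m.' question."""
    return dt.hour >= start_hour or dt.hour < end_hour


def sla_compliance(tickets: List[Ticket], sla_minutes: float,
                   only: Callable[[Ticket], bool] = lambda t: True) -> Optional[float]:
    """Fraction of the selected tickets acknowledged within the SLA; None if none match."""
    subset = [t for t in tickets if only(t)]
    if not subset:
        return None
    met = sum(1 for t in subset if response_minutes(t) <= sla_minutes)
    return met / len(subset)


def median_response_minutes(tickets: List[Ticket]) -> float:
    return median(response_minutes(t) for t in tickets)


def false_positive_rate(tickets: List[Ticket]) -> float:
    """Share of escalated tickets that turned out to be noise."""
    return sum(1 for t in tickets if t.verdict == "false_positive") / len(tickets)


def mttr_minutes(tickets: List[Ticket]) -> float:
    """Mean time to resolve, over confirmed incidents only."""
    tps = [t for t in tickets if t.verdict == "true_positive"]
    return sum(minutes(t.detected, t.closed) for t in tps) / len(tps)


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return on Security Investment: (loss avoided - cost) / cost.
    Standard ROSI formula (assumption); the talk only names ROSI as a metric."""
    return (ale_before - ale_after - annual_cost) / annual_cost


if __name__ == "__main__":
    night = lambda t: is_off_hours(t.detected)
    print(f"SLA(30 min) overall:   {sla_compliance(TICKETS, 30):.2f}")
    print(f"SLA(30 min) off-hours: {sla_compliance(TICKETS, 30, night):.2f}")
    print(f"median response (min): {median_response_minutes(TICKETS)}")
    print(f"false-positive rate:   {false_positive_rate(TICKETS):.2f}")
    print(f"MTTR (min):            {mttr_minutes(TICKETS):.0f}")
    print(f"ROSI:                  {rosi(500_000, 200_000, 150_000):.2f}")
```

The point of splitting compliance by time window is that an overall 50% figure hides the fact that only one of three night-time alerts in this data was picked up within 30 minutes; that is the number to put in front of the MSSP, together with the false-positive share, before signing.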
