At the RSA 2012 conference there was a technical seminar on building a SOC (Security Operations Center). The speaker was a former BT employee who now works on the customer side (Party A). His talk covered the three aspects needed to build a SOC, technology, process and organization, and focused on the choice between a self-built and an outsourced SOC.
The outline is as follows:
1 SOC planning considerations: a comprehensive review of existing processes, site selection, a resource investment plan, a training plan, and a plan for change, with the advice "don't wait until everything is ready". Hehe, this is consistent with the best practice from Intel's SOC build (don't try to have everything prepared in advance).
2 Notes on selecting a SIEM tool: a SIEM is a tool that assists analysts and improves productivity, but it does not replace analysts. More fundamentally, this clarifies the relationship between automation and people: is there a tool that can automate incident analysis and replace the analyst? This talk has already given us the answer. The question is even more confused domestically; oh well, at least now there is something to cite.
3 Self-built or outsourced SOC? Essentially this depends on requirements analysis. Comparing the two ways of establishing a SOC, each has its advantages and disadvantages. The speaker focused on selection principles for an outsourced SOC. For example, the key questions you should ask an MSSP include: service personnel, service stability, scale, performance metrics and SLAs. You should also consider your own ability to transition the service and your strategy for replacing the vendor. Finally, the best way to judge an MSSP's slogans is to validate them in advance: 7x24 response (will someone really answer the phone at 2 a.m.?), real-time analysis (how real is "real time"?), and reporting only the events that really matter (verify the alert frequency and the false-positive rate).
4 The human problem: SOC analysts. This covered the job and skill requirements for SOC analysts and how to retain good ones. Oh, if you visit recruitment sites in the United States and search for SOC analyst jobs, you will find a great many postings; many companies are chronically understaffed.
5 The process problem: emphasis on "documentation" work.
6 Measuring the SOC, or measuring the SOC's return, including human/analyst metrics (performance) and system metrics (ROSI). The key is the selection of metrics.
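Points 3 and 6 both come down to picking measurable quantities and checking them against real alert records rather than vendor slogans. The following is an added example, not code from the talk or from any product it mentions: it computes a small SOC scorecard over a constructed alert log. The alert records, the off-hours window (22:00 to 06:00), the 30-minute acknowledgement SLA and the ROSI formula ((loss reduction - annual cost) / annual cost) are all assumptions chosen for illustration; a real SOC would substitute its own ticket export and contractual SLA values.

```python
"""SOC scorecard over a constructed alert log (added example, not from the talk)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Alert:
    alert_id: str
    raised_at: datetime
    acknowledged_at: Optional[datetime]  # first analyst touch; None if nobody has looked yet
    closed_at: Optional[datetime]        # None while still open
    true_positive: Optional[bool]        # verdict on closure; None while open
    analyst: Optional[str]


def _t(hour: int, minute: int = 0) -> datetime:
    # All constructed sample alerts fall on one day, 2012-03-01 (assumed date).
    return datetime(2012, 3, 1, hour, minute)


# Constructed sample data: two business-hours alerts, two night alerts, one still open.
ALERTS = [
    Alert("A1", _t(10), _t(10, 15), _t(11, 0), True, "alice"),
    Alert("A2", _t(2), _t(3, 30), _t(4, 0), False, "bob"),    # night alert, slow pickup
    Alert("A3", _t(3), _t(3, 20), _t(3, 45), True, "bob"),    # night alert, within SLA
    Alert("A4", _t(14), _t(14, 5), _t(14, 30), False, "alice"),
    Alert("A5", _t(23, 30), None, None, None, None),          # raised at night, untouched
]


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def false_positive_rate(alerts) -> float:
    """Share of closed alerts that were judged false positives (the 'noise' figure to verify)."""
    closed = [a for a in alerts if a.true_positive is not None]
    if not closed:
        return 0.0
    return sum(1 for a in closed if not a.true_positive) / len(closed)


def mean_time_to_acknowledge(alerts) -> float:
    """Average minutes from alert raised to first analyst touch, over acknowledged alerts."""
    deltas = [_minutes(a.raised_at, a.acknowledged_at) for a in alerts if a.acknowledged_at]
    return mean(deltas) if deltas else float("nan")


def mean_time_to_close(alerts) -> float:
    """Average minutes from alert raised to closure, over closed alerts."""
    deltas = [_minutes(a.raised_at, a.closed_at) for a in alerts if a.closed_at]
    return mean(deltas) if deltas else float("nan")


def alerts_per_analyst(alerts) -> Counter:
    """Workload distribution: how many alerts each analyst acknowledged."""
    return Counter(a.analyst for a in alerts if a.analyst)


def is_off_hours(ts: datetime, start_hour: int = 22, end_hour: int = 6) -> bool:
    # Assumed night window: 22:00 up to (but not including) 06:00.
    return ts.hour >= start_hour or ts.hour < end_hour


def off_hours_sla_hit_rate(alerts, sla_minutes: int = 30) -> float:
    """Fraction of night-time alerts acknowledged within the SLA; tests a '7x24 response' claim."""
    night = [a for a in alerts if is_off_hours(a.raised_at)]
    if not night:
        return float("nan")
    hits = sum(
        1 for a in night
        if a.acknowledged_at and _minutes(a.raised_at, a.acknowledged_at) <= sla_minutes
    )
    return hits / len(night)


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return on security investment using the assumed formula (loss reduction - cost) / cost."""
    return ((ale_before - ale_after) - annual_cost) / annual_cost


def soc_scorecard(alerts=ALERTS) -> dict:
    """Collect the metrics a SOC (or its MSSP contract) could be measured against."""
    return {
        "false_positive_rate": false_positive_rate(alerts),
        "mtta_minutes": mean_time_to_acknowledge(alerts),
        "mttc_minutes": mean_time_to_close(alerts),
        "per_analyst": dict(alerts_per_analyst(alerts)),
        "off_hours_sla_hit_rate": off_hours_sla_hit_rate(alerts),
        "open_alerts": sum(1 for a in alerts if a.closed_at is None),
    }


if __name__ == "__main__":
    for name, value in soc_scorecard().items():
        print(f"{name}: {value}")
    print("rosi (assumed figures):", rosi(500_000, 200_000, 100_000))
```

On the constructed data the night-time SLA hit rate is one in three, which is exactly the kind of number that contradicts a "7x24 response" slogan and is worth asking an MSSP to produce from its own ticket history before signing. The same functions serve point 6: the analyst workload and MTTA/MTTC figures are the human metrics, and rosi() is the system-side figure, with the caveat that the loss estimates feeding it are themselves assumptions.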