SIEM, SOC and MSS: the differences and connections between the three
Preface
SIEM and SOC are not new terms in China, but after more than ten years of struggle in the domestic security circle, SIEM has matured while SOC is still in an awkward, marginal position. I think the main reason is that SOC is constrained by the domestic system, policy, the relevant log standards, the application environment and traditional ways of thinking, so from the very beginning it has appeared in China only in product form. A SOC without the supporting MSS is like asking a car driver to pilot a plane, and this is the main reason the domestic SOC has not really been used.
SOC-based MSS (Managed Security Service) has been unable to develop for two reasons.
1. Technical blockade of MSS services by Europe and the United States.
Providing an MSS service requires experienced senior security analysts, a complete SOC operations team, standard security incident response and handling processes, SLAs, mature information security detection models, a threat scenario library, an accurate alerting system and a reporting system. Learning and building such a service system not only consumes a lot of money, time and manpower, but also requires a huge amount of operational experience to practice on; obviously, putting together a team like this is not easy.
2. High labor costs conflict with customers' demand for on-site operation.
Meeting the above requirements of an MSS service is very expensive, which means the best way to commercialize it is centralized managed operation; this conflicts with high-end domestic customers, who generally require service providers to operate on site. In Europe and the United States MSS services are prevalent because the relevant information security standards are very mature and have been widely implemented and recognized by governments and commercial organizations, so the model MSS requires, shipping logs out of the customer's environment plus centralized managed operation of the security logs generated there, is accepted and recognized.
SIEM (Security Information and Event Management) is a combination of software and services, a fusion of SIM (Security Information Management) and SEM (Security Event Management). The difference between the two is that SEM focuses on real-time monitoring and event handling, while SIM focuses on historical log analysis and forensics. SIEM provides unified real-time monitoring and historical analysis of security information (logs, alarms, etc.) from all IT resources (networks, systems and applications) in an enterprise or organization: monitoring and auditing of external intrusions, internal violations and misoperation; investigation and evidence collection; issuing various reports; achieving compliance management of IT resources; and improving the security operation, threat management and emergency response capabilities of the enterprise or organization.
SOC (Security Operations Center) originates from the NOC (Network Operations Center).
With the increasing prominence of information security, the development of security management theory and technology requires managing the whole network and its systems from a security point of view, while the traditional NOC lacks technical support in this area, so the concept of SOC emerged.
What is currently called SOC in China is the SOC 1.0 phase, which covers only the core part of a SOC, namely SIEM. The foreign SOC is a complex system: it uses SIEM products for operation and maintenance in order to provide services to customers, which is what we call SOC 2.0/MSS.
SOC (Security Operation Center) is a centralized security management system that takes assets as its core and security incident management as its key process, adopts the idea of security-domain partitioning, establishes a real-time asset risk model, and assists administrators in incident and risk analysis, early-warning management and emergency response.
SOC is a complex system that comprises products, services and operations; SOC is the organic integration of technology, process and people.
MSS (Managed Security Services) is a security operations outsourcing service provided by a professional MSSP (Managed Security Service Provider).
MSS can bring the following benefits to customers.
1. Reduced costs: staffing, skill requirements, site requirements.
2. 24x7 monitoring: monitoring services around the clock, 7 days a week.
3. Risk monitoring: effective monitoring of security risks, with solutions provided as soon as a risk is found.
4. Identifying and resolving problems: identifying and resolving possible security issues in a timely manner.
5. Trend analysis: professional security trend analysis, with monthly, quarterly and annual security analysis reports.
6. Log storage and query: effective log storage and backup, with fast query and location of records.
SIEM focuses on centralized management and auditing of logs, while SOC is used for security log analysis and for monitoring and localizing security risks. Given the different focus of the two, SIEM can be delivered as a product, whereas SOC must be supplemented with the human intervention of an MSS service to be complete.
As for the difference between the two: SIEM only does the traditional counting of security logs, whereas SOC+MSS redefines security logs and generates new security events from them, merging, filtering and threat-grading the security logs and quantifying the security alerts. For example, a company hit by a hacker's DDoS attack received about 200,000 (20W) related security log entries within 15 minutes. SIEM reported 200,000 alarms to the customer, while SOC reported 1; obviously, from a security risk management point of view, SIEM's way of counting is unscientific.
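The DDoS example above, worked through in code as an added illustration (this is not code from the original blog or from any SOC product): the same stream of raw security log events is first counted one alarm per line, the SIEM-style figure, and then merged by signature and target within a time window, graded by volume and source spread, and filtered by severity, the SOC+MSS-style figure. The event data, the IP addresses (documentation ranges), the 15-minute window and the severity thresholds are all constructed assumptions for this example.

```python
"""Raw log counting versus correlation into graded incidents (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def make_sample_events(n_flood=200_000, start=datetime(2016, 2, 1, 10, 0, 0)):
    """Constructed raw events as (timestamp, source, signature, target) tuples:
    a SYN flood from 200 sources against one web server, spread over 15 minutes,
    plus a few unrelated events an analyst would still want to see."""
    events = []
    for i in range(n_flood):
        ts = start + timedelta(seconds=(900 * i) // n_flood)   # 0..899 s
        src = f"198.51.100.{i % 200}"                          # TEST-NET-2, constructed
        events.append((ts, src, "SYN flood", "203.0.113.10:80"))
    events.append((start + timedelta(minutes=3), "192.0.2.7", "Failed login", "203.0.113.20:22"))
    events.append((start + timedelta(minutes=4), "192.0.2.7", "Failed login", "203.0.113.20:22"))
    events.append((start + timedelta(minutes=9), "192.0.2.9", "Port scan", "203.0.113.10"))
    return events


@dataclass
class Incident:
    signature: str
    target: str
    first_seen: datetime
    last_seen: datetime
    event_count: int = 0
    sources: set = field(default_factory=set)
    severity: str = "low"


def siem_style_count(events):
    """One alarm per log line: the traditional count the text attributes to SIEM."""
    return len(events)


def grade(inc):
    """Constructed threat grading: event volume and number of distinct sources
    drive the severity; a real SOC would use its own threat scenario library."""
    if inc.event_count >= 10_000 or len(inc.sources) >= 100:
        return "critical"
    if inc.event_count >= 100:
        return "high"
    if inc.event_count >= 5:
        return "medium"
    return "low"


def correlate(events, window=timedelta(minutes=15)):
    """Merge events sharing (signature, target) that fall within `window` of the
    open incident's first event; anything later starts a new incident."""
    open_incidents = {}
    closed = []
    for ts, src, sig, target in sorted(events):
        key = (sig, target)
        inc = open_incidents.get(key)
        if inc is not None and ts - inc.first_seen > window:
            closed.append(inc)          # window exhausted: close and start afresh
            inc = None
        if inc is None:
            inc = Incident(sig, target, ts, ts)
            open_incidents[key] = inc
        inc.last_seen = ts
        inc.event_count += 1
        inc.sources.add(src)
    closed.extend(open_incidents.values())
    for inc in closed:
        inc.severity = grade(inc)
    return sorted(closed, key=lambda i: i.first_seen)


SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def soc_style_alerts(events, min_severity="medium"):
    """Correlated incidents at or above `min_severity`: what gets reported."""
    floor = SEVERITY_ORDER.index(min_severity)
    return [i for i in correlate(events) if SEVERITY_ORDER.index(i.severity) >= floor]


if __name__ == "__main__":
    sample = make_sample_events()
    print("SIEM-style alarms:", siem_style_count(sample))
    for inc in soc_style_alerts(sample):
        print(f"SOC-style alert: {inc.signature} -> {inc.target}, "
              f"{inc.event_count} events from {len(inc.sources)} sources, {inc.severity}")
```

With the constructed data the raw count is 200,003 alarms, correlation yields three incidents (the flood, two failed logins merged into one, a lone port scan), and the severity floor leaves exactly one reportable alert, the critical SYN flood; the two low-severity incidents remain in the incident store for the analyst rather than being raised to the customer.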
An MSS service integrated with SOC can provide intelligent monitoring, analysis and early-warning services, changing the past habit of customers maintaining a complex security information and event management platform themselves, leaving that platform's complexity behind, and providing solutions from the perspectives of simple management, event presentation and event handling. Customers can obtain the content they care about through a portal website, obtain a security response and the corresponding security solution within a specified time by telephone and other channels, and find more detailed solution content on the portal website.
This article is from the MSS and SOC blog; please keep this source: http://ricktang.blog.51cto.com/1097764/1739317