Solved

Operation center

Posted on 2011-09-15
Last Modified: 2012-06-27
What products can be used for a Security Operation Center?

E.g. I found www.secureworks.com; where can I find NEW or infamous products like it?
Question by:osloboy
18 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 36547268
 
LVL 63

Expert Comment

by:btan
ID: 36547749
You are definitely looking at a Security Information Event Management (SIEM) solution as well. Check out this past paper [1] and look at the table in it. There is also a list [2] of SIEM providers; they would have other additional technology. Another area is heightening situational awareness using analytics, and this can be research-based as a source of intel feeds [3] or a commercial entity providing the platform and tools [4][5].

[1] http://www.sans.org/reading_room/analysts_program/eventMgt_Feb09.pdf
[2] http://jafsec.com/Risk-And-Compliance/SIEM/SIEM-A-B.html
[3] http://www.cyber-ta.org/
[4] http://www.palantirtech.com/government/intelligence
[5] http://www-01.ibm.com/software/data/infosphere/streams/
 

Author Comment

by:osloboy
ID: 36553316
breadtan & eeRoot: thanks a lot.

These are almost all famous products; how can I find products which are NEW to the IT world and looking to make their name?

 
LVL 63

Expert Comment

by:btan
ID: 36553566
Not that straightforward or something you can google online. But I will say focus on the niche capability the center will need, which typically is more the analysis rather than the collection. The correlation and building of a timeline in the event of detecting an incident is not straightforward in a traditional center. Maybe the CERT website and the FIRST global initiative may talk more of technology innovation - not sure if there are slides since it is a member-only group.

http://www.first.org/global/

There is also the Honeynet Project that may be interesting, esp. the ideas from their Summer of Code

http://www.honeynet.org/gsoc2009/ideas
 

Author Comment

by:osloboy
ID: 36553918
The idea here is an OLD one: first collect LOGs from different sites and then run analysis on them -> a SOC (Security Operation Center).

Looking for proper and professional tools for that.
 
LVL 63

Expert Comment

by:btan
ID: 36561338
Yes, collection of logs is old, but that is where the intelligence comes from; the new focus should be employing analytics, which is evolving to derive actionable intelligence. I heard of Ant Colony strategies for intel gathering to detect and track the intruders threatening the network ("kind of system where simple units together do behave in complicated ways").

http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5470103
 

Author Comment

by:osloboy
ID: 36579530
Still many vendors offer to place their LOG server at the client's location, then get it at their SOC, and inform the client there is a threat or an attack already on the way.

Is it too old a way? What's new?
What tools do they as a vendor use to do log analysis at their SOC?
 
LVL 63

Expert Comment

by:btan
ID: 36580757
Probably there is some sort of concentrator that consolidates and sanitises the logs prior to forwarding to the center. The core function for the center is then to focus on analysis. Know that ArcSight is used as it has a flex connector for each log generated by various devices and is able to present a correlated view. Also heard of the use of RSA Archer for response workflow mgmt. In all, not that new. For analytics, I believe tools like i2 and Palantir are used to derive the timeline of events leading to anomalous triggers. I see Maltego as having a similar feature which will crawl social web info on an identified trigger or source IP where possible.
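An added example (not code from the thread or from any vendor named in it) of the collect, consolidate and correlate pipeline discussed above: two constructed site logs in different formats are normalised into one schema, merged into a single timeline, and a simple correlation rule reconstructs the events leading up to a trigger. Log formats, field names, the threshold and the window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs from two sites in two different formats (not real data).
AUTH_LOG = """2011-09-15T10:00:01 auth sshd: Failed password for admin from 203.0.113.7
2011-09-15T10:00:03 auth sshd: Failed password for admin from 203.0.113.7
2011-09-15T10:00:05 auth sshd: Failed password for admin from 203.0.113.7
2011-09-15T10:00:09 auth sshd: Accepted password for admin from 203.0.113.7
2011-09-15T10:00:20 auth sshd: Accepted password for alice from 198.51.100.5"""
FW_LOG = """Sep 15 2011 09:59:58 fw01 ALLOW TCP src=203.0.113.7 dst=10.0.0.5 dport=22
Sep 15 2011 10:00:15 fw01 ALLOW TCP src=203.0.113.7 dst=10.0.0.9 dport=445"""

AUTH_RE = re.compile(r"(\S+) auth sshd: (Failed|Accepted) password for (\S+) from (\S+)")
FW_RE = re.compile(r"(\w{3} \d{2} \d{4} \S+) fw01 ALLOW TCP src=(\S+) dst=(\S+) dport=(\d+)")

def normalize(auth_text, fw_text):
    """Concentrator step: parse both formats into one event schema, ordered by time."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            kind = "auth_fail" if m[2] == "Failed" else "auth_ok"
            ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%S")
            events.append({"ts": ts, "src": m[4], "type": kind, "detail": m[3]})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m[1], "%b %d %Y %H:%M:%S")
            events.append({"ts": ts, "src": m[2], "type": "fw_allow", "detail": f"{m[3]}:{m[4]}"})
    return sorted(events, key=lambda e: e["ts"])  # one merged timeline across sites

def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Analysis step: a successful login preceded by >= threshold failures from the same
    source inside the window is the trigger; return the cross-source events leading to it."""
    alerts = []
    for trig in (e for e in events if e["type"] == "auth_ok"):
        prior = [e for e in events
                 if e["src"] == trig["src"] and trig["ts"] - window <= e["ts"] <= trig["ts"]]
        fails = [e for e in prior if e["type"] == "auth_fail"]
        if len(fails) >= threshold:
            alerts.append({"src": trig["src"], "user": trig["detail"], "timeline": prior})
    return alerts

if __name__ == "__main__":
    for alert in correlate(normalize(AUTH_LOG, FW_LOG)):
        print(f"trigger: {alert['user']} from {alert['src']}")
        for e in alert["timeline"]:
            print(f"  {e['ts']}  {e['type']:<9} {e['detail']}")
```

The firewall entry that precedes the failures shows up in the alert timeline only because both sources were normalised to the same source-address field first; that join is what the concentrator step buys the analysts.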
 

Author Comment

by:osloboy
ID: 36589880
Great, RSA, ArcSight are famous ones and expensive.

Are there any infamous or new products?

Have you seen any whitepaper on this ANALYSIS setup?
 
LVL 63

Expert Comment

by:btan
ID: 36591048
OSSIM is one popular one but may not be so friendly and automated. Worth taking a look @ http://alienvault.com/products/open-source-siem

Did not go in-depth searching in the open but thought the Georgia Tech honeynet paper is a good read @ http://www.tracking-hackers.com/papers/gatech-honeynet.pdf

Netflow analytics would be another keyword to search.
 

Author Comment

by:osloboy
ID: 36592027
breadtan: is it wise to use a honeypot intentionally?

alienvault.com is a good SIEM option; is there any other open source or new product like it?
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 36594897
OSSIM is one free edition (subset) of AlienVault - http://alienvault.com/community
Understand there is Cyberoam iView (see software version) - http://www.cyberoam-iview.com/productoverview.html

A honeypot is more for intelligence collection and knowing the threat environment, if that is another intent (or core task) for the centre. But primarily I see the centre as centralising, monitoring and detecting across all possible perimeter defences - not necessarily building comprehensive threat trends of the environment's security posture. A honeypot serves as early warning and gives more inputs to build up what the attacker's interests are, e.g. weapon testing, target selection etc.

Of course we have to make sure the setup objective is very clear for such a deployment if needed. Importantly, the safeguards also need to be in place (monitored) and not inadvertently create a "real" crack, bringing down the whole org. Actually if the attackers are good ones, they would know it is a honeypot and stop or "re-invest" elsewhere .... :)
 

Author Comment

by:osloboy
ID: 36890713
Well, it can be worse also with honeypots; difference of opinion.

My question still stands about building a Security Operation Center for managed services.
 
LVL 63

Expert Comment

by:btan
ID: 36892703
Agree, depends on objective. Probably go for the center's key role in monitoring and early warning as the priority.
 

Author Comment

by:osloboy
ID: 36904778
What if we are not proactive and, let's say, we think with the service provider hat on; is there any guideline/solution/checklist to build it from scratch?
 
LVL 63

Expert Comment

by:btan
ID: 36928353
Rightfully every sector has its regulator making sure the sector lead is performing its work. In the corporate world, there would be an audit on the center which also maps its effectiveness and efficiency. The service provider would be managing the outsourced service from the client, and a set of SLAs would be defined. For guideline and checklist, it should depend on the scope of work then. Probably a code of practice should be considered as well.
 

Author Comment

by:osloboy
ID: 36930240
Any general checklist document?
 

Author Closing Comment

by:osloboy
ID: 36942979
ok