Solved

Operation center

Posted on 2011-09-15
Last Modified: 2012-06-27
What products can be used for a Security Operation Center?

e.g. I found www.secureworks.com; where can I find NEW or lesser-known products like it?
Question by:osloboy

Expert Comment

by:eeRoot
ID: 36547268

Expert Comment

by:btan
ID: 36547749
You are definitely looking at a Security Information and Event Management (SIEM) solution as well. Check out this past paper [1] and look at the table in it. There is also a list [2] of SIEM providers; they would have other additional technology. Another area is heightening situational awareness using analytics, and this can be research-based as a source of intel feeds [3] or a commercial entity providing the platform and tools [4][5].

[1] http://www.sans.org/reading_room/analysts_program/eventMgt_Feb09.pdf
[2] http://jafsec.com/Risk-And-Compliance/SIEM/SIEM-A-B.html
[3] http://www.cyber-ta.org/
[4] http://www.palantirtech.com/government/intelligence
[5] http://www-01.ibm.com/software/data/infosphere/streams/

Author Comment

by:osloboy
ID: 36553316
breadtan & eeRoot: thanks a lot.

These are almost all famous products; how can I find products which are NEW to the IT world and looking to make their name?

Expert Comment

by:btan
ID: 36553566
Not that straightforward, or something you can Google online. But I will say focus on the niche capability the center will need, which typically is more the analysis rather than the collection. The correlation and building of a timeline in the event of detecting an incident is not straightforward in a traditional center. Maybe the CERT website and the FIRST global initiative may talk more about technology innovation; not sure if there are slides, since it is a member-only group.

http://www.first.org/global/

There is also the Honeynet Project that may be interesting, esp. those ideas from their Summer of Code:

http://www.honeynet.org/gsoc2009/ideas

Author Comment

by:osloboy
ID: 36553918
The idea here is an OLD one: first collect LOGs from different sites and then run analysis on that -----------------------> a SOC (Security Operation Center).

Looking for proper and professional tools for that.

Expert Comment

by:btan
ID: 36561338
Yes, collection of logs is old, but that is where the intelligence comes from; the new focus should be employing analytics, which is evolving to derive actionable intelligence. I heard of Ant Colony strategies for intel gathering to detect and track the intruders threatening the network ("a kind of system where simple units together do behave in complicated ways"):

http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5470103
 

Author Comment

by:osloboy
ID: 36579530
Still, many vendors offer to place their LOG server at the client's location, then get it at their SOC, and inform the client there is a threat or an attack already under way.

Is it too old a way? What's new?
What tools do they, as a vendor, use to do log analysis at their SOC?

Expert Comment

by:btan
ID: 36580757
Probably there is a sort of concentrator that consolidates and sanitises the logs prior to forwarding to the center. The core function of the center is then focused on analysis. Know that ArcSight is used, as it has flex connectors for each log generated by various devices and is able to present a correlated view. Also heard of use of RSA Archer for response workflow mgmt. In all, not that new. For analytics, I believe tools like i2 and Palantir are used to derive a timeline of events leading to anomalous triggers. I see Maltego as a similar feature which will crawl social web info on an identified trigger or source IP where possible.
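The split described above (a site-side concentrator that normalises and strips logs, a central analysis function that correlates across sites and builds the timeline leading to a trigger) is simple enough to sketch end to end. The following is an added example, not code from this thread or from any vendor named in it: a toy concentrator that parses sshd auth lines and keeps only the fields the centre needs, and a central correlator keyed on source IP that flags a burst of failed logins, escalates if a successful login from the same source follows, and emits the cross-site timeline an analyst would review. The log lines, site names, hosts, IP addresses (RFC 5737 documentation ranges) and the threshold/window values are all constructed for the example.

```python
"""Toy SOC pipeline: site concentrators -> central correlation -> incident timeline.
Added example, not code from the thread. All logs, sites and IPs are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: raw sshd lines as two client-site concentrators would see them.
SITE_LOGS = {
    "oslo-dc": [
        "2011-09-15T08:00:01Z fw01 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2",
        "2011-09-15T08:00:04Z fw01 sshd[1201]: Failed password for root from 203.0.113.7 port 51123 ssh2",
        "2011-09-15T08:00:09Z fw01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51124 ssh2",
        "2011-09-15T08:00:15Z fw01 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51125 ssh2",
        "2011-09-15T08:01:00Z fw01 sshd[1300]: Failed password for bob from 198.51.100.9 port 40001 ssh2",
        "2011-09-15T08:01:02Z fw01 CRON[1400]: (root) CMD (run-parts /etc/cron.hourly)",
    ],
    "bergen-branch": [
        "2011-09-15T08:02:30Z web02 sshd[77]: Failed password for root from 203.0.113.7 port 60000 ssh2",
        "2011-09-15T08:02:31Z web02 sshd[77]: Failed password for root from 203.0.113.7 port 60001 ssh2",
        "2011-09-15T08:02:33Z web02 sshd[77]: Failed password for root from 203.0.113.7 port 60002 ssh2",
    ],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\d+(?:\.\d+){3}) port \d+"
)


def concentrate(site, lines):
    """Site-side concentrator: parse sshd auth lines into normalised events.
    Only the fields the centre needs are kept (pid and client port are dropped);
    lines that do not match the auth pattern are skipped rather than shipped raw."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "site": site,
            "host": m["host"],
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "Accepted",
        })
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Centre-side correlation across all sites, keyed on source IP.
    An alert is raised when `threshold` failures from one source fall inside
    `window`; it is escalated to high if a successful login from the same
    source follows within the window. Threshold and window are assumed values."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        first_hit = None  # time at which the threshold was first crossed
        for i in range(threshold - 1, len(fails)):
            if fails[i]["ts"] - fails[i - threshold + 1]["ts"] <= window:
                first_hit = fails[i]["ts"]
                break
        if first_hit is None:
            continue
        followed_by_success = any(
            e["ok"] and first_hit <= e["ts"] <= first_hit + window for e in evs
        )
        alerts.append({
            "src": src,
            "severity": "high" if followed_by_success else "medium",
            "sites": sorted({e["site"] for e in evs}),
            "failures": len(fails),
            # Timeline the analyst reviews: every event from this source, all sites, in order.
            "timeline": [
                (e["ts"].isoformat(), e["site"], e["host"], e["user"], "ok" if e["ok"] else "fail")
                for e in evs
            ],
        })
    return alerts


def run_pipeline(site_logs=SITE_LOGS):
    """Concentrate each site's logs, then correlate centrally."""
    events = []
    for site, lines in site_logs.items():
        events.extend(concentrate(site, lines))
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run_pipeline()
    print(f"{len(events)} events from {len(SITE_LOGS)} sites")
    for a in alerts:
        print(f"[{a['severity']}] {a['src']} hit {a['sites']} ({a['failures']} failures)")
        for row in a["timeline"]:
            print("   ", *row)
```

On the constructed input, the single source that brute-forces oslo-dc and then moves to bergen-branch produces one high-severity alert whose timeline spans both sites; the lone failure from the second source stays below threshold and is never surfaced. That is the point of centralising: neither site alone sees the full picture, and the centre only needs the normalised fields, not the raw pids and ports.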

Author Comment

by:osloboy
ID: 36589880
Great. RSA, ArcSight are famous ones and expensive.

Is there any lesser-known or new product?

Have you seen any whitepaper on this ANALYSIS setup?

Expert Comment

by:btan
ID: 36591048
OSSIM is one popular one, but may not be so friendly and automated. Worth taking a look @ http://alienvault.com/products/open-source-siem

Did not go in-depth searching in the open, but thought the Georgia Tech honeynet paper is a good read @ http://www.tracking-hackers.com/papers/gatech-honeynet.pdf

NetFlow analytics would be another keyword to search.

Author Comment

by:osloboy
ID: 36592027
breadtan: is it wise to use a Honeypot intentionally?

alienvault.com is a good SIEM option; is there any other open source or new product like it?

Accepted Solution

by:btan (earned 500 total points)
ID: 36594897
OSSIM is the free edition (subset) of AlienVault - http://alienvault.com/community
Understand there is Cyberoam iView (see software version) - http://www.cyberoam-iview.com/productoverview.html

A Honeypot is more for intelligence collection and knowing the threat environment, if that is another intent (or core task) for the centre. But primarily I see the centre centralising, monitoring and detecting across all possible perimeter defenses, not necessarily building comprehensive threat trends of the environment's security posture. A Honeypot serves as early warning and gives more inputs to build what the attacker's interests are, e.g. weapon testing, target selection etc.

Of course we have to make sure the setup objective is very clear for such a deployment, if needed. Importantly, the safeguards also need to be in place (monitored) and not inadvertently create a "real" crack, bringing down the whole org. Actually, if the attackers are good, they would know it is a Honeypot and stop or "re-invest" elsewhere .... :)

Author Comment

by:osloboy
ID: 36890713
Well, it can be worse also with honeypots; difference of opinion.

My question still stands about building a Security Operation Center for managed services.

Expert Comment

by:btan
ID: 36892703
Agree, it depends on the objective. Probably go for the center's key role in monitoring and early warning as the priority.

Author Comment

by:osloboy
ID: 36904778
What if we are not proactive and, let's say, we think with a Service Provider HAT on; is there any guideline/solution/checklist to build it from scratch?

Expert Comment

by:btan
ID: 36928353
Rightfully, every sector has its regulator making sure the sector lead is performing its work. In the corporate world, there would be an audit on the center which also maps its effectiveness and efficiency. A service provider would be managing the outsourced service from the client, and a set of SLAs would be defined. For a guideline and checklist, it would depend on the scope of work then. Probably a code of practice should be considered as well.

Author Comment

by:osloboy
ID: 36930240
Any general checklist document?

Author Closing Comment

by:osloboy
ID: 36942979
OK.