Solved

Operation center

Posted on 2011-09-15
18
329 Views
Last Modified: 2012-06-27
What products can be used for a Security Operation Center?

e.g. I found www.secureworks.com; where can I find NEW or infamous products like it?
Question by:osloboy
18 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 36547268
0
 
LVL 61

Expert Comment

by:btan
ID: 36547749
You are definitely looking at a Security Information Event Management (SIEM) solution as well. Check out this past paper [1] and look at the table in it. There is also a list [2] of SIEM providers; they would have other additional technology. Another area is heightening situational awareness using analytics, and this can be research-based as a source of intel feeds [3] or a commercial entity providing the platform and tools [4][5].

[1] http://www.sans.org/reading_room/analysts_program/eventMgt_Feb09.pdf
[2] http://jafsec.com/Risk-And-Compliance/SIEM/SIEM-A-B.html
[3] http://www.cyber-ta.org/
[4] http://www.palantirtech.com/government/intelligence
[5] http://www-01.ibm.com/software/data/infosphere/streams/
0
 

Author Comment

by:osloboy
ID: 36553316
breadtan & eeRoot: thanks a lot.

These are almost all famous products; how can I find products which come NEW to the IT world and are looking to make their name?
0
 
LVL 61

Expert Comment

by:btan
ID: 36553566
Not that straightforward, or something you can just google online. But I will say focus on the niche capability the center will need, which typically is more the analysis rather than the collection. The correlation and building of a timeline in the event of detecting an incident is not straightforward in a traditional center. Maybe the CERT website and the FIRST global initiative may talk more of technology innovation; not sure if there are slides since it is a member-only group.

http://www.first.org/global/

There are also honeynet projects that may be interesting, esp. those ideas from their Summer of Code:

http://www.honeynet.org/gsoc2009/ideas
0
 

Author Comment

by:osloboy
ID: 36553918
The idea here is an OLD one: first collect LOGs from different sites and then run analysis on that -> a SOC (Security Operation Center).

Looking for proper and professional tools for that.
0
 
LVL 61

Expert Comment

by:btan
ID: 36561338
Yes, collection of logs is old, but that is where the intelligence comes from; the new focus should be employing analytics, which is evolving to derive actionable intelligence. I heard of Ant Colony strategies for intel gathering to detect and track the intruders threatening the network ("a kind of system where simple units together do behave in complicated ways").

http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5470103
 
0
 

Author Comment

by:osloboy
ID: 36579530
Still, many vendors offer to place their LOG server at the client's location, then get it at their SOC, and inform the client that there is a threat or an attack already on its way.

Is it too old a way? What's new?
What tools do they, as vendors, use to do log analysis at their SOC?
0
 
LVL 61

Expert Comment

by:btan
ID: 36580757
Probably there is some sort of concentrator that consolidates and sanitises the logs prior to forwarding to the center. The core function for the center is then to focus on analysis. Know that ArcSight is used as it has flexible connectors for each log generated by various devices and is able to present a correlated view. Also heard of the use of RSA Archer for response workflow mgmt. In all, not that new. For analytics, I believe tools like i2 and Palantir are used to derive a timeline of events leading to anomalous triggers. I see Maltego as having a similar feature which will crawl social web info on an identified trigger or source IP where possible.
0
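The workflow btan describes (a concentrator at each site normalising different log formats before forwarding, and the center then correlating events and building a timeline per source) as an added, constructed example; this is not code from the thread or from any of the products named, and the two sites, sensors and log lines are made up:

```python
"""Toy concentrator + SOC correlation (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: site A firewall syslog, site B IDS CSV.
SITE_A_FW = [
    "2011-09-15T10:00:01 fw01 DENY src=203.0.113.5 dst=10.1.1.20 dport=22",
    "2011-09-15T10:00:03 fw01 DENY src=203.0.113.5 dst=10.1.1.21 dport=22",
    "2011-09-15T10:00:09 fw01 ALLOW src=198.51.100.7 dst=10.1.1.80 dport=443",
]
SITE_B_IDS = [
    "2011-09-15 10:02:40,ids02,203.0.113.5,10.2.2.15,SSH brute force",
    "2011-09-15 10:05:12,ids02,192.0.2.9,10.2.2.30,Port scan",
]
FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")

def normalise_fw(site, line):
    """Firewall syslog line -> common event schema."""
    ts, host, action, src, dst, dport = FW_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "site": site, "sensor": host,
            "src": src, "dst": dst, "event": f"fw-{action.lower()}:{dport}"}

def normalise_ids(site, line):
    """IDS CSV line -> the same common event schema."""
    ts, host, src, dst, sig = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "site": site, "sensor": host,
            "src": src, "dst": dst, "event": f"ids:{sig}"}

def concentrate(site_a, site_b):
    """Concentrator role: merge both sites into one time-ordered event list."""
    events = [normalise_fw("siteA", l) for l in site_a]
    events += [normalise_ids("siteB", l) for l in site_b]
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, min_sites=2):
    """SOC role: per-source timeline; flag sources active at >= min_sites sites."""
    timeline = defaultdict(list)
    for e in events:
        timeline[e["src"]].append(e)
    return {src: evs for src, evs in timeline.items()
            if len({e["site"] for e in evs}) >= min_sites}

if __name__ == "__main__":
    for src, evs in correlate(concentrate(SITE_A_FW, SITE_B_IDS)).items():
        print(src)
        for e in evs:
            print(f"  {e['ts']:%H:%M:%S} {e['site']}/{e['sensor']} {e['event']}")
```

The only source flagged is the one seen denied at site A and then triggering the IDS at site B, which neither site's own log would reveal on its own.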
 

Author Comment

by:osloboy
ID: 36589880
Great, RSA and ArcSight are famous ones and expensive.

Are there any infamous or new products?

Have you seen any whitepaper on this ANALYSIS setup?
0
 
LVL 61

Expert Comment

by:btan
ID: 36591048
OSSIM is one popular one but may not be so friendly and automated. Worth taking a look at http://alienvault.com/products/open-source-siem

Did not go in-depth searching in the open, but thought the Georgia Tech honeynet paper is a good read at http://www.tracking-hackers.com/papers/gatech-honeynet.pdf

Netflow analytics would be another keyword to search.
0
 

Author Comment

by:osloboy
ID: 36592027
breadtan: is it wise to use a honeypot intentionally?

alienvault.com is a good SIEM option; are there any other open source or new products like it?
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 36594897
OSSIM is one free edition (subset) of AlienVault - http://alienvault.com/community
Understand there is Cyberoam iView (see software version) - http://www.cyberoam-iview.com/productoverview.html

A honeypot is more for intelligence collection and knowing the threat environment, if that is another intent (or core task) for the centre. But primarily I see the centre as centralising, monitoring and detecting across all possible perimeter defenses, not necessarily building comprehensive threat trends of the environment's security posture. A honeypot serves as early warning and gives more inputs to build up what the attacker's interests are, e.g. weapon testing, target selection etc.

Of course we have to make sure the setup objective is very clear for such a deployment, if needed. Importantly, the safeguards also need to be in place (and monitored) and not inadvertently create a "real" crack, bringing down the whole org. Actually, if the attackers are good ones, they would know it is a honeypot and stop or "re-invest" in others .... :)
0
 

Author Comment

by:osloboy
ID: 36890713
Well, it can be worse also with honeypots; difference of opinion.

My question still stands about building a Security Operation Center for managed services.
0
 
LVL 61

Expert Comment

by:btan
ID: 36892703
Agree, it depends on the objective. Probably go for the center's key role in monitoring and early warning as the priority.
0
 

Author Comment

by:osloboy
ID: 36904778
What if we are not proactive and, let's say, we think with a Service Provider HAT on; is there any guideline/solution/checklist to build it from scratch?
0
 
LVL 61

Expert Comment

by:btan
ID: 36928353
Rightfully, every sector has its regulator making sure the sector lead is performing its work. In the corporate world, there would be an audit on the center which also mapped its effectiveness and efficiency. A service provider would be managing the outsourced service from the client, and a set of SLAs would be defined. For guidelines and checklists, it should depend on the scope of work then. Probably a code of practice should be considered as well.
0
 

Author Comment

by:osloboy
ID: 36930240
Any general checklist document?
0
 

Author Closing Comment

by:osloboy
ID: 36942979
ok
0
