  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 356
Operation Center

What products can be used for a Security Operation Center?

e.g. I found www.secureworks.com; where can I find NEW or infamous products like it?
btan (Exec Consultant) commented:
You are definitely looking at a Security Information and Event Management (SIEM) solution as well. Check out this past paper [1] and look at the table in it. There is also a list [2] of SIEM providers; they would have other additional technology. Another area is heightening situational awareness using analytics, and this can be research-based as a source of intel feeds [3] or a commercial entity providing the platform and tools [4][5].

[1] http://www.sans.org/reading_room/analysts_program/eventMgt_Feb09.pdf
[2] http://jafsec.com/Risk-And-Compliance/SIEM/SIEM-A-B.html
[3] http://www.cyber-ta.org/
[4] http://www.palantirtech.com/government/intelligence
[5] http://www-01.ibm.com/software/data/infosphere/streams/
osloboy (Author) commented:
breadtan & eeRoot: thanks a lot.

These are almost all famous products; how can I find products which come NEW to the IT world and are looking to make their name?
btan (Exec Consultant) commented:
Not that straightforward or something you can google online. But I will say focus on the niche capability the center will need, which typically is more the analysis rather than the collection. The correlation and building of a timeline in the event of detecting an incident is not straightforward in a traditional center. Maybe the CERT website and the FIRST global initiative may talk more about technology innovation; not sure if there are slides since it is a member-only group.

http://www.first.org/global/

There is also the Honeynet Project, which may be interesting, esp. those ideas from their Summer of Code

http://www.honeynet.org/gsoc2009/ideas
osloboy (Author) commented:
The idea here is an OLD one: first collect LOGs from different sites and then run analysis on them -> a SOC (Security Operation Center).

Looking for proper and professional tools for that.
btan (Exec Consultant) commented:
Yes, collection of logs is old, but that is where the intelligence comes from; the new focus should be employing analytics, which is evolving to derive actionable intelligence. I heard of Ant Colony strategies for intel gathering to detect and track the intruders threatening the network ("kind of system where simple units together do behave in complicated ways").

http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5470103
osloboy (Author) commented:
Still, many vendors offer to place their LOG server at the client's location, then get it at their SOC, and inform the client that there is a threat or an attack already on the way.

Is it too old a way? What's new?
What tool do they, as vendors, use to do log analysis at their SOC?
btan (Exec Consultant) commented:
Probably there is some sort of concentrator that consolidates and sanitises the logs prior to forwarding to the center. The core function of the center is then focused on analysis. Know that ArcSight is used as it has FlexConnectors for each log generated by various devices and is able to present a correlated view. Also heard of the use of RSA Archer for response workflow management. In all, not that new. For analytics, I believe tools like i2 and Palantir are used to derive the timeline of events leading to anomalous triggers. I see Maltego as a similar feature which will crawl social web info on an identified trigger or source IP where possible.
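The pipeline btan sketches in the two replies above (a concentrator normalises and sanitises each site's logs before forwarding, and the centre correlates them into a timeline leading up to a trigger) as an added Python example; it is not part of this thread and uses no vendor product, and the two log formats, the sample lines and the three-failures-then-success threshold are constructed assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from two sites in two different formats (not real data).
SITE_LOGS = {
    "site-a": [  # syslog-style sshd lines
        "2009-06-01T10:00:01 sshd: Failed password for admin from 203.0.113.7",
        "2009-06-01T10:00:05 sshd: Failed password for admin from 203.0.113.7",
        "2009-06-01T10:00:09 sshd: Accepted password for admin from 203.0.113.7",
    ],
    "site-b": [  # VPN appliance key=value lines
        "ts=2009-06-01T10:00:03 user=bob src=203.0.113.7 result=fail",
        "ts=2009-06-01T10:30:00 user=carol src=198.51.100.2 result=ok",
    ],
}
SSHD_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for \S+ from (\S+)$")
KV_RE = re.compile(r"^ts=(\S+) user=\S+ src=(\S+) result=(\S+)$")

def normalise(site, line):
    """Concentrator step: map a site-specific line onto one common schema.
    The user name is deliberately dropped (sanitised) before forwarding."""
    if m := SSHD_RE.match(line):
        ts, verb, src = m.groups()
        ok = verb == "Accepted"
    elif m := KV_RE.match(line):
        ts, src, result = m.groups()
        ok = result == "ok"
    else:
        return None  # unknown format: never silently guess a meaning
    return {"site": site, "ts": datetime.fromisoformat(ts), "src": src, "ok": ok}

def correlate(events, min_fails=3, window=timedelta(minutes=5)):
    """Centre step: a success preceded by >= min_fails failures from the same
    source (across any site) inside the window is a trigger; return its timeline."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["ok"]:
                lead = [p for p in evs[:i] if not p["ok"] and e["ts"] - p["ts"] <= window]
                if len(lead) >= min_fails:
                    alerts.append({"src": src, "timeline": lead + [e]})
    return alerts

def run(site_logs=SITE_LOGS):
    # Collect from every site, normalise at the concentrator, correlate at the centre.
    events = [ev for site, lines in site_logs.items()
              for line in lines if (ev := normalise(site, line)) is not None]
    return correlate(events)
```

Neither site alone reaches the threshold; only the consolidated view from both sites produces the alert, which is the point of forwarding to a single centre.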
osloboy (Author) commented:
Great, RSA and ArcSight are famous ones and expensive.

Is there any infamous or new product?

Have you seen any whitepaper on this ANALYSIS setup?
btan (Exec Consultant) commented:
OSSIM is one popular one but may not be so friendly and automated. Worth taking a look at http://alienvault.com/products/open-source-siem

Did not go in-depth searching in the open, but thought the Georgia Tech honeynet paper is a good read at http://www.tracking-hackers.com/papers/gatech-honeynet.pdf

NetFlow analytics would be another keyword to search.
osloboy (Author) commented:
breadtan: is it wise to use a honeypot intentionally?

alienvault.com is a good SIEM option; is there any other open source or new product like it?
btan (Exec Consultant) commented:
OSSIM is one free edition (subset) of AlienVault - http://alienvault.com/community
I understand there is Cyberoam iView (see software version) - http://www.cyberoam-iview.com/productoverview.html

A honeypot is more for intelligence collection and knowing the threat environment, if that is another intent (or core task) for the centre. But primarily I see the centre as centralising, monitoring and detecting across all possible perimeter defence, not necessarily building comprehensive threat trends of the environment's security posture. A honeypot serves as early warning and gives more input to build up what the attacker's interests are, e.g. weapon testing, target selection etc.

Of course we have to make sure the setup objective is very clear for such a deployment if needed. Importantly, the safeguards also need to be in place (monitored) and not inadvertently create a "real" crack, bringing down the whole org. Actually, if the attackers are good ones, they would know it is a honeypot and stop or "re-invest" for others .... :)
osloboy (Author) commented:
Well, it can be worse also with honeypots; difference of opinion.

My question still stands about building a Security Operation Center for managed services.
btan (Exec Consultant) commented:
Agree, it depends on the objective. Probably go for the center's key role in monitoring and early warning as the priority.
osloboy (Author) commented:
What if we are not proactive and, let's say, we think with a service provider HAT on; is there any guideline/solution/checklist to build it from scratch?
btan (Exec Consultant) commented:
Rightfully, every sector has its regulator making sure the sector lead is performing its work. In the corporate world, there would be an audit on the center which also maps its effectiveness and efficiency. A service provider would be managing the outsourced service from the client, and a set of SLAs would be defined. For guidelines and checklists, it should depend on the scope of work then. Probably a code of practice should be considered as well.
osloboy (Author) commented:
Any general checklist document?
osloboy (Author) commented:
ok