Practitioners Guide to SOC


Building a security operations center, on a real-world budget. Get SOC essentials from AlienVault.

Published in: Technology
  • Can you download this or e-mail me the slides? John.Gomez@sensato.co

Practitioners Guide to SOC (slide text)

  1. Practitioners Guide to SOC. Joe Schreiber, Solutions Architect
  2. Security Operations Center. Topics:
     • SOC: Evolution
     • SOC & SIEM: BFF 4 Ever!
     • SOC: Know the Limits
     • SOC: Workflow
     • SOC: Incident Response
     • KTHXBYE
  3. SOC: How did we get here?
  4. Operations!
  5. Humans meet computers. "Something is down?" "YouTube is up though."
  6. No SOCs in Utopia? It wasn't even Zero-Day…
         #!/usr/bin/perl
         print "Hello World\n";
  7. IRP? "Just reboot it!" Ugh!
  8. SIEM to the rescue! SIEM
  9. Maybe this will catch on?
  10. Will it ever be automated?
  11. SIEM is your friend. It works with you.
  12. What's Important?
     • Manual: human effort
     • Automated: vulnerability scanning
     • Business: what does your business do?
  13. SIEM does magic? Risk scoring:
         ( (0-5) * (0-5) * (0-10) ) / 25 = RISK OF THE EVENT (0-10)
         i.e. (asset value * priority * reliability) / 25, with asset value 0-5, priority 0-5 and reliability 0-10, so the result is 0-10
  14. Events != Alarms. Workflow is based on alerts.
  15. SOC must have bounds. Know your limits:
     • Notification
     • Remediation
  16. SOC Workflow: Anomalies → Alerts → Response. "What is this doing here? Almost seems like… an Anomaly."
  17. NOC Work Center
  18. SOC Work Center
  19. Checkbox Security? Insecure.
  20. SOC Roles
     • Analyst: multi-disciplined; investigates alerts, possibly remediation
     • Operator: SIEM and device expert; tunes and maintains policy
  21. Feedback/Tune/Refine: Feedback → Tune → Refine → Implement, as a loop that never exits:
         # the process never finishes; each pass feeds the next
         while [ 1 = 1 ]; do
             getFeedback
             TuneSystem
             RefineProcess
             Implement
         done
  22. Analyze This! Tools for an IDS analyst:
     • Signature and description
     • Name and owner of source and destination
     • If application, then version actually running
     • First occurrence?
     • Previously notified?
     • Previous remediation?
     • Other devices involved?
     • And of course… the actual PCAP!
  23. Incident Response: have a notification plan; have an escalation plan.
  24. Two-Man Rule
  25. Conclusion. Takeaways: People; SOC & SIEM; Continual process; Context.
  26. Next Steps / Q&A
     • Request an AlienVault USM demo at: www.alienvault.com/schedule-demo.html
     • Request a free trial of AlienVault USM: http://www.alienvault.com/free-trial
     • Not quite ready for all that? Test drive our open source project, OSSIM, here: communities.alienvault.com/
     • Need more info to get started? Try our knowledge base here: alienvault.bloomfire.com
     These resources are also in the Attachments section. Join the conversation! @alienvault #AlienIntel29
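The risk formula from slide 13, the events-versus-alarms threshold from slide 14 and the analyst checklist from slide 22, chained together as an added worked example. This is not code from the deck or from AlienVault; the alarm threshold (1, OSSIM's historical default), the asset value used for hosts missing from inventory, the shape of the inventory and history records, and every host, signature and event in it are assumptions constructed for this example.

```python
"""Added example, not from the deck or from AlienVault's code.

Slide 13: risk = (asset_value * priority * reliability) / 25, with asset value
0-5, priority 0-5 and reliability 0-10, so the result is 0-10.
Slide 14: events != alarms; only events past a threshold enter the workflow.
Slide 22: the context an IDS analyst wants next to an alarm.

Assumptions made here: the alarm threshold (OSSIM's historical default of 1),
the asset value assumed for a host not in inventory, the record layouts, and
all hosts, signatures and events below, which are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    signature: str        # IDS signature name
    src: str              # source IP
    dst: str              # destination IP
    app: Optional[str]    # protocol/application the signature targets, if any
    priority: int         # 0-5: how bad it is if the signature is right
    reliability: int      # 0-10: the sensor's confidence that it is right
    pcap: str             # where the capture for this event was stored


ALARM_THRESHOLD = 1.0     # assumption: OSSIM's historical default
DEFAULT_ASSET_VALUE = 2   # assumption: value for a host not in inventory

# Constructed inventory, signature descriptions and alarm history.
ASSETS = {
    "10.0.0.10": {"name": "web01", "owner": "web-team", "value": 5,
                  "apps": {"http": "Apache httpd 2.2.22"}},
    "10.0.0.50": {"name": "ws-jdoe", "owner": "jdoe", "value": 2, "apps": {}},
}
SIGNATURES = {
    "WEB-ATTACK /etc/passwd access attempt": "request path contains ../etc/passwd",
    "ICMP PING": "echo request",
    "POLICY SSH outbound": "SSH session to an external host",
}
HISTORY = {  # (signature, destination) -> what was done last time
    ("WEB-ATTACK /etc/passwd access attempt", "10.0.0.10"):
        {"notified": "2013-05-02", "remediation": "blocked source at edge firewall"},
}


def risk_score(asset_value: int, priority: int, reliability: int) -> float:
    """Slide 13's formula, refusing out-of-range inputs instead of scoring them."""
    for name, val, hi in (("asset_value", asset_value, 5),
                          ("priority", priority, 5),
                          ("reliability", reliability, 10)):
        if not 0 <= val <= hi:
            raise ValueError(f"{name}={val} is outside 0-{hi}")
    return asset_value * priority * reliability / 25


def describe_host(ip: str) -> str:
    host = ASSETS.get(ip)
    return f"{host['name']} (owner: {host['owner']})" if host else f"{ip} (not in inventory)"


def triage(event: Event, batch: list) -> dict:
    """Slide 22's checklist for one alarm; `batch` is the window it arrived in."""
    dst = ASSETS.get(event.dst)
    prior = HISTORY.get((event.signature, event.dst))
    related = set()
    for other in batch:  # other devices that touched this alarm's endpoints
        if other is not event and {other.src, other.dst} & {event.src, event.dst}:
            related.update({other.src, other.dst})
    return {
        "signature": event.signature,
        "description": SIGNATURES.get(event.signature, "(no description on file)"),
        "source": describe_host(event.src),
        "destination": describe_host(event.dst),
        "app_version": dst["apps"].get(event.app) if dst and event.app else None,
        "first_occurrence": prior is None,
        "previously_notified": prior["notified"] if prior else None,
        "previous_remediation": prior["remediation"] if prior else None,
        "other_devices": sorted(related - {event.src, event.dst}),
        "pcap": event.pcap,
    }


def process(events: list) -> tuple:
    """Score every event; only those at/above the threshold become alarms (slide 14)."""
    alarms, below = [], []
    for event in events:
        value = ASSETS.get(event.dst, {}).get("value", DEFAULT_ASSET_VALUE)
        risk = risk_score(value, event.priority, event.reliability)
        if risk >= ALARM_THRESHOLD:
            alarms.append((risk, triage(event, events)))
        else:
            below.append((risk, event.signature))
    alarms.sort(key=lambda a: -a[0])  # highest risk first
    return alarms, below


EVENTS = [  # constructed sample events
    Event("WEB-ATTACK /etc/passwd access attempt", "203.0.113.5", "10.0.0.10",
          "http", 3, 8, "/pcap/0001.pcap"),
    Event("ICMP PING", "10.0.0.50", "10.0.0.10", None, 1, 2, "/pcap/0002.pcap"),
    Event("POLICY SSH outbound", "10.0.0.50", "198.51.100.7", "ssh", 4, 5, "/pcap/0003.pcap"),
]

if __name__ == "__main__":
    alarms, below = process(EVENTS)
    for risk, ctx in alarms:
        print(f"ALARM risk={risk:.1f}")
        for key, val in ctx.items():
            print(f"    {key}: {val}")
    for risk, sig in below:
        print(f"event only (risk={risk:.1f}): {sig}")
```

Run as-is, the web-attack event scores 4.8 against the value-5 web server and arrives with its prior notification and remediation attached, the outbound SSH from the workstation scores 1.6 with no history (a first occurrence, to an unknown destination), and the ping scores 0.4 and never reaches an analyst. The point the slides make is visible in the numbers: the same signature against a value-0 asset would score 0, so inventory quality decides what the SOC sees.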
