As today, the center for operational management of information security (SOC-center)

In large companies there are people whose only job is to monitor the state of information security and wait for trouble to start. This is not about the guards in front of the monitors, but about dedicated staff (at least one per shift) in the information security department.
Most of the time the SOC operator works with a SIEM. SIEM systems collect data from various sources throughout the network and, together with other solutions, correlate events and assess the threat level: individually for each user and service, and in aggregate for groups of users and network nodes. As soon as someone starts behaving too suspiciously, the SOC operator receives a notification. If the level of suspicion goes off the scale, the suspicious process or workstation is isolated first, and only then does the notification arrive. Then the incident investigation begins.

Simplifying greatly: for every suspicious action the user receives penalty points. If the action is typical for him or his colleagues, few points are assigned. If the action is atypical, many points are assigned.

For UBA systems (User Behavior Analytics), the sequence of actions also matters. Taken separately, a sharp jump in traffic volume, a connection to a new IP, or copying data from a file server happens from time to time. But if the user first opened an email, then a request went out to a domain registered just days ago, and then he began roaming around neighbouring machines and sending strange encrypted traffic to the Internet, that is already grounds for suspecting an attack.
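To make the scoring described above concrete, here is an added toy example (not code from the original post, nor from any real SIEM or UBA product). It assumes invented peer groups, action names, point values and thresholds, and it shows the two ideas from the text together: an action unusual for the user's group costs more points than a routine one, and the same actions score far higher when they occur in the phishing-to-exfiltration order than when they occur out of sequence.

```python
# Added example: a toy implementation of the scoring described above.
# Everything here (group names, action names, point values, thresholds
# and the ordering check) is an assumption for illustration, not a
# description of any real SIEM or UBA product.

# Constructed baseline: actions that are routine for each peer group.
BASELINE = {
    "accounting": {"open_mail", "web_browse", "open_share"},
    "admins": {"open_mail", "web_browse", "smb_connect", "rdp_connect"},
}
GROUP_OF = {"alice": "accounting", "bob": "admins"}

TYPICAL_POINTS = 1       # a routine action costs little
ATYPICAL_POINTS = 5      # an action unusual for the user's group costs more
CHAIN_BONUS = 20         # completing the whole attack chain costs a lot
ALERT_THRESHOLD = 15     # notify the SOC operator
ISOLATE_THRESHOLD = 30   # isolate first, notify second

# The chain from the text: mail opened -> newly registered domain contacted
# -> neighbouring machines probed -> encrypted traffic sent out.
ATTACK_CHAIN = ["open_mail", "dns_new_domain", "smb_connect", "tls_large_upload"]


def score_user(user, events):
    """Return penalty points, chain progress and verdict for one user.

    Events are processed in arrival order; only the matching user's events
    count, and the chain only advances when its stages occur in sequence.
    """
    typical = BASELINE[GROUP_OF[user]]
    score = 0
    stage = 0
    for ev in events:
        if ev["user"] != user:
            continue
        score += TYPICAL_POINTS if ev["action"] in typical else ATYPICAL_POINTS
        if stage < len(ATTACK_CHAIN) and ev["action"] == ATTACK_CHAIN[stage]:
            stage += 1
            if stage == len(ATTACK_CHAIN):
                score += CHAIN_BONUS
    if score >= ISOLATE_THRESHOLD:
        verdict = "isolate"
    elif score >= ALERT_THRESHOLD:
        verdict = "alert"
    else:
        verdict = "normal"
    return {"user": user, "score": score, "chain_stage": stage, "verdict": verdict}


# Constructed sample events (no real log data).
ATTACK_EVENTS = [
    {"user": "alice", "action": "open_mail"},
    {"user": "alice", "action": "dns_new_domain"},
    {"user": "alice", "action": "smb_connect"},
    {"user": "alice", "action": "tls_large_upload"},
]
# The same four actions in reverse order: no phishing-to-exfil story.
SHUFFLED_EVENTS = list(reversed(ATTACK_EVENTS))
# An admin doing admin things, plus one isolated oddity.
ADMIN_EVENTS = [
    {"user": "bob", "action": "open_mail"},
    {"user": "bob", "action": "smb_connect"},
    {"user": "bob", "action": "rdp_connect"},
    {"user": "bob", "action": "tls_large_upload"},
]

if __name__ == "__main__":
    for name, evs in [("attack", ATTACK_EVENTS),
                      ("shuffled", SHUFFLED_EVENTS),
                      ("admin", ADMIN_EVENTS)]:
        print(name, score_user(evs[0]["user"], evs))
```

Running it, the in-order chain for the accounting user reaches the isolation threshold, the same actions reversed only produce an alert, and the admin whose SMB and RDP connections are routine stays below the alert threshold even with one large encrypted upload. A real deployment would also bound the chain by a time window and learn the baseline from history rather than hard-code it.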
 
My mail is [email protected]