You bought SIEM and are sure that SOC is in your pocket, is not it?

A month ago I was invited over by an old acquaintance of mine, the information security director of a fairly large company, with the aim, in his words, of "surprising me". I should note that earlier we had discussed the challenges many companies face in the area of cyberthreats and the problems of building a SOC (Security Operations Center).
 
 
So begins my story about building a SOC in a company.
 
 
You bought SIEM and are sure that SOC is in your pocket, is not it?
 
 
With his customary ceremony, the IS director led me to the storeroom of their IT department. There I was shown a pile of boxes of expensive "iron" and a printout of the specification. It listed the purchase of licenses from one of the well-known vendors in the Quadrant for SIEM. The genuine joy on his face said that the problems voiced in our earlier conversation had been solved overnight. He then told me that, in addition to this "treasure", money had been approved for implementing the system, and that three specialists were to be hired for this activity. He placed special emphasis on the "three specialists", as if to make clear that he had worked the question through thoroughly and figured everything out. The estimate really was relatively sound, but unfortunately it had not been tested empirically.
 
 
We sat down and went through both the structure of the SOC project and the proposed economic model. We tried to evaluate the allocated positions, the roles and the competencies required to reach the intended level of service.
 
 
The initial idea was to delegate keeping the "iron" running to the IT department, sending its engineers to the vendor's specialised courses. The first position was then to be used for a SIEM application engineer. It was expected that after training this person would be able to connect event sources and also, "preferably, write connectors when necessary" (a direct quotation), and spend the rest of the time taking part in the analysis of simple incidents. The second and third positions were planned for experts who would work through incidents, write new correlation rules and develop the direction as a whole. It was also taken into account that there could be many incidents and that, at any given moment, one of the experts might be sick or on vacation.
 
 
To the question "What is the forecast: number of sources, number of incidents, complexity of events and expected reaction times?", the answer was rather chaotic, then silence, and finally, with sadness in his voice: "Then we'll think of something!"
 
 
This case can be called quite typical for companies that have for some reason realised the need to implement a SOC, but have not been able to assess the "magnitude of the disaster" comprehensively.
 
 


We have "matured", we need a SOC


 
One of the prerequisites for introducing a SOC is that the company has reached a certain level of maturity. This level allowed it to close the basic things earlier, according to the pyramid of needs, and to realise that one important component is now missing from the full picture. Indeed, once a company has put its infrastructure in order (network architecture, segmentation, domains, update procedures and other useful things) and has deployed a necessary and sufficient set of information security tools (perimeter defences, endpoint protection, etc.), the question inevitably arises: "How can I see everything I own, and how do I evaluate what I see?"
 
 
By that time the company presumably already has established processes, many of them built in the best traditions of ITIL. The IT support division (in some cases IS as well) is divided into support lines, and there may even be shifts operating in 24*7 mode. It is worth noting, however, that such companies are rare, and in my memory only 3 out of 1? with more than ?000 workstations can boast of this whole list of achievements.
 
 
Nevertheless, if we take these 30% of lucky ones as an example, they face the task of an integration project that must turn into a very important and critical service. Within the project, painted in broad strokes, it is necessary to:
 
 
 
1. Implement and configure a SIEM system (integration with a service desk or its equivalent, setting up and connecting event sources, customising and applying basic correlation rules, etc.).

2. Hire and train staff (the vendor's specialised courses on the SIEM system, conducting investigations, etc.).

3. Document and implement regulations and response instructions (including incident playbooks, criticality and complexity ranking criteria and a further huge set of documents, comparable in printed form to the deliverables of a government contract).

4. Define areas of responsibility between departments, write down a clear SLA and launch the service.

5. Uncork and taste a bottle of something fizzy when the first incidents occur and are handled cleanly. This item is optional and depends solely on the company's internal culture; it is sufficient to verify that the service operates according to the specified SLA.
 
 
It would seem that everything is simple: detail every point, draw up a plan and execute it by the scheduled date. But the devil is in the details.
 
 


SOC is the technologies used, the experts and the processes built


 
Now in order.
 
 
SOC technology is the set of tools the service uses to automate the collection of information, correlation and primary analytics. Naturally, the toolkit is determined by the available capabilities and functionality.
 
 
SOC experts are team members with competencies in the following directions:

administration of OS, DBMS, AD and network components;

administration of IS application systems;

administration of applied IT systems;

analytics (monitoring and 2nd line for the SOC);

an analyst with relevant experience and expertise (3rd line for the SOC: at least 3 years of work in specialised companies, plus participation in incident investigations).
 
 
SOC processes are a set of organisational and technical procedures covering 4 areas:

Support of the SOC infrastructure (infrastructure support);

Monitoring of security events (monitoring);

Investigation of incidents (incident investigation / response);

Development (service development).
 
 
All components are aimed at detecting and preventing cyberthreats.


At the same time, the most important requirement for these processes is that they must be seamlessly embedded in the organisation's current business processes. In other words, SOC processes cannot stand apart as a "mansion" on their own; they must, firstly, be built with filigree precision and, secondly, effectively perform their task of delivering the expected value. Note also that the "filigree" of a critical service means absolute clarity and coherence in the actions of employees of adjacent units, in which idle time and violation of the specified SLA parameters are not permitted even in the case of force majeure, let alone the popular "the employee was at lunch" or "could not get through". The result must be clear and on time. For this reason, the SOC working model resembles military service, and the adopted regulations and instructions resemble an unconditionally executed charter.
 
 
Paradoxically, many are confident that the main component of a SOC is the toolkit. The following example is appropriate here. Imagine that you are going, God forbid, for an operation. The news is not pleasant, and at the clinic they begin to cheer you up by saying that the operation will be done by some surgeon or other, but that he has a tremendous scalpel from one of the most expensive manufacturers. They will mention the "miracle scalpel" several times, and may even show you a certificate confirming its sharpness and the purity of the metal. I assume this argument will not be very reassuring, and you will want to make enquiries about the doctor and his experience in performing similar operations.
 
 
Of course, the choice of SIEM system is extremely important, and its functionality should clearly reflect the buyer's requirements. But one should always remember that a SIEM is only automation, and configuring it requires deep competencies and a very clear logic of operation.
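To make concrete what "correlation" and "a very clear logic of operation" mean in practice, here is an added example that is not code from the article or from any SIEM vendor. It is a minimal brute-force correlation rule of the kind a SIEM engineer writes, run over constructed OpenSSH-style auth lines (the hosts, addresses and the THRESHOLD/WINDOW values are assumptions). The same events are evaluated by a naive "N failures" rule and by a tuned "N failures followed by a success" rule, which is where the engineer's logic, not the product, decides how many false positives the analysts on the 2nd line will have to read.

```python
"""
Added example (not from the original article): a minimal SIEM-style correlation
rule run over constructed log lines, to show that the SIEM only automates the
logic the team has to define and tune.

Assumed, hypothetical rule: alert when one source IP produces at least
THRESHOLD failed SSH logins on one host within WINDOW seconds and a successful
login from the same source to the same host follows within WINDOW seconds of
the last failure. The degraded "THRESHOLD failures" variant is kept alongside
to show the false-positive difference tuning makes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

THRESHOLD = 5   # failed attempts before the rule cares (assumed value)
WINDOW = 60     # seconds within which the failures must occur (assumed value)

# OpenSSH-style auth log lines; hosts, users and addresses are constructed.
SAMPLE_LOG = """\
2018-09-21T10:00:01Z host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
2018-09-21T10:00:03Z host1 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
2018-09-21T10:00:05Z host1 sshd[1203]: Failed password for root from 203.0.113.7 port 40003 ssh2
2018-09-21T10:00:07Z host1 sshd[1204]: Failed password for root from 203.0.113.7 port 40004 ssh2
2018-09-21T10:00:09Z host1 sshd[1205]: Failed password for root from 203.0.113.7 port 40005 ssh2
2018-09-21T10:00:12Z host1 sshd[1206]: Accepted password for root from 203.0.113.7 port 40006 ssh2
2018-09-21T10:05:00Z host2 sshd[2201]: Failed password for invalid user test from 198.51.100.9 port 50001 ssh2
2018-09-21T10:05:01Z host2 sshd[2202]: Failed password for invalid user test from 198.51.100.9 port 50002 ssh2
2018-09-21T10:05:02Z host2 sshd[2203]: Failed password for invalid user test from 198.51.100.9 port 50003 ssh2
2018-09-21T10:05:03Z host2 sshd[2204]: Failed password for invalid user test from 198.51.100.9 port 50004 ssh2
2018-09-21T10:05:04Z host2 sshd[2205]: Failed password for invalid user test from 198.51.100.9 port 50005 ssh2
2018-09-21T10:05:05Z host2 sshd[2206]: Failed password for invalid user test from 198.51.100.9 port 50006 ssh2
2018-09-21T11:00:00Z host1 sshd[1301]: Accepted publickey for deploy from 192.0.2.10 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)


def parse(line):
    """Normalise one raw line into an event dict; return None for lines the parser does not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def correlate(lines, require_success=True):
    """Run the brute-force rule over raw lines and return the list of alerts raised.

    require_success=False degrades the rule to "THRESHOLD failures within WINDOW",
    which fires on every noisy scanner. require_success=True only fires when the
    burst of failures is followed by an accepted login from the same source.
    """
    failures = defaultdict(deque)   # (src, host) -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                # unparsed lines are dropped, not correlated
        key = (ev["src"], ev["host"])
        q = failures[key]
        # slide the window: forget failures older than WINDOW seconds
        while q and (ev["ts"] - q[0]).total_seconds() > WINDOW:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if not require_success and len(q) >= THRESHOLD:
                alerts.append({"rule": "ssh_bruteforce_attempts", "src": ev["src"],
                               "host": ev["host"], "failures": len(q), "at": ev["ts"]})
                q.clear()           # do not re-alert on every further failure
        else:                       # "Accepted"
            if require_success and len(q) >= THRESHOLD:
                alerts.append({"rule": "ssh_bruteforce_success", "src": ev["src"],
                               "host": ev["host"], "user": ev["user"],
                               "failures": len(q), "at": ev["ts"]})
            q.clear()               # a success ends the attempt sequence either way
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines(), require_success=False):
        print("naive rule :", a)
    for a in correlate(SAMPLE_LOG.splitlines()):
        print("tuned rule :", a)
```

On the sample above the naive rule raises two alerts (one per scanning source), while the tuned rule raises one, for the source that actually got in as root on host1. Neither variant is "the right one"; which to run, and with which threshold and window, is exactly the decision the article says the SOC team has to make and keep revisiting as sources are added.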
 
 


Experts and processes are the cornerstone of a SOC


 
From the above list of necessary competencies it is clear that SOC specialists are versatile and highly qualified employees who must sit at the junction of deep technical knowledge and analytical experience. In addition, the SOC direction is still quite young in the Russian Federation and the CIS, which means there are few experts in this subject area. Finding competent and "free" professionals on the market is extremely difficult. Above all, such specialists are interested in working with new and interesting cases that let them develop; they need a flow of cases. For this reason they often "settle" in large service providers and rotate only between similar structures.
 
 
The salary level of these specialists is also worth noting. Colleagues have repeatedly cited analytics on this before. That information is still relevant today, except for the salary level itself: salaries have risen, by an average of 15-20% across the market. This means that a company that has declared a need to hire such experts must put quite serious money on the table. How well does this money match the benefit it brings, given that very few companies (the exception being service providers) can fill at least 70% of such an expert's time? Even if the expert is paid well, the probability that he will find a more interesting job is high. Moreover, there are statistics showing that the team of this kind of project-service turns over completely within 3-7 years. This is a reality and it must be reckoned with.
 
 
So, the company has bought a wonderful toolkit, a functional and efficient SIEM system, and has hired a talented and experienced SOC expert who managed to assemble a friendly and coordinated team of responsible specialists. Next, this team must take the system into support, develop the necessary procedures and regulations, implement them and start working by them. Note that even after good consulting from an integrator who helped build the SOC (implemented the system, audited the processes, created basic rules and wrote the necessary instructions), a huge layer of work remains for the SOC team: optimising the response centre that was created to fit the company's reality. The combing of processes and working patterns follows on a "case by case" basis.

If there was no consulting and the team must build the SOC on its own, the story becomes even more interesting and costly. It is like putting a graduate (even one with a diploma with honours) on the most critical site in his first days at the plant and hoping he will "somehow find his way".
 
 
It follows that, in order to entrust building the SOC to a newly created team, one must be prepared for two scenarios:



To recruit a team of specialists who have already built a similar service (either as this team, or each participant individually in his role).

To gather experts from related fields with relevant knowledge and "flood" the way out of erroneous decisions, shortcomings and uncoordinated actions with money.


Of the two scenarios, the first is the more economical and the more likely, because it guarantees the result and the timeframe for reaching the target level of service. Moreover, in the first option the project-service sponsor already understands the number of employees needed and the composition of the required roles (the number of support lines, including 24*7 or 8*5 operation, the number of analysts and their functions, support for the SIEM and its components, and so on). In the second, the sponsor usually reasons in categories like: "We have 5 universal units of work, each expert can take 2 units of work at a time, so we take two experts and one student." However funny this may seem, practice shows that in the hectic flow of tasks some managers make such decisions automatically, and are sure of the result, under the motto: "Let there be good employees; how to use them and load them we will figure out later."
 
 


Or maybe SOC as a Service is better?


 
The Internet is now full of the latest trends: digital transformation, companies moving entirely to the "clouds", non-core processes outsourced. Large companies are beginning to offer platforms from which one can assemble the necessary set of services to support and develop a business of any size. Outsourcing of accounting, legal services, call centres, turnkey IT: this is only the beginning of global changes, and the types of services can be absolutely anything. Those that yesterday seemed incredible and exotic, such as "print outsourcing", are now in great demand. Moreover, we can see the trend towards a service-oriented model in the Western market, which traditionally runs ahead of Russia and the CIS. It is huge and covers all industries.
 
 
SOC as a Service (SOCaaS) is no exception. There are enough players on the market, providers of information security services (MSSPs), who offer customers not to "reinvent the wheel" but simply to take advantage of their expertise and experience in this area. The experts here, working on a "flow" of cases, sharpen their skills and gain vast experience, which allows them to draw up clear and efficient processes. They have stepped on every rake, analysed every possible scenario and can offer options relevant to customers' needs. The client does not need to invent anything; he simply tries on the proposed options and chooses the ones he needs.
 
 
The most "delicious" part of this story is that:



for quite acceptable money, the client receives the entire list of expensive experts in the required quantity;

the service has been properly designed, trained and tested on other companies;

the service company is financially responsible for meeting the SLA and for the "human factor";

the client receives a turnkey service. This means the client does not need to generate proposals for developing the service; the service provider will come with them himself. And of course there are no worries about the motivation of the SOC team or staff "turnover": the chosen partner will take care of that.
 
 


So what in the end?


 
For my friend there are two options for a successful exit from this situation:



1. Get an additional budget for competent experts who have previously built a SOC, expand the staff by at least 4 more people (and in the case of 24*7, by 7 specialists), and then carry out an ambitious internal project.

2. Get an even bigger budget for building a SOC "on a turnkey basis", with a qualified and experienced service provider as the executor. This is a whole novel costing tens of millions of rubles (capex), but with a guaranteed result. Opex will also be comparable with point ?, but the required level of service will be reached much faster.


In either scenario, both options are comparable to the money already spent on SIEM licenses and turn out many times more expensive than a managed service with similar parameters. It is a fact! That is why this direction is now developing so actively and is in such demand among interested companies.


However, we must admit that even the best service is not a universal cure for all the problems and pains of the client. Everything, as usual, remains at the mercy of the specific task, the size of the wallet and the pedantry of the SOC's customer.
 
 
Denis Gushchin, Deputy General Director of Infosecurity.

Posted by: weber
Publication date: 21-09-2018, 11:21
Category: Development / Information Security