I am looking for resources and details on establishing a security operation center (SOC) or network operation center (NOC) based on ITIL or any other applicable regulations. Where can I find good details or the experiences of others, other than by hiring consultants?

AviD
Yasser Sobhdel
    http://www.mitre.org/publications/all/ten-strategies-of-a-world-class-cybersecurity-operations-center – atdre Jan 09 '15 at 21:00

1 Answer
Here is some experience about establishing projects, especially security projects, that applies to consulting and outsourcing that I wrote up on a security stackexchange answer about incident compromises.

As for resources, well it is highly dependent on your environment as to what you would need to build and how many people to hire (and at what levels of qualifications). In many ways, a good strategy consultant or two could push you into making better decisions, but if you want the real story -- let me give you some additional advice.

Security events and incidents are best tracked by personnel that are already familiar with SIEM and incident detection & response (IDR) panels -- so look for candidates with past hands-on and strategic long-term experience with SIEM/log-management/IDR. For staffing, Lance Hayden analyzes the current security event/incident stream using a Poisson distribution in Minitab, as explained in his book, "IT Security Metrics". He also goes into business workflow and other concepts that are highly important to building a quality SOC.

For IDR panels, consider AIRT or RTIR -- or build a custom one, perhaps based on their wireframes and workflow. Many organizations integrate IDR into their ticketing system, such as Remedy.

SIEM costs money, but there are books and resources to get a SOC started. Most security incidents in 2011 are SQL injection (or other web app layer attacks) and client-side browser/document attacks (e.g. Adobe Reader/Flash, Microsoft IE/Office/ActiveX, Oracle Java applets, etc). It is highly suggested that your SOC team be familiar with the techniques and tools outlined in the blog post entitled Closing The Loop. While not wanting to tone down the other, more important information in that blog post, there is something of specific interest to you: the CSIRT Handbook (PDF). That paper is old, but still very relevant.

For more up-to-date resources, check out the guides and many other resources at FIRST.

These books will also be helpful, in order of necessity:

  • Security Information and Event Management (SIEM) Implementation
  • Security Strategies in Windows Platforms and Applications
  • Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
  • Malware Forensics: Investigating and Analyzing Malicious Code
  • Network Security Hacks, Second Edition
  • Security Power Tools
  • Pro Open Source Mail: Building an Enterprise Mail Solution
atdre
  • 1
    How about NOC? I know this is a security forum, but I think these two must have tight interaction, especially in a medium-sized corporation without enough staff for separate centers. BTW, thank you for your invaluable comments and time. – Yasser Sobhdel Apr 15 '11 at 07:20
  • 1
    Also see this paper for more information -- http://www.sans.org/reading_room/whitepapers/incident/creating-siem-incident-response-toolkit-open-source-tools_33689 – atdre Jul 06 '11 at 16:07