What Is a SOC?
A SOC (Security Operations Center) can be defined as the function that brings together the following components:
• Events (the raw logs and alerts your systems generate)
• IDS (intrusion detection sensors)
• Management system (collects, stores and correlates the events)
• Analyst systems (the consoles the analysts work from)
• Analysts
• Contextual information (who owns which host, which user sits where, what is normal)
• Reporting
• Incident response
Why do you need a SOC?
A central location to collect information on threats and activity:
• External threats
• Internal threats
• User activity
• Loss of systems, and of personal or sensitive data
• Evidence for investigations
Keeping your organization running by maintaining:
• The health of your network and systems
Aren't a firewall, IDS and AV enough?
Firewall: it is an active control, attackers know it is there and expect it, and it protects your systems, not your users (who browse out through it).
Anti-virus: there is lag time before a new threat is detected, and it matches files, not traffic patterns.
IDS: it alerts on an event but does not provide context. The context has to come from other sources:
- System logs
- Proxy logs
- DNS logs
- Information from other people
IDS sensor placement (diagrams in the original): a single IDS on a switch, and multiple IDS on a switch.
Activities that help you discover the criteria for building custom IDS rules:
- Test by writing rules on the IDS and watching what they catch
- Test configuration changes before rolling them out
- The test sensor can also serve as a backup
- Run malware against the test system
- Try attack procedures yourself
How to analyze something like malware
Procedure:
Step 1: Collect the input from the IDS (the alert)
Step 2: Look at the network capture
Step 3: Look at the firewall logs
Step 4: Look at the proxy logs
Step 5: Look at the AV logs
Step 6: Look at the system logs
Step 7: Talk to the user to analyze in more detail
Step 8: Take action (incident response)
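The procedure above, as an added worked example that is not part of the original post: a Python script that takes one IDS alert (step 1), pulls every line that mentions the alerting host from the firewall, proxy, DNS, AV and system logs inside a time window (steps 3 to 6), joins in contextual information (hostname and owner) so the analyst knows who to talk to (step 7), and proposes an action (step 8). It also shows the context an IDS alert by itself lacks, the point of the "Aren't a firewall, IDS and AV enough?" section. The Snort-style alert line, the log formats, the asset table and every sample entry are constructed for this example, and the year is assumed because the alert format carries none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data for one fictional workstation; none of it is real.
ALERT_YEAR = 2024  # assumption: Snort "fast" alerts carry no year field

IDS_ALERT = ("03/14-10:15:02.000000  [**] [1:2008000:1] ET MALWARE Known Bad UA [**] "
             "[Priority: 1] {TCP} 10.0.0.42:51234 -> 203.0.113.7:80")

# Contextual information the SOC keeps beside the logs (constructed asset table).
ASSETS = {"10.0.0.42": {"hostname": "WS042", "owner": "bob", "role": "workstation"}}

# All sources are assumed NTP-synced and logging in the same time zone;
# without that, the time window below silently misses events.
LOGS = {
    "firewall": [
        "2024-03-14 10:14:59 ALLOW TCP 10.0.0.42:51234 -> 203.0.113.7:80",
        "2024-03-14 10:15:30 DENY  TCP 10.0.0.42:51240 -> 198.51.100.9:4444",
        "2024-03-14 09:00:00 ALLOW TCP 10.0.0.17:50000 -> 192.0.2.5:443",
    ],
    "proxy": [
        '2024-03-14 10:15:01 10.0.0.42 GET http://203.0.113.7/update.exe 200 "Mozilla/4.0 (compatible; MSIE 6.0)"',
        '2024-03-14 10:10:00 10.0.0.42 GET http://intranet.example/ 200 "Mozilla/5.0"',
    ],
    "dns": [
        "2024-03-14 10:14:58 10.0.0.42 A cdn-update.example.net -> 203.0.113.7",
        "2024-03-14 10:15:25 10.0.0.42 A c2.example.net -> 198.51.100.9",
    ],
    "av": [
        "2024-03-14 10:15:05 host=WS042 ip=10.0.0.42 detection=Trojan.Generic "
        "file=C:\\Users\\bob\\Downloads\\update.exe action=quarantine",
    ],
    "system": [  # host logs key on hostname, not IP: this is why the asset table is needed
        "2024-03-14 10:15:04 WS042 user=bob EventID=4688 NewProcess=C:\\Users\\bob\\Downloads\\update.exe",
        "2024-03-14 08:55:10 WS042 user=bob EventID=4624 LogonType=2",
    ],
}

ALERT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\]"
    r".*?\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")


def parse_alert(line):
    """Step 1: turn the raw IDS alert into the fields we pivot on."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert format")
    mon, day, hh, mm, ss, sid, msg, proto, src, sport, dst, dport = m.groups()
    return {"time": datetime(ALERT_YEAR, int(mon), int(day), int(hh), int(mm), int(ss)),
            "sid": sid, "msg": msg, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def log_time(line):
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")


def correlate(alert, logs, window=timedelta(minutes=2)):
    """Steps 3-6: keep every line naming the alerting host (by IP or hostname) inside the window."""
    keys = {alert["src"], ASSETS.get(alert["src"], {}).get("hostname")} - {None}
    lo, hi = alert["time"] - window, alert["time"] + window
    return {src: [l for l in lines if any(k in l for k in keys) and lo <= log_time(l) <= hi]
            for src, lines in logs.items()}


def summarise(alert, ctx):
    """Steps 7-8: who to talk to, what else the host reached, and what to do."""
    users = set()
    for l in ctx["system"]:
        m = re.search(r"user=(\w+)", l)
        if m:
            users.add(m.group(1))
    other_dsts = set()
    for l in ctx["firewall"] + ctx["dns"]:
        m = re.search(r"->\s+(\d+\.\d+\.\d+\.\d+)", l)
        if m and m.group(1) != alert["dst"]:
            other_dsts.add(m.group(1))
    downloaded = [l for l in ctx["proxy"] if re.search(r"\.(exe|dll|scr)\b", l, re.I)]
    executed = [l for l in ctx["system"] if "EventID=4688" in l]
    # Step 8: a downloaded binary that ran, or an AV detection, is a confirmed incident.
    confirmed = (downloaded and executed) or ctx["av"]
    return {"host": alert["src"], "hostname": ASSETS.get(alert["src"], {}).get("hostname"),
            "users": sorted(users), "other_destinations": sorted(other_dsts),
            "downloaded_binaries": len(downloaded), "executions": len(executed),
            "av_detections": len(ctx["av"]),
            "recommended_action": "isolate host and open incident" if confirmed
                                  else "monitor; escalate if more hits"}


def triage(alert_line=IDS_ALERT, logs=LOGS):
    alert = parse_alert(alert_line)
    return summarise(alert, correlate(alert, logs))


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k}: {v}")
```

Step 2 (the packet capture) is left out on purpose: it is the one source here that a script does not summarise well, and the analyst opens it by hand once the other logs have narrowed down the time and the hosts. Note how the system log only matches because the asset table maps the IP to a hostname; without that contextual information step 6 would come back empty and the second destination (198.51.100.9, denied on port 4444) would be the only hint that the host had moved on from the download.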