Tuesday, February 3, 2015

Setup your own securiry operation centre

What Is SOC ??

SOC can be define as the process of implementing below mentioned components

Management System
Analyst Systems
Contextual Info
Incident Response

Why do you need SOC ?

Central location to collect information on threats
• External Threats
• Internal Threats
• User activity
• Loss of systems and personal or sensitive data
• Provide evidence in investigations

Keeping your organization running by maintaining 
• Health of your network and systems

Isn't Firewall, IDS AV enough ?

Firewall is active and known by attackers protect your system not your users

Anti-Virus Lag time to catch new threats by match files but not traffic patterns.

IDS alert on Event but doesn't provide context

  • System Log
  • proxy log
  • DNS log
  • Information From other People

Single IDS with Switch

Multiple IDS on Switch

Activities that can help you to discover the criteria to build custom rules for IDS

  • Test by creating rules on IDS
  • Test configuration Changes
  • can be used as a backup
  • use malware to test system 
  • try hack procedures

How to Analyze something like malware


step1 Collect Input from IDS
Step2 look at network capture
Step3 Look at firewall log
Step4 Look at proxy logs
Step5 Look at AV logs
Step6 look at system logs
Step7 talk to user for more analyzing in detail
Step8 Take Action (Incident Response)

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.