
RE: Designing a Security Operations Center - Looking for Ideas -

Subject: RE: Designing a Security Operations Center - Looking for Ideas -
Date: Thu, 18 Nov 2004 14:41:51 -0500
Terry,
I'm not sure as to your background, but a good place to start would be to
determine what all you want to monitor and during what operational time.
For example, I monitor firewall logs, syslogs, IDS alerts, Security
Informational Bulletins, and perform regular vulnerability assessments in my
SOC.  I am also building an Identity Management practice to be coming soon.
This will entail monitoring login alerts, monitoring expired/lockout
accounts, and reviewing logs for duplicates.  One thing for sure, if you have to
monitor as much as this, you will need a good log correlation tool.  I am
evaluating a couple right now.  NetForensics and Network Intelligence are
two that I'm looking at right now.  Not endorsing either because I'm not
entirely sold on either at this point.  It would help if we knew what your
experience was, to what scale you intend to monitor your systems, and what
your goal is with the SOC.  If you don't have much experience with security
and you don't have the staff to support a full operation, you may want to
consider outsourcing some of it until you gain the familiarity with some of
the tools you decide on.  This will introduce you to the operational side of
the house and give you some exposure to things without having to rush off to
training and starting from green pastures.

Whatever you decide, it's not an easy task.  Good luck with it.

Jerry J. Murtland, CISSP
Sr. Data Security Analyst
Information Security Dept



-----Original Message-----
From: Terry S [mailto:dts15@yahoo.com]
Sent: Tuesday, November 16, 2004 12:17 PM
To: security-management@securityfocus.com
Subject: Designing a Security Operations Center - Looking for Ideas -




Hello to all,

I have been tasked to design a Security Operations Center (SOC) for my
company and wanted to know if there are any good papers, links, books.....?


I am also looking for anyone who has done one and what advice you can
provide? 

Thanks,
Terry
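
Editor's note: the reply above says that once a SOC watches firewall logs, syslogs, IDS alerts and account lockouts, a log correlation tool becomes necessary. The Python below is an added illustration of what the smallest version of that correlation looks like; it is not code from this thread, from NetForensics or from Network Intelligence. It reads sshd and pam_tally2 lines as a central syslog collector would receive them (the hosts, users, addresses and log lines are constructed), correlates failed logins by source address across hosts, and raises alerts for a burst of failures, a success that follows failures from the same address, and account lockouts. The year is assumed because BSD-style syslog timestamps do not carry one.

```python
"""Toy log correlation over syslog auth events from several hosts.
Added example for this thread; not code from NetForensics, Network
Intelligence or any poster.  Hosts, users, IPs and log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd and pam_tally2 lines as they would arrive at a
# central syslog collector (BSD syslog style, no year in the timestamp).
SAMPLE_LOG = """\
Nov 18 14:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Nov 18 14:01:05 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51130 ssh2
Nov 18 14:01:09 db01 sshd[918]: Failed password for root from 203.0.113.7 port 51140 ssh2
Nov 18 14:01:15 db01 sshd[918]: Failed password for oracle from 203.0.113.7 port 51151 ssh2
Nov 18 14:01:21 mail01 sshd[4410]: Failed password for root from 203.0.113.7 port 51160 ssh2
Nov 18 14:01:40 mail01 sshd[4412]: Accepted password for root from 203.0.113.7 port 51172 ssh2
Nov 18 14:05:00 web01 sshd[2300]: Failed password for jsmith from 198.51.100.4 port 40001 ssh2
Nov 18 14:30:00 web01 sshd[2301]: Accepted publickey for jsmith from 198.51.100.4 port 40002 ssh2
Nov 18 14:31:00 db01 pam_tally2[950]: user jdoe (1001) tally 6, deny 5, account locked
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<ip>\S+)")
LOCK_RE = re.compile(r"user (?P<user>\S+) .*account locked")
YEAR = 2004  # assumed: BSD syslog timestamps carry no year


def parse(text):
    """Turn raw syslog lines into auth events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        a = AUTH_RE.match(m["msg"])
        if a:
            events.append({"kind": "auth", "ts": ts, "host": m["host"],
                           "result": a["result"], "user": a["user"], "ip": a["ip"]})
            continue
        k = LOCK_RE.search(m["msg"])
        if k:
            events.append({"kind": "lockout", "ts": ts, "host": m["host"], "user": k["user"]})
    return events


def correlate(events, window=timedelta(minutes=5), threshold=5):
    """Correlate by source IP across hosts.  Alerts on: `threshold` failures from
    one IP inside `window` (even when spread over several hosts, which a per-host
    view would miss), a success from an IP that was just failing, and lockouts."""
    alerts = []
    failures = defaultdict(list)  # ip -> [(ts, host, user)] still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "lockout":
            alerts.append({"type": "account_lockout", "ts": ev["ts"],
                           "host": ev["host"], "user": ev["user"]})
            continue
        ip = ev["ip"]
        # forget failures that have aged out of the window
        failures[ip] = [f for f in failures[ip] if ev["ts"] - f[0] <= window]
        if ev["result"] == "Failed":
            failures[ip].append((ev["ts"], ev["host"], ev["user"]))
            if len(failures[ip]) == threshold:  # fire once per burst, not per attempt
                alerts.append({"type": "brute_force", "ts": ev["ts"], "ip": ip,
                               "attempts": threshold,
                               "hosts": sorted({f[1] for f in failures[ip]}),
                               "users": sorted({f[2] for f in failures[ip]})})
        elif failures[ip]:
            alerts.append({"type": "success_after_failures", "ts": ev["ts"], "ip": ip,
                           "host": ev["host"], "user": ev["user"],
                           "prior_failures": len(failures[ip])})
    return alerts


def run(text=SAMPLE_LOG):
    """Parse and correlate; returns the list of alerts in time order."""
    return correlate(parse(text))


if __name__ == "__main__":
    for a in run():
        print(a["ts"].strftime("%H:%M:%S"), a["type"],
              {k: v for k, v in a.items() if k not in ("ts", "type")})
```

On the sample, the five failures from 203.0.113.7 are spread across three hosts, so no single host sees more than two; only the cross-host view raises the brute-force alert, and the later accepted root login from the same address is escalated because it follows those failures. The single jsmith failure followed by a key-based login 25 minutes later falls outside the window and stays quiet, which is the kind of tuning (window, threshold, what counts as a lockout) that a real correlation product exposes as configuration.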
