a Security Operations Center (v1.1)
Nicolas FISCHBACH
Senior Manager, Network Engineering Security, COLT Telecom
nico@securite.org - http://www.securite.org/nico/
MEITSEC 2008
About
Nicolas Fischbach
Agenda
Non-technical requirements
Technical requirements
Technology deployment
Challenges
Conclusion
Usually non-existing
Reactive security
etc.
SOC
CERT
CSIRT (Company/Computer/Corporate)
PSIRT (Product)
C(I)SO organization
Forensics
Vulnerability management
Audit/Pen-test
Technical Infrastructure
Facilities Management
Integrated/outside helpdesk
Processes
Policies
Authorization system
Bureaucracy vs flexibility
What is a change?
What triggers it?
Security events
Change requests / TTs
Forensics / event analysis
Law enforcement
Separate network(s)
Management platforms
Monitoring platforms
AAA systems
Chain of custody
Data visualization
MSSP-only?
Third parties
Customers
Visualization is key
Physical access
Logical access
Challenges
Humans
Legacy
Technology
Noise
Challenges :: Humans
Skills
24x7
Language
Challenges :: P&Ps
Key procedures
Key processes
Bureaucracy vs flexibility
Challenges :: Legacy
Technologies / vendors
EoS/EoL
Undocumented configurations / setups
People
Challenges :: Noise
Challenges :: Technology
How to pick
The right AAA system
The right SEM platform
The right management and monitoring platform
Challenges :: Technical
Challenges :: SEM/SIM
Events/second driven
Rules/AI/NNs/marketing
Conclusion
Remember
1) It's all about people
2) It's all about having the right technology in place
3) It's all about trying to make the 3Ps work by finding the right mix of flexibility and bureaucracy