Thursday, October 15, 2009

What Should a SOC Have?

What do I need for IR or a SOC? This is the list of what I have in mind for now. If you have any other input, please share it with me.

1. People - Of course I will need more people if I want to run the SOC 24/7: at least 2 people per shift if I run it on 2 shifts of 12 hours each. Well, this has a limitation since we do have a head count.

2. Technology - We already have the technology: SIEM, IPS, FW, CSS, USD (for ticketing/IR) etc.

3. Room - Yes, we do need a room for the SOC! It should be a private and confidential area that can be accessed by authorized persons only. It should be equipped with CCTV, biometric access, PCs (of course), a printer, a projector, LCDs etc., and I do think it should be a comfortable room since people are working 24/7 in it.

4. Documents - Yes. Documents such as SOPs, SLAs, manuals, incident forms, analysis forms, asset lists, network diagrams, shift handbooks, monthly reports, executive summary reports, shift schedules etc.

5. Knowledge Bank System - Yes, we do need this system, which can run on the intranet: data servers (including movies/TV series? hehe), wikis, forums etc. The shift handbook can also be in online format, since people nowadays are so environmental and like to save paper :P

6. Training! (and knowledge sharing sessions) - Yeah, people need training to perform their daily tasks. Even high-level managers still need recognized training. Not only training for a specific tool (SIEM), but training in any security domain too. Anyway, within the hiring process, we still need experienced people who at least have knowledge of system engineering/system administration/networking, have security skills, have the right attitude and are passionate about learning new things.

7. Anything else? Please share.

:)