The first report is a ZDNet interview with Symantec's SOC in the UK, an old piece from 2005. At that time the SOC boom in Europe and the US was already cooling off, while in China SOC building had only just started but was in full swing: the concept drew a lot of attention and, immature as it was, the telecom carriers were still willing to pay for it.
A Chinese version of the article is here. It says: "The Winchester SOC is part of Symantec's global network of information-monitoring sites. Customer data is monitored in five SOCs located in Sydney, Munich, the UK and two in the US, in Alexandria and San Antonio. The SOCs work closely with Symantec's seven Security Response Centers (SRCs). The SOC's primary job is to identify attacks against customers; the SRCs work at a higher level and compare information from a much broader range of sources. The seven SRCs are spread around the world, including the US, Canada, Ireland, Japan and Australia."
There is also a blogspot post describing the author's visit to Symantec's Alexandria SOC in 2006. It is blocked here, so I have copied it out below:
Last week I was invited to visit the Symantec Security Operations Center (SOC) in Alexandria, VA. I had been there twice before, before they acquired Riptech and after. Jonah Paransky, Director of Product Management for MSS, answered many of my technical and business questions.
On this trip I learned that Symantec operates two 24x7x365 SOCs (in the USA and the UK), along with one in Europe, one in Japan, and other support centers. They do not collect and store security data at the SOC; instead, they have the data pouring into colocation facilities elsewhere.
Jonah said they see 3000-4000 "potential" incidents per day, of which about 100 are considered "hard kills." I couldn't tell if that meant actual compromise or not, but those 100 events per day prompt calls to customers.
We discussed the nature of their customer base. Symantec provides managed security services to many global 500 companies, some "with security staffs larger than Symantec's." I asked why such a company would bother with MSSP? Jonah responded with these points:
It's expensive to hire a team of analysts to inspect and react to security events on a 24x7x365 basis. My own experience says that requires hiring 12 people if you want 2 people on shift.
Analysts watching a single company -- even a very large one -- get bored fast. This is true. If your company cares enough to staff a security operation like this, they are probably not bleeding like a .edu. (Ever notice the best papers come from .edu's and not finance.com's?)
Symantec's global perspective, combined with local data, gives customers a sense of what is happening on the Internet and their networks. In other words, customers hire Symantec to provide a data feed that those large security staffs can interpret and work. Customers see "everything" that Symantec's analysts see. This is a change from the environment five years ago.
Jonah noted that Symantec undergoes a Statement on Auditing Standards (SAS) No. 70 Type II audit every year [Note: holding the relevant certifications helps an MSSP's credibility, but in general a certification only proves that you work by the book, that you have processes and follow them. Whether those processes are good enough, and how capable you are of finding and handling problems, a certification cannot prove.] The process takes 2 months out of 12 (ouch). The end result, however, is a document that shows all of the processes Symantec follows, along with a measurement of Symantec's adherence to those processes. This is very valuable for customers, who previously would require Symantec to undergo on-demand audits prior to signing up for MSS. Now, Symantec hands them the SAS 70 Type II audit report and the customer is SOX-satisfied. Symantec also follows ISO 27000 standards.
Overall, I was impressed by what I saw. I was a little concerned by the emphasis on process over outcomes, however. While it's good to be audited for adherence to processes, it would be better to determine if those processes result in improved incident detection and response. I doubt the auditors attack Symantec clients to test the responsiveness of the analyst staff.
This thought came to mind during the visit, and also later when one of my customers called. They're planning to bring their monitoring services back in-house, as they fear their vendor is too malware-focused. This customer wants me to help them build an in-house network security monitoring, incident response, and forensics operation, to be completed by the end of next year. That should be a great project.
I'm considering the value of something like Symantec Early Warning Service for my customers who run their own MSS SOCs. An early warning service can provide indicators that might be absent in an operation focused on a single company. [Note: one advantage a professional MSS has over a self-built SOC is visibility into a much wider range of threats, which makes for better early warning.]
Thank you to Jonah and the other folks from Symantec and their partners who answered my questions and let us tour their facility.
Copyright 2006 Richard Bejtlich
A short biography of Richard Bejtlich is here.
There is also a third article, again lifting the lid on Symantec's SOC, this time from 2008; worth a look. The poster is a fellow SOC/SIEM enthusiast from China :-). The piece comes from a Symantec Partner Engage Conference in October 2008, where several people were invited to tour the SOC in Alexandria, Virginia (note: there are now 4 SOCs in total, the other three being Reading, England; Sydney, Australia; and Chennai, India, which already differs from the 2005 ZDNet account). Each attendee then wrote up their own impressions; see here, and also here. The key points:
The Symantec SOC is divided into three zones. Passing from the first zone into the second requires a badge reader and a biometric scanner at the door, behind which is a waiting area enclosed by high walls. The third zone looks like a glass fishbowl full of staff: on the left sit the monitoring analysts, who watch every security incident and notify customers in real time so they can defend themselves; on the right sit the security engineers, who handle configuration management, fault management and performance management for the service, for example firewall policy changes and system patching. The SOC receives 2 billion log entries a day, from which around 3,300 security incidents are distilled for deeper investigation, and about 100 per day end up being severe incidents that need action.
In 2009 someone else visited Symantec's European SOC, and this is the most detailed write-up of all. It says: "Apart from the European SOC, there are three other SOCs; one in the US, one in India and one in Australia. According to Dipper, each of them is online for 19 hours at a time, ensuring that there are always two centres available simultaneously. All the centres have identical set-ups and access the same customer data and log files." Around 200 staff in total.
"The system can handle log files generated by any product of any hardware or software vendor. Symantec initially stores all the information in a database before sending it for analysis to the actual SOC core component [Note: the architecture of a super-SOC like this is completely different from a typical enterprise-grade one]: Caltarian. This is Symantec's name for the system which first formats the various log files in a uniform way and then screens the data for suspicious network activities. The collected data is later also anonymised and combined into a Security Threat Report Symantec publishes twice a year."
"The SOC's job is done once the alert has been issued; the customer's IT experts are then responsible for tracking down and fixing the cause of the problem." [Note how they draw the boundary of the SOC's workflow.] Caltarian grades every event into one of 4 levels, each with its own response time; level 3 and level 4 events amount to only about 200 a day.
"The SOC can only ever be as successful as the quality and number of the log files provided by the customer." [You cannot make bricks without straw.] "Only a third of all attacks can be detected using the logs generated by IPS/IDS components. Combining the entries with the corresponding firewall logs increases the detection rate to just over 80 per cent. Only merging these data with the data produced by the virus scanners and other monitoring systems installed on the PCs and servers themselves allows the experts to recognise almost all the attacks." [IDS logs matter most, yet cover only a third; firewall logs are needed too, and correlating them with the IDS logs lifts the rate to 80%; on top of that come anti-virus logs, host logs and other detection logs.]
Finally, even with 74,000 patterns in the Caltarian engine, security cannot be guaranteed.
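The normalisation step ("formats the various log files in a uniform way") and the detection-rate figures above describe, in outline, a multi-source correlation pipeline. The following is an added illustration of that idea, not Symantec's or Caltarian's code: it parses constructed IDS, firewall and anti-virus lines (hypothetical formats) into one event schema, grades each monitored asset on an assumed four-tier scale, and shows which assets become visible as more log sources are fed in. The tiers, the scan threshold and the sample lines are all assumptions made for the example; the coverage it reports applies to the constructed data only and is not a reproduction of the one-third / 80 per cent figures quoted above.

```python
"""Multi-source log normalisation and correlation, as an added example (not Symantec's code).

Three hypothetical log formats (IDS, firewall, anti-virus) are parsed into one Event
schema, then correlated per monitored asset to assign an assumed four-tier severity.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    source: str   # "ids", "fw" or "av"
    src: str      # peer/attacker address, "-" when the source logs none
    dst: str      # monitored asset
    detail: str   # signature name, firewall verdict + port, or threat name


# Parsers for the three constructed formats below (hypothetical, not real vendor formats).
IDS_RE = re.compile(r"\[\*\*\] \[[\d:]+\] (?P<sig>.+?) \[\*\*\] (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")
FW_RE = re.compile(r"kernel: (?P<action>DROP|ACCEPT) .*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*DPT=(?P<dpt>\d+)")
AV_RE = re.compile(r"AV: host=(?P<host>[\d.]+) threat=(?P<threat>\S+) action=(?P<action>\S+)")


def normalise(line: str) -> Optional[Event]:
    """Map one raw line onto the common schema; None for lines no parser claims."""
    if m := IDS_RE.search(line):
        return Event("ids", m["src"], m["dst"], m["sig"])
    if m := FW_RE.search(line):
        return Event("fw", m["src"], m["dst"], f"{m['action']} dpt={m['dpt']}")
    if m := AV_RE.search(line):
        return Event("av", "-", m["host"], f"{m['threat']} {m['action']}")
    return None


SCAN_PORTS = 5  # assumed threshold: this many distinct denied ports from one peer counts as a scan


def correlate(events, sources=("ids", "fw", "av")):
    """Grade each asset 1..4 using only the chosen log sources (tiers are illustrative).

    1  isolated firewall deny, informational
    2  one source alone: IDS signature, firewall port scan, or AV detection
    3  IDS and firewall agree on the same peer -> asset flow
    4  network-side attack on an asset that also reports endpoint (AV) activity
    """
    ev = [e for e in events if e.source in sources]
    ids_flows = {(e.src, e.dst) for e in ev if e.source == "ids"}
    fw_flows = {(e.src, e.dst) for e in ev if e.source == "fw"}
    av_hosts = {e.dst for e in ev if e.source == "av"}
    denied = defaultdict(set)          # (peer, asset) -> distinct denied ports
    for e in ev:
        if e.source == "fw" and e.detail.startswith("DROP"):
            denied[(e.src, e.dst)].add(e.detail)
    scanned = {dst for (_, dst), ports in denied.items() if len(ports) >= SCAN_PORTS}

    severity = {}

    def bump(host, level):
        severity[host] = max(severity.get(host, 0), level)

    for (_, dst), ports in denied.items():
        bump(dst, 2 if dst in scanned else 1)
    for src, dst in ids_flows:
        bump(dst, 3 if (src, dst) in fw_flows else 2)   # firewall saw the same flow: corroborated
    for host in av_hosts:
        bump(host, 2)
    for host in av_hosts & ({dst for _, dst in ids_flows} | scanned):
        bump(host, 4)                                    # network attack plus endpoint evidence
    return severity


def investigable(events, sources):
    """Assets at tier 2 or above, i.e. the ones an analyst would open a case on."""
    return sorted(h for h, s in correlate(events, sources).items() if s >= 2)


# Constructed sample input (not real traffic): a web server hit by SQLi and then flagged
# by AV, a port-scanned host, a host with AV-only evidence, an IDS-only alert, a stray
# deny, and one line none of the parsers understands.
SAMPLE_LOGS = [
    "[**] [1:2003:8] SQL injection attempt [**] 10.0.0.5:4321 -> 192.0.2.10:80",
    "kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=80",
    "AV: host=192.0.2.10 threat=Backdoor.Webshell action=quarantined",
    *[f"kernel: DROP IN=eth0 SRC=10.0.0.7 DST=192.0.2.20 PROTO=TCP DPT={p}" for p in (22, 23, 25, 80, 139, 445)],
    "AV: host=192.0.2.30 threat=Trojan.Generic action=quarantined",
    "[**] [1:2013:4] Directory traversal attempt [**] 10.0.0.9:5555 -> 192.0.2.40:80",
    "kernel: DROP IN=eth0 SRC=10.0.0.8 DST=192.0.2.50 PROTO=TCP DPT=23",
    "sshd: Accepted publickey for ops from 10.0.0.2",
]
EVENTS = [e for e in map(normalise, SAMPLE_LOGS) if e is not None]

if __name__ == "__main__":
    for subset in (("ids",), ("ids", "fw"), ("ids", "fw", "av")):
        print(f"{'+'.join(subset):10s} -> assets needing a case: {investigable(EVENTS, subset)}")
    print("final severities:", correlate(EVENTS))
```

Run stand-alone, the IDS-only view surfaces two assets, adding the firewall logs exposes the port scan on a third, and only the anti-virus feed reveals the fourth; the web server climbs from tier 2 to tier 4 as each source corroborates the last. The point the quoted article makes holds in miniature: what the SOC can see is bounded by which logs the customer chooses to send.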
Also in 2009, the VP of Symantec's MSS gave a video interview from inside the SOC; see here.
Finally, a reminder to readers: Symantec running its own SOC well does not mean its SOC-related products (its SIM, for example) are good. The two have nothing to do with each other, or rather they belong to entirely different teams, who may not even know one another. In fact Symantec's SIM technology and product are far less worth studying than the organisation and processes of its SOC operation. I reposted these articles so that more people can see how a SOC is organised and run, and understand what a Security Operations Center actually is: a place and its people, just like a university's computing center or network center. They are all "centers" in the same sense.