If we regard the SOC as an entity in its own right, how do we go about building one? A 2005 article offers some useful insights.
The article analyzes the question from three angles: the security considerations of building the SOC facility itself, the core technology of the SOC technical platform (SIEM), and the processes by which a SOC operates. It closes with a worked example of SOC operations that shows the tools such an operation needs.
SIEM has been covered at length already, so there is no need to repeat it here. What does deserve the attention of anyone considering building their own SOC is the discussion of the SOC facility's own security: physical access control for the operations room, and the safeguards around its power supply, environmental conditions, and network connectivity. High availability of the technical platform and backup and recovery of its data may also need to be addressed.
The example at the end is quite interesting; it is excerpted below:
How To Set Up a War Room
It's 6 p.m. All is quiet until you notice a growing number of hits in your IDS. Then you see a mess of trouble tickets from end users complaining about slow network performance. Resources dwindle and become unavailable. No one can get to the intranet or Internet. Servers crash. You've just been hit with an enterprise-scope worm. Management, of course, wants answers--now.
Bringing together network staff, security folks, local IT support and management is a challenge, but you're prepared: You have a "war room" designed for such a crisis. The resources are available, and all your "generals" know where it is and how to get to it. Here are the bare essentials:

• Dedicated phone lines. The number of lines you need depends on the size of your SOC. Make sure you have at least two dedicated lines, one for conference calls and the other to make secondary calls.
• A fax line. When my company network went down because of the SQL Slammer worm, we used the fax machine to get remediation instructions out to the field offices.
• A dedicated printer with a local connection.
• Plenty of whiteboards and a large projector screen. Make sure everyone can see what needs to be done.
• A network connection to the Internet separate from your corporate network.
• A secure wireless network. Limit the range of connection, and only allow authorized access. When the war room isn't in use, disconnect the wireless network from the rest of the network.
• A small refrigerator stacked with Red Bull or Mountain Dew. No joke.