23 May 2013 00:47

Just sharing my thoughts and experience here... hope that will help some folks.


Main missions of the SOC are in bold.




  • External:
      • Technology watch: new software, new OS, new languages, new protocol specs
      • Security watch: new attacks, new threats, what to expect, new tools
      • Legal watch: what not to do, how to do things, copyright/trademark counterfeit issues, PII, jus soli issues, regulations

  • Internal:
      • Software & hardware inventories updates and improvements
      • Security instructions: patch deployment requests (could be linked to RFC)
      • Security training delivery, education.



Incident Response:

  • Detection: from stats, internal data capture (honeypot, network trace, etc.), and directly from security administrators' reports. Correlation.
  • Case handling: investigation instruction supply (on behalf of the internal control/police dept), analysis/forensics
  • Confidentiality loop enforcement
  • Court of law procedure / pure internal procedure specific due care (choice to be made)
  • Feedback to management, business



Security crisis:

  • Alert VIP/management when an incident is either production critical, or concerns several internal entities (transverse)
  • Security crisis management (operations, roles/missions dispatch, coordination, reporting)




  • AV/proxies/NIPS detections stats
  • Security fix deployment stats
  • Global current trend of ongoing security incidents
  • Major security incidents status/summary
  • User account activity report (password activity, provisioning summary)
  • Inventory cross-correlation: IP (network), AD, park management, IAM, etc.



Operational security support to projects

  • Assistance: help in understanding the current security policy, help in finding relevant solutions that are compliant with sec policy, help with risk assessment
  • Make sure remaining risks are associated with the relevant management.
  • Supply of security best practices docs: procedures, admin guides, etc.


Security policy exemption management:

  • Analyse the need and risk for a claimant not to be compliant with internal security policy
  • Then raise the case to management, so that they make a decision
  • Ask management about situations that are not covered by current internal security policy


Identity management support

  • Check accounts are properly disabled then deleted
  • Check traceability capability, according to needs and policy compliance
  • Monitor the deprovisioning of high privileges
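
One way to automate the first and third identity management checks above, as an added example that is not part of the original post. The leaver feed, the directory export, the privileged group list and the 90-day deletion delay are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the post): HR/IAM leaver feed and directory export.
LEAVERS = {
    "asmith": date(2013, 1, 10),
    "bjones": date(2013, 4, 30),
    "cdoe": date(2013, 5, 2),
}
ACCOUNTS = [
    {"login": "asmith", "enabled": False, "groups": ["Staff"]},
    {"login": "bjones", "enabled": True, "groups": ["Staff", "Domain Admins"]},
    {"login": "cdoe", "enabled": False, "groups": ["Backup Operators"]},
    {"login": "dlee", "enabled": True, "groups": ["Domain Admins"]},
]
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}  # assumed list
RETENTION_DAYS = 90  # assumed policy: disabled leaver accounts are deleted after this delay


def review_leaver_accounts(leavers, accounts, today, retention_days=RETENTION_DAYS):
    """Return sorted (login, finding) tuples for leaver accounts breaking the lifecycle."""
    findings = []
    for acct in accounts:
        left_on = leavers.get(acct["login"])
        if left_on is None:
            continue  # not a leaver: outside this check
        if acct["enabled"]:
            # Step 1 of the lifecycle was missed: the account can still log on.
            findings.append((acct["login"], "not_disabled"))
        elif (today - left_on).days > retention_days:
            # Disabled, but still present after the deletion delay.
            findings.append((acct["login"], "not_deleted"))
        # High privileges must be removed whatever the account state.
        for group in sorted(PRIVILEGED_GROUPS.intersection(acct["groups"])):
            findings.append((acct["login"], "privilege_kept:" + group))
    return sorted(findings)


if __name__ == "__main__":
    for login, finding in review_leaver_accounts(LEAVERS, ACCOUNTS, date(2013, 5, 23)):
        print(login, finding)
```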