

The difference and relationship among SIEM, SOC and MSS

2025-03-04 Update. From: SLTechnology News&Howtos, Network Security


Shulou(Shulou.com)06/01 Report--

The difference and connection of SIEM, SOC and MSS

Preface

SIEM and SOC are not new terms in China. On the contrary, after more than ten years of effort in the domestic security community, SIEM has matured, while SOC is still in an awkward position: too useful to abandon, yet rarely delivering real value. I think the main reason is that SOC in China is constrained by the domestic system, policy, the relevant log standards, the application environment and traditional ways of thinking, so from the very beginning it was positioned as a product. A SOC without the support of MSS is like requiring pilots to both fly and maintain the aircraft, and this is the main reason why domestic SOC has never been put to effective use.

There are two reasons why MSS (Managed Security Service) based on SOC has not been able to develop.

1. Technical blockade of MSS services by Europe and the United States.

Providing MSS services requires experienced senior security analysts, a complete SOC operation and maintenance team, standard security incident response and handling processes with SLAs, mature information security detection models, a threat scenario library, and accurate alerting and reporting systems. Learning and establishing this service system not only takes a great deal of money, time and manpower, it also needs massive operational data to practice on. Clearly, building such a team is not easy.

2. High labor cost conflicts with customers' demand for on-site operation and maintenance.

The cost of meeting the above MSS service requirements is very high, which means the only practical way to commercialize it is centralized management and operation. This conflicts with the general requirement of domestic high-end customers that service providers operate and maintain on site. MSS services are popular in Europe and the United States because their information security standards are mature and have been implemented and recognized by both government and commercial organizations, so the log transmission plus centralized management and operation (security log operations) that MSS requires has long been accepted.

What is SIEM?

SIEM (Security Information and Event Management) is a combination of software and services, and is the integration of SIM (Security Information Management) and SEM (Security Event Management). The difference between the two is that SEM focuses on real-time monitoring and event processing, while SIM focuses on historical log analysis and forensics. SIEM performs unified real-time monitoring and historical analysis of the security information (logs, alerts and so on) generated by all IT resources in an enterprise or organization, including networks, systems and applications; it monitors external and internal violations and misoperations, supports audit analysis and investigation and forensics, and issues various reports, so as to achieve compliance management of IT resources. At the same time, it improves the organization's security operations, threat management and emergency response capabilities.

What is SOC?

SOC (Security Operations Center) grew out of the NOC (Network Operations Center).

With information security problems becoming increasingly prominent and security management theory and technology continuing to develop, it became necessary to manage the whole network and its systems from a security perspective. The traditional NOC lacked the technical support for this, so the concept of SOC appeared.

At present, domestic SOC is at the SOC 1.0 stage: what is actually sold is just SIEM, the core component of a SOC. Abroad, SOC is understood as a complex system that uses SIEM products for operation and provides services to customers, that is, what we call SOC 2.0 / MSS.

SOC (Security Operations Center) is a centralized security management system that takes assets as its core and security incident management as its key process, and adopts the idea of security domain division to establish a real-time asset risk model that assists administrators in event and risk analysis, early warning management and emergency response.

SOC is a complex system that comprises products, services, and operation and maintenance. SOC is an organic combination of technology, process and people.

What is MSS?

MSS (Managed Security Service) is a security operation and maintenance outsourcing service provided by a professional MSSP (Managed Security Service Provider).

MSS can bring the following benefits to customers.

1. Reduced costs: staffing, skill requirements, site requirements.

2. Round-the-clock monitoring: 7 × 24 monitoring service.

3. Risk monitoring: effectively monitor security risks and provide solutions as early as possible.

4. Identify and solve problems: identify and resolve possible security problems in a timely manner.

5. Trend analysis: professional security trend analysis, with monthly, quarterly and annual security analysis reports.

6. Log storage and query: effective log storage and backup, fast query and localization.

The difference and relationship between SIEM, SOC and MSS

SIEM focuses on centralized log management and audit, while SOC is used for security log analysis and for monitoring and locating security risks. This difference in emphasis determines that SIEM can be delivered as a product, while SOC must be completed by the human intervention of MSS services.

As for the difference between the two, SIEM only does traditional counting of security logs, while SOC + MSS redefines the security logs and generates new security events: it merges, filters and threat-grades the security logs and quantifies the security alerts. For example, company A received 200,000 security logs within 15 minutes of a DDoS attack. The alarm count SIEM reported to the customer was 200,000, while the alarm SOC reported to the customer was 1. Obviously, from the point of view of security risk management, the SIEM counting method is unscientific.
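The scenario above (a flood of security logs that a SIEM counts one by one, while a SOC reports a single incident) and the SIEM definition earlier, as an added Python example that is not from the original article. It normalizes three constructed log formats onto one event schema (the SIEM step), then contrasts the raw per-log alarm count with a SOC-style correlation that filters informational events, merges events by asset, category and 15-minute window, and grades the result against an asset inventory. Hostnames, addresses, log formats, the IDS rule id, per-source severities and the grading rule are all assumptions made for the example.

```python
"""SIEM raw alarm counting versus SOC/MSS incident correlation (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Asset inventory: the SOC model is asset-centric, so every destination is
# looked up here. Names, addresses and criticality levels are assumptions.
ASSETS = {
    "198.51.100.10": {"name": "www-prod", "criticality": 3},  # 1 = low, 3 = high
    "app01": {"name": "app01", "criticality": 1},
}

# Constructed sample logs: a firewall and an IDS observing a SYN flood against
# the web tier for about 15 minutes, plus one unrelated informational app log.
T0 = datetime(2024, 6, 1, 10, 0, 0)
RAW_LOGS = [
    f"{(T0 + timedelta(seconds=3 * i)).isoformat()} fw01 DENY tcp "
    f"203.0.113.{i % 200} -> 198.51.100.10:443 flood"
    for i in range(300)
] + [
    f"{(T0 + timedelta(seconds=20 * i)).isoformat()} ids01 ALERT sid=1000001 "
    f'"SYN flood" src=203.0.113.{i} dst=198.51.100.10'
    for i in range(40)
] + ["2024-06-01T10:05:00 app01 INFO user alice logged in from 192.0.2.7"]

FW_RE = re.compile(r"^(\S+) (\S+) DENY (\w+) (\S+) -> (\S+):(\d+)")
IDS_RE = re.compile(r'^(\S+) (\S+) ALERT sid=(\d+) "([^"]+)" src=(\S+) dst=(\S+)')
APP_RE = re.compile(r"^(\S+) (\S+) (INFO|WARN|ERROR) (.*)$")
EPOCH = datetime(1970, 1, 1)  # fixed reference so window slots are deterministic

def normalize(line):
    """SIEM step: map one raw line from any source onto a common event schema.
    Severity is a per-source assumption (1 informational .. 3 high)."""
    m = FW_RE.match(line)
    if m:
        ts, host, _proto, src, dst, _port = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": host, "src_ip": src,
                "asset": dst, "category": "network_flood", "severity": 2}
    m = IDS_RE.match(line)
    if m:
        ts, host, _sid, name, src, dst = m.groups()
        cat = "network_flood" if "flood" in name.lower() else "ids_alert"
        return {"ts": datetime.fromisoformat(ts), "source": host, "src_ip": src,
                "asset": dst, "category": cat, "severity": 3}
    m = APP_RE.match(line)
    if m:
        ts, host, level, _msg = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": host, "src_ip": None,
                "asset": host, "category": "app_" + level.lower(), "severity": 1}
    return None  # unknown format: a parser gap to fix, not an alarm

def siem_alarm_count(lines):
    """SOC 1.0 behaviour described in the article: every security log is one alarm."""
    return sum(1 for line in lines if normalize(line) is not None)

def grade(event_count, criticality, max_severity):
    """Illustrative threat grading (an assumption, not a standard): asset
    criticality times the worst severity seen, boosted by event volume."""
    score = criticality * max_severity
    score += 3 if event_count >= 100 else 1 if event_count >= 20 else 0
    return "critical" if score >= 10 else "high" if score >= 6 else "medium"

def soc_correlate(lines, window=timedelta(minutes=15), min_events=20, min_severity=2):
    """SOC + MSS behaviour: filter noise, merge related events per asset, category
    and time window, and grade the result. Returns a list of incidents."""
    buckets = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev is None or ev["severity"] < min_severity:
            continue  # filtering: informational logs never become incidents
        slot = (ev["ts"] - EPOCH) // window
        buckets[(ev["asset"], ev["category"], slot)].append(ev)
    incidents = []
    for (asset, category, _slot), evs in buckets.items():
        if len(evs) < min_events:
            continue  # below threshold: stays a log, not an incident
        info = ASSETS.get(asset, {"name": asset, "criticality": 1})
        incidents.append({
            "asset": info["name"],
            "category": category,
            "first_seen": min(e["ts"] for e in evs),
            "last_seen": max(e["ts"] for e in evs),
            "event_count": len(evs),  # merging: many logs -> one incident
            "sources": sorted({e["source"] for e in evs}),
            "distinct_src_ips": len({e["src_ip"] for e in evs}),
            "grade": grade(len(evs), info["criticality"], max(e["severity"] for e in evs)),
        })
    return incidents

if __name__ == "__main__":
    print("SIEM alarms reported:", siem_alarm_count(RAW_LOGS))
    for inc in soc_correlate(RAW_LOGS):
        print("SOC incident:", inc)
```

On the constructed input the SIEM-style count reports 341 alarms (every parsed log), while the SOC-style correlation reports one critical network_flood incident against www-prod covering 340 merged events from 200 distinct source addresses, with the informational application log filtered out. The same thresholds also show the failure mode to tune for: a flood spread thinly enough to stay below `min_events` per window, or aimed at an asset missing from the inventory, would be under-graded, so the inventory and thresholds are part of the service, not just the product.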

MSS services combined with SOC can deliver intelligent monitoring, analysis and early-warning services. They change the old habit of customers maintaining complicated security information and event management platforms themselves, hide that complexity, and provide solutions from the standpoint of simple management, event presentation and event handling; the content the customer cares about is available through a portal. At the same time, security responses and corresponding security solutions can be obtained by phone and other channels within an agreed time, and more detailed solution content is also available on the portal.


© 2024 shulou.com SLNews company. All rights reserved.
