[OWASP-SOCFramework-Project] Presentation feedback/comments

Eduardo estevao eduardoeo.azevedo at owasp.org
Sat Oct 13 13:08:58 UTC 2018


Dear Naqvi,

One consideration not directly on the presentation.

The project is slow moving; we could list the initial points, focus on
writing the basic documents, and set up a calendar to check if the project is
moving forward.


Regarding the presentation, my opinion:

1. On the model types, the fact that it is centralized doesn't dictate how
many sets of dashboards there are, in my view. You could have a centralized
SOC, with one team, one HQ, but multiple sets of dashboards and even dashboards
for specific customers or compliance. (Pages 4 & 5)

2. Another point is 24x7; it's not on the page 4 slide. If it's a global
organization or an organization selling SOC services globally, I think it is
cheaper to have one team in one place 24x7 than to have multiple teams in
different time zones (Follow the Sun on slide 5).

3. If I'm correct on point 2, it's no good to say that a Distributed SOC is
the best SOC for a global organization. I think this recommendation is bad
because it depends on a lot of factors: should the organization have
pentesters in all locations? Reverse malware engineers in all locations?
This could be a very expensive option and probably not 100% the best
strategy.


4. I think it should have an organizational chart as an example, and discuss
which positions could be remote or could be shared between locations.
MITRE has a book called "Ten Strategies of a World-Class Cybersecurity
Operations Center" (link); on page 45 there is a basic example of the chart,
the full organization is discussed in section 4.2, and on page 68 there is
an example of a SOC integrated remotely with minor SOCs.

5. I recommend reading the book above and using it as a guideline for the
project.

6. Also, Centralized vs. Distributed SOC is a discussion for in-house SOCs
(maybe for Hybrid too?), so maybe you could separate the points on slide 3;
my suggestion:

• In-house
  o Centralized
  o Distributed
• Managed
• Hybrid


7. I didn't understand slide 7, the constituency. Are you talking about the
in-house SOC constituency? If so, why is there a topic saying external? Is it
a SOC type? I don't know and didn't find anything related on the internet.

8. I think the Hybrid SOC could be the second one presented; it has part of
the In-House SOC and part of the Managed SOC, so it could be clearer for the
audience to make a link between the types.

9. On slide 8, the Managed SOC, another risk is that sometimes it could be
out of compliance; for example, you need to check where the vendor is and
where the data is stored, as some countries have a requirement that the data
has to be stored physically in the country.

10. In slide 10, Authority, Proactive could maybe include the threat hunting
part.

11. In slide 16, you could add External Feeds (TAXII and other formats) and
OSINT, IOC and IOA collections.

12. In slide 19, you could add UEBA or UBA.

13. In slide 22, in the Analysis, a signature for the malware or the attack
could probably be defined, or at least some IOCs or IOAs.

14. In slide 24, the response is probably connected to the IOCs, IOAs or
signatures created in the Analysis part.

15. In slide 29, about the signatures, there could be a validation of the
signature and replication of the signature for others (if needed); also, I
think it's the moment to check the metrics of the incident.

16. In slide 30, two important metrics are MTTD (mean time to detect) and
MTTR (mean time to respond).

17. In slide 31, it's very important to have template reports for each
service, the frequency of delivery for these reports, and to whom these
reports should go. E.g.: it's very, very important to have frequent reports
with metrics for the stakeholders.

18. I think it's important at some point in the presentation to explain which
documents are a must in every SOC, such as a SOC chart, SOC roles &
responsibilities, tool procedures, etc.



On Sat, 6 Oct 2018 at 05:00, Muhammad Naqvi <muhammad.naqvi at owasp.org>
wrote:

> Dear Project Team,
>
> Please send your feedback/comments on the presentation latest by 15th
> October.
>
> Regards
> Muhammad Faisal Naqvi
> _______________________________________________
> OWASP-SOCFramework-Project mailing list
> OWASP-SOCFramework-Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-socframework-project
>
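Points 15 and 16 above mention checking the incident metrics and the MTTD/MTTR figures. As an added illustration, not part of the original message or of the OWASP project, here is a small Python computation of those two metrics over constructed incident records; it excludes still-open incidents from MTTR instead of counting them as zero and rejects timestamps that are out of order.

```python
from datetime import datetime, timedelta

# Constructed sample incident records (not real data). Timestamps are ISO-8601,
# all in UTC. "responded" is None while the incident is still open.
INCIDENTS = [
    {"id": "INC-1", "started": "2018-10-01T08:00:00",
     "detected": "2018-10-01T09:30:00", "responded": "2018-10-01T12:00:00"},
    {"id": "INC-2", "started": "2018-10-02T22:00:00",
     "detected": "2018-10-03T00:30:00", "responded": "2018-10-03T04:30:00"},
    {"id": "INC-3", "started": "2018-10-05T10:00:00",
     "detected": "2018-10-05T11:00:00", "responded": None},
]


def _interval(record, start_key, end_key):
    """end - start for one record, or None if the end timestamp is not set yet.
    A negative interval is bad data that would drag the mean down, so reject it."""
    if record[end_key] is None:
        return None
    delta = datetime.fromisoformat(record[end_key]) - datetime.fromisoformat(record[start_key])
    if delta < timedelta(0):
        raise ValueError(f"{record['id']}: {end_key} is before {start_key}")
    return delta


def _mean(deltas):
    deltas = [d for d in deltas if d is not None]
    if not deltas:
        raise ValueError("no closed intervals to average")
    return sum(deltas, timedelta()) / len(deltas)


def mean_time_to_detect(incidents):
    """MTTD: average time from the start of malicious activity to SOC detection."""
    return _mean(_interval(i, "started", "detected") for i in incidents)


def mean_time_to_respond(incidents):
    """MTTR: average time from detection to response; open incidents are left out."""
    return _mean(_interval(i, "detected", "responded") for i in incidents)


def metrics_report(incidents):
    """The figures a stakeholder metrics report would carry, in hours."""
    open_count = sum(1 for i in incidents if i["responded"] is None)
    return {
        "incidents": len(incidents),
        "open": open_count,
        "mttd_hours": round(mean_time_to_detect(incidents).total_seconds() / 3600, 2),
        "mttr_hours": round(mean_time_to_respond(incidents).total_seconds() / 3600, 2),
    }
```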