The other day I was talking with a service provider (MSSP) who has experience operating a SOC (security operations centre) 24x7. Their price was rather steep (in the millions range). I don't understand why it would be so steep. My impression of a SOC is:
a) getting a log collector such as HP ArcSight
b) implementing IDS at different locations, e.g. Snort, which is low cost.
c) forwarding the logs from these IDS (and other devices) to ArcSight
d) letting ArcSight do the magic of correlating events.
e) 2-3 analysts on the ArcSight console monitoring 24x7 (on shifts) and doing incident response. This I could probably do in-sourcing, as I don't have the staff to do this. The console could use VMware or some other virtual technology, thus I save on the hardware cost?
With the above, I don't think my SOC would cost in the millions. Or is setting up a SOC really not that simple?
Disadvantages I can think of when using an MSSP:
a) Lack of resources to monitor full time, as the MSSP may use shared resources for different clients
b) Slow response to incidents?
c) Could not customize the way I want to run the show
What are your thoughts on engaging an MSSP? What other things do I need to consider if I wish to set up my own low cost SOC?
thank you
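To make step d) of the post concrete, here is an added example (not part of the original post, and not ArcSight's or Snort's own code) of the kind of correlation rule a SOC runs over the two feeds the post proposes: Snort "fast" alert lines and sshd syslog lines. It escalates only when an accepted login comes from a source that triggered an IDS alert shortly before. All events, the local-range SID 1000001 and the year are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, not real captures: Snort "fast" alert lines
# (placeholder local SID 1:1000001) and syslog-style sshd lines.
SNORT_ALERTS = """\
03/14-10:00:05.100000 [**] [1:1000001:1] LOCAL SSH scan [**] [Priority: 2] {TCP} 203.0.113.7:51234 -> 10.0.0.5:22
03/14-10:00:09.300000 [**] [1:1000001:1] LOCAL SSH scan [**] [Priority: 2] {TCP} 203.0.113.7:51240 -> 10.0.0.6:22
03/14-10:01:30.000000 [**] [1:1000001:1] LOCAL SSH scan [**] [Priority: 2] {TCP} 198.51.100.9:4000 -> 10.0.0.5:22
"""
AUTH_LOG = """\
Mar 14 10:00:40 host5 sshd[2211]: Failed password for root from 203.0.113.7 port 51300 ssh2
Mar 14 10:00:52 host5 sshd[2214]: Accepted password for deploy from 203.0.113.7 port 51310 ssh2
Mar 14 10:03:00 host6 sshd[2300]: Accepted publickey for alice from 192.0.2.44 port 40000 ssh2
Mar 14 11:30:00 host5 sshd[2400]: Accepted password for deploy from 198.51.100.9 port 4100 ssh2
"""
YEAR = 2024  # neither feed carries a year; assumed for the constructed data

SNORT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[[^\]]+\] (.+?) \[\*\*\] "
                      r".*\{\w+\} ([\d.]+):\d+ -> ([\d.]+):\d+")
AUTH_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Accepted|Failed) \S+ "
                     r"for (?:invalid user )?(\S+) from ([\d.]+)")

def parse_snort(line):
    """Normalise one Snort fast-alert line into a common event dict."""
    m = SNORT_RE.match(line)
    ts = datetime.strptime(f"{YEAR}/{m[1]}/{m[2]} {m[3]}", "%Y/%m/%d %H:%M:%S")
    return {"ts": ts, "msg": m[4], "src": m[5], "dst": m[6]}

def parse_auth(line):
    """Normalise one sshd syslog line into a common event dict."""
    m = AUTH_RE.match(line)
    ts = datetime.strptime(f"{YEAR} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m[4], "user": m[5], "src": m[6]}

def correlate(snort_text, auth_text, window_minutes=10):
    """Return {src_ip: incident} for every accepted SSH login whose source IP
    raised an IDS alert within the preceding window; lone alerts stay noise."""
    window = timedelta(minutes=window_minutes)
    alerts = [parse_snort(l) for l in snort_text.splitlines() if l.strip()]
    logins = [parse_auth(l) for l in auth_text.splitlines() if l.strip()]
    incidents = {}
    for lg in logins:
        if lg["outcome"] != "Accepted":
            continue  # failed logins alone are not escalated by this rule
        prior = [a for a in alerts if a["src"] == lg["src"]
                 and timedelta(0) <= lg["ts"] - a["ts"] <= window]
        if prior:
            inc = incidents.setdefault(lg["src"], {"severity": "high", "alerts": 0, "logins": []})
            inc["alerts"] = max(inc["alerts"], len(prior))
            inc["logins"].append((lg["user"], lg["ts"].isoformat()))
    return incidents
```

Tuning the window, deduplicating, and deciding which alert/log pairs count is the work the "magic" hides; each new log source adds a parser like the two above plus rules to join it to the rest.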