Chapter 20. On Working with Ops
In this chapter, I will discuss how an analysis team can effectively interact with and support an ops team. The concept of an independent âanalysis teamâ is still new in information security, and there are no experts at this yet. There are, however, a good number of traps we can avoid.
This chapter is divided into two major sections. The first section is a brief discussion of the roles and stresses of operations environments. The second section attempts to classify major operational workflowsâhow operations environments are likely to execute decisionsâand provides some guidelines for ensuring that ops and analytics can effectively support each other.
Ops Environments: An Overview
A Security Operations Center (SOC) is an organization focused on active security incident response.1 The SOCâs role is to process information about the state of an organizationâs security and respond to that information; they are effectively first responders to security alerts. Everything that goes wrong in information security ends up on the SOC floor.
SOC work is stressful; the stress comes from the constant flow of alerts the SOC must process. The penalty for conducting an attack is very low, and because of this, any open network is subject to a constant stream of attacks. New attacks do not replace old attacks; they supplement them. Any analyst with more than a monthâs experience may be conversant with attacks that have been going on for more than five ...
Get Network Security Through Data Analysis, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.