Tips for a More Effective SOC, 2-15-12
-
2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Training Your Analysts: Tips for a More Effective Security Operations Center
Steven Wimmer HP Enterprise Security Services
-
Training Analysts: Tips for a more effective SOC
Why train?
Training and development ROI
Positions targeted for training
On what topics should you be training?
Training methodology
Measuring success
Case study
-
Training and Development ROI
Well-trained analysts are more productive
Well-trained analysts perform better analysis
Well-trained analysts require less supervision
Training maintains employee certifications
Training inspires engagement
Auditors like formalized training programs
HP ESP Global Services
-
The relationship between training spending and project success
(Chart: n = 515. Respondents are IT managers responsible for 515 IT projects. Source: IDC's Training Impact on Projects Survey, 2011.)
Projects allocating more than 6% of the project budget to training were significantly more successful than projects that spent less than 3%.
Source: The Value of Training the IT Organization by Cushing Anderson, IDC, Nov. 2011
-
Who needs training?
Who doesn't?
We should be enacting formalized training for:
Level 1 analysts
Level 2 analysts
Level 3 analysts/incident handlers
-
What does a competent analyst know?
Use a proven training plan that fires on all five of these cylinders:
Technical skill development
Analytical skill development
Communication skill enhancement
Information security knowledge
Compliance requirements
-
HP ArcSight Technical Development
Course ladder, from operator to architect:
ArcSight ESM Operations
ArcSight ESM Security Analyst
ArcSight ESM Use Case Foundation
Building ArcSight ESM Advanced Content for Use Cases
Designing Your Security Environment**
Modeling Your Security Environment**
Roles addressed: SOC Operator, Analyst, Senior Analyst, Author, Architect
Skills On-Demand:
1. Incident Handling on Active Attacks
2. Advanced Correlation Scenarios
** Coming 2012
-
Additional Technical Development
Level 1 Analysts: CISSP, SANS GCIA
Level 2 Analysts: SANS GCIH, vendor-specific certifications, programming/scripting
Level 3 Analysts: SANS GCIH, GCFA, vendor-specific certifications
-
Analysis
Analysis is the process of breaking a complex topic or substance into smaller parts to gain a better understanding of it.
http://en.wikipedia.org/wiki/Analysis
-
Communication skills
Written communications across the business
Speaking across the business
-
Information security knowledge
Hacker methodology
Scanning
Trojans
Rootkits
Denial-of-service attacks
Defensive measures
-
Compliance Requirements
PCI DSS, SOX, HIPAA, GLBA
-
Have a training plan
-
Methodologies
Computer/web-based training
On-the-job training (OJT)
Instructor-led training
Labs
Group discussions and tutorials
Required reading assignments
-
Computer/Web Based Training
Advantages: available 24x7; no travel expenses; modular format; affordable; standardized
Disadvantages: one size fits all; training may be pushed down the priority stack; limited level of interaction
-
OJT (on-the-job training): you and me!
Advantages: low cost; task based; works well for small groups
Disadvantages: inconsistent; task based, so coverage is incomplete; lack of founding principles; bad habits get passed on
-
Instructor Led Training
Advantages: developed quickly; easy to revise; face-to-face interaction
Disadvantages: potential differences between classes; travel costs; scheduling conflicts
-
Labs
Linux, iptables, Apache, MySQL
Snort, BASE
Nessus/OpenVAS
Wireshark labs
TCP/IP labs
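A worked lab exercise of the kind the Wireshark and TCP/IP labs above, and the "Scanning" topic under Information security knowledge, are meant to build. This is an added example, not material from the HP deck: it parses raw IPv4/TCP headers with Python's struct module and flags a source that sends SYN-only segments to many distinct ports on one host, which is a simplified form of the heuristic Snort's port-scan preprocessor applies. The packet builder, addresses and port numbers are all constructed for the exercise so it runs offline; in a real lab the analyst would read the same fields off a Wireshark capture.

```python
"""TCP/IP lab: parse raw IPv4/TCP headers and flag SYN-scan behaviour.

Constructed training example; not part of the original HP deck.
"""
import socket
import struct
from collections import defaultdict

TCP_SYN = 0x02
TCP_ACK = 0x10


def build_packet(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal IPv4 + TCP header pair (no payload, checksums left at 0).

    Lab helper so the exercise runs without a capture file.
    """
    version_ihl = (4 << 4) | 5            # IPv4, 20-byte header
    total_len = 20 + 20
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, total_len, 0, 0, 64, 6, 0,   # TTL 64, protocol 6 = TCP
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
    )
    data_offset = 5 << 4                  # 20-byte TCP header, no options
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport, 0, 0, data_offset, flags, 8192, 0, 0,
    )
    return ip_hdr + tcp_hdr


def parse_packet(raw):
    """Return the fields an analyst reads off a Wireshark packet detail pane."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (version_ihl & 0x0F) * 4
    if version_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not IPv4 or bad IHL")
    if proto != 6:
        return None                       # only TCP matters for this lab
    tcp = raw[ihl:ihl + 20]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp)
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "sport": sport,
        "dport": dport,
        "flags": flags,
        "ttl": ttl,
    }


def detect_syn_scan(raw_packets, port_threshold=10):
    """Flag (src, dst) pairs where src sent SYN-only segments to many ports.

    SYN without ACK is a connection attempt; one source touching many
    distinct ports on one host is the classic port-sweep signature.
    """
    syn_ports = defaultdict(set)
    for raw in raw_packets:
        pkt = parse_packet(raw)
        if pkt is None:
            continue
        if pkt["flags"] & TCP_SYN and not pkt["flags"] & TCP_ACK:
            syn_ports[(pkt["src"], pkt["dst"])].add(pkt["dport"])
    return {pair: sorted(ports) for pair, ports in syn_ports.items()
            if len(ports) >= port_threshold}


def sample_capture():
    """Constructed traffic: one scanner sweeping 20 ports, one normal web client."""
    pkts = [build_packet("10.0.0.5", "10.0.0.20", 40000 + p, p, TCP_SYN)
            for p in range(1, 21)]
    # Legitimate client: SYN then ACK to port 443 only
    pkts.append(build_packet("10.0.0.9", "10.0.0.20", 51000, 443, TCP_SYN))
    pkts.append(build_packet("10.0.0.9", "10.0.0.20", 51000, 443, TCP_ACK))
    return pkts


if __name__ == "__main__":
    for (src, dst), ports in detect_syn_scan(sample_capture()).items():
        print(f"possible SYN scan {src} -> {dst}: {len(ports)} ports")
```

The threshold and the per-(src, dst) grouping are the knobs an analyst tunes in the lab: lowering the threshold catches slower sweeps but raises false positives from busy clients, which is the same trade-off a Snort port-scan preprocessor exposes.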
-
Required Reading Assignments
Advantages: portable; self-paced
Disadvantages: difficult to modify; possibly less interesting; some people just do not like to read
-
In-house vs. Outsourced
In-house
Advantages:
- Specific to your organization
- Cost
Disadvantages:
- Incomplete or low-quality material that is not updated regularly
- Inexperienced training staff
Outsourced
Advantages:
- Professionally produced material
- Experienced trainers
Considerations:
- Cost
- Scheduling
-
Best Practice? Measurable ROI?
-
Measuring Success
Analyst effectiveness surveys
Analyst demonstrations of acquired skills
Benchmark testing
Measure performance improvement
-
Case Study
New Security Operations Center for a Fortune 500 company.
Originally scoped for one division.
New analysts hired Sept 2011, the majority with no SOC experience.
-
What happened
Large attack at the end of the year, impacting other business units as well.
The SOC was ready.
Result: the scope of the SOC is increasing across other business units.
-
Questions?
Questions: [email protected]
Twitter: @HPSecure
Facebook: www.facebook.com/hpsecure
Website: www.hpenterprisesecurity.com