For many CSOCs, there was a simpler time: a time when their security event collection and monitoring problems could, in theory, be solved by buying, installing, and tuning one product. Today, life is not so simple. The SIEM market started with many startups, consolidated to a handful of leaders, and has since diversified again. Acquiring and operating an analytic platform for a large, mature CSOC is a major investment of time, money, and effort, and the best approach to the common tasks (normalization, near-real-time correlation, analyst triage, pivoting, and workflow) is not always cut and dried. In this talk, the presenter gives an overview of the major design considerations and opportunities in implementing and evolving the modern CSOC analytic platform.
Carson Zimmerman is currently a CSOC engineering team lead with Microsoft. He has worked in and around CSOCs for about 15 years, holding roles ranging from tier 1 analyst to CSOC architect. Previously with MITRE, Carson wrote “Ten Strategies of a World-Class Cybersecurity Operations Center,” which can be downloaded for free at http://bit.ly/1sKCOH9. He received a BS in Computer Engineering from Purdue University and an MS in Information Systems from George Mason University. Spotting Carson at ShmooCon is easy: just look for the guy in a kilt running around with two cameras.