DISCOVER HOW TO BUILD YOUR FIRST SECURITY OPERATION CENTER
WE WILL EXPLAIN HOW TO BUILD A SOC USING ELASTIC DETECTOR AND THE OPEN SOURCE ELASTIC STACK
The goal of this document is to explain how to build a first SOC (Security Operation Center) using Elastic Detector and the open source Elastic Stack (Elasticsearch, Kibana, Logstash, Beats).
Nowadays, organisations have a NOC (Network Operation Center) to monitor their network and ensure the availability of their services. These NOCs are usually built on top of monitoring tools or solutions (for network, system, application performance and website) such as Nagios, Icinga, Centreon, Zabbix, …
Once you monitor your network, servers and applications, the next step is to monitor security.
In order to do so, the very first thing is to know the security posture of your IT. Most organizations opt for one-shot vulnerability assessments, pentests and security audits.
Because in 2015 there were on average more than 18 new vulnerabilities every day, and attacks are widespread, best practice calls for continuous vulnerability assessment and continuous log analysis.
A simple and efficient way to achieve this goal is to create a first SOC that gives you an overview of your security status and centralizes the logs gathered across your IT. Your first SOC will comprise the following two tools:
● A continuous vulnerability assessment scanner
● A SIEM (Security Information and Event Management)
The following sections explain how to set up such a first SOC using Elastic Detector (as the vulnerability scanner) and Elastic Stack (as the SIEM). We will install the Elastic Detector Virtual Appliance in a VMware environment and build an Elastic Stack virtual machine in the same VMware environment. The same can be done on public clouds such as AWS, Azure or GCE.
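To make concrete what the SIEM half of this first SOC does with the logs it centralizes, here is an added example (not code from this document, from Elastic, or from Elastic Detector). It performs in plain Python the two steps that Beats/Logstash and a detection rule would otherwise perform: it normalizes raw syslog lines from an SSH server into flat documents of the kind Elasticsearch indexes, then runs a simple correlation rule over them. The log lines are constructed for the example, the field names only loosely follow the Elastic Common Schema, and the year 2016 is an assumption because classic syslog timestamps carry no year.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog format of an SSH server), not real data.
SAMPLE_LOG_LINES = [
    "Jan 12 10:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Jan 12 10:00:03 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Jan 12 10:00:05 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51024 ssh2",
    "Jan 12 10:00:07 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51025 ssh2",
    "Jan 12 10:00:09 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51026 ssh2",
    "Jan 12 10:00:11 web01 sshd[2101]: Accepted password for root from 203.0.113.7 port 51027 ssh2",
    "Jan 12 10:01:00 db01 sshd[880]: Accepted publickey for deploy from 198.51.100.20 port 40001 ssh2",
    "Jan 12 10:01:30 db01 sshd[881]: Failed password for deploy from 198.51.100.20 port 40002 ssh2",
]

# Classic syslog header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[\w-]+)\[(?P<pid>\d+)\]: (?P<message>.*)$"
)
# sshd authentication result lines
SSHD_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\S+) port (?P<src_port>\d+)"
)


def normalize(line, year=2016):
    """Turn one raw syslog line into a flat document ready for indexing.
    The year is an assumption: syslog timestamps do not carry one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparseable line: a real pipeline would tag and keep it
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    doc = {
        "@timestamp": ts.isoformat(),
        "host.name": m["host"],
        "process.name": m["program"],
        "process.pid": int(m["pid"]),
        "message": m["message"],
    }
    s = SSHD_RE.match(m["message"]) if m["program"] == "sshd" else None
    if s:
        doc.update({
            "event.category": "authentication",
            "event.outcome": "success" if s["outcome"] == "Accepted" else "failure",
            "user.name": s["user"],
            "source.ip": s["src_ip"],
            "source.port": int(s["src_port"]),
        })
    return doc


def detect_bruteforce(docs, threshold=5, window_seconds=60):
    """Correlation rule: at least `threshold` failed logins from one source IP
    within `window_seconds`, noting whether a success followed the burst."""
    by_ip = defaultdict(list)
    for d in docs:
        if d.get("event.category") == "authentication":
            by_ip[d["source.ip"]].append(d)
    alerts = []
    window = timedelta(seconds=window_seconds)
    for ip, events in by_ip.items():
        events.sort(key=lambda d: d["@timestamp"])
        failures = [datetime.fromisoformat(d["@timestamp"])
                    for d in events if d["event.outcome"] == "failure"]
        start = 0
        for end in range(len(failures)):
            # slide the window start forward until it fits inside window_seconds
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = failures[end]
                followed = any(
                    d["event.outcome"] == "success"
                    and last_fail <= datetime.fromisoformat(d["@timestamp"]) <= last_fail + window
                    for d in events
                )
                alerts.append({
                    "rule": "ssh_bruteforce",
                    "source.ip": ip,
                    "failures": end - start + 1,
                    "first_failure": failures[start].isoformat(),
                    "last_failure": last_fail.isoformat(),
                    "followed_by_success": followed,
                })
                break  # one alert per source IP is enough for this example
    return alerts


if __name__ == "__main__":
    documents = [d for d in (normalize(l) for l in SAMPLE_LOG_LINES) if d]
    for alert in detect_bruteforce(documents):
        print(json.dumps(alert, indent=2))
```

In a real deployment the `normalize` step is what Filebeat and a Logstash grok filter do before documents reach Elasticsearch, and the `detect_bruteforce` rule is what you would express as a saved query or alert in Kibana; the value of centralizing logs is that the rule sees every host's sshd events together, so a source IP spraying several servers is still counted as one burst.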