Ascending one step in Maslow's hierarchy, beyond the basic physiological needs, we reach the second level: safety, or security, as the next basic need of mankind. But when it comes to business, security is the privilege of a few. Much of this is attributed to the cost of securing an enterprise, while at the same time the technologies for implementing security are progressing by leaps and bounds. The result is something of a vicious circle, especially for small and medium-sized industries.
Last year, during my summer break, I came across the concept of a Security Operations Center (SOC) and how, if implemented properly, it contributes towards securing an organization's information boundaries. I then found a wonderful paper from SANS about log management and its relevance to a SOC [1]. A few commercial and open source tools for setting up a SOC were listed here and there. OSSIM is the undoubted choice among open source software: it bundles several wonderful open source tools that can aid incident management. But one big gap I felt, as a management student, in these open source tools was the lack of compliance-specific reporting capabilities. Compliance being one of the major drivers for security, such reporting could prove to be a boon if introduced in the open source world, and could also help SMEs cut the cost of abiding by mandatory compliance requirements.
This chain of thought motivated me to combine the processes that take place within a SOC with the open source tools that can help carry out those processes, and then to map these processes to the few compliance standards I knew at the time. I ignored factors such as the skills required to run these open source tools and the cost of support and maintenance. These factors would surely add to the Total Cost of Ownership (TCO) in a real implementation, but for the sake of theoretical simplicity I have set them aside for now.
The final sheet uses FIPS (Federal Information Processing Standards) domains as the classification criteria for the SOC processes. Open source tools (where any exist) that fulfil the process requirements are listed alongside each process. Finally, these processes have been mapped to the following compliances/standards/frameworks:
1. ISO 27001 & 27005
An overview of the mapping can be found here: SOC_process_tool_compliance
Although I have tried to compile the list to the best of my knowledge, there is still a lot of scope for correction. I look forward to readers' comments on it.
PS: Metasploit Pro now comes with compliance capabilities. I hope they soon introduce the feature in the open source version as well.
[1] NIST SP 800-92: Guide to Computer Security Log Management