Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

SOC Resources for System Management

Published: 2016-03-30
Last Updated: 2016-03-30 01:08:56 UTC
by Tom Webb (Version: 1)
2 comment(s)

I have recently started looking at the MITRE 10 strategies for a SOC (hxxps://   Strategy one in their doc is to consolidate the following under one management team: Tier 1 Analysis, Tier 2+, Trending & Intel, SOC System admin and SOC Engineering.  This makes a lot of sense.  But what do you do when you don’t have enough skilled people or positions to have a separate system admins and engineers?


My group has  individuals assigned responsibilities to different products for patching, maintenance  and operational optimization. The current problem I run into is that we get into an engineering mode where a large amount of time is spent deploying, patching or scripting things. While all these items need to be done, it reduces our IR bandwidth with backlogs. One strategy is to have the tier 2+ group alternate between weeks for engineering/maintenance. This will force  them to better plan upgrades within that window or work on other assignments.  


Long term plans should include additional positions that can be assigned the maintenance and engineering of systems  What are other strategies being used by groups that maintain their systems, but without a dedicated resource to it? Please leave comments..


Tom Webb

2 comment(s)
Diary Archives