I’ve worked in our Security Operations Center for the last 6 years and we monitor ever potential intrusion issue our customers face, mitigate these threats and perform forensic analysis when required. We also and manage their PCI scans, their AIP modules and their Fortigate UTM devices.I feel that as a company need to back away from the UTM/IDS/IPS all in one based security model where we are trusting device’s that provides our analyst’s with little to no packet data back to our original IDS model of a snort/vortex hybrid as we can never truly understand the full depth of an attack or even potential threats being thrown against our customers networks with the data we currently use. Our false positive rate is through the roof and though it may cost us more now we need to focus on getting our analysts the data they need to fully understand these intrusion events or else we will never be able to truly compete at large scale enterprise level.We need to provide our PCI customers with actual mitigation strategies for when they fail their PCI scans instead of simply sending them a auto generated report compiled from nessus, saint and nexpose results. I feel we are under utilizing our entire staff whom are all potential points of infiltration and defense as well. We need to keep all of our teams on their toes and potentially provide incentives for those who question the person walking towards the data center theyve never seen before about why they are there or to notify our security team when they receive an email that may seem slightly abnormal. We need a good mixture of internal security testing, random internal penetration tests and audits. Another great way to imrpove on this would be phishing our own employee’s to see if our minimal internal security training is truly enough and will show us the employees who may need slightly more training.
If we truly want to perform well in the security field we need to
provide our customers and the security community in general with more
information regarding our research on botnet reverse engineering, more
information regarding mitigating current and active threats such as
infection campaigns. We should also be working with our russian and
chinese speaking analysts to infiltrate many of the known underground
forums to provide our company, customers, partners and the industry as
a whole with as much information as possible regarding the threats and
targets we could obtain from this intelligence.