...
In order to understand the needs and requirements of SOC users for Metron, we are going to use this page to collect questions to ask two audiences:
- SOC users - security analysts and investigators
- CISO executives - the executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program
The process below will be followed to create the final questionnaires:
1. The community is providing feedback via the following Apache Metron mailing list thread on the customer survey. If you have input for this questionnaire, please send it via that thread.
2. Feedback from the thread in (1) will be added to this wiki page.
3. On 12/21, the questions on this wiki will be used to create two formal surveys (via SurveyMonkey, Google Forms, or something similar), one for each of the two audiences identified above.
4. The final surveys will be published for anyone to send out.
Running List of Questions for the Survey/Questionnaire for Security Analysts Audience
Identifier | Question |
---|---|
Q1 | What are key challenges and limitations of the current SIEM and security analytics tools that you use today? |
Q2 | How would you prioritize the challenges today with the existing security tooling you use: |
Q3 | In your day-to-day activities, what types of data sources (logs, pcap, LDAP user info, NetFlow, Bro, etc.) do you work with the most? |
Q4 | Are there data sources that your current tools don't support which, if you did have access to them, would allow you to do your job more effectively? |
Q5 | What types of automated and real-time enrichment would you like to see on the raw data that would allow you to do your job more effectively? |
Q6 | What third party intel feeds do you find most valuable that lead to credible threats? |
Q7 | What third party intel feeds are you not using that you would like the platform to provide? |
Q8 | What elements of your data are you not getting the adequate threat intel feeds for? |
Q9 | Please provide a redacted dump of the correlation rules that you use the most (e.g.: if you see an IP from geo-region A with a domain that was registered in the last 3 days, then alert; 30 failed login attempts in the last 30 minutes). |
Q10 | What are other actions you would like to perform on the data in real-time (outside of enrichment, cross reference of intel feeds)? |
Q11 | If the analytics tool only provided a single panel, what would be the critical things you want to see? |
Q12 | What are the 3 most important KPIs (metrics, Key Performance Indicators) that you would like to see on that single panel? |
Q13 | What details would you expect an alert to contain? |
Q14 | Which way of filtering/searching for events would be your preferred one? |
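To make concrete the kind of rule Q9 asks respondents to describe, below are the two example rules from Q9 (a connection in geo-region A to a domain registered in the last 3 days; 30 failed logins in 30 minutes) written out as running code over constructed sample events. This is an added illustration for this wiki page, not Metron code and not a rule format Metron supports. The event field names (`ts`, `event`, `src_ip`, `dst_ip`, `user`, `domain`), the region label `"A"`, and the `GEO_BY_IP` / `REGISTERED_BY_DOMAIN` tables standing in for GeoIP and WHOIS enrichment are assumptions made for the example.

```python
"""Two toy correlation rules of the kind Q9 asks about, run over constructed
events. Illustrative only; not Metron code. Field names and lookup tables are
assumptions for the example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Rule parameters taken from the examples given in Q9.
FAILED_LOGIN_THRESHOLD = 30
FAILED_LOGIN_WINDOW = timedelta(minutes=30)
NEW_DOMAIN_MAX_AGE = timedelta(days=3)
WATCHED_GEO_REGION = "A"  # stands in for "geo-region A" in Q9

# Constructed clock and enrichment tables (assumed; not real data).
BASE_TS = datetime(2016, 12, 20, 9, 0, tzinfo=timezone.utc)
NOW = BASE_TS + timedelta(minutes=30)
GEO_BY_IP = {"203.0.113.10": "A", "203.0.113.11": "A", "198.51.100.5": "B"}
REGISTERED_BY_DOMAIN = {
    "fresh-example.test": NOW - timedelta(days=2),    # new: should alert
    "old-example.test": NOW - timedelta(days=400),    # old: should not alert
    "other-fresh.test": NOW - timedelta(days=1),      # new but outside region A
}


def failed_login_alerts(events):
    """Q9 rule 2: N failed logins for one (src_ip, user) inside a sliding window.
    Fires once, when the threshold is first reached, not on every later attempt."""
    recent = defaultdict(deque)  # (src_ip, user) -> timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "login_failure":
            continue
        window = recent[(ev["src_ip"], ev["user"])]
        window.append(ev["ts"])
        # Evict attempts older than the window, measured from the newest attempt.
        while ev["ts"] - window[0] > FAILED_LOGIN_WINDOW:
            window.popleft()
        if len(window) == FAILED_LOGIN_THRESHOLD:
            alerts.append({"rule": "failed_logins", "src_ip": ev["src_ip"],
                           "user": ev["user"], "first_seen": window[0],
                           "last_seen": ev["ts"], "count": len(window)})
    return alerts


def new_domain_alerts(events, geo_by_ip, registered_by_domain, now):
    """Q9 rule 1: a request whose destination IP is in the watched geo-region and
    whose domain was registered within the last 3 days. The two lookup tables play
    the role of GeoIP and WHOIS enrichment; a miss in either means no alert."""
    alerts = []
    for ev in events:
        if ev["event"] != "http_request":
            continue
        region = geo_by_ip.get(ev["dst_ip"])
        registered = registered_by_domain.get(ev["domain"])
        if region != WATCHED_GEO_REGION or registered is None:
            continue
        age = now - registered
        if timedelta(0) <= age <= NEW_DOMAIN_MAX_AGE:
            alerts.append({"rule": "new_domain_in_region", "src_ip": ev["src_ip"],
                           "dst_ip": ev["dst_ip"], "domain": ev["domain"],
                           "region": region, "domain_age_days": age.days})
    return alerts


def sample_events():
    """Constructed events: one brute-force burst, one slow trickle, three web requests."""
    events = []
    # 30 failures against alice from 10.0.0.5 within 20 minutes: crosses the threshold.
    for i in range(30):
        events.append({"ts": BASE_TS + timedelta(seconds=40 * i), "event": "login_failure",
                       "src_ip": "10.0.0.5", "user": "alice"})
    # 30 failures against bob from 10.0.0.9 spread over 3 hours: never 30 in 30 minutes.
    for i in range(30):
        events.append({"ts": BASE_TS + timedelta(minutes=6 * i), "event": "login_failure",
                       "src_ip": "10.0.0.9", "user": "bob"})
    for src, dst, domain in [("10.0.0.5", "203.0.113.10", "fresh-example.test"),
                             ("10.0.0.7", "203.0.113.11", "old-example.test"),
                             ("10.0.0.7", "198.51.100.5", "other-fresh.test")]:
        events.append({"ts": BASE_TS, "event": "http_request", "src_ip": src,
                       "dst_ip": dst, "domain": domain})
    return events


def run_rules():
    events = sample_events()
    return failed_login_alerts(events) + new_domain_alerts(
        events, GEO_BY_IP, REGISTERED_BY_DOMAIN, NOW)


if __name__ == "__main__":
    for alert in run_rules():
        print(alert)
```

Against the constructed input this produces exactly two alerts: the `alice` burst from `10.0.0.5` and the request to `fresh-example.test`. The slow trickle against `bob`, the 400-day-old domain, and the new domain outside region A stay silent, which is the kind of precision/noise trade-off that Q1, Q2 and Q13 above are trying to elicit from respondents.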
Running List of Questions for the Survey/Questionnaire for CISO Audience
Identifier | Question | Submitted By |
---|---|---|
Q1 | What specific use cases and cyber security domain problems are you trying to solve with Metron? | Dave Hirko |
Q2 | How would you prioritize, in terms of importance, the use cases and challenges below that the SOC is tasked to solve: | Dave Hirko (action items: group use cases by industry...) |
Q3 | What are key challenges and limitations of the current SIEM and security analytics tools that you use today? | George Vetticaden |
Q4 | How would you prioritize the challenges today with the existing security tooling you use: | George Vetticaden |
Q5 | What analytical and/or correlation capabilities and features would you like Metron to support for the data: | David Hirko |
Q6 | How would you rate your SOC's data science and analytical capabilities today? | David Hirko |
Q7 | Does your SOC have any plans to enhance its data science and analytical capabilities now or in the future? | David Hirko |
Q8 | What data retention capabilities do you require Metron to support? | David Hirko |
Q9 | What compliance regimes, if any, do your SOC tools and capabilities need to comply with to support the needs of your business? | David Hirko |
Q10 | What are the key challenges with the collection, ingestion and storage of telemetry data with your current security tooling? | George Vetticaden |
Q11 | What security/telemetry sources are important to stream into the Metron Security Data Lake Platform? Supporting a device on the Metron platform means providing an agent to collect data from the source. | George Vetticaden |
Q12 | What type of enrichment would you like to do to the security telemetry data? (e.g.: Geo, WHOIS) | George Vetticaden |
Q13 | What type of enrichment capabilities does your current security tooling NOT provide? Is enrichment of the data in real time a critical requirement? Is storing both the enriched and the raw data a critical requirement? | George Vetticaden |
Q14 | What are the different threat intel feeds you subscribe to (public, private, etc.)? Which vendor do you get each feed from, and in what format? Supporting an out-of-the-box threat intel feed means providing parsers for the feed so that it can be persisted to the feed store in normalized form. | George Vetticaden |
Q15 | What are the critical requirements for threat intel feed integration with Metron? For example, is cross-referencing your threat intel feeds against the original and enriched telemetry data a critical requirement? | George Vetticaden |
Q16 | What are the critical functions you would like to perform on the streaming security telemetry data as it is coming in, in real time, as opposed to after it lands? | George Vetticaden |
Q17 | Most of the major security/SIEM vendors claim to have capabilities that reduce and prioritize the number of alerts. What has been your experience with these capabilities? Are risk/priority-based correlation engines working to reduce the number of alerts? What challenges are you experiencing? What key requirements/capabilities would you like to see in a next-gen correlation engine in Metron? | George Vetticaden |
Q19 | Most of the major security/SIEM vendors have a static rules engine where an analyst can define simple static rules that are applied after the data has landed or been indexed. Do you feel Metron should provide similar functionality, or rather focus its efforts on building relevancy/correlation data science engines/models that can create higher-level meta-alerts? Does Metron need to provide both? What is most important to build out first? | George Vetticaden |
Q20 | Can you provide a list of your common static rules that you would like to have out-of-the-box support for in Metron? | George Vetticaden |
Q21 | Do you envision Metron replacing your SIEM solution or complementing it? | George Vetticaden |
Context for the Questions Above
...