Richard Bejtlich has a post on what Dave Aitel and others call Application SOCs. For most companies, I think a SOC is sufficient; it's just that an App-enriched SOC is better. The App has visibility into business logic, rules, policies, data, and resources that are simply not available anywhere else in the system. This is contextual information, and for a security person responding to events, context is everything.
So it makes all the sense in the world to leverage it. I would say that it can be fed into a normal SOC, and that creating a separate App SOC on its own island is not necessary in most cases.
The context comes from three things: 1) the location of the audit logger in the stack, 2) the audit logger's event model (what events it is aware of), and 3) the audit record format. Those three areas are the focus of building visibility into apps.
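As an added illustration (not code from the post), here is a minimal Python sketch of those three pieces together: an audit logger placed in the business-logic layer, an explicit event model, and a JSON-line record format, followed by a SOC-side rule that only works because the records carry application context. The transfer operation, its `owner_only` and `daily_limit` rules, and the `DAILY_LIMIT` value are assumptions made up for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from enum import Enum

class AuditEvent(str, Enum):
    """Event model: the business-level events the application layer is aware of."""
    AUTHZ_DENIED = "authz.denied"
    POLICY_LIMIT_EXCEEDED = "policy.limit_exceeded"
    TRANSFER_APPROVED = "transfer.approved"

class AuditLogger:
    """Location: lives inside the business-logic layer, so every record can carry
    the rule, owner and resource that infrastructure logs never see."""

    def __init__(self):
        self.lines = []  # record format: one JSON line each (a SIEM forwarder would ship these)

    def emit(self, event, actor, resource, outcome, **context):
        rec = {"ts": datetime.now(timezone.utc).isoformat(), "event": event.value,
               "actor": actor, "resource": resource, "outcome": outcome, "context": context}
        line = json.dumps(rec, sort_keys=True)
        self.lines.append(line)
        return line

DAILY_LIMIT = 10_000  # assumed business rule for the hypothetical transfer operation

def transfer(audit, actor, owner, account, amount):
    """Hypothetical business operation; the audit calls at each policy decision are the point."""
    if actor != owner:
        audit.emit(AuditEvent.AUTHZ_DENIED, actor, account, "deny", rule="owner_only", owner=owner)
        return False
    if amount > DAILY_LIMIT:
        audit.emit(AuditEvent.POLICY_LIMIT_EXCEEDED, actor, account, "deny",
                   rule="daily_limit", amount=amount, limit=DAILY_LIMIT)
        return False
    audit.emit(AuditEvent.TRANSFER_APPROVED, actor, account, "allow", amount=amount)
    return True

def actors_denied_across_resources(json_lines, threshold=3):
    """SOC-side rule over the app's records: an actor denied on `threshold` or more
    distinct resources is touching accounts that are not theirs and merits an analyst's look."""
    denied = defaultdict(set)
    for line in json_lines:
        rec = json.loads(line)
        if rec["event"] == AuditEvent.AUTHZ_DENIED.value:
            denied[rec["actor"]].add(rec["resource"])
    return sorted(actor for actor, res in denied.items() if len(res) >= threshold)
```

A network or OS log would show the same HTTP request for every one of these calls; only the application knows which rule fired and who owns the resource, which is what the SOC rule keys on.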