Slides used at the University of Edinburgh SIGINT group (cybersecurity society). Covering what is big data, the value for security use cases, hunting for threats/actions, using Splunk to detect and respond, SIEM use and some useful searches (which were demoed).
Short Bio: Harry McLaren is a Senior Consultant at ECS and is responsible for service delivery, technical leadership and people development in the rapidly growing Splunk consulting practice and is responsible for growing our team of talented Splunk Consultants. ECS, a specialist in enterprise IT services, has an award-winning IT security capability which is focused on Cybersecurity Operations Centres and IT security consulting.
Few Security based use cases you have leverage big data platforms for, but how?
SIEM evolution and the (often fallacy) that is ‘next-gen’ SIEM. “Next-gen” shouldn’t even be a term as your security operational capability to grow organically and the tools should be able to keep up. How a platform which can grow as your security maturity and technical ability also grows (not limited to only “out-of-the-box features”).
Building full featured SIEMs is hard. Many try, many fail. Big data platforms only provide access to (hopefully) easy to search data. Most end up as very basic rule engines similar in function to a distributed IDS (NIDS or HIDS).
Rules Threshold Based Anomaly/Behaviour Based Boolean Based Context Asset & Identity Awareness Risk Profiling/Analytics Approved Types of Activity vs Not Frameworks Scalability (Volume, Complexity) User Empowerment (without being a platform expert) Expansion and development of custom use cases. Integration Data Source Compatibility (Schema vs Write one, read multiple ways). Workflow Integration & Centralised Investigation Orchestration
Example high-level architecture of a SIEM platform. Lots of components working together. Inputs, procedures and outputs are covered. Five frameworks mentioned covered in more detail. Not going to talk all the way through each one, purpose is to show the types of frameworks required and illustrate the contents of them.
Understand the reasons for the project, use cases, motivations and what constraints might apply. Prepare, prepare, prepare. Ensure you have scoped all required inputs, outputs and the level of dependencies between them. Integrate everything! Not just the data sources, but workflow, automation and orchestration. SIEM can be very powerful tools, however if the team which is going to own it/use it doesn’t know how, it’ll go to waste. SecOps teams should be a the forefront of exploring the data, hunting and defining their own use cases.