
Hunting Hard, Failing Fast, Maintaining Integrity

Many organisations have invested millions in building security operations teams and deploying powerful monitoring and reporting tools, and then ask for continual improvement in the form of tuning, threat hunting and new threat models. Within large enterprises, however, these changes either carry the risk of modifying a live production platform or take weeks or months to pass through the development and release process (the route-to-live). This session outlines DevOps principles and an associated framework that enforces change management while still supporting rapid changes to code and configuration.


  1. Hunting Hard, Failing Fast, Maintaining Integrity
     Harry McLaren, Managing Consultant @ ECS
  2. Who Am I? Harry McLaren
     • Alumnus of Napier University
     • Managing Consultant at ECS [Security]
       – Role: Security Engineer, Lead Consultant for Big Data (Splunk)
       – Previous Roles: SOC Analyst, Incident Responder
     • Current Interests: DevSecOps, Automation, Enabling Failure
  3. Who Are ECS?
     • Largest UK Splunk Partner
     • Splunk's UK-based SME for Security
     • Managed SOC Provider for FTSE 100/250
     • Advanced Detection & Threat Hunting Services
     • Best Security Company of the Year
  4. Why Am I Here? (~25 mins)
     • SOC Capabilities
     • Threat Hunting
     • Balancing SOC Risk
     • Using Splunk for an Agile SIEM
     • Evolution of DevSecOps
     • DevSecOps Practices for SOC
     • Result: Empowered Hunters
     • Resources & Questions
  5. SOC Capabilities: Evolving Security Operations Functions
     • Monitoring: Security Logs, Simple Searching, Compliance Reporting
     • Detection: Correlation Rules, Multiple Alerts, Disparate Log Sources
     • Analysis: Contextual Information, Baselining/Thresholds, Behavioural Insights
     • Response: Incident Management, Forensic Investigation, Escalation, Disruption of Attack Chain
     • Hunting: Finding Unknown Unknowns, Experimentation, Gap Analysis
     • Automation & Orchestration: Reducing SOC Fatigue, Responsive Actions, Security Nerve Centre
  6. Threat Hunting: Diamond Model (Source: Sqrrl)
  7. Adaptive Threat Hunting: Finding, Confirming & Responding to Threats
     • 01 Hypothesis: changing all the time, various data analysed, conflicting evidence, threat discovery a priority
     • 02 Threat Discovered
     • 03 Actor Changes TTPs, Response to TTPs, back to Hypothesis & Detection
     • Response: adapt to threat actors' techniques, tools and procedures; develop detection and response capability
  8. Balancing SOC Risk: changes subject to change control
     • Adding Rules/Alerts or Tuning Existing Ones
     • Schema Modification
     • Changes to Thresholds
     • System Change
  9. DevSecOps (Source: Gartner)
  10. Splunk for SIEM (Security Information & Event Management): Supporting Agile Methods by Default
     • Search Processing (SPL): schema at read, not at write, supporting multiple use cases
     • Web UI: all analytic tools exposed to the UI, empowering users to experiment; users encouraged to play
     • Plain Text Config: no database, configuration in text files, well documented and supported
     • Open API: Splunk API is open and enumerated/documented; free (500MB) licence model, labs encouraged
     • Workflow: Monitor, Investigate, Build, Intelligence
  11. Solution: DevOps to the Rescue! Continuous Delivery FTW!
     • Version Control: implement a Version Control System (VCS) for tracking change and peer reviewing; GitLab was chosen
     • Full Route-to-Live: multi-environment setup (Dev, Test, Prod), leveraging an identical code base throughout (99%)
     • Agile Development: remove Waterfall usage, move to Scrum-based development sprints with issue tracking
     • Configuration Management: remove infrastructure access (SSH/RDP); require changes to be pushed via Ansible and stored in VCS
  12. SOC Excellence with Empowered Hunters
     • Change: track, monitor & report; revert defects; peer-reviewed code
     • SIEM Detection: constantly evolving detection; change with adversaries
     • Build: make everyone a creator; access to Dev for all
     • Automation: enrich datasets; free up valuable resources
     • Hunt: risk-free hunting; rapid development of use cases
  13. Resources (Hunt, Respond, Detect, Big Data)
     • Threat Hunting: Framework, Security Essentials, SANS Whitepaper
     • SOC: General Building Guide, Splunk SOCs
     • SIEM: Splunk Enterprise Security, Writing SIEM Rules
     • Splunk: Free Download, Free Training, User Group
  14. Questions? @cyberharibu. Connect and say hello! Splunk User Group, Cyber Scotland Connect
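The route-to-live the deck describes (detection content held as plain-text Splunk configuration in GitLab, peer reviewed, then promoted Dev to Test to Prod with no direct SSH/RDP changes) is easiest to see when the review step itself is automated. The following is an added example, not code from the talk or from ECS or Splunk: it parses a savedsearches.conf-style file, diffs the Prod and Dev copies so a reviewer sees exactly what a merge request changes, and applies a small policy gate (required keys present, alert threshold not drifting more than 2x without explicit sign-off). The two .conf snippets, the stanza names, the required-key list and the 2x limit are all constructed assumptions for the demonstration.

```python
"""Added example (not from the talk): treat SIEM detection content as code.

Parses Splunk-style savedsearches.conf stanzas, diffs two environment copies
(Prod vs Dev) and lints the change against an example SOC review policy.
All sample content and policy values below are constructed assumptions.
"""
import re

# Constructed sample: the Prod copy of one detection ...
PROD_CONF = """\
[Brute Force - Failed Logons]
search = index=auth action=failure | stats count by user, src | where count > 20
cron_schedule = */5 * * * *
disabled = 0
alert.severity = 4
"""

# ... and the Dev copy from a merge request: threshold tuned, one new rule added.
DEV_CONF = """\
[Brute Force - Failed Logons]
search = index=auth action=failure | stats count by user, src | where count > 50
cron_schedule = */5 * * * *
disabled = 0
alert.severity = 4

[New Service Installed]
search = index=wineventlog EventCode=7045
cron_schedule = */15 * * * *
disabled = 0
"""

# Example policy (an assumption, not a Splunk or ECS standard): every
# correlation search must carry these keys before it can promote.
REQUIRED_KEYS = ("search", "cron_schedule", "disabled", "alert.severity")
THRESHOLD_RE = re.compile(r"where\s+count\s*>\s*(\d+)")


def parse_conf(text):
    """Parse [stanza] / key = value lines into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")  # SPL itself contains '='; split on the first only
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def diff_conf(old, new):
    """Return (stanza, key, old_value, new_value) tuples; key '*' marks a whole stanza added/removed."""
    changes = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            changes.append((name, "*", None, "added"))
        elif name not in new:
            changes.append((name, "*", "removed", None))
        else:
            o, n = old[name], new[name]
            for key in sorted(set(o) | set(n)):
                if o.get(key) != n.get(key):
                    changes.append((name, key, o.get(key), n.get(key)))
    return changes


def threshold(search):
    """Extract the numeric 'where count > N' threshold from an SPL search, if present."""
    m = THRESHOLD_RE.search(search or "")
    return int(m.group(1)) if m else None


def lint(old, new, max_ratio=2.0):
    """Policy gate for a merge request; an empty list means the change may promote."""
    findings = []
    for name, kv in new.items():
        for key in REQUIRED_KEYS:
            if key not in kv:
                findings.append(f"{name}: missing required key '{key}'")
    for name, key, before, after in diff_conf(old, new):
        if key != "search":
            continue
        t_old, t_new = threshold(before), threshold(after)
        # Large threshold moves silently change detection coverage: require sign-off.
        if t_old and t_new and max(t_old, t_new) / min(t_old, t_new) > max_ratio:
            findings.append(f"{name}: threshold {t_old} -> {t_new} exceeds {max_ratio}x drift, needs explicit sign-off")
    return findings


if __name__ == "__main__":
    prod, dev = parse_conf(PROD_CONF), parse_conf(DEV_CONF)
    for change in diff_conf(prod, dev):
        print("CHANGE", change)
    for finding in lint(prod, dev):
        print("BLOCK ", finding)
```

Run as a CI job on the merge request branch, the diff output is what the peer reviewer reads and the lint findings are what fails the pipeline; the Ansible push to Test or Prod only runs once the list is empty, which keeps the "no direct access to infrastructure" rule intact while still letting a hunter land a tuned threshold within a sprint rather than a change-board cycle.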