Slide 1: Hunting Hard, Failing Fast, Maintaining Integrity
Harry McLaren - Managing Consultant @ ECS
Slide 2: Who Am I?
Harry McLaren
• Alumnus of Napier University
• Managing Consultant at ECS [Security]
  – Role: Security Engineer, Lead Consultant for Big Data (Splunk)
  – Previous Roles: SOC Analyst, Incident Responder
• Current Interests: DevSecOps, Automation, Enabling Failure
Slide 3: Who Are ECS?
• Largest UK Splunk Partner
• Splunk's UK Based SME for Security
• Managed SOC Provider for FTSE 100/250
• Advanced Detection & Threat Hunting Services
• Best Security Company of the Year
Slide 4: Why Am I Here? (~25 mins)
• SOC Capabilities
• Threat Hunting
• Balancing SOC Risk
• Using Splunk for an Agile SIEM
• Evolution of DevSecOps
• DevSecOps Practices for SOC
• Result: Empowered Hunters
• Resources & Questions
Slide 5: SOC Capabilities - Evolving Security Operations Functions
• Monitoring: Security Logs, Simple Searching, Compliance Reporting
• Detection: Correlation Rules, Multiple Alerts, Disparate Log Sources
• Analysis: Contextual Information, Baselining/Thresholds, Behavioral Insights
• Response: Incident Management, Forensic Investigation, Escalation, Disruption of Attack Chain
• Hunting: Finding Unknown Unknowns, Experimentation, Gap Analysis
• Automation & Orchestration: Reducing SOC Fatigue, Responsive Actions, Security Nerve Centre
Slide 6: Threat Hunting - Diamond Model
[Diagram of the Diamond Model; Source: Sqrrl]
Slide 7: Adaptive Threat Hunting - Finding, Confirming & Responding to Threats
[Cycle diagram with stages 01-03: Hypothesis, Threat Discovered, Actor Changes TTPs, Response to TTPs]
Hypothesis & Detection: Changing all the time, various data analyzed, conflicting evidence, threat discovery a priority.
Response: Adapt to threat actors' techniques, tools and procedures. Develop detection and response capability.
Slide 8: Balancing SOC Risk
• Adding Rules/Alerts or Tuning Existing Ones
• Schema Modification
• Changes to Thresholds
• System Change
• Change Control
Slide 9: DevSecOps
[Diagram; Source: Gartner]
Slide 10: Splunk for SIEM (Security Information & Event Management) - Supporting Agile Methods by Default
• SPL (Search Processing): Schema at Read, Not at Write, Supporting Multiple Use Cases
• Web UI: All Analytic Tools Exposed to UI, Empowering Users to Experiment; Users Encouraged to Play
• Plain Text Config: Plain Text Configuration Files, Well Documented & Supported; No Database, Configuration in Text
• Open API: Splunk API is Open, Free (500MB) License Model, Labs Encouraged; Enumerated & Documented API
Cycle: Monitor -> Investigate -> Build Intelligence
Slide 11: Solution: DevOps to the Rescue! Continuous Delivery FTW!
• Version Control: Implement a Version Control System (VCS) for tracking change and peer reviewing. GitLab was chosen.
• Full Route-to-Live: Multi-environment setup (Dev, Test, Prod), leveraging an identical code base throughout (99%).
• Agile Development: Remove Waterfall method usage, move to Scrum-based development Sprints with issue tracking.
• Configuration Management: Remove infrastructure access (SSH/RDP); require change to be pushed via Ansible and stored in VCS.
Slide 12: SOC Excellence with Empowered Hunters
SIEM at the centre, surrounded by five practices:
• Change: Track, Monitor & Report; Revert Defects; Peer Reviewed Code
• Detection: Constantly Evolving Detection; Change with Adversaries
• Build: Make Everyone a Creator; Access to Dev for All
• Automation: Enrich Datasets; Free Up Valuable Resources
• Hunt: Risk-free Hunting; Rapid Development of Use Cases
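The "Balancing SOC Risk" slide (new rules, tuned thresholds, schema and system changes all need change control) and the DevOps slides (detections in a VCS, peer-reviewed code, revert defects, pushed by Ansible) meet in a CI change gate. The script below is an added example, not code from the talk, ECS or Splunk: it parses two revisions of a Splunk savedsearches.conf (the file Splunk stores saved searches and alerts in) and rates each change by its risk to detection coverage, so the pipeline can demand peer review before anything reaches Prod. The key names it inspects (search, enableSched, relation, quantity, disabled, cron_schedule) are the ones Splunk uses in that file; the stanzas, search strings and function names are constructed for the example.

```python
"""Added example (not from the talk): a change gate for Splunk detection
content held in version control. It parses two revisions of a
savedsearches.conf (the file Splunk keeps saved searches and alerts in)
and rates each change by its risk to detection coverage, so a CI job can
demand peer review before Ansible pushes it. Sample stanzas are constructed."""

# relation values as written in savedsearches.conf alert conditions
LOOSEN_IF_RAISED = {"greater than", "rises by"}   # bigger number -> fewer alerts
LOOSEN_IF_LOWERED = {"less than", "drops by"}     # smaller number -> fewer alerts
RISK_RANK = {"low": 0, "medium": 1, "high": 2}


def parse_conf(text):
    """Minimal Splunk .conf parser: [stanza], key = value, '#' comments and
    trailing-backslash line continuations. Keys keep their case."""
    conf, stanza, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):              # continuation: join with next line
            pending = line[:-1]
            continue
        pending, line = "", line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf[stanza] = {}
        elif "=" in line and stanza is not None:
            key, _, value = line.partition("=")  # only the first '=' splits
            conf[stanza][key.strip()] = value.strip()
    return conf


def _threshold_finding(name, o, n):
    """Does the changed alert condition (relation/quantity) loosen coverage?"""
    rel_old, rel_new = o.get("relation", ""), n.get("relation", "")
    if rel_old != rel_new:
        return (name, "medium", f"alert relation changed {rel_old!r} -> {rel_new!r}")
    oq, nq = float(o.get("quantity", 0)), float(n.get("quantity", 0))
    if (rel_new in LOOSEN_IF_RAISED and nq > oq) or (rel_new in LOOSEN_IF_LOWERED and nq < oq):
        return (name, "medium", f"threshold loosened: {rel_new} {oq:g} -> {nq:g} (fewer alerts)")
    return (name, "low", f"threshold tightened: {rel_new} {oq:g} -> {nq:g}")


def diff_detections(old_text, new_text):
    """(stanza, risk, message) per change: high = coverage lost, medium = needs a reviewer, low = info."""
    old, new = parse_conf(old_text), parse_conf(new_text)
    out = [(s, "high", "detection removed") for s in sorted(old.keys() - new.keys())]
    out += [(s, "low", "new detection added") for s in sorted(new.keys() - old.keys())]
    for s in sorted(old.keys() & new.keys()):
        o, n = old[s], new[s]
        if o.get("disabled", "0") == "0" and n.get("disabled", "0") == "1":
            out.append((s, "high", "detection disabled"))
        if o.get("enableSched") == "1" and n.get("enableSched") != "1":
            out.append((s, "high", "scheduling switched off"))
        if o.get("search") != n.get("search"):
            out.append((s, "medium", "search logic changed"))
        if (o.get("relation"), o.get("quantity")) != (n.get("relation"), n.get("quantity")):
            out.append(_threshold_finding(s, o, n))
        if o.get("cron_schedule") != n.get("cron_schedule"):
            out.append((s, "low", f"cron {o.get('cron_schedule')} -> {n.get('cron_schedule')}"))
    return out


def needs_peer_review(findings):
    """CI gate: anything rated medium or above blocks an unreviewed merge."""
    return any(RISK_RANK[r] >= RISK_RANK["medium"] for _, r, _ in findings)


OLD_CONF = """\
# constructed sample: revision currently deployed to Prod
[Brute Force - Many Failed Logons]
search = index=wineventlog EventCode=4625 \\
  | stats count by src, user
enableSched = 1
relation = greater than
quantity = 10

[Lateral Movement - Admin Share Access]
search = index=wineventlog EventCode=5140 ShareName="*$" | stats count by src, dest
enableSched = 1
disabled = 0

[Rare Process Parent]
search = index=sysmon EventCode=1 | rare ParentImage
cron_schedule = 0 * * * *
enableSched = 1
relation = less than
quantity = 5
"""

# constructed merge request: loosen the brute-force threshold, disable the
# lateral-movement alert, retune the rare-process alert and add a new search
NEW_CONF = (OLD_CONF.replace("quantity = 5\n", "quantity = 8\n")
            .replace("quantity = 10", "quantity = 50")
            .replace("disabled = 0", "disabled = 1")
            .replace("0 * * * *", "*/30 * * * *")
            + "\n[Encoded PowerShell Command]\nsearch = index=wineventlog "
              'EventCode=4688 CommandLine="*-EncodedCommand*"\nenableSched = 1\n')

if __name__ == "__main__":
    for stanza, risk, msg in diff_detections(OLD_CONF, NEW_CONF):
        print(f"[{risk.upper():6}] {stanza}: {msg}")
```

Run against the constructed revisions it reports the disabled lateral-movement alert as high, the brute-force threshold moving from 10 to 50 as a medium loosening, and the rare-process retune, schedule change and new search as low, so `needs_peer_review` returns True and the merge waits for a reviewer. The same gate, given the unchanged file twice, returns nothing, which is what lets routine low-risk commits flow through the route-to-live without manual touch.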
Slide 13: Resources
• Threat Hunting: Framework, Security Essentials, SANS Whitepaper
• SOC: General Building Guide, Splunk SOCs
• SIEM: Splunk Enterprise Security, Writing SIEM Rules
• Splunk: Free Download, Free Training, User Group
Hunt Respond Detect Big Data
Slide 14: Questions?
@cyberharibu
harry.mclaren@ecs.co.uk
harrymclaren.co.uk
Connect and Say Hello! Splunk User Group, Cyber Scotland Connect


Editor's Notes

  1. 1min
  2. 1min
  3. 1min
  4. 3mins
  5. 2mins
  6. 2mins
  7. 2mins
  8. 2mins
  9. 2mins
  10. 2mins
  11. 5mins
  12. 0min
  13. 10mins