Slides used at the University of Edinburgh SIGINT group (cybersecurity society), covering what big data is, its value for security use cases, hunting for threats and attacker actions, using Splunk to detect and respond, SIEM use, and some useful searches (which were demoed).
Short Bio:
Harry McLaren is a Senior Consultant at ECS, responsible for service delivery, technical leadership and people development in the rapidly growing Splunk consulting practice, and for growing our team of talented Splunk Consultants. ECS, a specialist in enterprise IT services, has an award-winning IT security capability which is focused on Cybersecurity Operations Centres and IT security consulting.
1min
A few security use cases that you can leverage big data platforms for, but how?
1min
SIEM evolution and the (often fallacious) idea of the ‘next-gen’ SIEM. “Next-gen” shouldn’t even be a term: your security operational capability should grow organically and the tools should be able to keep up.
How a platform can grow as your security maturity and technical ability grow (not limited to “out-of-the-box” features only).
2mins
Building full featured SIEMs is hard.
Many try, many fail.
Big data platforms only provide access to (hopefully) easy-to-search data.
Most end up as very basic rule engines, similar in function to a distributed IDS (NIDS or HIDS).
2mins
Rules
  - Threshold Based
  - Anomaly/Behaviour Based
  - Boolean Based
Context
  - Asset & Identity Awareness
  - Risk Profiling/Analytics
  - Approved Types of Activity vs Not
Frameworks
  - Scalability (Volume, Complexity)
  - User Empowerment (without being a platform expert)
  - Expansion and development of custom use cases
Integration
  - Data Source Compatibility (fixed schema on write vs. write once, read multiple ways, i.e. schema on read)
  - Workflow Integration & Centralised Investigation
  - Orchestration
3mins
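The rule and context categories above, run over a handful of log lines, as an added example that is not from the slides or from Splunk. In Splunk these would be searches over the indexed events (stats/where for thresholds, lookups for asset and identity context); here the same logic is written in Python so it runs stand-alone. All log lines, the asset, identity, baseline and approved-source tables, and the rule names and scores are constructed for illustration. Threshold and boolean rules fire on the constructed brute-force sequence, the behaviour rule on a login at an unusual hour, the allow-list suppresses the approved scanner, and the remaining alerts are weighted by asset criticality and identity privilege into a per-entity risk score.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sshd-style auth lines (not real data): "<ts> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
RAW_EVENTS = [
    "2017-03-01T09:00:01 pay-db-01 sshd: Failed password for alice from 10.0.0.5",
    "2017-03-01T09:00:02 pay-db-01 sshd: Failed password for alice from 10.0.0.5",
    "2017-03-01T09:00:03 pay-db-01 sshd: Failed password for alice from 10.0.0.5",
    "2017-03-01T09:00:20 pay-db-01 sshd: Accepted password for alice from 10.0.0.5",
    "2017-03-01T09:15:00 dev-box-07 sshd: Accepted password for bob from 10.0.0.9",
    "2017-03-01T03:10:00 dev-box-07 sshd: Accepted password for bob from 10.0.0.9",
    "2017-03-01T10:00:00 dev-box-07 sshd: Failed password for root from 10.0.0.250",
    "2017-03-01T10:00:01 dev-box-07 sshd: Failed password for root from 10.0.0.250",
    "2017-03-01T10:00:02 dev-box-07 sshd: Failed password for root from 10.0.0.250",
]
# Constructed context tables (hypothetical asset, identity, baseline and allow-list data).
ASSETS = {"pay-db-01": {"criticality": "high"}, "dev-box-07": {"criticality": "low"}}
IDENTITIES = {"alice": {"privileged": True}, "bob": {"privileged": False}}
APPROVED = {"10.0.0.250": {"brute_force_attempt"}}  # vuln scanner: failed logins are expected
BASELINE_HOURS = {"alice": [9, 10, 9, 10, 9, 10, 9, 10], "bob": [9, 9, 10, 10, 11, 9, 10, 10]}
CRIT_WEIGHT = {"high": 3, "medium": 2, "low": 1}

LOG_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
Alert = namedtuple("Alert", "name score event")

def parse(line):
    """Schema on read: extract fields from the raw line at search time."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    ts, dest, result, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "dest": dest, "user": user,
            "src_ip": src, "result": "fail" if result == "Failed" else "success"}

def rule_threshold(events, n=3, window=timedelta(seconds=60)):
    """Threshold rule: n or more failures from one source within `window` (events sorted by time)."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            fails[ev["src_ip"]].append(ev)
    alerts = []
    for evs in fails.values():
        for i in range(len(evs) - n + 1):
            if evs[i + n - 1]["ts"] - evs[i]["ts"] <= window:
                alerts.append(Alert("brute_force_attempt", 20, evs[i + n - 1]))
                break  # one alert per source per run
    return alerts

def rule_boolean(events, window=timedelta(minutes=5)):
    """Boolean rule: failure for a user/source AND a later success for the same pair (sorted input)."""
    last_fail, alerts = {}, []
    for ev in events:
        key = (ev["user"], ev["src_ip"])
        if ev["result"] == "fail":
            last_fail[key] = ev
        elif key in last_fail and ev["ts"] - last_fail.pop(key)["ts"] <= window:
            alerts.append(Alert("success_after_failures", 40, ev))
    return alerts

def rule_behaviour(events, z_max=3.0):
    """Anomaly rule: successful login at an hour far from the user's historical mean.
    Caveat: hours are treated linearly (23 and 0 are 23 apart); a real rule would use
    a circular statistic. Users with no baseline are skipped rather than guessed."""
    alerts = []
    for ev in events:
        hist = BASELINE_HOURS.get(ev["user"])
        if ev["result"] != "success" or not hist:
            continue
        sd = pstdev(hist) or 1.0  # guard: a constant baseline would divide by zero
        if abs((ev["ts"].hour - mean(hist)) / sd) > z_max:
            alerts.append(Alert("unusual_login_hour", 30, ev))
    return alerts

def apply_context(alerts):
    """Context: drop approved activity, then weight by asset criticality and identity privilege."""
    kept = []
    for a in alerts:
        ev = a.event
        if a.name in APPROVED.get(ev["src_ip"], ()):
            continue  # approved type of activity for this source
        crit = ASSETS.get(ev["dest"], {}).get("criticality", "medium")
        priv = 2 if IDENTITIES.get(ev["user"], {}).get("privileged") else 1
        kept.append(Alert(a.name, a.score * CRIT_WEIGHT[crit] * priv, ev))
    return kept

def risk_by_entity(alerts):
    """Risk profiling: accumulate alert scores per user and per source IP."""
    risk = defaultdict(int)
    for a in alerts:
        risk["user:" + a.event["user"]] += a.score
        risk["src:" + a.event["src_ip"]] += a.score
    return dict(risk)

def run(lines=RAW_EVENTS):
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts = apply_context(rule_threshold(events) + rule_boolean(events) + rule_behaviour(events))
    return alerts, risk_by_entity(alerts)
```

Calling `run()` returns the three surviving alerts (the scanner's brute-force alert is suppressed by the allow-list) and a risk table in which alice and her source carry most of the score because the target is a high-criticality asset and the account is privileged; the same shape, risk accumulating on users and assets rather than a flat stream of alerts, is what the "risk profiling" item above refers to.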
Example high-level architecture of a SIEM platform.
Lots of components working together.
Inputs, procedures and outputs are covered.
The five frameworks mentioned are covered in more detail.
Not going to talk all the way through each one; the purpose is to show the types of frameworks required and illustrate their contents.
2mins
Understand the reasons for the project, use cases, motivations and what constraints might apply.
Prepare, prepare, prepare. Ensure you have scoped all required inputs, outputs and the dependencies between them.
Integrate everything! Not just the data sources, but workflow, automation and orchestration.
SIEMs can be very powerful tools; however, if the team which is going to own and use it doesn’t know how, it’ll go to waste. SecOps teams should be at the forefront of exploring the data, hunting and defining their own use cases.
2mins