SlideShare a Scribd company logo
SACON 2020
SACON 2020
Who are we anyway?
SACON 2020
SACON 2020
Some subject gyan
SACON 2020
We’ve got the stuff!
SACON 2020
And…..
SACON 2020
Proprietary SIEM challenges
● Device Integration and log parsing
● Log enrichment
● Log correlation from multiple sources
● Cost
● Scaling SIEM components
● Updates
● Customisations
SACON 2020
We needed something more…
o ~4000 events per second (this is going up) – parsed, enriched and indexed!
o ~30 million events per day - long term data retention and analytics
o ~150 alerts post correlation
o Horizontally scalable platform
o Attribute level statistical profiling
o Threat visualization
o Threat hunting
SACON 2020
Statistical Profiling
SACON 2020
SACON 2020
Tech Stack - Metron, Homegrown, AWS
ParseIngest Enrich
& Index
STELLAR
Alerting
Framework
Block
Escalate
Scan
JIRA
Alert &
Action
Kafka
Filebeat
Analytics, ML,
Visualisation
AWS Athena
Zeppelin
SACON 2020
Scale
SACON 2020
Architecture
HTTPD
Firewall
IDS/IPS
VPN
Application
Proxy
Mail
Network
Enrichment
(Storm)
Indexing
(Storm)
Profiler
(Storm)
Blitz
( Alerting &
Ticketing )
Parsing
(Storm)
S3
Elastic
Search
Kibana
Redash
Athena
Zeppelin
AWS
Biz Events
SageMaker
SACON 2020
Metron - Enrichment & Profiler
Destination Geo
Profiling
For each
geolocation,
aggregate the
bytes sent out
Profile expiry : 1
day
Check if current
volume is greater
than mean
volume
Lookup
Enrichment
Check if
destination
host/port is
whitelisted or
destination is a
legit SMTP
No
Set alert = True for
the eventPush to indexing
IPS
Logs
SACON 2020
Some Use Cases
SACON 2020
Objective:
● to flag change in server behavior basis it’s producer / consumer ratio
● to detect server compromise and bypass of security controls
● to detect data exfiltration
Profile Created:
● Server’s Producer / Consumer Ratio
Rules:
● If abs(current avg PCR – previous avg PCR) > 0.5
Change in server behaviour basis PCR
SACON 2020
Objective:
● to detect malware injected in server / code
● to detect security control bypass
Profile Created:
● Known User Agents per server or VLAN
Rules:
● Flag any new User Agent that a server or VLAN has never used before
Un-usual User Agents used by a server or VLAN
SACON 2020
Objective :
● to detect misconfiguration & security bypass
● to detect insider threat
Profile Created:
● Unique AWS Events triggered per bucket retained over a period of X days
Rules:
● Flag any event triggered for an S3 resource that has not been observed
for it in the past X days
AWS Anomalous S3 Activity
SACON 2020
Objective :
● to detect credential compromise
● to detect credential sharing
Profile Created:
● User agent, IP address and geolocation of each user logging in for X days
Rules:
● Alert if a new user agent for the user is observed
● Alert if a new IP address for the user is observed
● Alert if a new geolocation (country) is observed
AWS Anomalous User Login
SACON 2020
AWS Anomalous Activity
Objective :
● to detect lateral movement of threat
● to detect misconfiguration and security bypass
Profile Created:
● For all combinations of account, event source and aws_region, profile
events, user agent and geolocation (country)
Rules:
● Alert if a new user agent for the profile is observed
● Alert if a new event for the profile is observed
● Alert if a new geolocation (country) is observed
SACON 2020
SOARing over threats
SACON 2020
What is this … Blitz ?
Well, now that Metron has helped you identify an anomaly, WHAT IF
● You can get the anomaly alert details on a neatly generated email
/ JIRA ticket?
● You can custom enrich alert information with data from internal
and external sources ?
○ WHOIS info
○ Known Hosting IP
○ Reverse DNS Info
○ Customer Reputation & History
SACON 2020
● And have action buttons in the alert itself to respond in real time ?
○ Block IP or source
○ Raise a ticket
○ Forward to concerned team
○ Remediate endpoint
SACON 2020
Blitz - Overview
● Open Source incident response automation framework aimed at
accelerating incident triage, tracking and response capabilities
● Ingests device agnostic alert data structured in JSON format
● Enriches alerts and makes them actionable using embedded
custom response buttons
● Easily integrated with Metron using Nifi.
● Code and deployment instructions can be found at :
https://github.com/makemytrip/blitz
SACON 2020
Blitz - Architecture
Enrichments
Configuration
Output
Templates
Core Driver
&
Helper
Modules
Alert
Output
Modules
SACON 2020
SACON 2020
Blitz - Components
● Core Driver (Logic Engine) - processing alert data, calling
enrichments and building output
● Enrichment Engine - Container for enrichment modules that
fetch information from other sources/APIs.
● Device Configuration - Configure enrichments, actions, tokens
for all integrated devices
● Output Templates - Building and adjusting your alert UI
● Output Integrations - choosing SOC alert integration : email,
JIRA, Http, JSON/File
SACON 2020
Building Configuration
SACON 2020
Routing alert data to Blitz -
Parsing / Deduplicating
SACON 2020
Blitz - In Action
SACON 2020
Blitz - In Action
SACON 2020
Visualizations on Data Lake
Using Redash
SACON 2020
Privileged Activity & Sensitive Asset Monitoring
Redash - Data Lake (PAM/SAM Reports)
SACON 2020
Redash - Data Lake (WAF Events)
SACON 2020
Helium Charts Redash - Data Lake (AWS Events)
SACON 2020
Helium Charts Redash - Data Lake (IPS Events)
SACON 2020
Helium Charts
Redash - Data Lake (End User Events)
SACON 2020
Serverless Security Data Lake
Indexing Topology
SACON 2020
Anatomy of a Hunt - ML aided
Security Data
Lake
Feature
Extraction
Model
Persistence/Up
dates
Model Training
Anomaly Detection
&
Analysis
SACON 2020
Thank you
Questions? Fire !
SACON 2020
Backup Slides
SACON 2020
Metron Profiler Explained

More Related Content

What's hot

Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture
AddWeb Solution Pvt. Ltd.
 
CSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined PerimeterCSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined Perimeter
Vishwas Manral
 
Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?
Cryptzone
 
SACON - Devops-container (Richard Bussiere)
SACON - Devops-container (Richard Bussiere)SACON - Devops-container (Richard Bussiere)
SACON - Devops-container (Richard Bussiere)
Priyanka Aash
 
Cryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined Perimeter
Cryptzone
 
Beyond the mcse red teaming active directory
Beyond the mcse  red teaming active directoryBeyond the mcse  red teaming active directory
Beyond the mcse red teaming active directory
Priyanka Aash
 
SACON - Mobile App Security (Srinath Venkataramani)
SACON - Mobile App Security (Srinath Venkataramani)SACON - Mobile App Security (Srinath Venkataramani)
SACON - Mobile App Security (Srinath Venkataramani)
Priyanka Aash
 
Cryptzone AppGate Technical Architecture
Cryptzone AppGate Technical ArchitectureCryptzone AppGate Technical Architecture
Cryptzone AppGate Technical Architecture
Cryptzone
 
[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps
OWASP
 
AppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudAppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the Cloud
Cryptzone
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cryptzone
 
SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)
Priyanka Aash
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
Priyanka Aash
 
Security Program Development for the Hipster Company
Security Program Development for the Hipster CompanySecurity Program Development for the Hipster Company
Security Program Development for the Hipster Company
Priyanka Aash
 
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
DevOps.com
 
Identity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of ThingsIdentity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of Things
Priyanka Aash
 
SACON - Beyond corp (Arnab Chattopadhayay)
SACON - Beyond corp (Arnab Chattopadhayay)SACON - Beyond corp (Arnab Chattopadhayay)
SACON - Beyond corp (Arnab Chattopadhayay)
Priyanka Aash
 
SecOps Workshop (Gregory Pickett)
SecOps Workshop (Gregory Pickett)SecOps Workshop (Gregory Pickett)
SecOps Workshop (Gregory Pickett)
Priyanka Aash
 
(SACON) Wasim Halani - OSINT threat hunting
(SACON) Wasim Halani - OSINT threat hunting(SACON) Wasim Halani - OSINT threat hunting
(SACON) Wasim Halani - OSINT threat hunting
Priyanka Aash
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Priyanka Aash
 

What's hot (20)

Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture
 
CSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined PerimeterCSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined Perimeter
 
Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?
 
SACON - Devops-container (Richard Bussiere)
SACON - Devops-container (Richard Bussiere)SACON - Devops-container (Richard Bussiere)
SACON - Devops-container (Richard Bussiere)
 
Cryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined PerimeterCryptzone: The Software-Defined Perimeter
Cryptzone: The Software-Defined Perimeter
 
Beyond the mcse red teaming active directory
Beyond the mcse  red teaming active directoryBeyond the mcse  red teaming active directory
Beyond the mcse red teaming active directory
 
SACON - Mobile App Security (Srinath Venkataramani)
SACON - Mobile App Security (Srinath Venkataramani)SACON - Mobile App Security (Srinath Venkataramani)
SACON - Mobile App Security (Srinath Venkataramani)
 
Cryptzone AppGate Technical Architecture
Cryptzone AppGate Technical ArchitectureCryptzone AppGate Technical Architecture
Cryptzone AppGate Technical Architecture
 
[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps
 
AppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudAppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the Cloud
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
 
SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
 
Security Program Development for the Hipster Company
Security Program Development for the Hipster CompanySecurity Program Development for the Hipster Company
Security Program Development for the Hipster Company
 
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
 
Identity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of ThingsIdentity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of Things
 
SACON - Beyond corp (Arnab Chattopadhayay)
SACON - Beyond corp (Arnab Chattopadhayay)SACON - Beyond corp (Arnab Chattopadhayay)
SACON - Beyond corp (Arnab Chattopadhayay)
 
SecOps Workshop (Gregory Pickett)
SecOps Workshop (Gregory Pickett)SecOps Workshop (Gregory Pickett)
SecOps Workshop (Gregory Pickett)
 
(SACON) Wasim Halani - OSINT threat hunting
(SACON) Wasim Halani - OSINT threat hunting(SACON) Wasim Halani - OSINT threat hunting
(SACON) Wasim Halani - OSINT threat hunting
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security Headaches
 

Similar to (SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling your own Open Source SIEM & SOAR

IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...
IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...
IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...
Amazon Web Services
 
IoT at Scale: Monitor and Manage Devices with AWS IoT Device Management (IOT3...
IoT at Scale: Monitor and Manage Devices with AWS IoT Device Management (IOT3...IoT at Scale: Monitor and Manage Devices with AWS IoT Device Management (IOT3...
IoT at Scale: Monitor and Manage Devices with AWS IoT Device Management (IOT3...
Amazon Web Services
 
Data analytics master class: predict hotel revenue
Data analytics master class: predict hotel revenueData analytics master class: predict hotel revenue
Data analytics master class: predict hotel revenue
Kris Peeters
 
WSO2 IoT Server - Product Overview
WSO2 IoT Server - Product OverviewWSO2 IoT Server - Product Overview
WSO2 IoT Server - Product Overview
WSO2
 
Spring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel Lavoie
Spring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel LavoieSpring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel Lavoie
Spring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel Lavoie
VMware Tanzu
 
SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...
SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...
SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...
VMware Tanzu
 
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Sumo Logic
 
Native cloud security monitoring
Native cloud security monitoringNative cloud security monitoring
Native cloud security monitoring
John Varghese
 
KFServing Payload Logging for Trusted AI
KFServing Payload Logging for Trusted AIKFServing Payload Logging for Trusted AI
KFServing Payload Logging for Trusted AI
Animesh Singh
 
Monitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSMonitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWS
javier ramirez
 
batbern43 Events - Lessons learnt building an Enterprise Data Bus
batbern43 Events - Lessons learnt building an Enterprise Data Busbatbern43 Events - Lessons learnt building an Enterprise Data Bus
batbern43 Events - Lessons learnt building an Enterprise Data Bus
BATbern
 
SEC302-S-143971-Session-Presentation.7e95c642838da923e9d66db6fde28eef1554e4b8...
SEC302-S-143971-Session-Presentation.7e95c642838da923e9d66db6fde28eef1554e4b8...SEC302-S-143971-Session-Presentation.7e95c642838da923e9d66db6fde28eef1554e4b8...
SEC302-S-143971-Session-Presentation.7e95c642838da923e9d66db6fde28eef1554e4b8...
Kocapep
 
SEC302-S-143971-AWS-Prismacloud.pptx
SEC302-S-143971-AWS-Prismacloud.pptxSEC302-S-143971-AWS-Prismacloud.pptx
SEC302-S-143971-AWS-Prismacloud.pptx
DubemJavapi
 
AWS Summit Auckland- Developing Applications for IoT
AWS Summit Auckland-  Developing Applications for IoTAWS Summit Auckland-  Developing Applications for IoT
AWS Summit Auckland- Developing Applications for IoT
Amazon Web Services
 
AWS re:Invent 2016: Innovation After Installation: Establishing a Digital Rel...
AWS re:Invent 2016: Innovation After Installation: Establishing a Digital Rel...AWS re:Invent 2016: Innovation After Installation: Establishing a Digital Rel...
AWS re:Invent 2016: Innovation After Installation: Establishing a Digital Rel...
Amazon Web Services
 
AWS March 2016 Webinar Series - AWS IoT Real Time Stream Processing with AWS ...
AWS March 2016 Webinar Series - AWS IoT Real Time Stream Processing with AWS ...AWS March 2016 Webinar Series - AWS IoT Real Time Stream Processing with AWS ...
AWS March 2016 Webinar Series - AWS IoT Real Time Stream Processing with AWS ...
Amazon Web Services
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
SRV408 Deep Dive on AWS IoT
SRV408 Deep Dive on AWS IoTSRV408 Deep Dive on AWS IoT
SRV408 Deep Dive on AWS IoT
Amazon Web Services
 
WSO2Con USA 2015: WSO2 Platform for IoT
WSO2Con USA 2015: WSO2 Platform for IoTWSO2Con USA 2015: WSO2 Platform for IoT
WSO2Con USA 2015: WSO2 Platform for IoT
WSO2
 
AWS IoT Deep Dive
AWS IoT Deep DiveAWS IoT Deep Dive
AWS IoT Deep Dive
Kristana Kane
 

Similar to (SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling your own Open Source SIEM & SOAR (20)

IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...
IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...
IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...
 
IoT at Scale: Monitor and Manage Devices with AWS IoT Device Management (IOT3...
IoT at Scale: Monitor and Manage Devices with AWS IoT Device Management (IOT3...IoT at Scale: Monitor and Manage Devices with AWS IoT Device Management (IOT3...
IoT at Scale: Monitor and Manage Devices with AWS IoT Device Management (IOT3...
 
Data analytics master class: predict hotel revenue
Data analytics master class: predict hotel revenueData analytics master class: predict hotel revenue
Data analytics master class: predict hotel revenue
 
WSO2 IoT Server - Product Overview
WSO2 IoT Server - Product OverviewWSO2 IoT Server - Product Overview
WSO2 IoT Server - Product Overview
 
Spring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel Lavoie
Spring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel LavoieSpring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel Lavoie
Spring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel Lavoie
 
SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...
SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...
SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...
 
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018
 
Native cloud security monitoring
Native cloud security monitoringNative cloud security monitoring
Native cloud security monitoring
 
KFServing Payload Logging for Trusted AI
KFServing Payload Logging for Trusted AIKFServing Payload Logging for Trusted AI
KFServing Payload Logging for Trusted AI
 
Monitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSMonitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWS
 
batbern43 Events - Lessons learnt building an Enterprise Data Bus
batbern43 Events - Lessons learnt building an Enterprise Data Busbatbern43 Events - Lessons learnt building an Enterprise Data Bus
batbern43 Events - Lessons learnt building an Enterprise Data Bus
 
SEC302-S-143971-Session-Presentation.7e95c642838da923e9d66db6fde28eef1554e4b8...
SEC302-S-143971-Session-Presentation.7e95c642838da923e9d66db6fde28eef1554e4b8...SEC302-S-143971-Session-Presentation.7e95c642838da923e9d66db6fde28eef1554e4b8...
SEC302-S-143971-Session-Presentation.7e95c642838da923e9d66db6fde28eef1554e4b8...
 
SEC302-S-143971-AWS-Prismacloud.pptx
SEC302-S-143971-AWS-Prismacloud.pptxSEC302-S-143971-AWS-Prismacloud.pptx
SEC302-S-143971-AWS-Prismacloud.pptx
 
AWS Summit Auckland- Developing Applications for IoT
AWS Summit Auckland-  Developing Applications for IoTAWS Summit Auckland-  Developing Applications for IoT
AWS Summit Auckland- Developing Applications for IoT
 
AWS re:Invent 2016: Innovation After Installation: Establishing a Digital Rel...
AWS re:Invent 2016: Innovation After Installation: Establishing a Digital Rel...AWS re:Invent 2016: Innovation After Installation: Establishing a Digital Rel...
AWS re:Invent 2016: Innovation After Installation: Establishing a Digital Rel...
 
AWS March 2016 Webinar Series - AWS IoT Real Time Stream Processing with AWS ...
AWS March 2016 Webinar Series - AWS IoT Real Time Stream Processing with AWS ...AWS March 2016 Webinar Series - AWS IoT Real Time Stream Processing with AWS ...
AWS March 2016 Webinar Series - AWS IoT Real Time Stream Processing with AWS ...
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
SRV408 Deep Dive on AWS IoT
SRV408 Deep Dive on AWS IoTSRV408 Deep Dive on AWS IoT
SRV408 Deep Dive on AWS IoT
 
WSO2Con USA 2015: WSO2 Platform for IoT
WSO2Con USA 2015: WSO2 Platform for IoTWSO2Con USA 2015: WSO2 Platform for IoT
WSO2Con USA 2015: WSO2 Platform for IoT
 
AWS IoT Deep Dive
AWS IoT Deep DiveAWS IoT Deep Dive
AWS IoT Deep Dive
 

More from Priyanka Aash

Keynote : Presentation on SASE Technology
Keynote : Presentation on SASE TechnologyKeynote : Presentation on SASE Technology
Keynote : Presentation on SASE Technology
Priyanka Aash
 
Keynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive SecurityKeynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
Demystifying Neural Networks And Building Cybersecurity ApplicationsDemystifying Neural Networks And Building Cybersecurity Applications
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Incident Response .pdf
(CISOPlatform Summit & SACON 2024) Incident Response .pdf(CISOPlatform Summit & SACON 2024) Incident Response .pdf
(CISOPlatform Summit & SACON 2024) Incident Response .pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) GRC.pdf
(CISOPlatform Summit & SACON 2024) GRC.pdf(CISOPlatform Summit & SACON 2024) GRC.pdf
(CISOPlatform Summit & SACON 2024) GRC.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
Priyanka Aash
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
Priyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
Priyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
Priyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
Priyanka Aash
 

More from Priyanka Aash (20)

Keynote : Presentation on SASE Technology
Keynote : Presentation on SASE TechnologyKeynote : Presentation on SASE Technology
Keynote : Presentation on SASE Technology
 
Keynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive SecurityKeynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive Security
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
Demystifying Neural Networks And Building Cybersecurity Applications
Demystifying Neural Networks And Building Cybersecurity ApplicationsDemystifying Neural Networks And Building Cybersecurity Applications
Demystifying Neural Networks And Building Cybersecurity Applications
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
 
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
 
(CISOPlatform Summit & SACON 2024) Incident Response .pdf
(CISOPlatform Summit & SACON 2024) Incident Response .pdf(CISOPlatform Summit & SACON 2024) Incident Response .pdf
(CISOPlatform Summit & SACON 2024) Incident Response .pdf
 
(CISOPlatform Summit & SACON 2024) GRC.pdf
(CISOPlatform Summit & SACON 2024) GRC.pdf(CISOPlatform Summit & SACON 2024) GRC.pdf
(CISOPlatform Summit & SACON 2024) GRC.pdf
 
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 

Recently uploaded

July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
Ivanti
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
SynapseIndia
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Torry Harris
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
313mohammedarshad
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
softsuave
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
Shiv Technolabs
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
SynapseIndia
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
ssuser1915fe1
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 

Recently uploaded (20)

July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 

(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling your own Open Source SIEM & SOAR

  • 2. SACON 2020 Who are we anyway?
  • 7. SACON 2020 Proprietary SIEM challenges ● Device Integration and log parsing ● Log enrichment ● Log correlation from multiple sources ● Cost ● Scaling SIEM components ● Updates ● Customisations
  • 8. SACON 2020 We needed something more… o ~4000 events per second (this is going up) – parsed, enriched and indexed! o ~30 million events per day - long term data retention and analytics o ~150 alerts post correlation o Horizontally scalable platform o Attribute level statistical profiling o Threat visualization o Threat hunting
  • 11. SACON 2020 Tech Stack - Metron, Homegrown, AWS ParseIngest Enrich & Index STELLAR Alerting Framework Block Escalate Scan JIRA Alert & Action Kafka Filebeat Analytics, ML, Visualisation AWS Athena Zeppelin
  • 13. SACON 2020 Architecture HTTPD Firewall IDS/IPS VPN Application Proxy Mail Network Enrichment (Storm) Indexing (Storm) Profiler (Storm) Blitz ( Alerting & Ticketing ) Parsing (Storm) S3 Elastic Search Kibana Redash Athena Zeppelin AWS Biz Events SageMaker
  • 14. SACON 2020 Metron - Enrichment & Profiler Destination Geo Profiling For each geolocation, aggregate the bytes sent out Profile expiry : 1 day Check if current volume is greater than mean volume Lookup Enrichment Check if destination host/port is whitelisted or destination is a legit SMTP No Set alert = True for the eventPush to indexing IPS Logs
  • 16. SACON 2020 Objective: ● to flag change in server behavior basis it’s producer / consumer ratio ● to detect server compromise and bypass of security controls ● to detect data exfiltration Profile Created: ● Server’s Producer / Consumer Ratio Rules: ● If abs(current avg PCR – previous avg PCR) > 0.5 Change in server behaviour basis PCR
  • 17. SACON 2020 Objective: ● to detect malware injected in server / code ● to detect security control bypass Profile Created: ● Known User Agents per server or VLAN Rules: ● Flag any new User Agent that a server or VLAN has never used before Un-usual User Agents used by a server or VLAN
  • 18. SACON 2020 Objective : ● to detect misconfiguration & security bypass ● to detect insider threat Profile Created: ● Unique AWS Events triggered per bucket retained over a period of X days Rules: ● Flag any event triggered for an S3 resource that has not been observed for it in the past X days AWS Anomalous S3 Activity
  • 19. SACON 2020 Objective : ● to detect credential compromise ● to detect credential sharing Profile Created: ● User agent, IP address and geolocation of each user logging in for X days Rules: ● Alert if a new user agent for the user is observed ● Alert if a new IP address for the user is observed ● Alert if a new geolocation (country) is observed AWS Anomalous User Login
  • 20. SACON 2020 AWS Anomalous Activity Objective : ● to detect lateral movement of threat ● to detect misconfiguration and security bypass Profile Created: ● For all combinations of account, event source and aws_region, profile events, user agent and geolocation (country) Rules: ● Alert if a new user agent for the profile is observed ● Alert if a new event for the profile is observed ● Alert if a new geolocation (country) is observed
  • 22. SACON 2020 What is this … Blitz ? Well, now that Metron has helped you identify an anomaly, WHAT IF ● You can get the anomaly alert details on a neatly generated email / JIRA ticket? ● You can custom enrich alert information with data from internal and external sources ? ○ WHOIS info ○ Known Hosting IP ○ Reverse DNS Info ○ Customer Reputation & History
  • 23. SACON 2020 ● And have action buttons in the alert itself to respond in real time ? ○ Block IP or source ○ Raise a ticket ○ Forward to concerned team ○ Remediate endpoint
  • 24. SACON 2020 Blitz - Overview ● Open Source incident response automation framework aimed at accelerating incident triage, tracking and response capabilities ● Ingests device agnostic alert data structured in JSON format ● Enriches alerts and makes them actionable using embedded custom response buttons ● Easily integrated with Metron using Nifi. ● Code and deployment instructions can be found at : https://github.com/makemytrip/blitz
  • 25. SACON 2020 Blitz - Architecture Enrichments Configuration Output Templates Core Driver & Helper Modules Alert Output Modules
  • 27. SACON 2020 Blitz - Components ● Core Driver (Logic Engine) - processing alert data, calling enrichments and building output ● Enrichment Engine - Container for enrichment modules that fetch information from other sources/APIs. ● Device Configuration - Configure enrichments, actions, tokens for all integrated devices ● Output Templates - Building and adjusting your alert UI ● Output Integrations - choosing SOC alert integration : email, JIRA, Http, JSON/File
  • 29. SACON 2020 Routing alert data to Blitz - Parsing / Deduplicating
  • 30. SACON 2020 Blitz - In Action
  • 31. SACON 2020 Blitz - In Action
  • 32. SACON 2020 Visualizations on Data Lake Using Redash
  • 33. SACON 2020 Privileged Activity & Sensitive Asset Monitoring Redash - Data Lake (PAM/SAM Reports)
  • 34. SACON 2020 Redash - Data Lake (WAF Events)
  • 35. SACON 2020 Helium Charts Redash - Data Lake (AWS Events)
  • 36. SACON 2020 Helium Charts Redash - Data Lake (IPS Events)
  • 37. SACON 2020 Helium Charts Redash - Data Lake (End User Events)
  • 38. SACON 2020 Serverless Security Data Lake Indexing Topology
  • 39. SACON 2020 Anatomy of a Hunt - ML aided Security Data Lake Feature Extraction Model Persistence/Up dates Model Training Anomaly Detection & Analysis