Many organisations have invested millions in building security operations teams, deploying powerful monitoring and reporting tools and then asking for continual improvement in the form of tuning, threat hunting and developing new threat models. However, within large enterprises, these types of changes either represent a risk of making changes to a live production platform or take weeks or months to go through the development and release process or route-to-live. This session outlines some DevOps principals and associate framework for enforcing change management, but still supporting rapid changes to code and configuration.

1. Hunting Hard, Failing Fast,
Maintaining Integrity
Harry McLaren - Managing Consultant @ ECS

2. Who Am I?
Harry McLaren
• Alumnus of Napier University
• Managing Consultant at ECS [Security]
–Role: Security Engineer, Lead Consultant for Big Data
(Splunk)
–Previous Roles: SOC Analyst, Incident Responder
• Current Interests: DevSecOps, Automation, Enabling Failure

3. Who Are ECS?
Largest UK Splunk Partner
Splunk's UK Based
SME for Security
Managed SOC Provider for
FTSE 100/250
Advanced Detection &
Threat Hunting Services
Best Security
Company
of the Year

4. Why Am I Here?
• SOC Capabilities
• Threat Hunting
• Balancing SOC Risk
• Using Splunk for an Agile SIEM
• Evolution of DevSecOps
• DevSecOps Practices for SOC
• Result: Empowered Hunters
• Resources & Questions
~25mins

5. Monitoring
Security Logs, Simple
Searching,
Compliance Reporting
Correlation Rules,
Multiple Alerts,
Disparate Log Sources
Detection
Analysis
Contextual Information,
Baselining/Thresholds,
Behavioral Insights
Incident Management,
Forensic Investigation,
Escalation, Disruption
of Attack Chain
Response
Hunting
Finding Unknown
Unknowns,
Experimentation,
Gap Analysis
Reducing SOC
Fatigue, Responsive
Actions, Security
Nerve Centre
Automation &
Orchestration
SOC Capabilities
Evolving Security Operations Functions

6. Threat Hunting - Diamond Model
Source: Sqrrl

7. Adaptive Threat Hunting
Hypothesis 01
Threat
Discovered
02
Actor
Changes
TTPs

Response to
TTPs
03
Hypothesis & Detection
Changing all the time, various
data analyzed, conflicting
evidence, threat discovery a
priority.
Response
Adapt to threat actors techniques,
tools and procedures. Develop
detection and response capability.
Finding, Confirming & Responding to Threats

8. Adding Rules/Alerts or
Tuning Existing Ones
Schema
Modification
Changes to
Thresholds
System Change
Change Control
Balancing SOC Risk

9. DevSecOps
Source: Gartner

10. Splunk for SIEM (Security Information & Event Management)
Supporting Agile Methods by Default
Schema at Read, Not at Write,
Supporting Multiple Use Cases
All Analytic Tools Exposed to UI,
Empowering Users to Experiment
Plain Text Configuration Files,
Well Documented & Supported
Splunk API is Open, Free (500MB)
License Model, Labs Encouraged
Search Processing
Users Encouraged to Play
No Database, Configuration in Text
Enumerated & Documented API
SPL
Web UI
Plain Text Config
Open API
Monitor
InvestigateBuild Intelligence

11. Version Control
Implement Version Control
System (VCS) for tracking
change and peer reviewing.
GitLab was chosen.
Full Route-to-Live
Multi-environment setup
(Dev, Test, Prod).
Leveraging identical code base
throughout (99%).
Agile Development
Remove Waterfall method
usage, move to Scrum
based development Sprints
with issue tracking.
Configuration
Management
Remove infrastructure
access (SSH/RDP), require
change to be pushed via
Ansible and stored in VCS.
Solution: DevOps to the Rescue!
Continuous Delivery FTW!

12. Change
› Track, Monitor & Report
› Revert Defects
› Peer Reviewed Code
SIEM
Detection
› Constantly Evolving Detection
› Change with Adversaries
Build
› Make Everyone a Creator
› Access to Dev for All
Automation
› Enrich Datasets
› Free Up Valuable Resources
Hunt
› Risk-free Hunting
› Rapid Development of Use Cases
SOC Excellence with Empowered Hunters

13. Resources
Threat Hunting
• Framework
• Security Essentials
• Sans Whitepaper
SOC
• General Building
Guide
• Splunk SOCs
SIEM
• Splunk Enterprise
Security
• Writing SIEM
Rules
Splunk
• Free Download
• Free Training
• User Group
Hunt Respond Detect Big Data

14. Questions?
@cyberharibu
harry.mclaren@ecs.co.uk
harrymclaren.co.uk
Connect and Say Hello!
Splunk User Group
Cyber Scotland Connect