Many organisations have invested millions in building security operations teams, deploying powerful monitoring and reporting tools, and then asking for continual improvement in the form of tuning, threat hunting and developing new threat models. However, within large enterprises, these types of changes either represent a risk of making changes to a live production platform or take weeks or months to go through the development and release process (route-to-live). This session outlines some DevOps principles and an associated framework for enforcing change management while still supporting rapid changes to code and configuration.
2. Who Am I?
Harry McLaren
• Alumnus of Napier University
• Managing Consultant at ECS [Security]
  – Role: Security Engineer, Lead Consultant for Big Data (Splunk)
  – Previous Roles: SOC Analyst, Incident Responder
• Current Interests: DevSecOps, Automation, Enabling Failure
3. Who Are ECS?
• Largest UK Splunk Partner
• Splunk's UK Based SME for Security
• Managed SOC Provider for FTSE 100/250
• Advanced Detection & Threat Hunting Services
• Best Security Company of the Year
4. Why Am I Here?
• SOC Capabilities
• Threat Hunting
• Balancing SOC Risk
• Using Splunk for an Agile SIEM
• Evolution of DevSecOps
• DevSecOps Practices for SOC
• Result: Empowered Hunters
• Resources & Questions
~25mins
7. Adaptive Threat Hunting
[Cycle diagram: 01 Hypothesis → Threat Discovered → 02 Actor Changes TTPs → Response to TTPs → 03]
Hypothesis & Detection: Changing all the time, various data analyzed, conflicting evidence, threat discovery a priority.
Response: Adapt to threat actors' techniques, tools and procedures. Develop detection and response capability.
Finding, Confirming & Responding to Threats
8. Adding Rules/Alerts or Tuning Existing Ones
• Schema Modification
• Changes to Thresholds
• System Change
• Change Control
Balancing SOC Risk
10. Splunk for SIEM (Security Information & Event Management)
Supporting Agile Methods by Default
• Schema at Read, Not at Write, Supporting Multiple Use Cases
• All Analytic Tools Exposed to UI, Empowering Users to Experiment
• Plain Text Configuration Files, Well Documented & Supported
• Splunk API is Open, Free (500MB) License Model, Labs Encouraged
[Diagram: SPL (Search Processing), Web UI, Plain Text Config, Open API; Monitor, Investigate, Build Intelligence]
• Search Processing: Users Encouraged to Play
• No Database, Configuration in Text
• Enumerated & Documented API
11. Version Control
• Implement Version Control System (VCS) for tracking change and peer reviewing. GitLab was chosen.
• Full Route-to-Live: Multi-environment setup (Dev, Test, Prod). Leveraging identical code base throughout (99%).
• Agile Development: Remove Waterfall method usage, move to Scrum based development Sprints with issue tracking.
• Configuration Management: Remove infrastructure access (SSH/RDP), require change to be pushed via Ansible and stored in VCS.
Solution: DevOps to the Rescue!
Continuous Delivery FTW!
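Slide 8 names threshold changes, schema changes and change control as the SOC risks to balance, and slide 11 moves detection configuration into GitLab with peer review. As an added example (not code from the talk or from ECS), here is a small Python check that a CI job could run on a merge request to classify each changed savedsearches.conf stanza, so reviewers can tell a threshold tweak from a change in detection logic; the stanza names, searches and category labels are constructed for the example.

```python
"""Pre-merge classifier for Splunk savedsearches.conf changes (constructed example).
Assumes detections live in an app's savedsearches.conf in Git and that CI passes
the old and new file contents from a merge request."""
import configparser
# Keys that change *when* an alert fires (tuning) rather than *what* it looks for.
TUNING_KEYS = {"alert_threshold", "alert_comparator", "cron_schedule", "disabled"}

def parse_conf(text):
    """Parse Splunk .conf stanzas into {stanza: {key: value}}; joins '\\' continuations."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text.replace("\\\n", " "))
    return {s: dict(cp[s]) for s in cp.sections()}

def classify_changes(old_text, new_text):
    """Return {stanza: category} for every detection that differs between the files."""
    before, after = parse_conf(old_text), parse_conf(new_text)
    result = {}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            result[name] = "new-rule"
        elif name not in after:
            result[name] = "removed-rule"
        else:
            changed = {k for k in set(before[name]) | set(after[name])
                       if before[name].get(k) != after[name].get(k)}
            if not changed:
                continue  # identical stanza, nothing to review
            if "search" in changed:
                result[name] = "logic-change"  # detection logic changed: full peer review
            elif changed <= TUNING_KEYS:
                result[name] = "tuning-only"   # threshold/schedule tweak: lighter review
            else:
                result[name] = "other-change"
    return result

# Constructed before/after contents of the same savedsearches.conf.
OLD_CONF = """\
[Brute Force - Many Failed Logins]
search = index=auth action=failure | stats count by src | where count > 50
cron_schedule = */15 * * * *
alert_threshold = 0

[Unusual Admin Logon Hours]
search = index=auth action=success user=*admin* date_hour<6
cron_schedule = 0 * * * *
"""
NEW_CONF = (OLD_CONF.replace("alert_threshold = 0", "alert_threshold = 5")
            .replace("date_hour<6", "(date_hour<6 OR date_hour>22)")
            + "\n[New Service Created By Non-Admin]\n"
              "search = index=endpoint EventCode=7045 NOT user=*admin*\n")
```

Running `classify_changes(OLD_CONF, NEW_CONF)` reports the first rule as `tuning-only`, the second as `logic-change` and the third as `new-rule`, which is the split a reviewer needs to decide how much scrutiny each change gets before it is pushed via Ansible.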
12. Change
‣ Track, Monitor & Report
‣ Revert Defects
‣ Peer Reviewed Code
SIEM Detection
‣ Constantly Evolving Detection
‣ Change with Adversaries
Build
‣ Make Everyone a Creator
‣ Access to Dev for All
Automation
‣ Enrich Datasets
‣ Free Up Valuable Resources
Hunt
‣ Risk-free Hunting
‣ Rapid Development of Use Cases
SOC Excellence with Empowered Hunters
13. Resources
Threat Hunting
• Framework
• Security Essentials
• SANS Whitepaper
SOC
• General Building Guide
• Splunk SOCs
SIEM
• Splunk Enterprise Security
• Writing SIEM Rules
Splunk
• Free Download
• Free Training
• User Group
Hunt Respond Detect Big Data