Many organisations have invested millions in building security operations teams, deploying powerful monitoring and reporting tools and then asking for continual improvement in the form of tuning, threat hunting and developing new threat models. However, within large enterprises, such changes either carry the risk of modifying a live production platform or take weeks or months to pass through the development and release process (the route-to-live). This session outlines some DevOps principles and an associated framework for enforcing change management while still supporting rapid changes to code and configuration.
* SOC Capabilities
* OODA & Threat Hunting
* Balancing SOC Risk
* Using Splunk for an Agile SIEM
* Result: Empowered Hunters
* Resources & Questions
7. To prepare for, detect, and respond to cybersecurity threats.
Purpose of a SOC
Prepare
• Ensure you have the people, processes and technology to support the detection and response to attacks against your organisation.
Detect
• Proactively monitor your environment for evidence of threat actors’ activities.
Respond
• Reactively respond to detected threats to your organisation, including coordination and support of incident investigations.
Helper: SOC = Security Operations Centre
15. Risk Management (CI/CD)
• Adding Rules/Alerts or Tuning Existing Use Cases
• Schema Modification
• Changes to Thresholds
• System Change
• Change Control
Helper: CI/CD = Continuous Integration / Continuous Delivery or Deployment
16. Supporting CI/CD in SIEM
SPL (Search Processing)
• Schema at Read, Not at Write, Supporting Multiple Use Cases
• Users Encouraged to Play
Web UI
• All Analytic Tools Exposed to UI, Empowering Users to Experiment
Plain Text Config
• Plain Text Configuration Files, Well Documented & Supported
• No Database, Configuration in Text
OpenAPI
• API is Open, Free-to-Play License Model, Labs Encouraged & Available
• Enumerated & Documented API
Helper: SPL = Search Processing Language, UI = User Interface, API = Application Programmable Interface
17. DevOps Tooling Supporting SIEM
Version Control
• Git[Lab] Utilized
• Multiple Projects/Branches
• Key Releases Tagged
Full Route-to-Live
• Multi-Stage Environments
• Dev > Staging > Prod
• Automated Testing
Agile Development
• Short Sprints
• Test Driven Development
• Issue Management & Feature Backlog
Configuration Management
• Orchestrated Deployment
• Centralized Config
• Ansible used via SSH
Helper: SIEM = Security Information and Event Management, SSH = Secure Shell
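As an added example (not part of the original slides or the presenter's code), the kind of automated test the tooling above would run in the Git[Lab] pipeline before Ansible promotes a change Dev > Staging > Prod: a lint over plain-text Splunk savedsearches.conf stanzas that rejects scheduled searches lacking documentation, a schedule, or a bounded time window. The sample stanzas and the required-field policy are constructed assumptions; the key names (search, enableSched, cron_schedule, dispatch.earliest_time, description) are standard savedsearches.conf settings.

```python
import re
# Constructed sample savedsearches.conf stanzas (not from any real deployment).
SAMPLE_CONF = """\
[Hunt - Rare Parent Of Office Process]
search = index=endpoint sourcetype=sysmon EventCode=1 | rare parent_process by process
description = Hunting lead: uncommon parents of Office binaries
dispatch.earliest_time = -24h
enableSched = 1
cron_schedule = 0 * * * *
[Tuning - Noisy Scanner Hosts]
search = index=network src_ip=10.0.0.5 \\
  | stats count by dest_port
enableSched = 1
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} ('#' comments, '\\' continuations)."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        pending = ""
        if line.endswith("\\"):        # value continues on the next line
            pending = line[:-1] + " "
            continue
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

# Assumed policy: a scheduled search needs documentation, an explicit schedule
# and a bounded time window before it is promoted to Prod.
REQUIRED_FOR_SCHEDULED = ("description", "cron_schedule", "dispatch.earliest_time")

def lint_saved_searches(text):
    """Return [(stanza, problem)] for every stanza that violates the policy."""
    findings = []
    for name, keys in parse_conf(text).items():
        if not keys.get("search"):
            findings.append((name, "search is empty"))
        if keys.get("enableSched") == "1":
            for req in REQUIRED_FOR_SCHEDULED:
                if not keys.get(req):
                    findings.append((name, f"scheduled search missing {req}"))
    return findings
```

A non-empty result fails the pipeline stage, so the change never leaves Dev until the stanza is fixed.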
18. The Result
• Rapid Response to Threat
• Full Route-to-Live Implemented
• Users Educated & Empowered
• Everything Under Version Control
• Promoting Changes in ~5 mins (Dev > Prod)
• Foundations Built for Future Development