Many organisations have invested millions in building security operations teams, deploying powerful monitoring and reporting tools and then asking for continual improvement in the form of tuning, threat hunting and developing new threat models. However, within large enterprises, these types of changes either represent a risk of making changes to a live production platform or take weeks or months to go through the development and release process or route-to-live. This session outlines some DevOps principals and associate framework for enforcing change management, but still supporting rapid changes to code and configuration. * SOC Capabilities * OODA & Threat Hunting * Balancing SOC Risk * Using Splunk for an Agile SIEM * Result: Empowered Hunters * Resources & Questions

1. ©2019 ADARMA. ALL RIGHTS RESERVED
Prepared for ScotSoft by Harry McLaren
October 2019
Hunting Hard & Failing Fast
(AKA: Threat Hunting with CI/CD)

2. ManagingConsultant atAdarma
Co-Founder of Cyber ScotlandConnect
ProblemSolver, Rock Climber, & Regular Failure
Who is Harry McLaren?
Previous Roles
• 2016-2018: SecurityEngineer & SOCConsultant
• 2013-2015: SOC Analyst &Incident Investigator
• 2006-2012: ComputerTechnician& DesksideSupport

4. Objective:OutlinethepurposeofaSOC,describethreathunting,describethetechnologyrequired,explainusing
DevOps&safefailure.
Agenda
- SOC Purpose & Capabilities
- ThreatHunting 101
- Enabling Technology (Splunk for SIEM &Hunting)
- Operationalising ThreatHunting
- CI/CD Adds Risk[ish]
- ImplementingCI/CD for SIEMConfiguration & Use Cases
~35mins

5. Terms of Reference
• SecurityTeams, IncidentInvestigators,SecurityOperationsAnalysts
SOC (Security OperationsCentre)
• ProactiveDefensiveAction, Hypothesizing& Searching, Looking forThreats
ThreatHunting
• Big Data Platform,Correlation,ContextualAnalysis,Tool Usedfor Hunting
SecurityInformation andEvent Management(SIEM)
• VersionControl, ConfigurationManagement,Agile Methodology,ValueDriven
ContinuousIntegration,Deliveryor Deployment(CI/CD)

6. Security Operations Centre
(SOC)

7. Topreparefor,detect,andrespondtocybersecuritythreats.
Purpose of a SOC
• Ensure you have the people, processes and technology to support the detection and response to attacks
against your organisation.
Prepare
• Proactively monitor your environment for evidence of threat actors’ activities.
Detect
• Reactively respond to detectedthreats to your organisation, including coordination andsupport of
incident investigations.
Respond
Helper:SOC=SecurityOperationsCentre

8. SOC Capabilities
Monitoring
Security Logs, Simple
Searching, Compliance
Reporting
Correlation Rules, Multiple
Alerts, Disparate Log Sources
Detection
Analysis
ContextualInformation,
Baselining/Thresholds,Behavioral
Insights
Finding
UnknownThreats,
Experimentation,
Gap Analysis
Hunting
Response
IncidentManagement,Forensic
Investigation, Escalation,
Disruption of Attack Chains
ReducingSOC Fatigue,
Responsive Actions, Security
Nerve Centre
Automation &
Orchestration
Helper:SOC=SecurityOperationsCentre

9. Threat Hunting

10. Threat Hunting:
Source:Sqrrl-FrameworkforThreatHunting(2018)
Diamond Model
“The process of proactively anditeratively
searching throughnetworks todetect and
isolate advanced threats thatevade existing
security solutions”

11. Threat Hunting
Hypothesis 01
Threat Discovered 02
Actor Changes TTPs
Response toThreat 03
Detection
Changing allthe time, variousdataanalysed, conflicting
evidence, threat discovery a priority.
Response
Adapt tothreat actors’tactics, techniques and
procedures.
Develop protection,detectionand response
capability.
Helper:TTPs=Tactics,Techniques,,&Procedures

12. SIEM = Hunt Platform?

13. SOC Capabilities via Splunk
TechnologyMustSupportanAgileApproachtoHunting
Definerules to
detect threats
Analyze & investigate
incidents
Enterprise-wide
coordination & response
Add context
toqualifyincidents
ReportAd-hoc
Search
AnalyseCollect Store
Review Determine1 2 3 4Decide Act & AdaptPROCESS
MONITOR RESPONDDETECT
SOC
FUNCTIONS
INVESTIGATE
& HUNT
ANALYTIC ENABLED SIEM
Helper:SIEM=SecurityInformationandEventManagement,SOC=SecurityOperationCentre

14. Operationalise Threat Hunting
KnowYourEnemy,ReviewYourDefences
Develop Hypothesis Investigate Patterns Document Findings Develop Use Cases
InformationLifecycle ControlGap

15. Risk Management (CI/CD)
Adding Rules/Alerts or Tuning
Existing
Use Cases
Schema Modification
Changes to Thresholds
System
ChangeChange Control
Helper:CI/CD=ContinuousIntegration/ContinuousDeliveryorDeployment

16. Supporting CI/CD in SIEM
Schema at Read, Not at Write, Supporting
MultipleUse Cases
All AnalyticToolsExposedto UI, Empowering Users
to Experiment
PlainText ConfigurationFiles,Well Documented
& Supported
API is Open,Free to Play License Model, LabsEncouraged
& Available
Search Processing
Users Encouraged to Play
No Database, Configuration in Text
Enumerated & Documented API
SPL
Web UI
Plain Text Config
OpenAPI
Helper:SPL=SearchProcessingLanguage,UI=UserInterface,API=ApplicationProgrammableInterface

17. DevOps Tooling Supporting SIEM
Version Control
 Git[Lab] Utilized
 MultipleProjects/Branches
 Key Releases Tagged
FullRoute-to-Live
 Multi-Stage Environments
 Dev > Staging> Prod
 Automated Testing
AgileDevelopment
 Short Sprints
 Test Driven Development
 Issue Management
& Feature Backlog
Configuration
Management
 OrchestratedDeployment
 Centralized Config
 Ansibleused via SSH
Helper:SIEM=SecurityInformationandEventManagement,SSH=SecureShell

18. The Result
Rapid Response to Threat
Full
Route-to-Live
Implemented
Users Educated &
Empowered
Everything Under
Version Control
Promoting Changes in
~ 5mins (Dev>Prod)
FoundationsBuiltfor
Future Development

19. AlltheseslideswillbeuploadedtoSlideShare(User:HarryMcLaren)
Resources
ThreatHunting
• Framework
• Security Essentials
• Sans Whitepaper
SOC
• General Building Guide
• SplunkSOCs
SIEM
• SplunkEnterprise Security
• WritingSIEM Rules
Splunk
• Free Download
• Free Training
• User Group
Hunt Respond Detect Big Data

20. Thank You!
Twitter: @cyberharibu
Email: harry.mclaren@adarma.com
We’re Hiring!

21. ©2019 ADARMA. ALL RIGHTS RESERVED