The Journey from Zero to SOC: How Citadel built its Security Operations from the Ground Up on Elastic
2. About Me
- 12 years experience in IT & Cyber Security
- 10 years in the Australian Department of Defence
- Royal Australian Air Force Veteran
- Built Citadel’s SOC from the ground up
3. About Us
© Citadel Group | Journey from Zero to SOC |
Keeping People & Information Safe
Business units: Health Solutions, Enterprise Solutions, Technology Services, Professional Services
4. About Us – Security Operations
Where does the Citadel SOC fit in?
5. About Us – Mission
Protect Customer Data
6. About Us – Zero Trust
[Diagram: Zero Trust access model. Access paths are labelled either MFA + Trusted Device or MFA + Any Device. Components shown: Credential Manager, Launcher, Tenable.io, ASD Essential Eight, InTune MDM; Citadel SOE on Windows 10 with Elastic Endgame, Elastic Beats, Web Proxy Agents, MSCT/CIS Hardening and ASD Essential Eight; Apple iOS and Android devices with a locked-down Apple App Store / Google Play Store, Device Hardening and InTune MDM; Customer Environments reached via MFA + Trusted Device.]
9. Some of the problems we faced…
• Existing solution didn’t offer native SIEM capabilities
• SIEM capabilities were an expensive add-on
• Very expensive to ingest all the logs we needed
• The licencing model meant that it would have been very costly to ingest the following logs:
- Windows Sysmon Events (Security & Observability)
- Windows Perfmon Events (Observability)
- Azure SQL Database Audit Events (Security)
- Azure NSG Firewall Events (Security)
- Endpoint Protection Agent Logs (Security)
- Azure Diagnostics (Observability)
10. The positives…
I was very lucky to be working with some very security conscious Developers, Cloud Engineers & Application Specialists
12. Why Elastic?
Cost: Perfect for a growing organisation
Security Features: Great out of the box features that a SOC needs
Observability: Allows us to meet our service operations needs
Scalability: The SOC can easily grow as the company grows
Machine Learning: Detecting outliers without needing complicated rules
Customisation: Building alerts tailored to our environments
14. Where are we now?
15. Where are we now?
✓ Windows 10 Endpoint Logs
✓ Azure AD Audit & Sign-in Logs
✓ Azure Resources Audit Logs
✓ SaaS Cloud Application Logs
✓ Windows Customer Server Logs
✓ Linux Customer Server Logs
✓ SQL Database Audit Logs
✓ On-prem & Cloud-based Firewall Logs
✓ Web Application Firewall Logs
✓ Office365 ATP Logs
✓ MS Defender ATP Logs
✓ Elastic Endgame Logs