Many organisations have invested millions in building security operations teams and deploying powerful monitoring and reporting tools, and then ask for continual improvement in the form of tuning, threat hunting and developing new threat models. Within large enterprises, however, these changes either carry the risk of modifying a live production platform or take weeks or months to pass through the development and release process (the route-to-live). This session outlines DevOps principles and an associated framework that enforce change management while still supporting rapid changes to code and configuration.
2. Who Am I?
Harry McLaren
• Alumnus of Napier University
• Managing Consultant at ECS [Security]
– Role: Security Engineer, Lead Consultant for Big Data (Splunk)
– Previous Roles: SOC Analyst, Incident Responder
• Current Interests: DevSecOps, Automation, Enabling Failure
3. Who Are ECS?
• Largest UK Splunk Partner
• Splunk's UK Based SME for Security
• Managed SOC Provider for FTSE 100/250
• Advanced Detection & Threat Hunting Services
• Best Security Company of the Year
4. Why Am I Here? (~25 mins)
• SOC Capabilities
• Threat Hunting
• Balancing SOC Risk
• Using Splunk for an Agile SIEM
• Evolution of DevSecOps
• DevSecOps Practices for SOC
• Result: Empowered Hunters
• Resources & Questions
7. Adaptive Threat Hunting
Cycle: 01 Hypothesis → Threat Discovered; 02 Actor Changes TTPs → Response to TTPs; 03 (repeat)
• Hypothesis & Detection: changing all the time, various data analyzed, conflicting evidence, threat discovery a priority.
• Response: adapt to threat actors' techniques, tools and procedures. Develop detection and response capability.
Finding, Confirming & Responding to Threats
8. Adding Rules/Alerts or Tuning Existing Ones
• Schema Modification
• Changes to Thresholds
• System Change
• Change Control
Balancing SOC Risk
10. Splunk for SIEM (Security Information & Event Management)
Supporting Agile Methods by Default
• Schema at Read, Not at Write, Supporting Multiple Use Cases
• All Analytic Tools Exposed to UI, Empowering Users to Experiment
• Plain Text Configuration Files, Well Documented & Supported
• Splunk API is Open, Free (500MB) License Model, Labs Encouraged
Building blocks:
• SPL – Search Processing
• Web UI – Users Encouraged to Play
• Plain Text Config – No Database, Configuration in Text
• Open API – Enumerated & Documented API
Monitor, Investigate, Build Intelligence
11. Solution: DevOps to the Rescue! Continuous Delivery FTW!
• Version Control: implement a Version Control System (VCS) for tracking change and peer reviewing. GitLab was chosen.
• Full Route-to-Live: multi-environment setup (Dev, Test, Prod), leveraging an identical code base throughout (99%).
• Agile Development: remove Waterfall method usage, move to Scrum-based development Sprints with issue tracking.
• Configuration Management: remove infrastructure access (SSH/RDP); require change to be pushed via Ansible and stored in VCS.
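As an added example (not from the talk, ECS or Splunk), a pre-merge check in the spirit of the peer-reviewed, VCS-held detection content above: it parses a "before" and "after" savedsearches.conf, lists every added, removed or search/schedule-changed alert for the reviewer, and fails when an enabled alert has no schedule. The savedsearches.conf format and keys are Splunk's; the two rule sets and rule names are constructed.

```python
# Constructed 'before'/'after' of a Splunk savedsearches.conf holding the SOC's detections.
OLD_CONF = """\
[Brute Force - Excessive Failed Logins]
search = index=auth action=failure | stats count by src | where count > 50
cron_schedule = */15 * * * *
disabled = 0
"""
NEW_CONF = """\
[Brute Force - Excessive Failed Logins]
search = index=auth action=failure | stats count by src | where count > 20
cron_schedule = */5 * * * *
disabled = 0
[Suspicious Encoded PowerShell]
search = index=endpoint process_name=powershell.exe command_line="*-enc*" | stats count by host
disabled = 0
"""
REVIEWED_KEYS = ("search", "cron_schedule", "disabled")  # fields whose change alters what the SOC sees

def parse_conf(text):
    # Minimal .conf reader: [stanza] headers, key = value lines, # comments.
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # SPL values may contain '=' themselves
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def review_changes(old_text, new_text):
    # Returns (findings, errors): findings summarise the diff, errors should block the merge.
    old, new = parse_conf(old_text), parse_conf(new_text)
    findings, errors = [], []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            findings.append(f"ADDED {name}")
        elif name not in new:
            findings.append(f"REMOVED {name}")
        else:
            for key in REVIEWED_KEYS:
                if old[name].get(key) != new[name].get(key):
                    findings.append(f"CHANGED {name}: {key} {old[name].get(key)!r} -> {new[name].get(key)!r}")
        # An enabled alert with no schedule never runs: a silent detection gap, so fail the check.
        if name in new and new[name].get("disabled", "0") == "0" and not new[name].get("cron_schedule"):
            errors.append(f"{name}: enabled but has no cron_schedule")
    return findings, errors
```

Run as a merge-request job, the findings become the reviewer's checklist and a non-empty errors list stops the change reaching Test or Prod.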
12. SIEM
Change
› Track, Monitor & Report
› Revert Defects
› Peer Reviewed Code
Detection
› Constantly Evolving Detection
› Change with Adversaries
Build
› Make Everyone a Creator
› Access to Dev for All
Automation
› Enrich Datasets
› Free Up Valuable Resources
Hunt
› Risk-free Hunting
› Rapid Development of Use Cases
SOC Excellence with Empowered Hunters
13. Resources
Threat Hunting
• Framework
• Security Essentials
• SANS Whitepaper
SOC
• General Building Guide
• Splunk SOCs
SIEM
• Splunk Enterprise Security
• Writing SIEM Rules
Splunk
• Free Download
• Free Training
• User Group
Hunt, Respond, Detect, Big Data