SlideShare una empresa de Scribd logo

Hunting Hard, Failing Fast, Maintaining Integrity

Descargar como PPTX, PDF
H
Harry McLaren

Many organisations have invested millions in building security operations teams, deploying powerful monitoring and reporting tools and then asking for continual improvement in the form of tuning, threat hunting and developing new threat models. However, within large enterprises, these types of changes either represent a risk of making changes to a live production platform or take weeks or months to go through the development and release process or route-to-live. This session outlines some DevOps principals and associate framework for enforcing change management, but still supporting rapid changes to code and configuration.

Datos y análisis
1 de 14
Hunting Hard, Failing Fast, Maintaining Integrity Harry McLaren - Managing Consultant @ ECS
Who Am I? Harry McLaren • Alumnus of Napier University • Managing Consultant at ECS [Security] –Role: Security Engineer, Lead Consultant for Big Data (Splunk) –Previous Roles: SOC Analyst, Incident Responder • Current Interests: DevSecOps, Automation, Enabling Failure
Who Are ECS? Largest UK Splunk Partner Splunk's UK Based SME for Security Managed SOC Provider for FTSE 100/250 Advanced Detection & Threat Hunting Services Best Security Company of the Year
Why Am I Here? • SOC Capabilities • Threat Hunting • Balancing SOC Risk • Using Splunk for an Agile SIEM • Evolution of DevSecOps • DevSecOps Practices for SOC • Result: Empowered Hunters • Resources & Questions ~25mins
Monitoring Security Logs, Simple Searching, Compliance Reporting Correlation Rules, Multiple Alerts, Disparate Log Sources Detection Analysis Contextual Information, Baselining/Thresholds, Behavioral Insights Incident Management, Forensic Investigation, Escalation, Disruption of Attack Chain Response Hunting Finding Unknown Unknowns, Experimentation, Gap Analysis Reducing SOC Fatigue, Responsive Actions, Security Nerve Centre Automation & Orchestration SOC Capabilities Evolving Security Operations Functions
Threat Hunting - Diamond Model Source: Sqrrl
Adaptive Threat Hunting Hypothesis 01 Threat Discovered 02 Actor Changes TTPs  Response to TTPs 03 Hypothesis & Detection Changing all the time, various data analyzed, conflicting evidence, threat discovery a priority. Response Adapt to threat actors techniques, tools and procedures. Develop detection and response capability. Finding, Confirming & Responding to Threats
Adding Rules/Alerts or Tuning Existing Ones Schema Modification Changes to Thresholds System Change Change Control Balancing SOC Risk
DevSecOps Source: Gartner
Splunk for SIEM (Security Information & Event Management) Supporting Agile Methods by Default Schema at Read, Not at Write, Supporting Multiple Use Cases All Analytic Tools Exposed to UI, Empowering Users to Experiment Plain Text Configuration Files, Well Documented & Supported Splunk API is Open, Free (500MB) License Model, Labs Encouraged Search Processing Users Encouraged to Play No Database, Configuration in Text Enumerated & Documented API SPL Web UI Plain Text Config Open API Monitor InvestigateBuild Intelligence
Version Control Implement Version Control System (VCS) for tracking change and peer reviewing. GitLab was chosen. Full Route-to-Live Multi-environment setup (Dev, Test, Prod). Leveraging identical code base throughout (99%). Agile Development Remove Waterfall method usage, move to Scrum based development Sprints with issue tracking. Configuration Management Remove infrastructure access (SSH/RDP), require change to be pushed via Ansible and stored in VCS. Solution: DevOps to the Rescue! Continuous Delivery FTW!
Change › Track, Monitor & Report › Revert Defects › Peer Reviewed Code SIEM Detection › Constantly Evolving Detection › Change with Adversaries Build › Make Everyone a Creator › Access to Dev for All Automation › Enrich Datasets › Free Up Valuable Resources Hunt › Risk-free Hunting › Rapid Development of Use Cases SOC Excellence with Empowered Hunters
Resources Threat Hunting • Framework • Security Essentials • Sans Whitepaper SOC • General Building Guide • Splunk SOCs SIEM • Splunk Enterprise Security • Writing SIEM Rules Splunk • Free Download • Free Training • User Group Hunt Respond Detect Big Data
Questions? @cyberharibu harry.mclaren@ecs.co.uk harrymclaren.co.uk Connect and Say Hello! Splunk User Group Cyber Scotland Connect

Recomendados

Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies Harry McLaren
 
Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Harry McLaren
 
Becoming a Defender (Blue Teams FTW!)
Becoming a Defender (Blue Teams FTW!)Becoming a Defender (Blue Teams FTW!)
Becoming a Defender (Blue Teams FTW!)Harry McLaren
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Harry McLaren
 
SOC Fundamental Roles & Skills
SOC Fundamental Roles & SkillsSOC Fundamental Roles & Skills
SOC Fundamental Roles & SkillsHarry McLaren
 
Hunting Hard & Failing Fast (ScotSoft 2019)
Hunting Hard & Failing Fast (ScotSoft 2019)Hunting Hard & Failing Fast (ScotSoft 2019)
Hunting Hard & Failing Fast (ScotSoft 2019)Harry McLaren
 
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!Harry McLaren
 
Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore)
Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore) Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore)
Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore) Harry McLaren
 

Recomendados

Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies Harry McLaren
 
Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Harry McLaren
 
Becoming a Defender (Blue Teams FTW!)
Becoming a Defender (Blue Teams FTW!)Becoming a Defender (Blue Teams FTW!)
Becoming a Defender (Blue Teams FTW!)Harry McLaren
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Harry McLaren
 
SOC Fundamental Roles & Skills
SOC Fundamental Roles & SkillsSOC Fundamental Roles & Skills
SOC Fundamental Roles & SkillsHarry McLaren
 
Hunting Hard & Failing Fast (ScotSoft 2019)
Hunting Hard & Failing Fast (ScotSoft 2019)Hunting Hard & Failing Fast (ScotSoft 2019)
Hunting Hard & Failing Fast (ScotSoft 2019)Harry McLaren
 
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!Harry McLaren
 
Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore)
Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore) Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore)
Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore) Harry McLaren
 
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...Harry McLaren
 
Splunk .conf18 Updates, Config Add-on, SplDevOps
Splunk .conf18 Updates, Config Add-on, SplDevOpsSplunk .conf18 Updates, Config Add-on, SplDevOps
Splunk .conf18 Updates, Config Add-on, SplDevOpsHarry McLaren
 
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...Harry McLaren
 
Lessons on Human Vulnerability within InfoSec/Cyber
Lessons on Human Vulnerability within InfoSec/CyberLessons on Human Vulnerability within InfoSec/Cyber
Lessons on Human Vulnerability within InfoSec/CyberHarry McLaren
 
Big Data For Threat Detection & Response
Big Data For Threat Detection & ResponseBig Data For Threat Detection & Response
Big Data For Threat Detection & ResponseHarry McLaren
 
OWASP - Analyst, Engineer or Consultant?
OWASP - Analyst, Engineer or Consultant?OWASP - Analyst, Engineer or Consultant?
OWASP - Analyst, Engineer or Consultant?Harry McLaren
 
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk DevelopmentTSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk DevelopmentHarry McLaren
 
Cyber Scotland Connect: What is Security Engineering?
Cyber Scotland Connect: What is Security Engineering?Cyber Scotland Connect: What is Security Engineering?
Cyber Scotland Connect: What is Security Engineering?Harry McLaren
 
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)Harry McLaren
 
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)Harry McLaren
 
Cyber Scotland Connect: Welcome & Purpose Statement
Cyber Scotland Connect: Welcome & Purpose StatementCyber Scotland Connect: Welcome & Purpose Statement
Cyber Scotland Connect: Welcome & Purpose StatementHarry McLaren
 
Latest Updates to Splunk from .conf 2017 Announcements
Latest Updates to Splunk from .conf 2017 Announcements Latest Updates to Splunk from .conf 2017 Announcements
Latest Updates to Splunk from .conf 2017 Announcements Harry McLaren
 
Securing the Enterprise/Cloud with Splunk at the Centre
Securing the Enterprise/Cloud with Splunk at the CentreSecuring the Enterprise/Cloud with Splunk at the Centre
Securing the Enterprise/Cloud with Splunk at the CentreHarry McLaren
 
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)Harry McLaren
 
Deconstructing SIEM
Deconstructing SIEMDeconstructing SIEM
Deconstructing SIEMHarry McLaren
 
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...Harry McLaren
 
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics Harry McLaren
 
Splunk Dashboarding & Universal Vs. Heavy Forwarders
Splunk Dashboarding & Universal Vs. Heavy ForwardersSplunk Dashboarding & Universal Vs. Heavy Forwarders
Splunk Dashboarding & Universal Vs. Heavy ForwardersHarry McLaren
 
Splunk User Group Edinburgh - November Event
Splunk User Group Edinburgh - November EventSplunk User Group Edinburgh - November Event
Splunk User Group Edinburgh - November EventHarry McLaren
 
Splunk User Group Edinburgh - September Event
Splunk User Group Edinburgh - September EventSplunk User Group Edinburgh - September Event
Splunk User Group Edinburgh - September EventHarry McLaren
 
Ukraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICSUkraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICSAishani27
 
RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998YohFuh
 

Más contenido relacionado

Más de Harry McLaren

Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...Harry McLaren
 
Splunk .conf18 Updates, Config Add-on, SplDevOps
Splunk .conf18 Updates, Config Add-on, SplDevOpsSplunk .conf18 Updates, Config Add-on, SplDevOps
Splunk .conf18 Updates, Config Add-on, SplDevOpsHarry McLaren
 
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...Harry McLaren
 
Lessons on Human Vulnerability within InfoSec/Cyber
Lessons on Human Vulnerability within InfoSec/CyberLessons on Human Vulnerability within InfoSec/Cyber
Lessons on Human Vulnerability within InfoSec/CyberHarry McLaren
 
Big Data For Threat Detection & Response
Big Data For Threat Detection & ResponseBig Data For Threat Detection & Response
Big Data For Threat Detection & ResponseHarry McLaren
 
OWASP - Analyst, Engineer or Consultant?
OWASP - Analyst, Engineer or Consultant?OWASP - Analyst, Engineer or Consultant?
OWASP - Analyst, Engineer or Consultant?Harry McLaren
 
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk DevelopmentTSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk DevelopmentHarry McLaren
 
Cyber Scotland Connect: What is Security Engineering?
Cyber Scotland Connect: What is Security Engineering?Cyber Scotland Connect: What is Security Engineering?
Cyber Scotland Connect: What is Security Engineering?Harry McLaren
 
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)Harry McLaren
 
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)Harry McLaren
 
Cyber Scotland Connect: Welcome & Purpose Statement
Cyber Scotland Connect: Welcome & Purpose StatementCyber Scotland Connect: Welcome & Purpose Statement
Cyber Scotland Connect: Welcome & Purpose StatementHarry McLaren
 
Latest Updates to Splunk from .conf 2017 Announcements
Latest Updates to Splunk from .conf 2017 Announcements Latest Updates to Splunk from .conf 2017 Announcements
Latest Updates to Splunk from .conf 2017 Announcements Harry McLaren
 
Securing the Enterprise/Cloud with Splunk at the Centre
Securing the Enterprise/Cloud with Splunk at the CentreSecuring the Enterprise/Cloud with Splunk at the Centre
Securing the Enterprise/Cloud with Splunk at the CentreHarry McLaren
 
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)Harry McLaren
 
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...Harry McLaren
 
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics Harry McLaren
 
Splunk Dashboarding & Universal Vs. Heavy Forwarders
Splunk Dashboarding & Universal Vs. Heavy ForwardersSplunk Dashboarding & Universal Vs. Heavy Forwarders
Splunk Dashboarding & Universal Vs. Heavy ForwardersHarry McLaren
 
Splunk User Group Edinburgh - November Event
Splunk User Group Edinburgh - November EventSplunk User Group Edinburgh - November Event
Splunk User Group Edinburgh - November EventHarry McLaren
 
Splunk User Group Edinburgh - September Event
Splunk User Group Edinburgh - September EventSplunk User Group Edinburgh - September Event
Splunk User Group Edinburgh - September EventHarry McLaren
 

Más de Harry McLaren (20)

Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...
 
Splunk .conf18 Updates, Config Add-on, SplDevOps
Splunk .conf18 Updates, Config Add-on, SplDevOpsSplunk .conf18 Updates, Config Add-on, SplDevOps
Splunk .conf18 Updates, Config Add-on, SplDevOps
 
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...
 
Lessons on Human Vulnerability within InfoSec/Cyber
Lessons on Human Vulnerability within InfoSec/CyberLessons on Human Vulnerability within InfoSec/Cyber
Lessons on Human Vulnerability within InfoSec/Cyber
 
Big Data For Threat Detection & Response
Big Data For Threat Detection & ResponseBig Data For Threat Detection & Response
Big Data For Threat Detection & Response
 
OWASP - Analyst, Engineer or Consultant?
OWASP - Analyst, Engineer or Consultant?OWASP - Analyst, Engineer or Consultant?
OWASP - Analyst, Engineer or Consultant?
 
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk DevelopmentTSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
 
Cyber Scotland Connect: What is Security Engineering?
Cyber Scotland Connect: What is Security Engineering?Cyber Scotland Connect: What is Security Engineering?
Cyber Scotland Connect: What is Security Engineering?
 
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
 
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
 
Cyber Scotland Connect: Welcome & Purpose Statement
Cyber Scotland Connect: Welcome & Purpose StatementCyber Scotland Connect: Welcome & Purpose Statement
Cyber Scotland Connect: Welcome & Purpose Statement
 
Latest Updates to Splunk from .conf 2017 Announcements
Latest Updates to Splunk from .conf 2017 Announcements Latest Updates to Splunk from .conf 2017 Announcements
Latest Updates to Splunk from .conf 2017 Announcements
 
Securing the Enterprise/Cloud with Splunk at the Centre
Securing the Enterprise/Cloud with Splunk at the CentreSecuring the Enterprise/Cloud with Splunk at the Centre
Securing the Enterprise/Cloud with Splunk at the Centre
 
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
 
Deconstructing SIEM
Deconstructing SIEMDeconstructing SIEM
Deconstructing SIEM
 
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
 
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics
 
Splunk Dashboarding & Universal Vs. Heavy Forwarders
Splunk Dashboarding & Universal Vs. Heavy ForwardersSplunk Dashboarding & Universal Vs. Heavy Forwarders
Splunk Dashboarding & Universal Vs. Heavy Forwarders
 
Splunk User Group Edinburgh - November Event
Splunk User Group Edinburgh - November EventSplunk User Group Edinburgh - November Event
Splunk User Group Edinburgh - November Event
 
Splunk User Group Edinburgh - September Event
Splunk User Group Edinburgh - September EventSplunk User Group Edinburgh - September Event
Splunk User Group Edinburgh - September Event
 

Último

Ukraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICSUkraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICSAishani27
 
RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998YohFuh
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionfulawalesam
 
定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一
定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一
定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一ffjhghh
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxolyaivanovalion
 
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiVIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiSuhani Kapoor
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysismanisha194592
 
BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxolyaivanovalion
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfLars Albertsson
 
Brighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data StorytellingBrighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data StorytellingNeil Barnes
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Edukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFxEdukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFxolyaivanovalion
 
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfMarket Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfRachmat Ramadhan H
 
Industrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfIndustrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfLars Albertsson
 
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiLow Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiSuhani Kapoor
 
Introduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxIntroduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxfirstjob4
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptxAnupama Kate
 

Último (20)

Ukraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICSUkraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICS
 
RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998
 
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in KishangarhDelhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interaction
 
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
 
定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一
定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一
定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptx
 
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiVIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysis
 
BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptx
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdf
 
Brighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data StorytellingBrighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data Storytelling
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
 
Edukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFxEdukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFx
 
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfMarket Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
 
Industrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfIndustrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdf
 
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiLow Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
 
Introduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxIntroduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptx
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx
 

Hunting Hard, Failing Fast, Maintaining Integrity

  • 1. Hunting Hard, Failing Fast, Maintaining Integrity Harry McLaren - Managing Consultant @ ECS
  • 2. Who Am I? Harry McLaren • Alumnus of Napier University • Managing Consultant at ECS [Security] –Role: Security Engineer, Lead Consultant for Big Data (Splunk) –Previous Roles: SOC Analyst, Incident Responder • Current Interests: DevSecOps, Automation, Enabling Failure
  • 3. Who Are ECS? Largest UK Splunk Partner Splunk's UK Based SME for Security Managed SOC Provider for FTSE 100/250 Advanced Detection & Threat Hunting Services Best Security Company of the Year
  • 4. Why Am I Here? • SOC Capabilities • Threat Hunting • Balancing SOC Risk • Using Splunk for an Agile SIEM • Evolution of DevSecOps • DevSecOps Practices for SOC • Result: Empowered Hunters • Resources & Questions ~25mins
  • 5. Monitoring Security Logs, Simple Searching, Compliance Reporting Correlation Rules, Multiple Alerts, Disparate Log Sources Detection Analysis Contextual Information, Baselining/Thresholds, Behavioral Insights Incident Management, Forensic Investigation, Escalation, Disruption of Attack Chain Response Hunting Finding Unknown Unknowns, Experimentation, Gap Analysis Reducing SOC Fatigue, Responsive Actions, Security Nerve Centre Automation & Orchestration SOC Capabilities Evolving Security Operations Functions
  • 6. Threat Hunting - Diamond Model Source: Sqrrl
  • 7. Adaptive Threat Hunting Hypothesis 01 Threat Discovered 02 Actor Changes TTPs  Response to TTPs 03 Hypothesis & Detection Changing all the time, various data analyzed, conflicting evidence, threat discovery a priority. Response Adapt to threat actors techniques, tools and procedures. Develop detection and response capability. Finding, Confirming & Responding to Threats
  • 8. Adding Rules/Alerts or Tuning Existing Ones Schema Modification Changes to Thresholds System Change Change Control Balancing SOC Risk
  • 10. Splunk for SIEM (Security Information & Event Management) Supporting Agile Methods by Default Schema at Read, Not at Write, Supporting Multiple Use Cases All Analytic Tools Exposed to UI, Empowering Users to Experiment Plain Text Configuration Files, Well Documented & Supported Splunk API is Open, Free (500MB) License Model, Labs Encouraged Search Processing Users Encouraged to Play No Database, Configuration in Text Enumerated & Documented API SPL Web UI Plain Text Config Open API Monitor InvestigateBuild Intelligence
  • 11. Version Control Implement Version Control System (VCS) for tracking change and peer reviewing. GitLab was chosen. Full Route-to-Live Multi-environment setup (Dev, Test, Prod). Leveraging identical code base throughout (99%). Agile Development Remove Waterfall method usage, move to Scrum based development Sprints with issue tracking. Configuration Management Remove infrastructure access (SSH/RDP), require change to be pushed via Ansible and stored in VCS. Solution: DevOps to the Rescue! Continuous Delivery FTW!
  • 12. Change › Track, Monitor & Report › Revert Defects › Peer Reviewed Code SIEM Detection › Constantly Evolving Detection › Change with Adversaries Build › Make Everyone a Creator › Access to Dev for All Automation › Enrich Datasets › Free Up Valuable Resources Hunt › Risk-free Hunting › Rapid Development of Use Cases SOC Excellence with Empowered Hunters
  • 13. Resources Threat Hunting • Framework • Security Essentials • Sans Whitepaper SOC • General Building Guide • Splunk SOCs SIEM • Splunk Enterprise Security • Writing SIEM Rules Splunk • Free Download • Free Training • User Group Hunt Respond Detect Big Data

Notas del editor

  1. 1min
  2. 1min
  3. 1min
  4. 3mins
  5. 2mins
  6. 2mins
  7. 2mins
  8. 2mins
  9. 2mins
  10. 2mins
  11. 5mins
  12. 0min
  13. 10mins