January 1, 0001
Capturing logs and visualising them in a SOC (Security Operation Center) is a key activity in the asymmetric arms race against malicious actors and bugs.
In addition to providing high-value actionable information, a good SOC will provide a wealth of valuable metrics and visualisations for the business, from user activities and behaviour to system performance.
The Working Session will assess the role, the work, and the importance of a SOC within a business.
- What are the key technical and operational components of SOCs?
- Map examples of SOC implementations (people, processes and technologies)
- What are the best practices for capturing logs and feeding them into central locations?
- What is the business case for a larger SOC which is sponsored by another business unit (i.e. not just Security)?
- What are the best practices for using tools like ELK or Splunk?
- How to secure SOCs data and infrastructure
- How to visualise the data collected in actionable/meaningful graphs
- How to use Machine Learning and AI to improve data capture and analysis
- How to use Business Intelligence Techniques and Big Data tools to improve analysis and visualisations
- Using AppSensor to feed data into SOC and to respond to analysis results
- Exploring specific security incidents:
- Malware infection
- Web Injection attack
- Account Brute Force attacks
- Login/activities from non-common locations
- Business logic exploitation
- Data extraction
- How does SOC help with GDPR requirements
- What to look for - tricks, tips and ideas
This Working Session will publish a document containing the following:
- List of best practices for capturing logs and feeding them into central locations
- List of best practices for using tools like ELK or Splunk
- Guidelines for visualising SOC data collected in actionable/meaningful graphs
- Tricks, tips and ideas
Synopsis and Takeaways
List of best practices for capturing logs and feeding them into central locations
What do we put on a list of best practices? (discussion)
- Good RegEx tutorials
- Plug-ins pages links for parservs
- Syslog integration procedure
- Read the meta data, process for understanding
- Feed MISP with threat intelligence information
Best Practice list
- Check time synchronisation of NTP servers
- Evaluate which alerts can be converted into automatic or manual actions
- Send your CI / CD information to the SOC
Guidelines for visualising SOC data collected in actionable/meaningful graphs
- Correlation of events
- Out of bounds activities
- Main DC KPPI
- Availability monitoring
- False positive feedback and deeper understanding
- From Dev perspective, false positives cause delays, visualising them makes them easier to filter
- Modify test/ alerts for improvement
- Provide feedback for not-fixed alerts
- Add some risk management accept, mitigate, or transfer
- Generate and maintain a baseline
- Detect anomalies
The target audience for this Working Session is:
- SOC and Network Operations teams
- InfoSec and AppSec professionals
- Business analysts