SACON 2020
Who are we anyway?
Some subject gyan (background knowledge)
We’ve got the stuff!
And…
Proprietary SIEM challenges
● Device Integration and log parsing
● Log enrichment
● Log correlation from multiple sources
● Cost
● Scaling SIEM components
● Updates
● Customisations
We needed something more…
o ~4000 events per second (this is going up) – parsed, enriched and indexed!
o ~30 million events per day - long term data retention and analytics
o ~150 alerts post correlation
o Horizontally scalable platform
o Attribute level statistical profiling
o Threat visualization
o Threat hunting
Statistical Profiling
Tech Stack - Metron, Homegrown, AWS
(Pipeline diagram; components as labelled on the slide:)
● Ingest: Filebeat, Kafka
● Parse, Enrich & Index
● STELLAR Alerting Framework
● Alert & Action: Block, Escalate, Scan, JIRA
● Analytics, ML, Visualisation: AWS Athena, Zeppelin
Scale
Architecture
(Diagram; components as labelled on the slide:)
● Log sources: HTTPD, Firewall, IDS/IPS, VPN, Application, Proxy, Mail, Network
● Storm topologies: Parsing, Enrichment, Indexing, Profiler
● Blitz (Alerting & Ticketing)
● Storage and analytics: S3, Elastic Search, Kibana, Redash, Athena, Zeppelin
● AWS: Biz Events, SageMaker
Metron - Enrichment & Profiler
(Flow diagram for IPS logs, steps as labelled on the slide:)
● Input: IPS logs
● Destination Geo Profiling: for each geolocation, aggregate the bytes sent out (profile expiry: 1 day)
● Check if current volume is greater than mean volume
● Lookup Enrichment: check if destination host/port is whitelisted or destination is a legit SMTP
● If no: set alert = True for the event
● Push to indexing
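The destination-geo flow above, as an added example (not code from the deck or from Apache Metron): a per-country one-day aggregate of bytes sent out, a comparison against the mean of earlier days, a whitelist / legitimate-SMTP lookup, and the alert flag set on the event before it is "indexed". The IPS records, whitelist and SMTP host list are constructed; records are assumed to already carry an enriched `dst_country`.

```python
"""Destination-geo volume profile following the Metron profiler flow above.

Added example, not code from the SACON deck or from Apache Metron. It assumes a
constructed stream of IPS log records that already carry an enriched
destination country ('dst_country'), a constructed whitelist, and a one-day
profile window as stated on the slide.
"""
from collections import defaultdict
from statistics import mean

DAY = 86400  # profile expiry: one day


class GeoVolumeProfile:
    """Per-geolocation aggregate of bytes sent out, kept in one-day windows."""

    def __init__(self, window: int = DAY):
        self.window = window
        self.history = defaultdict(list)  # country -> completed window totals
        self.current = {}                 # country -> (window_start, bytes_out)

    def add(self, country: str, ts: int, bytes_out: int) -> None:
        start, total = self.current.get(country, (ts - ts % self.window, 0))
        if ts - start >= self.window:     # window expired: roll it into history
            self.history[country].append(total)
            start, total = ts - ts % self.window, 0
        self.current[country] = (start, total + bytes_out)

    def exceeds_mean(self, country: str) -> bool:
        """Is the current window's volume greater than the mean of past windows?"""
        past = self.history.get(country)
        if not past:                      # no baseline yet, so nothing to compare
            return False
        return self.current[country][1] > mean(past)


# Constructed lookup-enrichment data (assumption, not from the deck).
WHITELISTED_DEST = {("10.0.0.5", 443), ("backup.example.net", 22)}
LEGIT_SMTP_HOSTS = {"mail.example.net"}


def is_whitelisted(event: dict) -> bool:
    """Destination host/port is whitelisted, or it is a legitimate SMTP relay."""
    legit_smtp = event["dst_port"] == 25 and event["dst_host"] in LEGIT_SMTP_HOSTS
    return (event["dst_host"], event["dst_port"]) in WHITELISTED_DEST or legit_smtp


def process(events, profile=None):
    """profile -> mean check -> whitelist lookup -> alert flag -> 'index' (collect)."""
    if profile is None:
        profile = GeoVolumeProfile()
    indexed = []
    for ev in events:
        ev = dict(ev)
        profile.add(ev["dst_country"], ev["ts"], ev["bytes_out"])
        over = profile.exceeds_mean(ev["dst_country"])
        ev["alert"] = over and not is_whitelisted(ev)
        indexed.append(ev)
    return indexed


# Constructed IPS records: two quiet days of 1-1.5 KB to NL, then a 4 KB burst.
SAMPLE_EVENTS = [
    {"ts": 0, "dst_country": "NL", "dst_host": "10.0.0.5", "dst_port": 443, "bytes_out": 1000},
    {"ts": 100, "dst_country": "NL", "dst_host": "203.0.113.9", "dst_port": 8080, "bytes_out": 500},
    {"ts": DAY, "dst_country": "NL", "dst_host": "10.0.0.5", "dst_port": 443, "bytes_out": 1000},
    {"ts": 2 * DAY, "dst_country": "NL", "dst_host": "203.0.113.9", "dst_port": 8080, "bytes_out": 4000},
    {"ts": 2 * DAY + 100, "dst_country": "NL", "dst_host": "mail.example.net", "dst_port": 25, "bytes_out": 100},
]


def run_sample():
    """Alert flags for SAMPLE_EVENTS: only the day-3 burst to the unknown host alerts."""
    return [ev["alert"] for ev in process(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for ev in process(SAMPLE_EVENTS):
        print(ev["ts"], ev["dst_host"], ev["bytes_out"], "alert" if ev["alert"] else "")
```

Only completed windows feed the mean, so the first day of a new geolocation never alerts; the SMTP record on day 3 is over the mean but suppressed by the lookup.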
Some Use Cases
Change in server behaviour based on PCR
Objective:
● to flag a change in server behaviour based on its producer / consumer ratio (PCR)
● to detect server compromise and bypass of security controls
● to detect data exfiltration
Profile Created:
● Server’s Producer / Consumer Ratio
Rules:
● If abs(current avg PCR – previous avg PCR) > 0.5
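The PCR rule above as an added example (not code from the deck). The deck does not define PCR; the formula used here is the common one, (bytes_out - bytes_in) / (bytes_out + bytes_in), which ranges from -1 (pure consumer) to +1 (pure producer); that formula, the per-period averaging and the sample flows are assumptions.

```python
"""Producer/Consumer Ratio (PCR) profile for the 'change in server behaviour' rule.

Added example, not code from the deck. PCR formula, per-period averaging and
the sample flows are assumptions (the slide states only the 0.5 threshold).
"""
from collections import defaultdict


def pcr(bytes_out: int, bytes_in: int) -> float:
    """PCR of one flow as seen from the server (assumed formula, see above)."""
    total = bytes_out + bytes_in
    return 0.0 if total == 0 else (bytes_out - bytes_in) / total


def avg_pcr_per_server(flows):
    """Average PCR per server over one profile period (e.g. one day of flows)."""
    sums, counts = defaultdict(float), defaultdict(int)
    for f in flows:
        sums[f["server"]] += pcr(f["bytes_out"], f["bytes_in"])
        counts[f["server"]] += 1
    return {s: sums[s] / counts[s] for s in sums}


def pcr_shift_alerts(previous_flows, current_flows, threshold: float = 0.5):
    """Slide rule: alert when abs(current avg PCR - previous avg PCR) > 0.5.

    Servers with no previous profile are skipped (nothing to compare yet).
    Returns {server: (previous avg, current avg)} for the servers that alert.
    """
    prev = avg_pcr_per_server(previous_flows)
    curr = avg_pcr_per_server(current_flows)
    return {
        s: (round(prev[s], 2), round(now, 2))
        for s, now in curr.items()
        if s in prev and abs(now - prev[s]) > threshold
    }


# Constructed flows: db01 normally consumes (small out, large in); in the current
# period it pushes out far more than it receives, which is how exfiltration looks.
PREVIOUS = [
    {"server": "db01", "bytes_out": 100, "bytes_in": 5000},
    {"server": "db01", "bytes_out": 200, "bytes_in": 4800},
    {"server": "web01", "bytes_out": 8000, "bytes_in": 2000},
]
CURRENT = [
    {"server": "db01", "bytes_out": 8000, "bytes_in": 200},
    {"server": "web01", "bytes_out": 7000, "bytes_in": 3000},
    {"server": "new01", "bytes_out": 10, "bytes_in": 10},  # no baseline: ignored
]


def run_sample():
    return pcr_shift_alerts(PREVIOUS, CURRENT)


if __name__ == "__main__":
    for server, (before, after) in run_sample().items():
        print(f"{server}: avg PCR {before} -> {after}")
```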
Unusual User Agents used by a server or VLAN
Objective:
● to detect malware injected in server / code
● to detect security control bypass
Profile Created:
● Known User Agents per server or VLAN
Rules:
● Flag any new User Agent that a server or VLAN has never used before
AWS Anomalous S3 Activity
Objective:
● to detect misconfiguration & security bypass
● to detect insider threat
Profile Created:
● Unique AWS Events triggered per bucket, retained over a period of X days
Rules:
● Flag any event triggered for an S3 resource that has not been observed for it in the past X days
AWS Anomalous User Login
Objective:
● to detect credential compromise
● to detect credential sharing
Profile Created:
● User agent, IP address and geolocation of each user logging in, for X days
Rules:
● Alert if a new user agent for the user is observed
● Alert if a new IP address for the user is observed
● Alert if a new geolocation (country) is observed
AWS Anomalous Activity
Objective:
● to detect lateral movement of a threat
● to detect misconfiguration and security bypass
Profile Created:
● For all combinations of account, event source and aws_region, profile events, user agent and geolocation (country)
Rules:
● Alert if a new user agent for the profile is observed
● Alert if a new event for the profile is observed
● Alert if a new geolocation (country) is observed
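The user-agent, S3, user-login and AWS-activity use cases above are all one pattern: per profile key, remember the attribute values seen in the last X days and flag a value not seen in that window. This added example (not code from the deck or from Apache Metron) implements that pattern once and drives it for the login and activity profiles; the learning period (no alerts until a key has been profiled for X days) and the CloudTrail-like records are assumptions.

```python
"""'New value for a profile key' rules behind the user-agent, S3, user-login and
AWS-activity use cases above.

Added example, not code from the deck or from Apache Metron. Per profile key it
keeps every attribute value seen in the last X days and flags a value not seen
in that window. Assumptions: a key only alerts once it has been profiled for
X days (learning period), and the CloudTrail-like records are constructed.
"""
from collections import defaultdict

DAY = 86400


class NoveltyProfile:
    def __init__(self, retention_days: int):
        self.retention = retention_days * DAY
        self.seen = defaultdict(dict)  # (key, attribute) -> {value: last_seen_ts}
        self.first_seen = {}           # key -> ts the key was first profiled

    def observe(self, key, attribute, value, ts) -> bool:
        """Record the value; return True if it is new for (key, attribute)."""
        bucket = self.seen[(key, attribute)]
        for v, last in list(bucket.items()):   # drop values not seen within X days
            if ts - last > self.retention:
                del bucket[v]
        is_new = value not in bucket
        bucket[value] = ts
        first = self.first_seen.setdefault(key, ts)
        learned = ts - first >= self.retention  # learning period (assumption)
        return is_new and learned


def profile_alerts(events, key_fields, attributes, retention_days):
    """Generic driver: key = tuple of key_fields, one novelty check per attribute."""
    prof = NoveltyProfile(retention_days)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = tuple(ev[f] for f in key_fields)
        for attr in attributes:
            if prof.observe(key, attr, ev[attr], ev["ts"]):
                alerts.append((ev["ts"], key, attr, ev[attr]))
    return alerts


def login_alerts(events, days=7):
    """AWS Anomalous User Login: new user agent, IP or country per user."""
    return profile_alerts(events, ("user",), ("user_agent", "source_ip", "country"), days)


def activity_alerts(events, days=7):
    """AWS Anomalous Activity: new event, user agent or country per
    (account, event source, region)."""
    return profile_alerts(events, ("account", "event_source", "region"),
                          ("event_name", "user_agent", "country"), days)


def _ev(ts, ua, ip, country):
    """Constructed CloudTrail-like record (documentation account id / IP ranges)."""
    return {"ts": ts, "user": "alice", "account": "111122223333",
            "event_source": "signin.amazonaws.com", "region": "us-east-1",
            "event_name": "ConsoleLogin", "user_agent": ua, "source_ip": ip,
            "country": country}


CLI, BROWSER = "aws-cli/2.0", "Mozilla/5.0 (Windows NT 10.0)"
SAMPLE_EVENTS = [
    _ev(0, CLI, "203.0.113.10", "IN"),            # learning period
    _ev(3 * DAY, CLI, "203.0.113.10", "IN"),
    _ev(8 * DAY, CLI, "203.0.113.10", "IN"),      # learned, nothing new
    _ev(9 * DAY, BROWSER, "198.51.100.7", "US"),  # new UA, IP and country
    _ev(9 * DAY + 100, BROWSER, "198.51.100.7", "US"),
    _ev(16 * DAY, CLI, "198.51.100.7", "US"),     # CLI UA expired from profile
]


def run_sample():
    return login_alerts(SAMPLE_EVENTS), activity_alerts(SAMPLE_EVENTS)


if __name__ == "__main__":
    logins, activity = run_sample()
    for a in logins:
        print("login:", a)
    for a in activity:
        print("activity:", a)
```

The S3 use case is the same call with `("bucket",)` as the key and `("event_name",)` as the only attribute; the user-agent-per-server case keys on the server or VLAN.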
SOARing over threats
What is this … Blitz?
Well, now that Metron has helped you identify an anomaly, WHAT IF
● You can get the anomaly alert details in a neatly generated email / JIRA ticket?
● You can custom enrich alert information with data from internal and external sources?
○ WHOIS info
○ Known Hosting IP
○ Reverse DNS Info
○ Customer Reputation & History
● And have action buttons in the alert itself to respond in real time?
○ Block IP or source
○ Raise a ticket
○ Forward to concerned team
○ Remediate endpoint
Blitz - Overview
● Open Source incident response automation framework aimed at accelerating incident triage, tracking and response capabilities
● Ingests device-agnostic alert data structured in JSON format
● Enriches alerts and makes them actionable using embedded custom response buttons
● Easily integrated with Metron using NiFi
● Code and deployment instructions can be found at: https://github.com/makemytrip/blitz
Blitz - Architecture
(Diagram; components as labelled on the slide:)
● Enrichments
● Configuration
● Output Templates
● Core Driver & Helper Modules
● Alert Output Modules
Blitz - Components
● Core Driver (Logic Engine) - processes alert data, calls enrichments and builds the output
● Enrichment Engine - container for enrichment modules that fetch information from other sources/APIs
● Device Configuration - configure enrichments, actions and tokens for all integrated devices
● Output Templates - build and adjust your alert UI
● Output Integrations - choose the SOC alert integration: email, JIRA, HTTP, JSON/File
Building Configuration
Routing alert data to Blitz - Parsing / Deduplicating
Blitz - In Action
Visualizations on Data Lake using Redash
Privileged Activity & Sensitive Asset Monitoring
Redash - Data Lake (PAM/SAM Reports)
Redash - Data Lake (WAF Events)
Redash - Data Lake (AWS Events) - Helium Charts
Redash - Data Lake (IPS Events) - Helium Charts
Redash - Data Lake (End User Events) - Helium Charts
Serverless Security Data Lake - Indexing Topology
Anatomy of a Hunt - ML aided
(Flow diagram; stages as labelled on the slide:)
● Security Data Lake
● Feature Extraction
● Model Persistence/Updates
● Model Training
● Anomaly Detection & Analysis
Thank you
Questions? Fire!
Backup Slides
Metron Profiler Explained

(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling your own Open Source SIEM & SOAR
