Detection as Code - Effective Approach to manage & optimize SOC Development

sbc-vn 3,458 views 28 slides Oct 04, 2024



Slide Content

Effective Approach to manage & optimize SOC Development

Detection as Code

Security Bootcamp 2024

Whoami
Name: Nguyen Huu Vu Long

Email: [email protected]

Exp: 05 years
#SIEM, #RuleDetection, #Monitoring,
#SOAR, #CI/CD, #SOC-Architecture

Agenda

1. Big Problems in Rule Detection Development
2. Detection as Code (DaC)
3. Use DaC to Maximize SOC Efficiency
4. Measure Attack Detection Capability
5. Key Takeaways

Big Problems in Rule Detection Development
Detection as Code

Big Problem: Rules Management

● Zones: Finance, Logistics, Workstations
● Environments: Dev, Testing, Production
● Total: ~3,000-5,000 rules need to be deployed

Total rule set:
= 3,000 rules × 3 zones × 3 environments = 27,000 rules

Issues:
● Reviewing that many rules is time-consuming
● Manual deployment is prone to misconfiguration

Big Problem: Document/Storage

● What is this alert?
● Why was this alert created?
● How do I know that the alert is a true positive?
● Operations depend on experienced analysts

Need a location to store documents and a defined rule detection format

Big Problem: Changes, Approval

● Hard to keep track of what changed, who changed it, when, and where
● No audit log of rule changes to report on rule development
● A security analyst modifying a rule can lead to missed threat detection

Need a tool to save a changelog and enforce quality control

Big Problem: Measure Rule Detection Capability

Once there is a deployment process, there also needs to be a measurement methodology.

● SOC team: 5-10 or more members
● Rule detection is researched and developed continuously, based on individual "interests"

Issues:
● Many rules are duplicated for detecting the same cyber threat
● Which rules need to be prioritized for development?
● How to calculate detection coverage against cyber threats?

Need an approach, a process, and a tool
to improve SIEM development

Detection as Code (DaC)

5W: what? why? when? how? who?
Detection as Code

Detection as Code (DaC) Definition
(https://www.googlecloudcommunity.com/gc/Community-Blog/Getting-Started-with-Detection-as-Code-and-Chronicle-Security/ba-p/702154)

Key points:
● Define security rule sets and configure them as code
● Automated testing, deployment and updates
● Review & approve

Format of Rule Detection
https://sigmahq.io/docs/guide/about.html

Refer to the Sigma rule detection format:
● Open source
● Human-readable
● Large contributing community
● Contains detailed information about test cases

Detection as Code: Workflow

Workflow diagram (labels recovered from the slide): backlog, documents, review, rework, test, update, approve, update, deploy, tune rule

Detection as Code: Tech Stack

● Jira: ticket management (paid)
● GitLab: documentation, CI/CD
● Terraform: manage configuration as code, deployment
● Graylog: SIEM
● VECTR: measure threat detection

Workflow in Technology

Pipeline diagram (labels recovered from the slide): backlog, in progress, commit, review (yes / feedback), approve, deploy; quality control; mapping; tools shown: GitLab, Terraform, Graylog, VECTR

Maintenance and Improvement

● Review the latest commits of rules once a month

● Change rule status over time:
○ Experimental: 30 days
○ Test: 30 days - 90 days
○ Stable: > 90 days

Lifecycle diagram (recovered from the slide): experimental, 30 days, test, 90 days, stable
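The monthly review and the status lifecycle above can be run as a CI job over the rule repository. The following is an added example (not the deck's code); the rule records and the choice to measure age from a rule's first commit are assumptions, since the slide gives only the durations:

```python
from datetime import date

# Constructed schema: each rule records its status plus first and last commit dates
# (measuring lifecycle age from the first commit is an assumption, not from the deck).
TODAY = date(2024, 10, 4)
RULES = [
    {"id": "lnx_sudoers_file_create", "status": "experimental",
     "first_commit": date(2024, 9, 20), "last_commit": date(2024, 9, 20)},
    {"id": "lnx_useradd_exec", "status": "experimental",
     "first_commit": date(2024, 8, 1), "last_commit": date(2024, 8, 1)},
    {"id": "lnx_history_cleared", "status": "test",
     "first_commit": date(2024, 5, 1), "last_commit": date(2024, 9, 30)},
    {"id": "lnx_ssh_key_added", "status": "stable",
     "first_commit": date(2024, 1, 10), "last_commit": date(2024, 3, 1)},
]

def expected_status(first_commit, today):
    """Deck thresholds: experimental < 30 days, test 30-90 days, stable > 90 days."""
    age = (today - first_commit).days
    if age < 30:
        return "experimental"
    return "test" if age <= 90 else "stable"

def maintenance_report(rules, today):
    """Per rule: the status it should carry (None if already correct) and whether
    its latest commit falls inside the monthly review window."""
    report = {}
    for rule in rules:
        should_be = expected_status(rule["first_commit"], today)
        report[rule["id"]] = {
            "status_should_be": None if should_be == rule["status"] else should_be,
            "review_this_month": (today - rule["last_commit"]).days <= 30,
        }
    return report

def sample_report():
    """Run the report over the constructed rules as of the deck's date."""
    return maintenance_report(RULES, TODAY)
```

A rule whose recorded status disagrees with its age (a demotion as well as a promotion) shows up in `status_should_be`, which is the quality-control signal the approval step can act on.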

Demo
Detection as Code

Use Case: Persistence
(https://github.com/SigmaHQ/sigma/blob/master/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml)

Target:
Detect when a new user is added to the root/sudoers group

Reference:
● T1053.003
● Follow the Sigma rule format
● Detailed information about the use case

To-do list:
● Monitor file-creation events in /etc/sudoers.d/.*
● Ignore administrators' files

Use Case: Testing

Build test cases in the testing environment:
● Test the rule with real attack scenarios
● Ensure the log source is being collected
● Keep the PoC easy to verify
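The persistence use case and its test cases above, worked through as an added example (not the deck's code and not the SigmaHQ rule): a minimal evaluator for a Sigma-style file_event rule with the "ignore administrators' files" filter, run against constructed file events that stand in for the testing-environment scenarios. The `TargetFilename` field name and the filter list are assumptions.

```python
# Constructed rule modelled on the referenced SigmaHQ sudoers.d rule's shape (not a copy); field name and filter list are assumptions.
RULE = {
    "title": "Persistence Via Sudoers Files (demo)",
    "logsource": {"product": "linux", "category": "file_event"},
    "detection": {
        "selection": {"TargetFilename|startswith": "/etc/sudoers.d/"},
        # "Ignore administrators' files": known, admin-managed drop-ins.
        "filter_admin": {"TargetFilename": ["/etc/sudoers.d/README",
                                            "/etc/sudoers.d/90-cloud-init-users"]},
        "condition": "selection and not filter_admin",
    },
    "tags": ["attack.persistence", "attack.t1053.003"],
}

def _field_matches(event, key, expected):
    """Apply one Sigma field modifier (startswith / endswith / contains / exact)."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, ""))
    for exp in (expected if isinstance(expected, list) else [expected]):
        if ((modifier == "startswith" and value.startswith(exp))
                or (modifier == "endswith" and value.endswith(exp))
                or (modifier == "contains" and exp in value)
                or (modifier == "" and value == exp)):
            return True
    return False

def rule_matches(rule, event):
    """Evaluate a condition of the form '<block> [and [not] <block>]*'."""
    det = rule["detection"]
    # Fields inside one block are ANDed; the condition combines the blocks.
    results = {name: all(_field_matches(event, k, v) for k, v in blk.items())
               for name, blk in det.items() if name != "condition"}
    tokens = det["condition"].split()
    verdict, i = results[tokens[0]], 1
    while i < len(tokens):                 # tokens[i] is the "and" keyword
        negate = tokens[i + 1] == "not"
        term = results[tokens[i + 2] if negate else tokens[i + 1]]
        verdict = verdict and (term != negate)
        i += 3 if negate else 2
    return verdict

# Constructed test cases for the testing environment: (file event, expected verdict).
TEST_CASES = [
    ({"TargetFilename": "/etc/sudoers.d/zz-backup", "User": "www-data"}, True),
    ({"TargetFilename": "/etc/sudoers.d/90-cloud-init-users", "User": "root"}, False),
    ({"TargetFilename": "/etc/cron.d/backup", "User": "root"}, False),
]

def run_test_cases(rule=RULE, cases=TEST_CASES):
    """Return (passed, failed): the easy-to-verify PoC check the deck asks for."""
    outcomes = [rule_matches(rule, event) == expected for event, expected in cases]
    return outcomes.count(True), outcomes.count(False)
```

In the pipeline, a non-zero failed count blocks the approve step; a case that never reaches the evaluator at all is the "log source not collected" failure the slide warns about.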

Use Case: Notification

● Alert the Blue Team about a change
● Save the change history in an instant message

Use Case: Deployment

Terraform supports:

● Detecting configuration changes

● Validating configuration

● Automatic deployment

● Rolling back changes that were not made through the pipeline

How to Measure the Attack Detection Capability?
Rule Detection Coverage

Measure Rule Detection Capability
https://docs.vectr.io/

● Open-source platform
● Map detection rules to MITRE ATT&CK by TTPs
● Coverage visibility by phase and category

Use Case: Document/Storage

Mapping rule sets to MITRE ATT&CK using the VECTR platform:
● Technique: threat_technique
● Name: threat_name
● Description: threat_description
● Phase: threat_tactic
● Priority: threat_score
● Outcome notes: PoC testing
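The three measurement questions from the "Measure rule detection capability" problem slide (duplicated rules, what to prioritize, how to compute coverage) can be answered from the mapping fields listed above. The following is an added example, not the deck's code or VECTR's API: a constructed threat catalogue and rule set using the threat_technique / threat_tactic / threat_score field names, with the scores invented for the demo.

```python
from collections import defaultdict

# Constructed threat catalogue keyed by technique, using the deck's VECTR field names
# (threat_name / threat_tactic / threat_score); the scores are invented for the demo.
THREATS = {
    "T1053.003": {"threat_name": "Scheduled Task/Job: Cron", "threat_tactic": "persistence", "threat_score": 8},
    "T1136.001": {"threat_name": "Create Account: Local Account", "threat_tactic": "persistence", "threat_score": 7},
    "T1059.004": {"threat_name": "Command and Scripting Interpreter: Unix Shell", "threat_tactic": "execution", "threat_score": 9},
    "T1003.008": {"threat_name": "OS Credential Dumping: /etc/passwd and /etc/shadow", "threat_tactic": "credential-access", "threat_score": 9},
    "T1070.003": {"threat_name": "Indicator Removal: Clear Command History", "threat_tactic": "defense-evasion", "threat_score": 5},
}
# Constructed rule set; each rule carries the technique it maps to (threat_technique).
RULES = [
    {"rule": "lnx_sudoers_file_create", "threat_technique": "T1053.003"},  # the deck's use case
    {"rule": "lnx_sudoers_file_modify", "threat_technique": "T1053.003"},  # overlaps the one above
    {"rule": "lnx_useradd_exec", "threat_technique": "T1136.001"},
    {"rule": "lnx_history_cleared", "threat_technique": "T1070.003"},
]

def rules_by_technique(rules):
    """Index rule names by technique ID."""
    index = defaultdict(list)
    for rule in rules:
        index[rule["threat_technique"]].append(rule["rule"])
    return index

def coverage_by_tactic(threats, rules):
    """Heat-map input: per tactic, (techniques with at least one rule, techniques tracked)."""
    covered = rules_by_technique(rules)
    totals = defaultdict(lambda: [0, 0])
    for technique, meta in threats.items():
        totals[meta["threat_tactic"]][1] += 1
        if technique in covered:
            totals[meta["threat_tactic"]][0] += 1
    return {tactic: tuple(counts) for tactic, counts in totals.items()}

def duplicate_rules(rules):
    """Techniques covered by more than one rule: candidates to merge or retire."""
    return {t: names for t, names in rules_by_technique(rules).items() if len(names) > 1}

def development_backlog(threats, rules):
    """Tracked techniques with no rule, highest threat_score first: what to build next."""
    covered = rules_by_technique(rules)
    todo = [(t, meta["threat_score"]) for t, meta in threats.items() if t not in covered]
    return [t for t, _ in sorted(todo, key=lambda item: (-item[1], item[0]))]
```

The coverage tuples are the per-phase cells of the heat map the next slide shows; the denominator is the set of threats the team tracks, so coverage is measured against the organisation's threat model rather than against all of ATT&CK.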

VECTR: Heat map of threat detection

Key Takeaways

● Strong support for SOC management, development and maintenance

● Easy to expand the SOC team's knowledge

● Self-host your power

THANK YOU FOR LISTENING!