Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Building Security Data Lake
Search
Richard Fan
December 13, 2023
Technology
0
17
Building Security Data Lake
vBrownBag podcast
Building Security Data Lake
https://youtu.be/6qQ7_asdI4I?si=CSsn0jz2vo00Y02Q
Richard Fan
December 13, 2023
Tweet
Share
More Decks by Richard Fan
See All by Richard Fan
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
45
Preserving privacy on data collaboration with AWS Clean Rooms
richardfan1126
0
47
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
140
When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS
richardfan1126
0
55
AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture
richardfan1126
0
67
Create your first AWS Nitro Enclaves application
richardfan1126
0
57
Other Decks in Technology
See All in Technology
国井さんにPurview の話を聞く会
sophiakunii
1
300
Cloud WAN MCP Serverから考える新しいネットワーク運用 / 20251228 Masaki Okuda
shift_evolve
PRO
0
130
Bill One 開発エンジニア 紹介資料
sansan33
PRO
4
17k
Node vs Deno vs Bun 〜推しランタイムを見つけよう〜
kamekyame
1
170
ハッカソンから社内プロダクトへ AIエージェント ko☆shi 開発で学んだ4つの重要要素
leveragestech
0
540
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
10k
コールドスタンバイ構成でCDは可能か
hiramax
0
130
自己管理型チームと個人のセルフマネジメント 〜モチベーション編〜
kakehashi
PRO
5
1.6k
Oracle Database@Azure:サービス概要のご紹介
oracle4engineer
PRO
3
260
AWS re:Inventre:cap ~AmazonNova 2 Omniのワークショップを体験してきた~
nrinetcom
PRO
0
130
チームで安全にClaude Codeを利用するためのプラクティス / team-claude-code-practices
tomoki10
5
1.9k
複雑さを受け入れるか、拒むか? - 事業成長とともに育ったモノリスを前に私が考えたこと #RSGT2026
murabayashi
0
980
Featured
See All Featured
HU Berlin: Industrial-Strength Natural Language Processing with spaCy and Prodigy
inesmontani
PRO
0
120
How To Speak Unicorn (iThemes Webinar)
marktimemedia
1
360
Groundhog Day: Seeking Process in Gaming for Health
codingconduct
0
72
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
baasie
0
190
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
38
2.7k
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
auna
0
33
Done Done
chrislema
186
16k
Building a Scalable Design System with Sketch
lauravandoore
463
34k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
25
1.7k
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
akademiya2063
PRO
0
37
Marketing Yourself as an Engineer | Alaka | Gurzu
gurzu
0
110
Transcript
Building Security Data Lake Richard Fan March 29, 2023
EXPRESSVPN Richard Fan Security Engineer from ExpressVPN A Builder and
Tech advocate AWS Community Builder • https://dev.to/richardfan1126 • https://medium.com/@richardfan1126 • https://github.com/richardfan1126 Who am I?
Security Data
EXPRESSVPN What is security data? Security Data
EXPRESSVPN Why do we need Security logs? • Detect threat
• Incident response • Compliance • Vulnerability management Security Data
EXPRESSVPN Security Data Storing (or Not storing) locally • No
correlation • Difficult to track • Time consuming during incident response Send to SIEM • Centralized • Analytics / threat detection • Strong query capability Capturing security logs
EXPRESSVPN The growing amount/complexity of security logs • Shift-left •
Adoption of cloud • 2 common approaches ◦ Drop less-important events ◦ Scale-up SIEM and send all events to it Security Data
EXPRESSVPN SIEM is not an ultimate solution • Too expensive
• Short retention period • Difficult to integrate with other data processor Security Data
Data Lake
EXPRESSVPN Data Lake comes in Data Lake • Store data
in large scale • Centralize data repository • Turn raw data into useful data • NOT a data archive • NOT a database (Security) Data Lake Security Data Lake • Threat detection • Event context • Real-time alert
EXPRESSVPN How to start? • Identify all your data sources
• Identify ingestion methods • Evaluate your situation ◦ Engineering ◦ Threat hunting ◦ SIEM options • Decide where SIEM fits in Data Lake
EXPRESSVPN Connector split Source split Data Lake SIEM in Security
data lake
EXPRESSVPN Data lake to SIEM SIEM to Data lake Data
Lake SIEM in Security data lake
Threat hunting
EXPRESSVPN Threat hunting life cycle in data lake Threat hunting
EXPRESSVPN Detection as Code • Better documentation • Code repository
/ Code Review (GitOps) • Common language • Vendor agnostic Threat hunting
EXPRESSVPN Detection as Code - Sigma Threat hunting
EXPRESSVPN Detection as Code - Sigma Threat hunting Splunk Elasticsearch
Our Story
EXPRESSVPN How do we build security data lake? Technology •
Ingestion • Storage ◦ S3 • Analytics • Detection-as-code ◦ Sigma Our story
EXPRESSVPN How do we build security data lake? Company •
SOC team • IT team • Security Engineering team • Cross-team collaboration • Security knowledge Our story
EXPRESSVPN Takeaway • Evaluate your current state • Start small
• Estimate cost • Embrace IaC / DaC • Don’t forget about people Our story
Thank you
richardfan1126
sophiakunii
shift_evolve
sansan33
kamekyame
leveragestech
fullkaiten
hiramax
kakehashi
oracle4engineer
nrinetcom
tomoki10
murabayashi
inesmontani
marktimemedia
codingconduct
baasie
eileencodes
auna
chrislema
lauravandoore
pedronauck
honnibal
akademiya2063
gurzu
