Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

Building Security Data Lake

Avatar for Richard Fan Richard Fan
December 13, 2023
Technology
0
16

Building Security Data Lake

vBrownBag podcast
Building Security Data Lake

https://youtu.be/6qQ7_asdI4I?si=CSsn0jz2vo00Y02Q

Avatar for Richard Fan

Richard Fan

December 13, 2023
Tweet

More Decks by Richard Fan

See All by Richard Fan
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
Avatar for Richard Fan richardfan1126
0
45
Preserving privacy on data collaboration with AWS Clean Rooms
Avatar for Richard Fan richardfan1126
0
45
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
Avatar for Richard Fan richardfan1126
0
140
When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS
Avatar for Richard Fan richardfan1126
0
55
AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture
Avatar for Richard Fan richardfan1126
0
66
Create your first AWS Nitro Enclaves application
Avatar for Richard Fan richardfan1126
0
56

Other Decks in Technology

See All in Technology
ログ管理の新たな可能性?CloudWatchの新機能をご紹介
Avatar for Ikumi Ono ikumi_ono
1
660
今年のデータ・ML系アップデートと気になるアプデのご紹介
Avatar for Nayuta S. nayuts
1
290
AWS Security Agentの紹介/introducing-aws-security-agent
Avatar for tomoki10 tomoki10
0
160
意外とあった SQL Server 関連アップデート + Database Savings Plans
Avatar for Takuya Shibata stknohg
PRO
0
310
Databricks向けJupyter Kernelでデータサイエンティストの開発環境をAI-Readyにする / Data+AI World Tour Tokyo After Party
Avatar for GENDA genda
1
100
生成AI時代におけるグローバル戦略思考
Avatar for Takaaki Yayoi taka_aki
0
130
会社紹介資料 / Sansan Company Profile
Avatar for Sansan, Inc. sansan33
PRO
11
390k
因果AIへの招待
Avatar for Shohei SHIMIZU sshimizu2006
0
960
コミューンのデータ分析AIエージェント「Community Sage」の紹介
Avatar for Yusuke Fukasawa fufufukakaka
0
480
AWS CLIの新しい認証情報設定方法aws loginコマンドの実態
Avatar for wkm2 wkm2
6
710
世界最速級 memcached 互換サーバー作った
Avatar for yasukata yasukata
0
340
多様なデジタルアイデンティティを攻撃からどうやって守るのか / 20251212
Avatar for Ayokura ayokura
0
430

Featured

See All Featured
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
6k
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
49
3.2k
BBQ
Avatar for Matthew Crist matthewcrist
89
9.9k
The Art of Programming - Codeland 2020
Avatar for Erika Heidi erikaheidi
56
14k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
303
21k
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
37
7.1k
Side Projects
Avatar for Sacha Greif sachag
455
43k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
615
210k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
70k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.9k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.3k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
34
2.5k

Transcript

  1. Building Security Data Lake Richard Fan March 29, 2023

  2. EXPRESSVPN Richard Fan Security Engineer from ExpressVPN A Builder and

    Tech advocate AWS Community Builder • https://dev.to/richardfan1126 • https://medium.com/@richardfan1126 • https://github.com/richardfan1126 Who am I?

  3. Security Data

  4. EXPRESSVPN What is security data? Security Data

  5. EXPRESSVPN Why do we need Security logs? • Detect threat

    • Incident response • Compliance • Vulnerability management Security Data

  6. EXPRESSVPN Security Data Storing (or Not storing) locally • No

    correlation • Difficult to track • Time consuming during incident response Send to SIEM • Centralized • Analytics / threat detection • Strong query capability Capturing security logs

  7. EXPRESSVPN The growing amount/complexity of security logs • Shift-left •

    Adoption of cloud • 2 common approaches ◦ Drop less-important events ◦ Scale-up SIEM and send all events to it Security Data

  8. EXPRESSVPN SIEM is not an ultimate solution • Too expensive

    • Short retention period • Difficult to integrate with other data processor Security Data

  9. Data Lake

  10. EXPRESSVPN Data Lake comes in Data Lake • Store data

    in large scale • Centralize data repository • Turn raw data into useful data • NOT a data archive • NOT a database (Security) Data Lake Security Data Lake • Threat detection • Event context • Real-time alert

  11. EXPRESSVPN How to start? • Identify all your data sources

    • Identify ingestion methods • Evaluate your situation ◦ Engineering ◦ Threat hunting ◦ SIEM options • Decide where SIEM fits in Data Lake

  12. EXPRESSVPN Connector split Source split Data Lake SIEM in Security

    data lake

  13. EXPRESSVPN Data lake to SIEM SIEM to Data lake Data

    Lake SIEM in Security data lake

  14. Threat hunting

  15. EXPRESSVPN Threat hunting life cycle in data lake Threat hunting

  16. EXPRESSVPN Detection as Code • Better documentation • Code repository

    / Code Review (GitOps) • Common language • Vendor agnostic Threat hunting

  17. EXPRESSVPN Detection as Code - Sigma Threat hunting

  18. EXPRESSVPN Detection as Code - Sigma Threat hunting Splunk Elasticsearch

  19. Our Story

  20. EXPRESSVPN How do we build security data lake? Technology •

    Ingestion • Storage ◦ S3 • Analytics • Detection-as-code ◦ Sigma Our story

  21. EXPRESSVPN How do we build security data lake? Company •

    SOC team • IT team • Security Engineering team • Cross-team collaboration • Security knowledge Our story

  22. EXPRESSVPN Takeaway • Evaluate your current state • Start small

    • Estimate cost • Embrace IaC / DaC • Don’t forget about people Our story

  23. Thank you