Building Security Data Lake
Richard Fan
December 13, 2023
vBrownBag podcast
https://youtu.be/6qQ7_asdI4I?si=CSsn0jz2vo00Y02Q
Transcript
Building Security Data Lake
Richard Fan
March 29, 2023

Who am I?
Richard Fan, Security Engineer at ExpressVPN
• A builder and tech advocate
• AWS Community Builder
• https://dev.to/richardfan1126
• https://medium.com/@richardfan1126
• https://github.com/richardfan1126
Security Data

What is security data?

Why do we need security logs?
• Threat detection
• Incident response
• Compliance
• Vulnerability management

Capturing security logs
Storing (or not storing) logs locally:
• No correlation across sources
• Difficult to track
• Time-consuming during incident response
Sending logs to a SIEM:
• Centralized
• Analytics / threat detection
• Strong query capability

The growing amount and complexity of security logs
• Shift-left
• Adoption of cloud
• Two common responses:
  ◦ Drop less-important events
  ◦ Scale up the SIEM and send all events to it

SIEM is not the ultimate solution
• Too expensive
• Short retention period
• Difficult to integrate with other data processors
Data Lake

Data lake comes in
Data lake:
• Stores data at large scale
• Centralized data repository
• Turns raw data into useful data
• NOT a data archive
• NOT a database
Security data lake:
• Threat detection
• Event context
• Real-time alerts

How to start?
• Identify all your data sources
• Identify ingestion methods
• Evaluate your situation
  ◦ Engineering
  ◦ Threat hunting
  ◦ SIEM options
• Decide where the SIEM fits in

SIEM in the security data lake (diagram): connector split vs. source split

SIEM in the security data lake (diagram): data lake to SIEM vs. SIEM to data lake
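The ingestion and SIEM-placement decisions above can be made concrete in code. What follows is an added example, not the deck's or ExpressVPN's pipeline: it takes a batch of constructed events from three assumed sources (cloudtrail, vpcflow, guardduty), writes every event into a Hive-style "source=/year=/month=/day=/hour=" object layout as gzip NDJSON (held in memory here instead of being PUT to S3) so that Athena-style queries can prune partitions, and forwards only a policy-selected subset to the SIEM. This is the "data lake to SIEM" direction, with the forwarding policy standing in for the "drop less-important events" decision, except that nothing is actually dropped. The policy, source names and field names are assumptions.

```python
"""Lake-first ingestion: every event lands in a partitioned object layout;
only a policy-selected subset is forwarded to the SIEM.
Added example with constructed data; not the deck's own code."""
import gzip
import io
import json
from datetime import datetime, timezone

# Constructed sample events: {"source": ..., "time": ISO-8601 UTC, "payload": ...}.
RAW_EVENTS = [
    {"source": "cloudtrail", "time": "2023-03-29T08:15:00Z",
     "payload": {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com"}},
    {"source": "cloudtrail", "time": "2023-03-29T08:16:30Z",
     "payload": {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"}},
    {"source": "vpcflow", "time": "2023-03-29T09:01:00Z",
     "payload": {"action": "ACCEPT", "dstport": 443}},
    {"source": "vpcflow", "time": "2023-03-29T09:01:05Z",
     "payload": {"action": "REJECT", "dstport": 22}},
    {"source": "guardduty", "time": "2023-03-30T00:00:10Z",
     "payload": {"type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 8.0}},
]

# Assumed list of CloudTrail API calls worth SIEM cost and alerting latency.
HIGH_VALUE_CLOUDTRAIL = {"StopLogging", "DeleteTrail", "UpdateTrail", "CreateUser", "AttachUserPolicy"}

# Forwarding policy (assumed): which events leave the lake for the SIEM.
# Everything else stays queryable in the lake instead of being dropped.
SIEM_POLICY = {
    "cloudtrail": lambda p: p["eventName"] in HIGH_VALUE_CLOUDTRAIL,
    "vpcflow": lambda p: p["action"] == "REJECT",
    "guardduty": lambda p: True,
}


def partition_prefix(source, event_time):
    """Hive-style partition prefix derived from the event's own timestamp (UTC).
    Partitioning on event time rather than arrival time keeps late-arriving
    logs in the partition a hunter would actually query."""
    dt = datetime.fromisoformat(event_time.replace("Z", "+00:00")).astimezone(timezone.utc)
    return f"source={source}/year={dt:%Y}/month={dt:%m}/day={dt:%d}/hour={dt:%H}"


def build_lake_objects(events, part="part-0000.json.gz"):
    """Group events by partition and serialise each group as gzip NDJSON.
    Returns {object_key: bytes}; a real ingester would PUT these to S3."""
    groups = {}
    for event in events:
        groups.setdefault(partition_prefix(event["source"], event["time"]), []).append(event)
    objects = {}
    for prefix, group in groups.items():
        buf = io.BytesIO()
        with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
            for event in group:
                gz.write((json.dumps(event, separators=(",", ":")) + "\n").encode())
        objects[f"{prefix}/{part}"] = buf.getvalue()
    return objects


def read_lake_object(data):
    """Decode one gzip NDJSON object back into events (what a table scan sees)."""
    with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as gz:
        return [json.loads(line) for line in gz.read().decode().splitlines() if line]


def route_to_siem(events):
    """Subset of events the policy forwards to the SIEM. Sources with no policy
    entry stay lake-only, so an unexpected new source cannot blow up SIEM cost."""
    return [e for e in events if SIEM_POLICY.get(e["source"], lambda p: False)(e["payload"])]


def ingest(events):
    """Lake-first pipeline: everything to the lake, a subset onward to the SIEM."""
    return {"lake": build_lake_objects(events), "siem": route_to_siem(events)}


if __name__ == "__main__":
    result = ingest(RAW_EVENTS)
    for key in sorted(result["lake"]):
        print(key, len(read_lake_object(result["lake"][key])), "events")
    print("forwarded to SIEM:", [(e["source"], e["time"]) for e in result["siem"]])
```

Running the file prints three partition keys (one per source and hour) and the three forwarded events; all five events remain in the lake, so the two that never reach the SIEM can still be pulled into an investigation later.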
Threat hunting

Threat hunting life cycle in the data lake (diagram)

Detection as Code
• Better documentation
• Code repository / code review (GitOps)
• Common language
• Vendor agnostic

Detection as Code - Sigma (diagram)

Detection as Code - Sigma (diagram; targets shown: Splunk, Elasticsearch)
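To show what "common language" and "vendor agnostic" mean in practice for the Sigma slides above, here is an added example that is neither the deck's code nor the official Sigma tooling (sigma-cli / pySigma, which handle far more modifiers, backends and condition forms). A constructed Sigma-shaped rule, written as the Python dict form of a Sigma YAML file, is evaluated directly against constructed CloudTrail-shaped events (as you would over a batch read back from the lake) and rendered from the same rule object into a Splunk search and an Elasticsearch query_string. The rule, the allow-listed "TrailMaintenance" role, the account ID and the event contents are all assumptions.

```python
# Constructed rule in the dict form of a Sigma YAML file. Only equality and
# the |contains modifier are handled; anything else raises.
RULE = {
    "title": "CloudTrail logging tampered with",
    "logsource": {"product": "aws", "service": "cloudtrail"},
    "detection": {
        "selection": {
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail"],
        },
        # Assumed allow-listed automation role that legitimately edits trails.
        "filter_automation": {"userIdentity.arn|contains": "TrailMaintenance"},
        "condition": "selection and not filter_automation",
    },
}

# Constructed CloudTrail-shaped events, nested as they would sit in the lake.
def cloudtrail_event(event_source, event_name, role_session):
    return {"eventSource": event_source, "eventName": event_name,
            "userIdentity": {"arn": f"arn:aws:sts::111122223333:assumed-role/{role_session}"}}

EVENTS = [cloudtrail_event("cloudtrail.amazonaws.com", "StopLogging", "DevRole/alice"),
          cloudtrail_event("cloudtrail.amazonaws.com", "UpdateTrail", "TrailMaintenance/ci"),
          cloudtrail_event("s3.amazonaws.com", "PutObject", "DevRole/alice")]

def parse_condition(text):
    """Parse 'a and not b or c' into a tuple AST; precedence is not > and > or."""
    tokens = text.split()
    def parse_binary(op, operand):
        node = operand()
        while tokens and tokens[0] == op:
            tokens.pop(0)
            node = (op, node, operand())
        return node
    def parse_not():
        if not tokens or tokens[0] in ("and", "or"):
            raise ValueError(f"bad condition: {text!r}")
        tok = tokens.pop(0)
        return ("not", parse_not()) if tok == "not" else ("name", tok)
    ast = parse_binary("or", lambda: parse_binary("and", parse_not))
    if tokens:
        raise ValueError(f"trailing tokens in condition: {text!r}")
    return ast

def fold(ast, leaf, and_, or_, not_):
    """Walk the AST once; the callbacks decide whether we match events or render a query."""
    if ast[0] == "name":
        return leaf(ast[1])
    if ast[0] == "not":
        return not_(fold(ast[1], leaf, and_, or_, not_))
    combine = and_ if ast[0] == "and" else or_
    return combine(fold(ast[1], leaf, and_, or_, not_), fold(ast[2], leaf, and_, or_, not_))

def get_field(event, dotted):
    # Resolve 'userIdentity.arn' against nested dicts; None if absent.
    for part in dotted.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event

def field_terms(key, expected):
    # Normalise one selection entry to (field, modifier, [values as str]).
    field, _, modifier = key.partition("|")
    if modifier not in ("", "contains"):
        raise ValueError(f"unsupported Sigma modifier: {modifier!r}")
    values = expected if isinstance(expected, list) else [expected]
    return field, modifier, [str(v) for v in values]

def selection_matches(selection, event):
    """Sigma semantics: fields are ANDed; a list of values for one field is ORed."""
    for key, expected in selection.items():
        field, modifier, values = field_terms(key, expected)
        actual = get_field(event, field)
        if actual is None:
            return False
        if not any(v in str(actual) if modifier else v == str(actual) for v in values):
            return False
    return True

def rule_matches(rule, event):
    det = rule["detection"]
    return fold(parse_condition(det["condition"]), lambda n: selection_matches(det[n], event),
                lambda a, b: a and b, lambda a, b: a or b, lambda a: not a)

# How one term, AND and NOT are written per backend. Values are inserted
# verbatim; a real converter also escapes quotes and wildcard characters.
BACKENDS = {
    "splunk": {"eq": '{f}="{v}"', "contains": '{f}="*{v}*"', "and": " ", "not": "NOT "},
    "elasticsearch": {"eq": '{f}:"{v}"', "contains": "{f}:*{v}*", "and": " AND ", "not": "NOT "},
}

def render_selection(selection, be):
    clauses = []
    for key, expected in selection.items():
        field, modifier, values = field_terms(key, expected)
        terms = [be["contains" if modifier else "eq"].format(f=field, v=v) for v in values]
        clauses.append(terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")")
    return be["and"].join(clauses)

def render(rule, backend):
    """Render the same rule as a Splunk search or an Elasticsearch query_string."""
    be, det = BACKENDS[backend], rule["detection"]
    return fold(parse_condition(det["condition"]), lambda n: "(" + render_selection(det[n], be) + ")",
                lambda a, b: a + be["and"] + b, lambda a, b: "(" + a + " OR " + b + ")",
                lambda a: be["not"] + a)
```

The first event (StopLogging by a developer role) matches, the second is excluded by the filter, and the third never hits the selection; the same condition AST drives both the in-process match and the two rendered queries, which is what lets a rule reviewed once in Git ship to whichever SIEM is in front of the lake.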
Our Story

How do we build a security data lake? Technology
• Ingestion
• Storage
  ◦ S3
• Analytics
• Detection-as-code
  ◦ Sigma

How do we build a security data lake? Company
• SOC team
• IT team
• Security Engineering team
• Cross-team collaboration
• Security knowledge

Takeaway
• Evaluate your current state
• Start small
• Estimate cost
• Embrace IaC / DaC
• Don't forget about people

Thank you