Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Building Security Data Lake
Search
Richard Fan
December 13, 2023
Technology
0
16
Building Security Data Lake
vBrownBag podcast
Building Security Data Lake
https://youtu.be/6qQ7_asdI4I?si=CSsn0jz2vo00Y02Q
Richard Fan
December 13, 2023
Tweet
Share
More Decks by Richard Fan
See All by Richard Fan
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
33
Preserving privacy on data collaboration with AWS Clean Rooms
richardfan1126
0
39
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
110
When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS
richardfan1126
0
50
AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture
richardfan1126
0
53
Create your first AWS Nitro Enclaves application
richardfan1126
0
47
Other Decks in Technology
See All in Technology
How Community Opened Global Doors
hiroramos4
PRO
1
110
AIの最新技術&テーマをつまんで紹介&フリートークするシリーズ #1 量子機械学習の入門
tkhresk
0
130
Model Mondays S2E02: Model Context Protocol
nitya
0
220
プロダクトエンジニアリング組織への歩み、その現在地 / Our journey to becoming a product engineering organization
hiro_torii
0
130
Snowflake Summit 2025全体振り返り / Snowflake Summit 2025 Overall Review
mtpooh
2
390
Definition of Done
kawaguti
PRO
6
480
生成AIで小説を書くためにプロンプトの制約や原則について学ぶ / prompt-engineering-for-ai-fiction
nwiizo
3
920
IIWレポートからみるID業界で話題のMCP
fujie
0
780
Node-REDのFunctionノードでMCPサーバーの実装を試してみた / Node-RED × MCP 勉強会 vol.1
you
PRO
0
110
生成AIでwebアプリケーションを作ってみた
tajimon
2
140
Кто отправит outbox? Валентин Удальцов, автор канала Пых
lamodatech
0
330
MySQL5.6から8.4へ 戦いの記録
kyoshidaxx
1
200
Featured
See All Featured
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
2.9k
Optimizing for Happiness
mojombo
379
70k
BBQ
matthewcrist
89
9.7k
Docker and Python
trallard
44
3.4k
Adopting Sorbet at Scale
ufuk
77
9.4k
Thoughts on Productivity
jonyablonski
69
4.7k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
124
52k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
161
15k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
22k
4 Signs Your Business is Dying
shpigford
184
22k
Making the Leap to Tech Lead
cromwellryan
134
9.3k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Transcript
Building Security Data Lake Richard Fan March 29, 2023
EXPRESSVPN Richard Fan Security Engineer from ExpressVPN A Builder and
Tech advocate AWS Community Builder • https://dev.to/richardfan1126 • https://medium.com/@richardfan1126 • https://github.com/richardfan1126 Who am I?
Security Data
EXPRESSVPN What is security data? Security Data
EXPRESSVPN Why do we need Security logs? • Detect threat
• Incident response • Compliance • Vulnerability management Security Data
EXPRESSVPN Security Data Storing (or Not storing) locally • No
correlation • Difficult to track • Time consuming during incident response Send to SIEM • Centralized • Analytics / threat detection • Strong query capability Capturing security logs
EXPRESSVPN The growing amount/complexity of security logs • Shift-left •
Adoption of cloud • 2 common approaches ◦ Drop less-important events ◦ Scale-up SIEM and send all events to it Security Data
EXPRESSVPN SIEM is not an ultimate solution • Too expensive
• Short retention period • Difficult to integrate with other data processor Security Data
Data Lake
EXPRESSVPN Data Lake comes in Data Lake • Store data
in large scale • Centralize data repository • Turn raw data into useful data • NOT a data archive • NOT a database (Security) Data Lake Security Data Lake • Threat detection • Event context • Real-time alert
EXPRESSVPN How to start? • Identify all your data sources
• Identify ingestion methods • Evaluate your situation ◦ Engineering ◦ Threat hunting ◦ SIEM options • Decide where SIEM fits in Data Lake
EXPRESSVPN Connector split Source split Data Lake SIEM in Security
data lake
EXPRESSVPN Data lake to SIEM SIEM to Data lake Data
Lake SIEM in Security data lake
Threat hunting
EXPRESSVPN Threat hunting life cycle in data lake Threat hunting
EXPRESSVPN Detection as Code • Better documentation • Code repository
/ Code Review (GitOps) • Common language • Vendor agnostic Threat hunting
EXPRESSVPN Detection as Code - Sigma Threat hunting
EXPRESSVPN Detection as Code - Sigma Threat hunting Splunk Elasticsearch
Our Story
EXPRESSVPN How do we build security data lake? Technology •
Ingestion • Storage ◦ S3 • Analytics • Detection-as-code ◦ Sigma Our story
EXPRESSVPN How do we build security data lake? Company •
SOC team • IT team • Security Engineering team • Cross-team collaboration • Security knowledge Our story
EXPRESSVPN Takeaway • Evaluate your current state • Start small
• Estimate cost • Embrace IaC / DaC • Don’t forget about people Our story
Thank you
richardfan1126
hiroramos4
tkhresk
nitya
.jpg){kind=avatar}
hiro_torii
mtpooh
kawaguti
nwiizo
fujie
you
tajimon
lamodatech
kyoshidaxx
eileencodes
mojombo
matthewcrist
trallard
ufuk
jonyablonski
aki_iinuma
sstephenson
caitiem20
shpigford
cromwellryan
garrettdimon
