Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Building Security Data Lake
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Richard Fan
December 13, 2023
Technology
0
17
Building Security Data Lake
vBrownBag podcast
Building Security Data Lake
https://youtu.be/6qQ7_asdI4I?si=CSsn0jz2vo00Y02Q
Richard Fan
December 13, 2023
Tweet
Share
More Decks by Richard Fan
See All by Richard Fan
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
46
Preserving privacy on data collaboration with AWS Clean Rooms
richardfan1126
0
49
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
140
When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS
richardfan1126
0
55
AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture
richardfan1126
0
67
Create your first AWS Nitro Enclaves application
richardfan1126
0
59
Other Decks in Technology
See All in Technology
外部キー制約の知っておいて欲しいこと - RDBMSを正しく使うために必要なこと / FOREIGN KEY Night
soudai
PRO
12
5.5k
【Oracle Cloud ウェビナー】[Oracle AI Database + AWS] Oracle Database@AWSで広がるクラウドの新たな選択肢とAI時代のデータ戦略
oracle4engineer
PRO
2
150
Oracle Cloud Observability and Management Platform - OCI 運用監視サービス概要 -
oracle4engineer
PRO
2
14k
プロダクト成長を支える開発基盤とスケールに伴う課題
yuu26
4
1.3k
AIと新時代を切り拓く。これからのSREとメルカリIBISの挑戦
0gm
0
1.5k
ファインディの横断SREがTakumi byGMOと取り組む、セキュリティと開発スピードの両立
rvirus0817
1
1.4k
M&A 後の統合をどう進めるか ─ ナレッジワーク × Poetics が実践した組織とシステムの融合
kworkdev
PRO
1
450
AWS Network Firewall Proxyを触ってみた
nagisa53
1
230
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
10k
コスト削減から「セキュリティと利便性」を担うプラットフォームへ
sansantech
PRO
3
1.5k
What happened to RubyGems and what can we learn?
mikemcquaid
0
300
Bill One 開発エンジニア 紹介資料
sansan33
PRO
5
17k
Featured
See All Featured
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3.3k
Large-scale JavaScript Application Architecture
addyosmani
515
110k
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
reverentgeek
1
340
VelocityConf: Rendering Performance Case Studies
addyosmani
333
24k
Visualization
eitanlees
150
17k
What does AI have to do with Human Rights?
axbom
PRO
0
2k
Building Applications with DynamoDB
mza
96
6.9k
KATA
mclloyd
PRO
34
15k
What Being in a Rock Band Can Teach Us About Real World SEO
427marketing
0
170
Art, The Web, and Tiny UX
lynnandtonic
304
21k
Leveraging Curiosity to Care for An Aging Population
cassininazir
1
160
Lightning Talk: Beautiful Slides for Beginners
inesmontani
PRO
1
440
Transcript
Building Security Data Lake Richard Fan March 29, 2023
EXPRESSVPN Richard Fan Security Engineer from ExpressVPN A Builder and
Tech advocate AWS Community Builder • https://dev.to/richardfan1126 • https://medium.com/@richardfan1126 • https://github.com/richardfan1126 Who am I?
Security Data
EXPRESSVPN What is security data? Security Data
EXPRESSVPN Why do we need Security logs? • Detect threat
• Incident response • Compliance • Vulnerability management Security Data
EXPRESSVPN Security Data Storing (or Not storing) locally • No
correlation • Difficult to track • Time consuming during incident response Send to SIEM • Centralized • Analytics / threat detection • Strong query capability Capturing security logs
EXPRESSVPN The growing amount/complexity of security logs • Shift-left •
Adoption of cloud • 2 common approaches ◦ Drop less-important events ◦ Scale-up SIEM and send all events to it Security Data
EXPRESSVPN SIEM is not an ultimate solution • Too expensive
• Short retention period • Difficult to integrate with other data processor Security Data
Data Lake
EXPRESSVPN Data Lake comes in Data Lake • Store data
in large scale • Centralize data repository • Turn raw data into useful data • NOT a data archive • NOT a database (Security) Data Lake Security Data Lake • Threat detection • Event context • Real-time alert
EXPRESSVPN How to start? • Identify all your data sources
• Identify ingestion methods • Evaluate your situation ◦ Engineering ◦ Threat hunting ◦ SIEM options • Decide where SIEM fits in Data Lake
EXPRESSVPN Connector split Source split Data Lake SIEM in Security
data lake
EXPRESSVPN Data lake to SIEM SIEM to Data lake Data
Lake SIEM in Security data lake
Threat hunting
EXPRESSVPN Threat hunting life cycle in data lake Threat hunting
EXPRESSVPN Detection as Code • Better documentation • Code repository
/ Code Review (GitOps) • Common language • Vendor agnostic Threat hunting
EXPRESSVPN Detection as Code - Sigma Threat hunting
EXPRESSVPN Detection as Code - Sigma Threat hunting Splunk Elasticsearch
Our Story
EXPRESSVPN How do we build security data lake? Technology •
Ingestion • Storage ◦ S3 • Analytics • Detection-as-code ◦ Sigma Our story
EXPRESSVPN How do we build security data lake? Company •
SOC team • IT team • Security Engineering team • Cross-team collaboration • Security knowledge Our story
EXPRESSVPN Takeaway • Evaluate your current state • Start small
• Estimate cost • Embrace IaC / DaC • Don’t forget about people Our story
Thank you
SiteGround - Reliable hosting with speed, security, and support you can count on.
richardfan1126
soudai
oracle4engineer
yuu26
0gm
rvirus0817
kworkdev
nagisa53
fullkaiten
sansantech
mikemcquaid
sansan33
eileencodes
addyosmani
reverentgeek
eitanlees
axbom
mza
mclloyd
427marketing
lynnandtonic
cassininazir
inesmontani
