Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Building Security Data Lake
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Richard Fan
December 13, 2023
Technology
0
19
Building Security Data Lake
vBrownBag podcast
Building Security Data Lake
https://youtu.be/6qQ7_asdI4I?si=CSsn0jz2vo00Y02Q
Richard Fan
December 13, 2023
Tweet
Share
More Decks by Richard Fan
See All by Richard Fan
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
49
Preserving privacy on data collaboration with AWS Clean Rooms
richardfan1126
0
51
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
150
When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS
richardfan1126
0
56
AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture
richardfan1126
0
68
Create your first AWS Nitro Enclaves application
richardfan1126
0
61
Other Decks in Technology
See All in Technology
メタデータ同期に潜んでいた問題 〜 Cache Stampede 時の Cycle Wait を⾒つけた話
lycorptech_jp
PRO
0
150
新職業『オーケストレーター』誕生 — エージェント10体を同時に回すAgentOps
gunta
3
830
チームメンバー迷わないIaC設計
hayama17
5
3.7k
「ストレッチゾーンに挑戦し続ける」ことって難しくないですか? メンバーの持続的成長を支えるEMの環境設計
sansantech
PRO
1
270
研究開発部メンバーの働き⽅ / Sansan R&D Profile
sansan33
PRO
4
22k
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
44k
A Gentle Introduction to Transformers
keio_smilab
PRO
1
100
マネージャー版 "提案のレベル" を上げる
konifar
16
12k
Datadog Cloud Cost Management で実現するFinOps
taiponrock
PRO
0
130
どこで打鍵するのが良い? IaCの実行基盤選定について
nrinetcom
PRO
2
160
「使いにくい」も「運用疲れ」も卒業する UIデザイナーとエンジニアが創る持続可能な内製開発
nrinetcom
PRO
1
770
自動テストが巻き起こした開発プロセス・チームの変化 / Impact of Automated Testing on Development Cycles and Team Dynamics
codmoninc
1
1k
Featured
See All Featured
SERP Conf. Vienna - Web Accessibility: Optimizing for Inclusivity and SEO
sarafernandez
1
1.3k
GitHub's CSS Performance
jonrohan
1032
470k
The Language of Interfaces
destraynor
162
26k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
How to Think Like a Performance Engineer
csswizardry
28
2.5k
Crafting Experiences
bethany
1
75
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
47
8k
How to Grow Your eCommerce with AI & Automation
katarinadahlin
PRO
1
130
Code Review Best Practice
trishagee
74
20k
Prompt Engineering for Job Search
mfonobong
0
180
Accessibility Awareness
sabderemane
0
72
Docker and Python
trallard
47
3.8k
Transcript
Building Security Data Lake Richard Fan March 29, 2023
EXPRESSVPN Richard Fan Security Engineer from ExpressVPN A Builder and
Tech advocate AWS Community Builder • https://dev.to/richardfan1126 • https://medium.com/@richardfan1126 • https://github.com/richardfan1126 Who am I?
Security Data
EXPRESSVPN What is security data? Security Data
EXPRESSVPN Why do we need Security logs? • Detect threat
• Incident response • Compliance • Vulnerability management Security Data
EXPRESSVPN Security Data Storing (or Not storing) locally • No
correlation • Difficult to track • Time consuming during incident response Send to SIEM • Centralized • Analytics / threat detection • Strong query capability Capturing security logs
EXPRESSVPN The growing amount/complexity of security logs • Shift-left •
Adoption of cloud • 2 common approaches ◦ Drop less-important events ◦ Scale-up SIEM and send all events to it Security Data
EXPRESSVPN SIEM is not an ultimate solution • Too expensive
• Short retention period • Difficult to integrate with other data processor Security Data
Data Lake
EXPRESSVPN Data Lake comes in Data Lake • Store data
in large scale • Centralize data repository • Turn raw data into useful data • NOT a data archive • NOT a database (Security) Data Lake Security Data Lake • Threat detection • Event context • Real-time alert
EXPRESSVPN How to start? • Identify all your data sources
• Identify ingestion methods • Evaluate your situation ◦ Engineering ◦ Threat hunting ◦ SIEM options • Decide where SIEM fits in Data Lake
EXPRESSVPN Connector split Source split Data Lake SIEM in Security
data lake
EXPRESSVPN Data lake to SIEM SIEM to Data lake Data
Lake SIEM in Security data lake
Threat hunting
EXPRESSVPN Threat hunting life cycle in data lake Threat hunting
EXPRESSVPN Detection as Code • Better documentation • Code repository
/ Code Review (GitOps) • Common language • Vendor agnostic Threat hunting
EXPRESSVPN Detection as Code - Sigma Threat hunting
EXPRESSVPN Detection as Code - Sigma Threat hunting Splunk Elasticsearch
Our Story
EXPRESSVPN How do we build security data lake? Technology •
Ingestion • Storage ◦ S3 • Analytics • Detection-as-code ◦ Sigma Our story
EXPRESSVPN How do we build security data lake? Company •
SOC team • IT team • Security Engineering team • Cross-team collaboration • Security knowledge Our story
EXPRESSVPN Takeaway • Evaluate your current state • Start small
• Estimate cost • Embrace IaC / DaC • Don’t forget about people Our story
Thank you
richardfan1126
lycorptech_jp
gunta
hayama17
sansantech
sansan33
safie_recruit
keio_smilab
konifar
taiponrock
nrinetcom
codmoninc
sarafernandez
jonrohan
destraynor
marcelosomers
csswizardry
bethany
eileencodes
katarinadahlin
trishagee
mfonobong
sabderemane
trallard
