Building Security Data Lake
Richard Fan
December 13, 2023
Technology
vBrownBag podcast: Building Security Data Lake
https://youtu.be/6qQ7_asdI4I?si=CSsn0jz2vo00Y02Q
Transcript
Building Security Data Lake
Richard Fan
March 29, 2023
Who am I?
Richard Fan, Security Engineer at ExpressVPN
A builder and tech advocate; AWS Community Builder
• https://dev.to/richardfan1126
• https://medium.com/@richardfan1126
• https://github.com/richardfan1126
Security Data
What is security data?
Why do we need security logs?
• Detect threats
• Incident response
• Compliance
• Vulnerability management
Capturing security logs
Storing (or not storing) locally:
• No correlation
• Difficult to track
• Time-consuming during incident response
Sending to a SIEM:
• Centralized
• Analytics / threat detection
• Strong query capability
The growing amount and complexity of security logs
• Shift-left
• Adoption of cloud
• Two common approaches:
◦ Drop less-important events
◦ Scale up the SIEM and send all events to it
SIEM is not the ultimate solution
• Too expensive
• Short retention period
• Difficult to integrate with other data processors
Data Lake
Data Lake comes in
Data Lake:
• Store data at large scale
• Centralized data repository
• Turn raw data into useful data
• NOT a data archive
• NOT a database
Security Data Lake:
• Threat detection
• Event context
• Real-time alerts
How to start?
• Identify all your data sources
• Identify ingestion methods
• Evaluate your situation
◦ Engineering
◦ Threat hunting
◦ SIEM options
• Decide where the SIEM fits in
SIEM in the security data lake: connector split vs. source split (diagram)
SIEM in the security data lake: data lake to SIEM vs. SIEM to data lake (diagram)
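The two slides above only show where the SIEM sits relative to the lake. As an added example (not from the deck and not ExpressVPN's pipeline), the following Python shows one reading of the "source split" pattern: every source lands in S3 under a Hive-style partition so Athena-style engines can prune by source, day and hour; only the sources that justify SIEM cost are also forwarded; and high-volume read-only CloudTrail calls stay lake-only, which is the "drop less-important events" trade-off made without losing the data. The bucket name, the SIEM source list, the read-only prefixes and the sample events are assumptions made for the illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

LAKE_BUCKET = "security-lake-raw"                 # assumed bucket name
SIEM_SOURCES = {"cloudtrail", "okta", "edr"}       # assumed: sources worth the SIEM cost
READ_ONLY_PREFIXES = ("Describe", "List", "Get")   # CloudTrail read-only API calls


def partition_prefix(source, event_time):
    """Hive-style partition path so a query engine can prune by source, day and hour."""
    ts = datetime.fromisoformat(event_time.replace("Z", "+00:00")).astimezone(timezone.utc)
    return f"source={source}/year={ts:%Y}/month={ts:%m}/day={ts:%d}/hour={ts:%H}"


def siem_wanted(source, event):
    """Source split: every source lands in the lake; only selected sources are also
    forwarded, and high-volume read-only CloudTrail calls stay lake-only."""
    if source not in SIEM_SOURCES:
        return False
    if source == "cloudtrail" and event.get("eventName", "").startswith(READ_ONLY_PREFIXES):
        return False
    return True


def route(source, event):
    """Decide where one raw event goes: the lake always, the SIEM by policy."""
    return {"partition": partition_prefix(source, event["eventTime"]),
            "to_siem": siem_wanted(source, event)}


def batch_by_partition(records):
    """Group (source, event) pairs into NDJSON object bodies, one per partition.

    The object name is a hash of the body, so a retried delivery of the same
    batch overwrites itself instead of duplicating events in the lake."""
    bodies = {}
    for source, event in records:
        bodies.setdefault(route(source, event)["partition"], []).append(
            json.dumps(event, sort_keys=True, separators=(",", ":")))
    objects = {}
    for prefix, lines in bodies.items():
        body = "\n".join(lines) + "\n"
        digest = hashlib.sha256(body.encode()).hexdigest()[:16]
        objects[f"s3://{LAKE_BUCKET}/{prefix}/{digest}.json"] = body
    return objects


# Constructed sample events (not real log data).
SAMPLE = [
    ("cloudtrail", {"eventTime": "2023-03-29T10:15:00Z", "eventName": "ConsoleLogin",
                    "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    ("cloudtrail", {"eventTime": "2023-03-29T10:16:30Z", "eventName": "DescribeInstances",
                    "userIdentity": {"type": "AssumedRole"}}),
    ("vpcflow", {"eventTime": "2023-03-29T11:00:00Z", "srcaddr": "10.0.0.5", "dstport": 443}),
]

if __name__ == "__main__":
    for source, event in SAMPLE:
        print(source, route(source, event))
    for uri, body in batch_by_partition(SAMPLE).items():
        print(uri, body.count("\n"), "events")
```

The routing policy is the part worth keeping under version control: it is the explicit record of what the SIEM sees and what is only answerable from the lake, which matters during an incident when someone asks why an event never raised an alert.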
Threat hunting
Threat hunting life cycle in the data lake (diagram)
Detection as Code
• Better documentation
• Code repository / code review (GitOps)
• Common language
• Vendor agnostic
Detection as Code - Sigma
Detection as Code - Sigma: the same rule converted for Splunk and Elasticsearch (diagram)
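The Sigma slides above show one rule being converted for Splunk and Elasticsearch. As an added example (not the deck's or ExpressVPN's code, and not the pySigma library), the following Python keeps a hypothetical Sigma-style rule as a dict that mirrors the YAML layout, evaluates it offline against constructed CloudTrail-like events, and renders the same rule as Splunk SPL and as an Elasticsearch query_string. The rule, the events and the mini-converter are assumptions made for the illustration; it supports the common modifiers (contains, startswith, endswith), value lists and parenthesised conditions, which is more than the slide shows.

```python
# Hypothetical Sigma-style rule laid out as its YAML would be: AWS console login without MFA.
RULE = {
    "title": "AWS Console Login Without MFA",
    "logsource": {"product": "aws", "service": "cloudtrail"},
    "detection": {
        "selection": {"eventName": "ConsoleLogin", "additionalEventData.MFAUsed": "No"},
        "filter_root": {"userIdentity.type": "Root"},  # exclude the root user
        "condition": "selection and not filter_root",
    },
}
# Constructed CloudTrail-like events (not real log data).
EVENTS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e2", "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "Yes"},
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "e3", "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "Root"}},
]


def flatten(event, prefix=""):
    """Flatten nested JSON into the dotted field names Sigma rules use."""
    out = {}
    for key, value in event.items():
        if isinstance(value, dict):
            out.update(flatten(value, prefix + key + "."))
        else:
            out[prefix + key] = value
    return out


def _match_value(actual, expected, modifier):
    """Apply one Sigma value modifier; the default is an exact, case-sensitive match."""
    if actual is None:
        return False
    actual, expected = str(actual), str(expected)
    return {"contains": expected in actual, "startswith": actual.startswith(expected),
            "endswith": actual.endswith(expected)}.get(modifier, actual == expected)


def selection_matches(selection, flat):
    """Fields within a selection are ANDed; a list of values for one field is ORed."""
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(flat.get(field), v, modifier) for v in values):
            return False
    return True


def eval_condition(condition, truth):
    """Evaluate a condition like 'a and not (b or c)' over selection results, without eval()."""
    tokens, pos = condition.replace("(", " ( ").replace(")", " ) ").split(), 0
    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = expr_or()
            pos += 1  # consume the closing ')'
            return value
        return (not atom()) if tok == "not" else truth[tok]
    def chain(operand, keyword, combine):  # left-associative chain of one operator
        nonlocal pos
        value = operand()
        while pos < len(tokens) and tokens[pos] == keyword:
            pos += 1
            value = combine(value, operand())
        return value
    expr_and = lambda: chain(atom, "and", lambda a, b: a and b)
    expr_or = lambda: chain(expr_and, "or", lambda a, b: a or b)
    return expr_or()


def run_rule(rule, events):
    """Return the eventIDs of the events the rule fires on."""
    det = rule["detection"]
    def fires(ev):
        flat = flatten(ev)
        truth = {n: selection_matches(s, flat) for n, s in det.items() if n != "condition"}
        return eval_condition(det["condition"], truth)
    return [ev["eventID"] for ev in events if fires(ev)]


def _render_selection(selection, backend):
    parts = []
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        rendered = []
        for v in values:  # modifiers become wildcards in both query languages
            v = {"contains": f"*{v}*", "startswith": f"{v}*", "endswith": f"*{v}"}.get(modifier, str(v))
            rendered.append(f'{field}="{v}"' if backend == "splunk" else f"{field}:{v}")
        parts.append(rendered[0] if len(rendered) == 1 else "(" + " OR ".join(rendered) + ")")
    return " AND ".join(parts)


def to_query(rule, backend):
    """Render the same rule as Splunk SPL or an Elasticsearch query_string (no value escaping)."""
    det = rule["detection"]
    words = {"and": "AND", "or": "OR", "not": "NOT", "(": "(", ")": ")"}
    return " ".join(words.get(t) or "(" + _render_selection(det[t], backend) + ")"
                    for t in det["condition"].replace("(", " ( ").replace(")", " ) ").split())
```

Running `run_rule(RULE, EVENTS)` fires only on the IAM user without MFA; the root login is suppressed by the filter and the MFA login never matches the selection. In a real pipeline the rule is YAML in a reviewed repository and a pySigma backend handles escaping, field-name mapping and the full modifier set this toy ignores; the point the slide makes is that the detection logic is written and tested once, before either backend ever sees it.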
Our Story
How do we build our security data lake? Technology
• Ingestion
• Storage
◦ S3
• Analytics
• Detection-as-code
◦ Sigma
How do we build our security data lake? Company
• SOC team
• IT team
• Security Engineering team
• Cross-team collaboration
• Security knowledge
Takeaway
• Evaluate your current state
• Start small
• Estimate cost
• Embrace IaC / DaC
• Don't forget about people
Thank you