SIEMonster Sec Prod Roll-out on AWS

Configured and published final sysmon config to be rolled out.

https://github.com/erictvlk/tlvk-sysmon

Akamai WAF IP Reputation Module

Followed and publish notice to all stake-holder to review findings in the last 90 days.
Held initial Client Reputation Session.

SIEMonster Sec Prod Roll-out on AWS

Continue working on remote log collector set-up and on-boarding agents.

End-point AV Kaspersky policy audit and deployment number review.
Linux Hardening Golden AMI tools

Helping Ravi finalising Ubuntu Hardening Standard Doc and hardening scripts accordingly %60 completed.

https://drive.google.com/open?id=1AD72pIf7RidXH3oPjzqmXjxs3vQ2rWS2

Exploring tools to provide actionable scriptable hardening.

Oval + Vulns + Ansible.

Project page

https://29022131.atlassian.net/wiki/spaces/S/pages/1167196905/Project+ISS+Hardening+Pof+Amazon+Linux

Onboard tvlk-dev and tvlk-data AWS accounts to SAML (on-going)

https://29022131.atlassian.net/browse/SOC-35
Little progress in tvlk-dev.

Delegates resistance from taking ownership.
To generate report of last 30 days user accounts usage. Will single up owners and managers to comply.

Incident Playbooks , SoP in the works.

Site-to-Site VPN tunnel

Roadblocks / Problems
None

Notable Incidents

SOC-134 eci-train-public-repo AWS Key Leak
Incident RCA: https://drive.google.com/open?id=1Yo5hH6BW8kutajQ07NSKh12Z8VmdFkFP
Status: Contained and closed. Repo exposed was removed from public. Exposure time was minimal. No evidence of abuse of the keys exposed were found.
https://29022131.atlassian.net/browse/SOC-134

SOC-137 Possible Database dump posted in Twitter
Incident RCA: WIP
Status: Contained. Jira configuration has been changed disallow external registration and all accounts have been revised. No suspicious users found besides the Offensive Sec users and bug hunter which have been removed.
https://29022131.atlassian.net/browse/SOC-137

SOC Update (30 March-3 Apr 2020)