SOC Update (4 May - 8 May 2020)
Progress / Completed Projects & Tasks
- SIEMonster Sec Prod Roll-out
- TheHive and Cortex internal documentation.
- UTM hardening part 1 applied to the VN, MY, TH, PH and India UTMs; logs are being collected.
- tvlk-dev clean-up + SSO enforcement.
- Reviewed tvlk-dev user activity over the past 15 days and over 30+ days.
- Out of 546 users, 388 have not logged into tvlk-dev in the last 15 days, and 114 have not logged in at all this year.
- Discussed the plan of action; prepared and sent a notice to the tvlk-dev PICs.
- SOC DLP strategy document published in Confluence.
Plan / Work in progress
- SIEMonster Sec Prod Roll-out on AWS
- Windows servers: roll out Sysmon, Wazuh and Winlogbeat agents to all 80+ servers.
- Continue working on integrating other relevant log sources.
- Kaspersky AV logs and ADAudit Plus logs.
- AWS GuardDuty logs and Cloud Conformity alerts from the central logging account (tvlk-audit).
- Continue testing open-source EDR tools and their DLP-related capabilities (Velociraptor vs osquery).
- Assess how the candidate solutions fit our DLP needs alongside the existing UTM and email DLP capabilities, Kaspersky AV, Kaseya and GCP features.
- Kaspersky endpoint AV policy audit and deployment coverage review.
- Finalise the AV policy configuration document with recommendations.
- Linux Hardening Golden AMI tools
- Helping Ravi review and finalise the hardening scripts (Ansible, Bash and OVAL).
- Onboard the tvlk-dev and tvlk-data AWS accounts to SSO (ongoing).
- Waiting on PICs to clean up accounts inactive for 15 days or more. Deadline: 15 May.
- After that we will enforce SSO and disable the remaining inactive accounts.
- Phralad Ram stepped out to try to help with the enforcement.
- Need to align with Johanes and HR to fix the off-boarding procedure going forward, for this and the other AWS accounts.
- Akamai WAF rule-set upgrade (major release).
- Akamai WAF IP Reputation module CR on hold.
- We will re-align with the FE team first to confirm whether they have the resources to re-engage with us on this.
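Added example (not part of the original report) covering both the tvlk-dev inactivity review listed under completed work and the planned SSO enforcement / disabling of inactive accounts: the script below classifies IAM users from an IAM credential report into the same buckets the report uses (active within 15 days, inactive 15+ days, no login this year) and drafts reversible revocation steps. The CSV column layout and CLI calls are AWS's; the sample rows, user names, account ID, 15-day window and 8 May 2020 reference date are constructed assumptions.

```python
"""Inactive-user review from an IAM credential report (added example, constructed data).

In a real account the report is fetched with:
    aws iam generate-credential-report
    aws iam get-credential-report --query Content --output text | base64 -d > report.csv
Here a small constructed report in the same column layout is embedded so the script runs offline.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows (fictional users, fictional account ID 111111111111); not real data.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2017-01-01T00:00:00+00:00,not_supported,2020-05-01T00:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2018-03-01T00:00:00+00:00,true,2020-05-06T08:12:00+00:00,2020-02-01T00:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2018-03-01T00:00:00+00:00,true,2020-04-10T09:00:00+00:00,2019-12-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::111111111111:user/carol,2019-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-01-10T00:00:00+00:00,2020-05-07T11:30:00+00:00,ap-southeast-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
dave,arn:aws:iam::111111111111:user/dave,2017-08-01T00:00:00+00:00,true,2019-11-20T14:00:00+00:00,2019-06-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
erin,arn:aws:iam::111111111111:user/erin,2020-01-20T00:00:00+00:00,true,no_information,2020-01-20T00:00:00+00:00,N/A,false,true,2020-01-20T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
frank,arn:aws:iam::111111111111:user/frank,2018-01-01T00:00:00+00:00,true,2020-01-15T10:00:00+00:00,2020-01-01T00:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,true,2020-03-01T00:00:00+00:00,2020-04-30T16:45:00+00:00,ap-southeast-1,ec2,false,N/A,false,N/A
"""

# Reference date for the review window: end of this report week (assumption).
AS_OF = datetime(2020, 5, 8, tzinfo=timezone.utc)


def parse_ts(value):
    """ISO-8601 report timestamp -> aware datetime; N/A, no_information, not_supported -> None."""
    try:
        return datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def last_activity(row):
    """Latest console login or access-key use; None if the user never authenticated."""
    fields = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")
    stamps = [ts for ts in (parse_ts(row.get(f)) for f in fields) if ts is not None]
    return max(stamps) if stamps else None


def classify_users(report_csv, as_of=AS_OF, inactive_days=15):
    """Bucket users: active within the window, inactive 15+ days, no login this year.

    The root account is skipped (no login profile or keys to disable; handled separately).
    'no_login_this_year' is a subset of 'inactive_15d_plus', as in the report's figures.
    """
    cutoff = as_of - timedelta(days=inactive_days)
    year_start = as_of.replace(month=1, day=1, hour=0, minute=0, second=0, microsecond=0)
    buckets = {"active": [], "inactive_15d_plus": [], "no_login_this_year": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            continue
        seen = last_activity(row)
        if seen is not None and seen >= cutoff:
            buckets["active"].append(user)
            continue
        buckets["inactive_15d_plus"].append(user)
        if seen is None or seen < year_start:
            buckets["no_login_this_year"].append(user)
    return buckets


def disable_plan(report_csv, users):
    """Draft reversible revocation steps per user: remove the console password and deactivate
    (not delete) access keys, so a mistaken disable can be undone.
    Key IDs are not in the credential report; fetch them with `aws iam list-access-keys`.
    """
    rows = {row["user"]: row for row in csv.DictReader(io.StringIO(report_csv))}
    actions = []
    for user in users:
        row = rows[user]
        if row.get("password_enabled") == "true":
            actions.append(f"aws iam delete-login-profile --user-name {user}")
        for n in ("1", "2"):
            if row.get(f"access_key_{n}_active") == "true":
                actions.append(
                    f"aws iam update-access-key --user-name {user} "
                    f"--access-key-id <KEY_ID_{n}> --status Inactive"  # placeholder key ID
                )
    return actions


if __name__ == "__main__":
    result = classify_users(SAMPLE_REPORT)
    total = len(result["active"]) + len(result["inactive_15d_plus"])
    for bucket, names in result.items():
        print(f"{bucket}: {len(names)}/{total} -> {', '.join(names)}")
    print("\n".join(disable_plan(SAMPLE_REPORT, result["inactive_15d_plus"])))
```

Two details matter for the real review: a user who only ever used access keys (carol, frank) shows `N/A` or an old date under `password_last_used`, so counting console logins alone would flag active automation users; and `no_information` / `N/A` are treated as "never", which is why erin lands in the no-login-this-year bucket even though her account was created this year.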
Roadblocks / Problems
- AWS centralised logging project (tvlk-audit) currently on hold.
- Infra-cloud is under a cost-reduction project.
- DataDome
- Experiencing resistance to re-enabling it in a timely fashion (backlog).
Notable Incidents
SOC-150: Corporate users found in Tokopedia leak
Status: Remediated. Affected users have been notified and forced to reset their passwords. Total: 40 active accounts only.
Tokopedia leak impact assessment
Status: The User team is helping review and cross-check the affected accounts.
Latest update:
1.1 million of the leaked email addresses and 1.2 million of the leaked phone numbers match Traveloka accounts. Against 15 million accounts, that is ~7.33% overlap (by email).
- We are currently checking the risk scores of these PIDs.
- The plan is to force log-out and password reset for PIDs with a high risk score, and to send a change-your-password awareness communication to the rest.
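Added example (not part of the original report) of the email/phone cross-check behind the impact figures above. The leaked rows and the user records are constructed; the +62 default country code, the identifier normalisation rules and the hash-based comparison are assumptions about how the check is run, not a description of the actual process.

```python
"""Cross-check a breach dump against the user base (added example, constructed data).

Identifiers are normalised and hashed so the raw dump never sits beside production data and
the comparison is insensitive to formatting (email case, phone punctuation, 08xx vs +628xx).
"""
import hashlib
import re

# Constructed sample of leaked (email, phone) pairs; not data from the real leak.
LEAK_ROWS = [
    ("dewi@example.com", "+62 812-3456-7890"),
    ("Budi.Santoso@Example.COM", "081298765432"),
    ("nobody@example.org", "0856 1111 2222"),
    ("rina@example.net", "+6281377778888"),
    ("x@example.com", "+1 555 0100"),
]

# Constructed sample of our own (pid, email, phone) records; fictional.
USERS = [
    ("PID-001", "dewi@example.com", "081234567890"),
    ("PID-002", "budi.santoso@example.com", "0812 9999 0000"),
    ("PID-003", "tono@example.com", "085611112222"),
    ("PID-004", "rina@example.net", "+62 813 7777 8888"),
    ("PID-005", "sari@example.com", "081355556666"),
    ("PID-006", "agus@example.com", "081300001111"),
]


def norm_email(value):
    """Trim and case-fold; the local part is treated case-insensitively (common practice)."""
    value = (value or "").strip().lower()
    return value if "@" in value else None


def norm_phone(value, default_cc="62"):
    """Keep digits only and expand a national 0-prefix to the assumed default country code."""
    digits = re.sub(r"\D", "", value or "")
    if not digits:
        return None
    if digits.startswith("00"):   # international dialling prefix
        digits = digits[2:]
    elif digits.startswith("0"):  # national trunk prefix
        digits = default_cc + digits[1:]
    return digits


def fingerprint(kind, value):
    """SHA-256 of 'kind:normalised value'; the prefix keeps email and phone spaces apart."""
    return hashlib.sha256(f"{kind}:{value}".encode()).hexdigest()


def leak_fingerprints(rows):
    """Reduce the dump to a set of fingerprints; this is the only form that needs to be kept."""
    fps = set()
    for email, phone in rows:
        e, p = norm_email(email), norm_phone(phone)
        if e:
            fps.add(fingerprint("email", e))
        if p:
            fps.add(fingerprint("phone", p))
    return fps


def assess_overlap(users, fps):
    """Split users by which identifier appears in the dump and compute the overlap ratio."""
    result = {"both": [], "email_only": [], "phone_only": [], "ratio": 0.0}
    for pid, email, phone in users:
        e, p = norm_email(email), norm_phone(phone)
        em = e is not None and fingerprint("email", e) in fps
        ph = p is not None and fingerprint("phone", p) in fps
        if em and ph:
            result["both"].append(pid)
        elif em:
            result["email_only"].append(pid)
        elif ph:
            result["phone_only"].append(pid)
    matched = len(result["both"]) + len(result["email_only"]) + len(result["phone_only"])
    result["ratio"] = matched / len(users) if users else 0.0
    return result


if __name__ == "__main__":
    summary = assess_overlap(USERS, leak_fingerprints(LEAK_ROWS))
    print(summary)
```

The PID lists are what the forced log-out / reset step would consume; the risk-scoring step mentioned above is not modelled here. Note that hashing a phone number gives no real confidentiality (the keyspace is small enough to brute-force), so the fingerprint set still has to be handled as sensitive data; its purpose is only to keep the raw dump out of the environment where the comparison runs.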