SOC Update (1 Jun - 5 Jun 2020)
Progress / Completed Projects & Tasks
- Threat Detection Engineering
- Email Security Project
  - Discussed project objectives and aligned with Corporate IT to initiate the PoC.
- SOC Interim DLP Strategy updates
  - Reached out to AWS Tech resources for best practices/tips on SCP S3 bucket block policies. Two options: account-level block with exclusions, or SCP with exclusions (testing completed on the account-level S3 restriction).
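As an added illustration of the second option (not part of the original update, and not a policy the team has published), the SCP below denies any principal in the attached accounts from changing or removing S3 Block Public Access at account or bucket level, with an exclusion for named roles. The role names are placeholders and which principals to exclude is an assumption; in the first option the exclusion is instead made by not applying the account-level setting (or the OU attachment) to the excluded accounts.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyChangingS3BlockPublicAccessExceptApprovedRoles",
      "Effect": "Deny",
      "Action": [
        "s3:PutAccountPublicAccessBlock",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:aws:iam::*:role/PLACEHOLDER-BreakGlassAdminRole",
            "arn:aws:iam::*:role/PLACEHOLDER-SecOpsRole"
          ]
        }
      }
    }
  ]
}
```

The two approaches complement each other: the account-level block (the S3 Control PutPublicAccessBlock setting with all four flags enabled) is what actually stops public ACLs and policies, but anyone holding s3:PutAccountPublicAccessBlock in that account can switch it back off, which is exactly the change the SCP guards against. SCPs do not apply to the organization's management account, so the block there has to be protected by IAM alone, and the excluded roles should have their use logged and reviewed in CloudTrail.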
Plan / Work in progress
- SIEMonster Sec Prod roll-out on AWS
  - Windows servers (Sysmon, Wazuh, winlogbeat) roll-out to all 80+ servers.
  - Continue working on integrating other relevant log sources.
    - Kaspersky AV logs and ADAudit Plus logs.
    - AWS GuardDuty alert and log integration from the central logs account, tvlk-audit.
- Email Security Project
- Threat Detection Engineering
  - Prioritise and publish the Top 10 Windows detection rules following the T2-DARS Framework.
- OpenSource EDR tools + DLP-related capabilities
  - Preparing the final architecture design for a large-scale deployment of Velociraptor in AWS tvlk-prod (all user end-points, 7k+).
  - Continue working on the deliverables and tasks in the SOC Interim DLP Strategy.
- End-point AV Kaspersky policy audit and deployment coverage review.
  - Finalise the AV Policy Config Document with the recommendations.
- Akamai WAF API JSON content fix on www and m.
- Onboard tvlk-dev and tvlk-data AWS accounts to SSO (on-going).
  - On-going migration of beiartf from tvlk-dev to the tvlk-build account.
  - Continue plan and actions to enforce SSO on the rest of the accounts.
Roadblocks / Problems
- AWS Centralized Logs Project (tvlk-audit) currently on hold.
- Infra-cloud is under a cost reduction project and will re-prioritise our projects.
Notable Incidents
None