SOC Update (06 Jul -10 Jul 2020)

Progress / Completed Projects & Tasks

Public S3 Buckets Access

Final communication post shared and agreed with Cloud Infra.
Published confluence procedure to follow
https://29022131.atlassian.net/wiki/spaces/S/pages/1431209201/AWS+S3+Public+Bucket+Public+Access+Request+Process

Email Security Project

Held follow up meeting with Mimecast to align for PoC

Hiring efforts

Conducted a couple of interviews.
Prepared Job Request forms and questions for greenhouse.

Plan / Work in progress

SIEMonster Sec Prod Roll-out on AWS

Corp-IT Linux Servers. (lib-goaudit, Wazuh, winlogbeat).
Continue working on integrating other relevant log sources.

Kaspersky AV logs and Ad-Audit Plus logs.

AWS GuardDuty alert and log integration from central logs tvlk-audit account.

CR in place https://github.com/traveloka/tvlk-audit-terraform-aws/issues/11

Container Security

Continue researching best practices, tools and processes.

Windows AD Hardening

Re-Prioritising hardening guide work related.

Threat Detection Engineering

Prioritise and publish Top 10 Windows Detection Rules following T2-DARS Framework.

OpenSource EDR tools + DLP related capabilities

On-going initial server deployment of velociraptor in AWS tlvk-prod (all user end-points +7k.)
Continue working with deliverable in the SOC Interim DLP Strategy and tasks.

End-point AV Kaspersky policy audit.

Finalise AV Policy Config Document with the recommendations.

PST AirAsia fraud case

Continue working stakeholders in the investigation.

Roadblocks / Problems

AWS Centralized logs Project tlvk-audit currently in hold.

Infra-cloud under cost reduction project, will re-prioritise our projects.

Notable Incidents
PST AirAsia fraud case
Status: Contained. On going investigation.