SOC Update (22 Jun - 36 Jun 2020)
Progress / Completed Projects & Tasks
- Email Security Project
- SOC Interim DLP Strategy updates
- Presented the finding and proposed workflow for S3 buckets.with AWS infra .
- Account level block with exclusion is the short-term approach. Proposed workflow:
- Long term, we will pursue separate account only for s3 bucket that require public access and block across the board.
- Onboard tvlk-dev AWS accounts to SSO(on-going)
Plan / Work in progress
- SIEMonster Sec Prod Roll-out on AWS
- Corp-IT Linux Servers. (lib-goaudit, Wazuh, winlogbeat).
- Continue working on integrating other relevant log sources.
- Kaspersky AV logs and Ad-Audit Plus logs.
- AWS GuardDuty alert and log integration from central logs tvlk-audit account.
- Container Security
- Researching best practices, tools and processes.
- Windows AD Hardening
- Re-prioritizing hardening guide work related.
- Threat Detection Engineering
- Prioritise and publish Top 10 Windows Detection Rules following T2-DARS Framework.
- OpenSource EDR tools + DLP related capabilities
- On-going initial server deployment of velociraptor in AWS tlvk-prod (all user end-points +7k.)
- Continue working with deliverable in the SOC Interim DLP Strategy and tasks.
- End-point AV Kaspersky policy audit.
- Finalise AV Policy Config Document with the recommendations.
- Onboard tvlk-dev AWS accounts to SSO(on-going)
- Disabling and deleting all non-SSO on tvlk-left account (preparing communications and dead-line)
Roadblocks / Problems
- AWS Centralized logs Project tlvk-audit currently in hold.
- Infra-cloud under cost reduction project, will re-prioritise our projects.
Notable Incidents
SOC-165 Botnet Type behaviour from one source IP 10.10.22.6 towards 147.32.221.X subnet over port 445
Status: Contained. Old windows 7 unpatched system, with no antivirus. Performing further analysis on velociraptor dump (memory and files).
Details at : https://29022131.atlassian.net/browse/SOC-166