SOC Update (13 Jul -17 Jul 2020)
Progress / Completed Projects & Tasks
- Clean-up of tvlk-dev AWS accounts (Completed)
  - Notice crafted and sent to all; major enforcement completed on 07/17.
- Email Security Project
  - Held follow-up meeting with Mimecast to align on the PoC. MNDA submitted to legal for review and contract.
- SIEMonster Sec Prod Roll-out on AWS
  - AD-Audit Plus logs pushed to ELK.
- Windows AD Hardening
- Hiring efforts
  - Conducted final interview with Siva. Followed up with other candidates.
Plan / Work in progress
- SIEMonster Sec Prod Roll-out on AWS
  - Corp-IT Linux servers (lib-goaudit, Wazuh, winlogbeat).
  - Continue working on integrating other relevant log sources.
  - AWS GuardDuty alert and log integration from the central logs tvlk-audit account.
- Container Security
- Windows AD Hardening
  - Re-prioritising hardening-guide related work.
- Threat Detection Engineering
  - Prioritise and publish the Top 10 Windows detection rules following the T2-DARS framework.
- Open-source EDR tools + DLP related capabilities
  - On-going initial server deployment of Velociraptor in AWS tvlk-prod (all user end-points, 7k+).
  - Continue working on deliverables in the SOC Interim DLP Strategy and tasks.
- PST AirAsia fraud case
  - Continue working with stakeholders on the investigation.
- Akamai WAF enhancement
  - Migrate usr and trp to the API end-point.
  - New on-boards: gvo, tvlk-pay.
Roadblocks / Problems
- AWS centralized logs project (tvlk-audit) currently on hold.
- Infra-cloud is under a cost-reduction project; we will re-prioritise our projects accordingly.
Notable Incidents
PST AirAsia fraud case
Status: Contained. Ongoing investigation. Accounts have been disabled. No update from AirAsia. No other leads.
- PST to retrieve/request AirAsia B2B portal logs (https://booking2.airasia.com/loginagent.aspx) via email/call with the source fraud lead: "tiket ajib" store and/or passengers, to get further insights. ETA 07/21.