SOC Update (10 - 14 August 2020)
Progress / Completed Projects & Tasks
- Control Public S3 Buckets Access
  - Held meeting with cloud-infra. Discussed the caveats found and the course of action.
- Windows AD Hardening
  - Held meeting with Daniel from Windows AD; went over findings and the actions to take for high-privilege account clean-up.
Plan / Work in progress
- SIEMonster Sec Prod Roll-out on AWS
  - Corp-IT Linux servers (lib-goaudit, Wazuh, winlogbeat).
  - Continue working on integrating other relevant log sources.
  - AWS GuardDuty alert and log integration from the central logs account tvlk-audit.
- Container Security
- Windows AD Hardening
  - Clean-up of high-privilege accounts: 2-tier admin accounts / dedicated admin accounts.
- Threat Detection Engineering
  - Prioritise and publish the Top 10 Windows detection rules following the T2-DARS framework.
- OpenSource EDR tools + DLP related capabilities
  - Ongoing initial server deployment of Velociraptor in AWS tlvk-prod (all user end-points, 7k+).
  - Continue working on the deliverables in the SOC Interim DLP Strategy and its tasks.
- Control Public S3 bucket deny policy caveats.
- Akamai WAF enhancement
  - Migrate trp to api end-point.
  - Update Akamai end-points across all our 23 end-points. ETA August 24th.
Roadblocks / Problems
- AWS Centralized Logs Project (tlvk-audit)
  - Held meeting with Cloud Infra on this project, which has been stale this quarter. The team will reprioritise, but would like to see the security priorities mandated and cascaded down from the top.
Notable Incidents
- SOC-180 20200812 Intrusion - Data Dump / 2020 Q2 Red-team attack.
  - Status: Waiting for post-mortem / Waiting for white paper.
https://29022131.atlassian.net/browse/SOC-180