SOC Update (3 - 7 August 2020)
Progress / Completed Projects & Tasks
- Jira IR ticket flow updated
  - Customised Jira ticket flow for Incident Response related tickets.
- Akamai WAF enhancement
  - Notification sent to stakeholders to update the Akamai endpoint IP site-shield list across all our endpoints. ETA August 22nd.
- Control public S3 bucket access
  - Initial changes pushed (partial effectiveness). Caveats found; these still need to be addressed.
- Windows AD hardening
  - Performed an audit of services and software on all Windows AD servers.
Plan / Work in progress
- SIEMonster Sec Prod roll-out on AWS
  - Corp-IT Linux servers (lib-goaudit, Wazuh, winlogbeat).
  - Continue working on integrating other relevant log sources.
  - AWS GuardDuty alert and log integration from the central logs account (tvlk-audit).
- Container security
- Windows AD hardening
  - Clean-up of high-privilege accounts: 2-tier admin accounts / dedicated admin accounts.
- Threat detection engineering
  - Prioritise and publish the Top 10 Windows detection rules following the T2-DARS framework.
- Open-source EDR tools + DLP-related capabilities
  - Ongoing initial server deployment of Velociraptor in AWS tlvk-prod (all user endpoints, 7k+).
  - Continue working on the deliverables in the SOC Interim DLP Strategy and its tasks.
- S3 public bucket deny policy caveats.
- Akamai WAF enhancement
  - Migrate trp to the API endpoint.
  - Update Akamai endpoints across all 23 of our endpoints. ETA August 22nd.
  - New on-boardings: gvo, tvlk-pay.
Roadblocks / Problems
- AWS centralized logs project (tlvk-audit)
  - Sergei's team would like the security priority mandates to be cascaded down from the top.
Notable Incidents
- SOC-177 Cloud Conformity alert: Tor Anonymizing Proxy network is communicating with EC2 instance i-02de31f18c4a6c2ec
  - Status: Resolved. Network scanning activity from Tor identified; no signs of compromise found.
  - https://29022131.atlassian.net/browse/SOC-177