SOC Update (24 - 28 August 2020)
Progress / Completed Projects & Tasks
- Control Public S3 Buckets Access
- SOC-180 20200812 Intrusion - Data Dump / 2020 Q2 Red-team attack
  - Completed targeted post-mortems
- Windows AD Hardening
  - Clean-up of high-privilege accounts: 2-tier admin accounts / dedicated admin accounts
Plan / Work in progress
- Akamai WAF enhancement
  - Migrate trp to API end-point (on-going; QA started)
  - Migrate frp to API end-point (on-going; QA started)
- SOC-180 20200812 Intrusion - Data Dump / 2020 Q2 Red-team attack
  - Post-mortem review and Purple-team activities to be initiated with the respective teams
- OpenSource EDR tools + DLP related capabilities
  - Continue working on the deliverables in the SOC Interim DLP Strategy and tasks
  - On-going initial server deployment of Velociraptor in AWS tlvk-prod (all user end-points, 7k+)
- Restrict public S3 bucket access across all stg accounts as planned. ETA 09/01
- SIEMonster Sec Prod Roll-out on AWS
  - Corp-IT Linux servers (lib-goaudit, Wazuh, winlogbeat)
  - Continue working on integrating other relevant log sources:
    - Kaspersky AV logs
    - Pulse Secure user VPN access
    - AWS GuardDuty alert and log integration from the central logs tvlk-audit account
- Container Security
- Threat Detection Engineering
  - Prioritise and publish the Top 10 Windows Detection Rules following the T2-DARS Framework
Roadblocks / Problems
- AWS Centralized Logs Project tvlk-audit
  - The Cloud Infra team will reprioritise, but the team would like assurance on the cost involved and that security priorities be cascaded down from the top.
Notable Incidents
- N/A