SOC Update (26 Oct - 6 Nov 2020)

Progress / Completed Projects & Tasks

Log centralisation and alert integration to tvlk-sec-prod

CloudTrail logs (all accounts) delivered and indexed to ElasticSearch SIEMonster.

OpenSource EDR & DLP related capabilities

Velociraptor EDR Initial push via Kaseya to pilot end-user Windows end-points. SG and ID.
DLP Endpoint Protector PoC internal SoC end-points deployed to Mac and Windows end-points. On-going testing.

Developed Uses cases to test product. https://29022131.atlassian.net/wiki/spaces/S/pages/1529914659/DLP+Solution+Evaluation+Criteria

WebSecurity Akamai

Attending briefings, preparations and monitoring closely Akamai during Epic sale 11/11 (Excalibur Project)

Personal development

Attended and Completed First Time People Managers Program.

Plan / Work in progress

Akamai WAF

Service and Certificate renewal.
Custom temp fix to be deployed https://29022131.atlassian.net/browse/SOC-185
STG Deploy new API site: content-api.acd.traveloka.com.
New payment site on-boarding assessment. gateway-payment.traveloka.com

https://29022131.atlassian.net/servicedesk/customer/portal/17/IS-349

OpenSource EDR & DLP related capabilities

PoC Evaluate Endpoint protector.

Running through uses cases. https://29022131.atlassian.net/wiki/spaces/S/pages/1529914659/DLP+Solution+Evaluation+Criteria

Deployment of velociraptor in AWS tlvk-sec-prod (all Windows user end-points +5k.)

Push EDR velociraptor clients to End-point via Kaseya.

Continue working with deliverable in the SOC Interim DLP Strategy and tasks.

FDE via Bitlocker for all Windows end-point in progress.
Timelines: https://29022131.atlassian.net/wiki/spaces/S/pages/1499431262/User+Endpoints+Full+Disk+Encryption

Threat Detection Engineering

Prioritise and publish Top 10 Windows Detection Rules following T2-DARS Framework.

SIEMonster Sec Prod Roll-out on AWS

Continue working on integrating other relevant log sources.

Kaspersky AV logs.

AWS log centralisation and alert integration to tvlk-sec-prod

Working on Cloudtrail to Athena partition for long-term 6+months.
VPC Flows: ETA: TBD.

AWS Security

Auditing and cleaning wide-open ingress Security Groups. (On-going)

GCP Hardening and Visibility

Reviewing GCP current set-up, identify gaps, document and propose recommendations.
Continue working with tlvk-data team on the actions items identified on red-teams assessment and post-mortems as needed.

SOC-180 20200812 Intrusion - Data Dump / 2020 Q2 Red-team attack.

Continue managing progress with respective teams and the clean-up and hardening initiatives as needed.

GCP/AWS for talk-data team : https://docs.google.com/document/d/1sis22h-d2QRzgnFCNqYBvjMarQ8DJfQCYl5v7j-g6Zw/edit#
Salesforce: https://docs.google.com/document/d/1vkzfh8oqBm7FT6Rfv-5CiholduPbaDnutpbrTxfsBsE/edit#
Domo: https://docs.google.com/document/d/1H_E7aC2QVd_H5ecBtbto_ZJj5tc3drjEINlXrwDW9Xg/edit#

Roadblocks / Problems
None

Notable Incidents

SOC-245 20201102 SendGrid Account Take-Over
Status: Contained and recovered. Finalising Post-Mortem and timelines.
https://29022131.atlassian.net/browse/SOC-245