SOC Update (25-29 Nov 2019)

Progress / Completed Projects & Tasks

SIEMonster deployed and running in an interval VM

Integrated alerting mechanism to slack.

Plan / Work in progress

SOC-19 CloudConfirmty alert tune up.

https://29022131.atlassian.net/browse/SOC-19

Onboard tvlk-dev and tvlk-data AWS accounts to SAML

https://29022131.atlassian.net/browse/SOC-35

Create SNS Topic for Guard Duty Alerts

https://29022131.atlassian.net/browse/SOC-28

SIEMmonster POC Testing.

Continue integrating log sources and features.

Planning Akamai DSA migration.

Roadblocks / Problems

SIEMonster PoC

No connectivity between AWS and corporate internal resources. Working on getting that resolved for PoC purposes.

Notable Incidents

SOC-31 through 39
Several AWS service open permission services: SQS, S3 buckets, and MongoDB.
RCA: New Service deployment missconfiguration.
Status: All have been resolved
Impact: Internal: None External: None
Details at:
https://29022131.atlassian.net/browse/SOC-31 through 39

SOC-42
Unauthorised use of credentials from an external IP in TVLK Dev
RCA: Yearly Red Team internal SoC readiness assessment.
Status: Initial triaging, isolation and Investigation completed. Waiting on OffSec to share details and finish the post-mort em document and action items.
Impact: Internal: None External: None
Details at:
https://29022131.atlassian.net/browse/SOC-42
https://docs.google.com/document/d/1J5PHQePdYyfIR6gmw4hvzHWf0jEnv0HBaqBdOPbLpK4