keeping track of all the things
play

Keeping Track Of All The Things A use-case and content management - PowerPoint PPT Presentation

Mar 11, 2024 •236 likes •734 views

Keeping Track Of All The Things A use-case and content management story Matt Parks | Manager, Kaiser Permanente Ruperto Razon | Sr. Threat Analyst, Kaiser Permanente 8/12/2017 | ver 5.2.2 Our Purpose Share our lessons learned in

  1. Keeping Track Of All The Things A use-case and content management story Matt Parks | Manager, Kaiser Permanente Ruperto Razon | Sr. Threat Analyst, Kaiser Permanente 8/12/2017 | ver 5.2.2

  2. Our Purpose ▶ Share our lessons learned in consolidating artifacts of our migration from a previous SIEM to our current SIEM/logging solution ▶ Describe the process our team developed to manage our security use-case and content development efforts ▶ Provide you some answers to a few familiar questions

  3. What Questions? These Questions What does our security coverage look like, from a use-case perspective? Bob in accounting was infected by <insert-threat-of-the-day-here>, who else was infected? How are we tracking towards our high level security goals for the year? What does your development team do all day?

  4. Who are you guys? Matt Parks Manager, Security Analytics, Cyber Risk Defense Center ▶ Matthew.Parks@kp.org ▶ linkedin.com/in/matthewparks

  5. Who are you guys? Ruperto Razon Sr. Threat Analyst, Security Analytics, Cyber Risk Defense Center ▶ Ruperto.S.Razon@kp.org ▶ linkedin.com/in/PertoRazon ▶ @thatperto

  7. Cyber Risk Defense Center (CRDC)

  8. Advanced and Actionable Intelligence MODIFIED KILL Reconnaissance Exploitation Lateral Movement Reach Objective CHAIN TEAMS Threat Intelligence Infiltration Lateral Movement Data Exfiltration • Network DLP • Threat Feeds (paid, • Endpoint Security Devices • Malware Detonation TOOLS • Endpoint DLP Open Source, Internal) • OS Logging • Network Intrusion • Email DLP • Contextual Information • User modeling Detection and Prevention • PCAP data (Virus Total, whois, etc.) • PCAP data • Endpoint Security • Cloud Security • Farsight • SMTP Gateways technology • Industry Relationships • Layer 7 Detection and • Law Enforcement Prevention DATA Splunk Other Big Data Platforms LAYER ACTIONABLE INTELLIGENCE

  9. Let ’ s start from the middle…. Pre-Migration (Summer 2015) Migration Complete (Spring 2016) ▶ 2TB+ data/day ▶ 4TB+ data/day ▶ 128 Threat Use-Cases ▶ 43 Threat Use-Cases ▶ 60 Scheduled Reports ▶ 33 Scheduled Reports ▶ 652 “Knowledge Objects” ▶ 121 Knowledge Objects ▶ 15+ Documentation Repositories ▶ 4 Documentation Repositories

  10. Where We Are Today ▶ 8+TB data/day ▶ 60+ distinct sourcetypes ▶ 75+ Custom Threat Use-Cases ▶ 100+ Scheduled Reports/Dashboards/Form Searches

  11. Documentation…

  12. Artifacts of Note ▶ Naming conventions ▶ Asset Categories ▶ Search logic ▶ Recipients/Users ▶ Knowledge objects ▶ Original Requestor ▶ Scheduling of searches/reports ▶ Tribal Knowledge

  13. Scrum in 100 Words • Scrum is an agile process that allows us to focus on delivering the highest business value in the shortest time. • It allows us to rapidly and repeatedly inspect actual working software (every two weeks to one month). • The business sets the priorities. Teams self-organize to determine the best way to deliver the highest priority features. • Every two weeks to a month anyone can see real working software and decide to release it as is or continue to enhance it for another sprint.

  14. What does a Scrum look like?

  15. The Scrum Advantage

  16. Scrum Framework Process

  17. Example Story

  18. So what do we do with all this JIRA Data? Improve situational awareness Visualize our JIRA activity Improve our development process Answer questions

  19. Bob in accounting was infected by <insert-threat- of-the-day-here>, who else was infected?

  20. Anyone heard of Wannacry? ▶ 14 separate JIRA Stories • 3 new Correlation Searches • 6 Research Stories • 2 Tuning Requests • 3 Stories for Follow-up/Remediation

  21. What does our security coverage look like, from a use- case perspective?

  22. Deployed Use-Case Visibility

  23. Searches! Note: <insertyourdatahere> ▶ SA Visualization Dashboard • Enabled Correlation Search Breakdown by Team • |rest /services/alerts/correlationsearches splunk_server=local | rename eai:acl:app as application, title as csearch_name |join type=outer app csearch_name [rest /services/saved/searches| rename eai:acl:app as application, title as csearch_name, search as csearch|table app, csearch_name, csearch, disabled]|eval status=if(disabled==1,"Disabled","Enabled") | search status=Enabled | eval splitdes = split(rule_title, "-"), designation = mvindex(splitdes, 0) |table designation security_domain, rule_title, csearch_name, description, severity, csearch, disabled, status | stats count by designation | sort –count • Enabled Correlation Search Breakdown by Severity • |rest /services/alerts/correlationsearches splunk_server=local | search rule_title!="" | rename eai:acl:app as application, title as csearch_name |join type=outer app csearch_name [rest /services/saved/searches| rename eai:acl:app as application, title as csearch_name, search as csearch|table app, csearch_name, csearch, disabled]|eval status=if(disabled==1,"Disabled","Enabled") | search status=Enabled | eval splitdes = split(rule_title, "-"), designation = mvindex(splitdes, 0) |table designation security_domain, rule_title, csearch_name, description, severity, csearch, disabled, status | eval Severity=case(severity=="critical","1-critical", severity=="high","2-high", severity=="medium","3-medium", severity=="low","4-low", severity=="informational","5-informational") | stats count by Severity

  24. Searches! Note: <insertyourdatahere> ▶ SA Visualization Dashboard (cont.) • Use Case Count by Team / Severity • |rest /services/alerts/correlationsearches splunk_server=local | rename eai:acl:app as application, title as csearch_name |join type=outer app csearch_name [rest /services/saved/searches| rename eai:acl:app as application, title as csearch_name, search as csearch|table app, csearch_name, csearch, disabled]|eval status=if(disabled==1,"Disabled","Enabled") | search status=Enabled | eval splitdes = split(rule_title, "-"), designation = mvindex(splitdes, 0) | table designation rule_title description, severity, status | eval Severity=case(severity=="critical","1-critical", severity=="high","2-high", severity=="medium","3-medium", severity=="low","4-low", severity=="informational","5-informational") | chart count as "Rule Count" by designation, Severity • Changes in Triggered Notable Events - Past 30 Days - by Correlation Search • `notable` | search search eventtype!=notable_suppression* | bin _time span=24h |stats count by _time, search_name | streamstats window=2 global=f current=t first(count) as previous by search_name | eval delta=count-previous | eval time=_time | table search_name, time, delta, count • Enabled Use Case – Details • |rest /services/alerts/correlationsearches splunk_server=local | search rule_title!="" | rename eai:acl:app as application, title as csearch_name |join type=outer app csearch_name [rest /services/saved/searches| rename eai:acl:app as application, title as csearch_name, search as csearch|table app, csearch_name, csearch, disabled]|eval status=if(disabled==1,"Disabled","Enabled") | search status=Enabled | eval splitdes = split(rule_title, "-"), designation = mvindex(splitdes, 0) |table designation rule_name description, severity, status | sort designation, rule_name

Recommend

Keeping Track of Our Students Using StudentTracker to Track Enrollment, Transfers, and Graduation

Keeping Track of Our Students Using StudentTracker to Track Enrollment, Transfers, and Graduation

Keeping Track of Our Students Using StudentTracker to Track Enrollment, Transfers, and Graduation Activity at Your Campus and Beyond Office of Strategic Initiatives Hengxia Zhao &amp; David Troutman, Ph.D. Student Pathways Access

735 views • 32 slides
Git Setup Help using Terminal (CSE 154) Introduction: Git enables keeping track of different

Git Setup Help using Terminal (CSE 154) Introduction: Git enables keeping track of different

Git Setup Help using Terminal (CSE 154) Introduction: Git enables keeping track of different versions of files as we keep editing them. To make sure we understand git properly, here are some terms youll see being used quite often: 1.

246 views • 8 slides
Git Setup Help using GitKraken (CSE 154) Introduction: Git enables keeping track of different

Git Setup Help using GitKraken (CSE 154) Introduction: Git enables keeping track of different

Git Setup Help using GitKraken (CSE 154) Introduction: Git enables keeping track of different versions of files as we keep editing them. To make sure we understand git properly, here are some terms youll see being used quite often: 1.

342 views • 10 slides
Collection sponsoring : keeping track of tree adoptions Gerda van Uffelen, Hortus Botanicus Leiden

Collection sponsoring : keeping track of tree adoptions Gerda van Uffelen, Hortus Botanicus Leiden

Collection sponsoring : keeping track of tree adoptions Gerda van Uffelen, Hortus Botanicus Leiden Collection sponsoring : keeping track of tree adoptions Stichting Vrienden van de Leidse Hortus since 2005, &gt;2000 members Possible results?

201 views • 18 slides
Popeye Flight Tracking with SQLite Keeping track of flights FlightAware needs a fast way to

Popeye Flight Tracking with SQLite Keeping track of flights FlightAware needs a fast way to

Popeye Flight Tracking with SQLite Keeping track of flights FlightAware needs a fast way to keep track of flights actually in the air. FlightAware receives input from thousands of sources, and generates a consistent stream of flight

525 views • 24 slides
to get back on track It took a while but now I have taken back control. Im trying new things,

to get back on track It took a while but now I have taken back control. Im trying new things,

Making it easier to get back on track It took a while but now I have taken back control. Im trying new things, pushing my limits again. Alessia Leading intimate healthcare Coloplast Earnings Conference Call Q1 2019/20 February 6 th , 2020

465 views • 8 slides
Keeping Track of Stateful Infrastructure Patrick Meyer #serveradmin on Freenode

Keeping Track of Stateful Infrastructure Patrick Meyer #serveradmin on Freenode

Keeping Track of Stateful Infrastructure Patrick Meyer #serveradmin on Freenode contact@the-space.agency @HerrSpace Virtual Machine Virtual Provisioning Machines Backup Hypervisors Serveradmin Puppet DNS Routers Loadbalancers

809 views • 61 slides
Keeping things cool is a Keeping things cool is a huge industry! huge industry! Insulation

Keeping things cool is a Keeping things cool is a huge industry! huge industry! Insulation

Keeping things cool is a Keeping things cool is a huge industry! huge industry! Insulation is needed in everything from Insulation is needed in everything from the walls of your house, to the coffee the walls of your house, to the coffee

477 views • 12 slides
Keeping Stakeholders Engaged and I nformed and Projects On-Track April Mangan BE MEngSc CEng

Keeping Stakeholders Engaged and I nformed and Projects On-Track April Mangan BE MEngSc CEng

rpsgroup.com/ireland Keeping Stakeholders Engaged and I nformed and Projects On-Track April Mangan BE MEngSc CEng HDip(PR) RPS Project Communications Lead Southern Region Tel: (087) 202 5910 Email: april.mangan@rpsgroup.com Dan OBoyle

462 views • 21 slides
Dustin Dunsmuir Papers Keeping things in context: a comparative evaluation of focus plus

Dustin Dunsmuir Papers Keeping things in context: a comparative evaluation of focus plus

Dustin Dunsmuir Papers Keeping things in context: a comparative evaluation of focus plus context screens, overviews, and zooming. Patrick Baudisch, Nathaniel Good, Victoria Bellotti, and Pamela Schraedley. CHI 2002. Evaluation of

487 views • 25 slides
1 Macroevolution 2 3 4 5 6 7 8 9 10 11 12 13 Keeping track of concepts 14

1 Macroevolution 2 3 4 5 6 7 8 9 10 11 12 13 Keeping track of concepts 14

1 Macroevolution 2 3 4 5 6 7 8 9 10 11 12 13 Keeping track of concepts 14 15 16 17 18 19 20 21 22

548 views • 22 slides
Keeping the Team Engaged: Making Things Stick N. Adam Brown, MD, MBA, FACEP Senior Vice

Keeping the Team Engaged: Making Things Stick N. Adam Brown, MD, MBA, FACEP Senior Vice

Keeping the Team Engaged: Making Things Stick N. Adam Brown, MD, MBA, FACEP Senior Vice President, Envision Healthcare- MidAtlantic Raleigh, NC - February 13 th , 2018 2 3 4 5 The Red Queen Effect It takes all the running you can do, to

691 views • 55 slides
SLOW AND STALLED LITIGATION KEEPING THINGS MOVING Jon Danyliw, Miller Thomson LLP All

SLOW AND STALLED LITIGATION KEEPING THINGS MOVING Jon Danyliw, Miller Thomson LLP All

SLOW AND STALLED LITIGATION KEEPING THINGS MOVING Jon Danyliw, Miller Thomson LLP All litigators, whether acting for the Plaintiff or Defendant, have been faced with slow and stalled litigation. We are all familiar with the claim against our

189 views • 5 slides
keeping your project on track with clarity &amp; confidence An inside look at the buildertrend

keeping your project on track with clarity &amp; confidence An inside look at the buildertrend

keeping your project on track with clarity &amp; confidence An inside look at the buildertrend project management app WHY USE BUILDERTREND FOR PROJECT MANAGEMENT? Instead of managing different apps for different parts of the project,

276 views • 11 slides
Disk Space Management How to keep track of allocated vs free blocks What strategy to use for

Disk Space Management How to keep track of allocated vs free blocks What strategy to use for

CS510 Operating System Foundations Jonathan Walpole Disk Space Management How to keep track of allocated vs free blocks What strategy to use for allocating free blocks to a file Keeping Track of Free Blocks Approach #1: - Keep a bitmap - 1

1.04k views • 79 slides
ZEBRA SOLUTIONS HAVE SOLVED GREAT BUSINESS CHALLENGES $1B Publicly traded company Track,

ZEBRA SOLUTIONS HAVE SOLVED GREAT BUSINESS CHALLENGES $1B Publicly traded company Track,

ZEBRA SOLUTIONS HAVE SOLVED GREAT BUSINESS CHALLENGES $1B Publicly traded company Track, trace, locate things - in our DNA Three year journey on the Internet of Things Zebra Confidential ENABLING VISIBILITY THROUGH DIGITAL VOICE

552 views • 41 slides
16 th July 2014 UK food &amp; drink manufacturing What is keeping the industry awake at night?

16 th July 2014 UK food &amp; drink manufacturing What is keeping the industry awake at night?

Food and Drink Federation Professional Affiliate Seminar 16 th July 2014 UK food &amp; drink manufacturing What is keeping the industry awake at night? Steve Barnes - Commercial Director Agenda The things keeping the industry awake at

1.03k views • 63 slides
The Jo Job Keeping Pla lan A TRAINING FOR RESIDENTIAL PROVIDERS Job Keeping Plan Training

The Jo Job Keeping Pla lan A TRAINING FOR RESIDENTIAL PROVIDERS Job Keeping Plan Training

Competitive Integrated Employment (CIE) Outcome: Job Keeping The Jo Job Keeping Pla lan A TRAINING FOR RESIDENTIAL PROVIDERS Job Keeping Plan Training Module Learning Objectives Recognize the value of employment and how ongoing

212 views • 20 slides
LIGHTHOUSE ADVISORS Keeping Your Capital Safe August 2020 1 www.lighthouse-advisors.com

LIGHTHOUSE ADVISORS Keeping Your Capital Safe August 2020 1 www.lighthouse-advisors.com

LIGHTHOUSE ADVISORS Keeping Your Capital Safe August 2020 1 www.lighthouse-advisors.com Contents Who We Are How We Are Different Investment Strategy Portfolio Management Track Record Alignment of Interest Worked

219 views • 20 slides
Track &amp; Field Parent Meeting BT Track &amp; Field Mission Bartram Trail Track &amp; Field

Track &amp; Field Parent Meeting BT Track &amp; Field Mission Bartram Trail Track &amp; Field

Track &amp; Field Parent Meeting BT Track &amp; Field Mission Bartram Trail Track &amp; Field will create an athlete centered environment that serves as a center for track &amp; field excellence and supports the foundation of life-long

280 views • 12 slides
Most Things Youd Like to Know about Fundraising Part 5: It Takes More Than One Person: How To

Most Things Youd Like to Know about Fundraising Part 5: It Takes More Than One Person: How To

Most Things Youd Like to Know about Fundraising Part 5: It Takes More Than One Person: How To Engage Board/Volunteers In Fund Raising and How to Effectively Track Donors Power Up Your Pantry, University of Missouri New Chapter Coaching, LLC,

438 views • 42 slides
Session B.3 Spectrum Efficient Technologies Track Chair: Mr. Tom Young Track Chair Track

Session B.3 Spectrum Efficient Technologies Track Chair: Mr. Tom Young Track Chair Track

Session B.3 Spectrum Efficient Technologies Track Chair: Mr. Tom Young Track Chair Track Members: Track Members Dr. Marilynn Wylie Mr. Glenn Green This project is funded by the Test Resource Management Center (TRMC) Test and

212 views • 20 slides
Project Overview Keeping it in Kin Kin Project - keeping Kin Kins soils in place and by

Project Overview Keeping it in Kin Kin Project - keeping Kin Kins soils in place and by

Project Overview Keeping it in Kin Kin Project - keeping Kin Kins soils in place and by doing so improving agricultural productivity, waterway health and water quality within the Noosa Catchment. 2 Phase 1 Setting the

342 views • 23 slides
Leading During a Council Crisis R. Kim Wilde ICMA Conference Presenter Keeping Your Executive

Leading During a Council Crisis R. Kim Wilde ICMA Conference Presenter Keeping Your Executive

Leading During a Council Crisis R. Kim Wilde ICMA Conference Presenter Keeping Your Executive Team On Track in Times of Council Crisis R. Kim Wilde Background Over thirty years local government experience Thirteen years in Snoqualmie,

727 views • 23 slides

More recommend