
SOC Automation - Enterprise Blueprinting and Hunting Using Open-Source Tools

Offered By: RSA Conference via YouTube


Course Description

Overview

Explore advanced SOC techniques in this conference talk on enterprise blueprinting, automation, and threat hunting with open-source tools. Gain insight into building comprehensive network visibility, reducing SOC fatigue by automating routine tasks, and hunting effectively for unknown threats. Learn to use native operating system tools and osquery to blueprint a network, to automate critical tasks, and to turn properly collected and organized data into advanced threat detection. Discover methods for analyzing low-prevalence executables, collecting ARP data with osquery, and running Docker and Filebeat for efficient data management. Delve into statistical analysis techniques for threat hunting, including methods for identifying uncommon OUIs in the environment and measuring executable prevalence. Master filtering data and conducting mass searches, and see real-world detection examples through the examination of specific executables such as PLink.

Syllabus

RSA Conference 2019, San Francisco, March 4-8, Moscone Center
Know Your Environment
"Blueprinting" Methods: Reactive, Firehose
Tools and Procedures
Intro to OsQuery
Pros/Cons
Low Prevalence Executables
Leveraging OsQuery
Getting ARP data from OsQuery
Automation Overview
Where do you put your data?
Data Collection
Data Storage
Querying Data
Docker
Filebeat
Next Steps
Using Statistical Analysis for Threat Hunting
Analyzing Data
Hunting Methodologies
Mac Addresses - Uncommon Environmental OUIS
Prevalence of Executables
Filtering Data
Mass Searching
A Story of Two Executables (PLink)
Taught by

RSA Conference
