Tuesday, September 15, 2020

How we use Agile Scrum for SIEM Detection Engineering and Threat Hunting

Thought I’d share a thread on how we use a form of #Agile Scrum to keep our #SIEM detection engineering and threat hunting organized. #blueteam https://en.wikipedia.org/wiki/Scrum_(software_development)

We are responsible for tracking threat intel at our org and use it to build SIEM detections and threat hunt the environment. To track and organize our work and ensure progress we have adopted a form of Agile Scrum.

We have stakeholders such as the SOC and CISO who have a stake in the success of the SIEM detections and threat hunting results. We have a scrum master, a member of our team who ensures we are successful, follow process, and leads us day to day. We have the development team that builds detections in the SIEM and hunts. They make the magic happen.

We use GitHub project management to track our story backlog and in-sprint progress. https://github.com/features/project-management/ Our story backlog is full of SIEM detection ideas, known MITRE technique gaps we need to fill, threat hunt ideas, SOC dashboard ideas, etc. Each story in the backlog has a point value to gauge effort as well as a priority to ensure we get important stuff done first. The story backlog also contains other deliverables such as tabletop exercises, SOC training, management reporting, etc.

We can create burn down charts and calculate velocity to gauge metrics on how well we are doing. We can predict future deployment dates for detections based on what's in the backlog and our average velocity.

Every 2 weeks we start a new sprint with a planning meeting where we pull the highest priority items off the backlog and assign them out. At that time we also engage the automation team in case any hunts or detections will require SIEM or SOAR customizations. In the planning meeting we consider story size, staff member capacity, stakeholder priorities, etc. Then daily we have a short call/huddle to identify roadblocks or new priorities.
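The velocity and forecast mechanics above are easy to get wrong by hand, so here is an added worked example (my code, not the author's or their team's tooling) that models a prioritized, point-estimated backlog, derives average velocity from past sprints, fills successive two-week sprints in priority order, and predicts the sprint review date each story should ship on, plus the burn down series. The backlog, the past sprint totals and the sprint start date are all constructed sample values; the story titles are illustrative only.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

SPRINT_LENGTH = timedelta(days=14)          # two-week sprints, as in the post

# Constructed sample data: points closed in each of the last four sprints.
COMPLETED_POINTS_PER_SPRINT = [21, 18, 24, 19]
# Constructed sample date for the start of the next sprint.
NEXT_SPRINT_START = date(2020, 9, 21)


@dataclass(order=True)
class Story:
    priority: int                      # lower number = pulled first
    points: int                        # effort estimate agreed in planning
    title: str = field(compare=False)  # not part of the sort order


# Constructed sample backlog mixing detections, hunts, dashboards and other deliverables.
BACKLOG = [
    Story(1, 8, "Detection: PowerShell encoded command (T1059.001)"),
    Story(2, 5, "Hunt: anomalous service installs on domain controllers"),
    Story(3, 3, "SOC dashboard: failed logon trends"),
    Story(4, 13, "Detection: LSASS access (T1003) with ADS document"),
    Story(5, 5, "Tabletop exercise: ransomware scenario"),
    Story(6, 8, "SOC training: triaging the new phishing detection"),
]


def average_velocity(points_per_sprint):
    """Mean story points delivered per sprint over the sprints supplied."""
    if not points_per_sprint:
        raise ValueError("need at least one completed sprint to compute velocity")
    return sum(points_per_sprint) / len(points_per_sprint)


def plan_sprints(backlog, velocity):
    """Greedy fill: walk the backlog in priority order and start a new sprint
    whenever the next story would push the load past the average velocity.
    Returns a list of sprints, each a list of Story in pull order."""
    sprints, current, load = [], [], 0
    for story in sorted(backlog):
        if story.points > velocity:
            # A single story larger than a sprint's capacity never fits; flag it for splitting.
            raise ValueError(f"{story.title!r} is {story.points} pts, above velocity {velocity}; split it")
        if current and load + story.points > velocity:
            sprints.append(current)
            current, load = [], 0
        current.append(story)
        load += story.points
    if current:
        sprints.append(current)
    return sprints


def forecast(backlog, velocity, next_sprint_start):
    """Map each story title to the sprint review date on which it is expected to ship."""
    expected = {}
    for index, sprint in enumerate(plan_sprints(backlog, velocity)):
        review_date = next_sprint_start + SPRINT_LENGTH * (index + 1)
        for story in sprint:
            expected[story.title] = review_date
    return expected


def burndown(total_points, velocity):
    """Points remaining at the end of each future sprint until the backlog is empty."""
    remaining, series = total_points, []
    while remaining > 0:
        remaining = max(0, remaining - velocity)
        series.append(remaining)
    return series


def example_forecast():
    """Forecast for the constructed backlog using the constructed sprint history."""
    return forecast(BACKLOG, average_velocity(COMPLETED_POINTS_PER_SPRINT), NEXT_SPRINT_START)


if __name__ == "__main__":
    velocity = average_velocity(COMPLETED_POINTS_PER_SPRINT)
    print(f"average velocity: {velocity} pts/sprint")
    for title, when in example_forecast().items():
        print(f"{when.isoformat()}  {title}")
    print("burndown:", burndown(sum(s.points for s in BACKLOG), velocity))
```

Two design points: stories are sorted by priority first and points second, so a cheap high-priority item is never starved by a large one; and a story larger than the velocity raises rather than silently slipping, which is the planning meeting's cue to split it.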
At the end of the 2 weeks we have a sprint review where we present new detections, dashboards, and documentation to stakeholders like the SOC. We use the Palantir Alerting and Detection Strategy framework to provide a documented deliverable to the SOC for each detection. https://medium.com/palantir/alerting-and-detection-strategy-framework-52dc33722df2

After the sprint review the actual deployment to the SIEM occurs, which could include adding, updating, or deleting SIEM detections or dashboards. After deployment we have a retrospective where we talk about what went well or didn't to ensure we never make the same mistake twice.

Using Agile creates awareness that #infosec is constantly changing and requires constant feeding to ensure you're on top of the latest threats. As you can expect there is an expedited process for critical or emergency detections. But most work we have found can be planned, built, and tested in the 2 week time frame.

For each detection, following Palantir, we define the detection and its purpose, we build it, test it by actually getting it to fire, and retro hunt each time to ensure we were not already breached.

I hope you found this interesting and helpful. #infosec #blueteam
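The per-detection lifecycle in the last step (define it, build it, prove it fires, retro hunt) is the part worth seeing end to end, so here is an added example that is my code, not the author's SIEM content or Palantir's framework. It keeps a minimal ADS-style record (goal and ATT&CK technique next to the logic), builds one detection for encoded PowerShell command lines, checks that a constructed positive event makes it fire while constructed benign events stay quiet, and then runs the same logic over constructed historical events within the detection's lookback window. The event schema, the field names, the hostnames and the base64-looking string are all invented for the example; any real SIEM would have its own schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List
import re

Event = Dict[str, object]   # constructed schema: ts, host, user, process, cmdline


@dataclass
class Detection:
    """Minimal ADS-style record: the 'define' step lives next to the 'build' step
    so the SOC receives the purpose and the logic together."""
    name: str
    goal: str
    technique: str                   # ATT&CK technique id for gap tracking
    logic: Callable[[Event], bool]   # returns True when the event should alert
    lookback: timedelta              # window for the retro hunt


# Matches an -e / -ec / -enc / -EncodedCommand flag followed by a base64-looking blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")


def encoded_powershell(event: Event) -> bool:
    """Fire when powershell.exe is launched with an encoded command argument."""
    process = str(event["process"]).lower()
    return process.endswith("powershell.exe") and bool(ENCODED_FLAG.search(str(event["cmdline"])))


ENCODED_POWERSHELL = Detection(
    name="PowerShell encoded command",
    goal="Alert when powershell.exe is started with an encoded command, since encoding "
         "hides script content from command-line logging and review.",
    technique="T1059.001",
    logic=encoded_powershell,
    lookback=timedelta(days=90),
)

NOW = datetime(2020, 9, 15, 12, 0)   # constructed 'current' time for the retro hunt
B64ISH = "VGhpc0lzQUNvbnN0cnVjdGVkVGVzdFN0cmluZw=="   # constructed, base64-looking only

# Constructed test event: this is the one we expect the detection to fire on.
TEST_EVENT = {"ts": NOW, "host": "test-vm", "user": "detteam",
              "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "cmdline": f"powershell.exe -EncodedCommand {B64ISH}"}

# Constructed benign events the detection must stay quiet on.
BENIGN_EVENTS = [
    {"ts": NOW, "host": "ws-001", "user": "alice", "process": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"ts": NOW, "host": "ws-002", "user": "bob", "process": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"ts": NOW, "host": "ws-003", "user": "svc_backup", "process": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
    {"ts": NOW, "host": "build-01", "user": "ci", "process": "grep",
     "cmdline": f"grep -e {B64ISH} build.log"},   # same flag shape, wrong process
]

# Constructed history: one hit inside the 90-day window, one outside it, plus noise.
HISTORY = BENIGN_EVENTS + [
    {"ts": NOW - timedelta(days=30), "host": "ws-042", "user": "carol", "process": "powershell.exe",
     "cmdline": f"POWERSHELL.EXE -enc {B64ISH}"},
    {"ts": NOW - timedelta(days=120), "host": "ws-099", "user": "dave", "process": "powershell.exe",
     "cmdline": f"powershell.exe -ec {B64ISH}"},
]


def validate_fires(detection: Detection, positive: Event, negatives: List[Event]) -> bool:
    """'Test it by actually getting it to fire': True only if the positive event alerts
    and none of the known-benign events do."""
    false_positives = [e for e in negatives if detection.logic(e)]
    return detection.logic(positive) and not false_positives


def retro_hunt(detection: Detection, history: List[Event], now: datetime) -> List[Event]:
    """Run the new logic over historical events inside its lookback window and return
    every match, so the team can confirm whether the behaviour already occurred."""
    start = now - detection.lookback
    return [e for e in history if e["ts"] >= start and detection.logic(e)]


if __name__ == "__main__":
    print(f"[{ENCODED_POWERSHELL.technique}] {ENCODED_POWERSHELL.name}: {ENCODED_POWERSHELL.goal}")
    print("fires on test event and stays quiet on benign:", validate_fires(ENCODED_POWERSHELL, TEST_EVENT, BENIGN_EVENTS))
    for hit in retro_hunt(ENCODED_POWERSHELL, HISTORY, NOW):
        print("retro hunt hit:", hit["ts"].isoformat(), hit["host"], hit["user"])
```

The benign set deliberately includes a `grep -e` line with the same flag shape, because the process check is what keeps that from alerting; a retro hunt that returns hits is not itself an incident, it is the list the team triages before the detection goes live.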