Tuesday, September 15, 2020

How we use Agile Scrum for SIEM Detection Engineering and Threat Hunting

Thought I’d share a thread on how we use a form of #Agile Scrum to keep our #SIEM detection engineering and threat hunting organized. #blueteam https://en.wikipedia.org/wiki/Scrum_(software_development) We are responsible for tracking threat intel at our org and use it to build SIEM detections and threat hunt the environment. To track and organize our work and ensure progress we have adopted a form of Agile Scrum. We have stakeholders such as the SOC and CISO who have a stake in the success of the SIEM detections and threat hunting results. We have a scrum master, a member of our team that ensures we are successful, follow process, and leads us day to day. We have the development team that builds detections in the SIEM, and hunts. Thwy make the magic happen. We use github project management to track our story backlog and in-sprint progress. https://github.com/features/project-management/ Our story backlog is full of SIEM detection ideas , known Mitre Technique gaps we need to fill, threat hunt ideas, SOC dashboard ideas, etc. Each story in the backlog has a point value to gauge effort as well as a priority to ensure we get important stuff done first. The story backlog also contains other deliverables such as TableTop excercises, SOC training, management reporting, etc. We can create burn down charts and calculate velocity to gauge metrics on how well we are doing. We can predict future deployment dates for detections based on whats in the backlog and our average velocity. Every 2 weeks we start a new sprint with a planning meeting where we pull the items highest priority items off the backlog ans assign them out. At thua time we also engage the automation team in case any hunts or detections will require SIEM or SOAR customizations. In the planning meeting we consider story size, staff member capacity, stakeholder priorites, etc. Then daily we have a short call/huddle to identify roadblocks or new priorities. At the end of the 2 weeks we have a sprint review where we present new detections, dashboards, documentation to stakeholders like SOC. We use the Palantir Alert and Detection Strategy framework to provide a documented deliverable to SOC for each detection https://medium.com/palantir/alerting-and-detection-strategy-framework-52dc33722df2 After the sprint review the actual deployment to the SIEM occurs which could include adding, updating, or deleting SIEM detections or dashboards. After deployment we have a retrospective where we talk about what went well or didnt to ensure we never make the samw mistake twice. Using Agile creates awareness that #infosec is constantly changing and requires constant freding to ensure youre on top of the latest threats. As you can expect there is an expedited process for critical or emeegency detections. But most work we have found can be planned, built, and tested in the 2 week time frame. For each detection, following Palantir, we define the detection and its purpose, we build it, twst it by actually getting it to fire, and retro hunt each time to ensure we were not already breached. I hope you found this interesting and helpful. #infosec #blueteam


  1. I want to thank Dr Emu a very powerful spell caster who help me to bring my husband back to me, few month ago i have a serious problem with my husband, to the extend that he left the house, and he started dating another woman and he stayed with the woman, i tried all i can to bring him back, but all my effort was useless until the day my friend came to my house and i told her every thing that had happened between me and my husband, then she told me of a powerful spell caster who help her when she was in the same problem I then contact Dr Emu and told him every thing and he told me not to worry my self again that my husband will come back to me after he has cast a spell on him, i thought it was a joke, after he had finish casting the spell, he told me that he had just finish casting the spell, to my greatest surprise within 48 hours, my husband really came back begging me to forgive him, if you need his help you can contact him with via email: Emutemple@gmail.com or add him up on his whatsapp +2347012841542 is willing to help any body that need his help.

  2. I lost my job few months back and there was no way to get income for my family, things was so tough and I couldn't get anything for my children, not until a met a recommendation on a page writing how Mr Bernie Wilfred helped a lady in getting a huge amount of profit every 6 working days on trading with his management on the cryptocurrency Market, to be honest I never believe it but I took the risk to take a loan of $1000. and I contacted him unbelievable and I was so happy I earn $12,500 in 6 working days, the most joy is that I can now take care of my family I don't know how to appreciate your good work Mr. Bernie Doran God will continue to bless you for being a life saver I have no way to appreciate you than to tell people about your good services.
For a perfect investment and good strategies contact Mr Bernie Doran via WhatsApp :+1(424)285-0682 or Telegram : @Bernie_doran_fx or Email : Bernie.doranfx01@gmail.com