Hanging in the NOC these last couple of days has confirmed one thing. Creation of content to support an information security program is an ongoing process. It starts with the identification and deployment of out-of-the-box content useful for the audience, but a good security operations plan does not stop there.
The RSA NOC team was asked to monitor a classroom on Network Forensics and present the findings after the fact. Challenge accepted! The team early on invested in the identification of assets that make up the conference. The team was already enabled to do this work!
A set of rules was selected to build a report around and to provide custom views into each classroom.
From there, the team was able to drill down into sessions with the focus on the classroom and time frame. Visualizations helped to see spikes and dips of traffic and quickly pivot into them. Investigation was done easily by pivoting through metadata. Custom queries were executed combining suspicious indicators.
This enabled the team to quickly get down to handfuls of suspicious alerts and behaviors out of the thousands of events.
The full sessions of these events were reconstructed and confirmed as malicious or not. If a session was suspected of containing malware, we were able to send it to the malware analysis tool for additional confirmation and information about it.
The NOC team had a lot of fun with this challenge. I felt like we got to know some of the "threat actors" in the class and could create even more targeted content going forward. All in all, the classroom reports, investigation and presentation were all completed within an afternoon and the findings presented to the classroom. I think that's pretty cool.
Category: RSA Fundamentals, Blog Post
Keywords: Black Hat, Black Hat 2016, Black Hat NOC, NetWitness, RSA, RSA Netwitness