Abstract:
We would like to present how we built our Security Operations Center in Python on top of ElasticSearch and what we have learned from running it for more than 3 years now. This tool can alert us during the night if there is any indication of compromise in our system and creates a JIRA ticket for non-urgent alerts, so we don’t forget to get back to it the next day. Although it is not open-source, we will cover its architecture and most of the detection rules and third-party integrations, which can be useful for anyone running their own SOC.
We will talk about how we keep fine-tuning our automatic incident detection mechanisms by fighting false positives in order to improve the effectiveness of our SOC. We will demonstrate how smart detection rules can help you detect vulnerabilities in your web application like XSS and open redirect exploitation. But we will also show how such a tool can help in detecting infra-level compromise as well thanks to open source utilities like auditd, apparmor, snort or Reddalert.
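To make the idea of a detection rule with an "alert now" versus "open a ticket" outcome concrete, here is a small added example in Python. It is not Prezi's tool or any of its rules: the log format, the sample log lines, the field names, the hostnames and the severity split are all constructed for this illustration. Two toy rules are shown, one flagging XSS-style payloads in query parameters and one flagging redirects to an external host, which is the kind of signal the talk refers to.

```python
"""Toy SOC detection rules over constructed web access-log lines.

Assumptions (this example's own, not from the talk): each line is
"<src-ip> <method> <path?query> <status> <Location-or-dash>", the
hosts in OUR_HOSTS are ours, and a hit is either "urgent" (page someone)
or "ticket" (file a non-urgent ticket for the next day).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: a few requests as the log format above.
SAMPLE_LOGS = [
    "203.0.113.5 GET /search?q=hello 200 -",
    "203.0.113.5 GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E 200 -",
    "203.0.113.7 GET /login?next=https://evil.example/phish 302 https://evil.example/phish",
    "203.0.113.7 GET /login?next=/dashboard 302 /dashboard",
    "203.0.113.9 GET /search?q=%3Cscript%3E 403 -",
]

OUR_HOSTS = {"prezi.example"}  # constructed: hostnames considered internal

# Crude indicators of script injection in a decoded parameter value.
XSS_PATTERN = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_line(line):
    """Split one constructed log line into a small event dict."""
    src, method, target, status, location = line.split(" ", 4)
    return {
        "src": src,
        "method": method,
        "target": target,
        "status": int(status),
        "location": location,
    }


def is_external(url):
    """True if the URL points at a host we do not own (relative URLs are internal)."""
    host = urlsplit(url).hostname
    return host is not None and host not in OUR_HOSTS


def evaluate(event):
    """Apply the rules to one event; return (rule_name, severity) or None."""
    # parse_qs already percent-decodes values, so "<script>" is visible here.
    params = parse_qs(urlsplit(event["target"]).query)
    values = [v for vs in params.values() for v in vs]
    if any(XSS_PATTERN.search(v) for v in values):
        # Served with 200 the app may have reflected the payload: wake someone up.
        # Blocked (403 etc.) it is still worth a look, but tomorrow is fine.
        return ("xss_attempt", "urgent" if event["status"] == 200 else "ticket")
    if event["status"] in REDIRECT_STATUSES and is_external(event["location"]):
        # The app actually redirected off-site: treat as a live open redirect.
        return ("open_redirect", "urgent")
    return None


def run_rules(lines):
    """Run every rule over every line and collect the hits."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        hit = evaluate(event)
        if hit is not None:
            rule, severity = hit
            alerts.append(
                {"src": event["src"], "rule": rule, "severity": severity, "target": event["target"]}
            )
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        action = "PAGE" if alert["severity"] == "urgent" else "TICKET"
        print(f"{action:6} {alert['rule']:14} {alert['src']} {alert['target']}")
```

Running it against the constructed lines yields three hits: the reflected-looking `<script>` request and the off-site redirect are marked urgent, while the blocked `<script>` probe only earns a ticket. In a real deployment the query would run against the indexed logs in ElasticSearch rather than a Python list, and the false-positive tuning the talk describes would live in the patterns and host lists.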
Additionally, we will cover how we work together within and beyond the security team (e.g. code reviews in a devops environment) and how we try to incorporate learnings from previous incidents in order to improve our detection rules and incident response plan. Finally, we will highlight some good and bad decisions we made along the way so you can avoid making the bad ones yourself.
Bio:
György Demarcsek – Security Engineer at Prezi
He joined the Security Team at Prezi nearly a year ago, coming from CERN’s Technical Student program with an infra engineering background. He enjoys working in the intersection of software engineering and IT security. These days he helps improve and maintain the security infrastructure of Prezi and handle potential incidents.
Robert Kiss – Tech Lead of the Security Team at Prezi
He joined the team as a Security Engineer more than 3 years ago, where one of his first projects was to build an internal Security Operations Center. Previously, he worked as a penetration tester for years but then decided to switch to the “defensive side”. Now he tries to build tools and processes which help the team in protecting Prezi from the not-so-whitehat hackers.
Video/recordings: