Abstract: In the ever-evolving world of cyber security, threat actors continue to develop new methodologies that challenge Blue Teams across the industry to stay ahead. Traditional approaches often involve a costly security stack and manual processes that may not scale efficiently with the evolving threat landscape. This presentation introduces Detection-as-Code (DaC), a scalable methodology that can enhance SOC detection capabilities. By leveraging popular, accessible tools such as GitHub and Tines for extended automation, organizations can implement robust detection mechanisms without breaking the bank.

The talk will begin by exploring the fundamentals of Detection-as-Code and its significance in the modern SOC environment. We will discuss how DaC facilitates the transition from traditional, reactive security postures to proactive, automated threat detection and response processes. Attendees will gain an understanding of how DaC can be integrated into their existing security strategies to enhance agility and responsiveness to new threats.

We will then delve into the practical implementation of a DaC setup using GitHub as the central repository for storing and managing detection rules. GitHub's version control capabilities ensure that every update and modification to a detection rule is tracked meticulously, promoting collaboration and transparency within security teams.

Finally, we'll demonstrate how GitHub Actions and Tines can be configured not only to serve as an efficient CI/CD pipeline for deploying and updating detection rules automatically, but also to enable additional workflows that can be reused in any other SOC automation process. This segment will include a walkthrough of setting up GitHub Actions to automate the testing and deployment of new or modified detection rules into our chosen SIEM (Splunk ES), ensuring that the SOC's detection capabilities evolve continuously with minimal manual intervention.
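As an added example that is not part of the talk or its author's tooling, this is the kind of validation gate a GitHub Actions "test" job could run over a repository of detection rules before the deploy job pushes them to Splunk ES. The rule schema, the sample rules and the helper names are assumptions; the emitted keys are standard Splunk savedsearches.conf and ES notable-event settings.

```python
# Added example, not the talk's code: the CI gate a GitHub Actions "test" job would run
# over the repo's rules before deploying to Splunk ES. Rule schema and samples are constructed.
import json
import re

REQUIRED = ("name", "description", "search", "severity", "mitre_technique", "cron")
SEVERITIES = ("informational", "low", "medium", "high", "critical")
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")  # T1059 or T1059.001

def validate_rule(rule: dict) -> list[str]:
    """Return the problems found; an empty list means the rule passes the gate."""
    problems = [f"missing field: {f}" for f in REQUIRED if not rule.get(f)]
    if rule.get("severity") not in SEVERITIES:
        problems.append(f"unknown severity {rule.get('severity')!r}")
    if not TECHNIQUE_RE.match(str(rule.get("mitre_technique", ""))):
        problems.append("mitre_technique must look like T1059 or T1059.001")
    if "index=*" in str(rule.get("search", "")).replace(" ", ""):
        problems.append("search must name an index; index=* scans every index")
    return problems

def render_stanza(rule: dict) -> str:
    """Emit the savedsearches.conf stanza the deploy job ships to Splunk ES."""
    name = rule["name"]
    annotations = json.dumps({"mitre_attack": [rule["mitre_technique"]]})
    return "\n".join([
        f"[{name}]",
        f"description = {rule['description']}",
        f"search = {rule['search']}",
        f"cron_schedule = {rule['cron']}",
        "dispatch.earliest_time = -15m@m",  # overlaps the 10-minute schedule so a late run drops nothing
        "enableSched = 1",
        "action.correlationsearch.enabled = 1",
        f"action.correlationsearch.label = {name}",
        f"action.correlationsearch.annotations = {annotations}",
        "action.notable = 1",
        f"action.notable.param.severity = {rule['severity']}",
    ]) + "\n"

def build_bundle(rules: list[dict]) -> tuple[str, dict[str, list[str]]]:
    """Fail closed: if any rule has problems, deploy nothing and report all of them."""
    failures = {r.get("name", f"rule#{i}"): p
                for i, r in enumerate(rules) if (p := validate_rule(r))}
    return ("" if failures else "".join(render_stanza(r) for r in rules)), failures

# Constructed sample rules: one that passes the gate and one that must be rejected.
GOOD_RULE = {"name": "Suspicious PowerShell Encoded Command", "severity": "high",
             "description": "PowerShell started with an encoded command line",
             "search": "index=wineventlog EventCode=4688 New_Process_Name=*\\powershell.exe "
                       "Process_Command_Line=*-enc* | stats count by host, user",
             "mitre_technique": "T1059.001", "cron": "*/10 * * * *"}
BAD_RULE = {**GOOD_RULE, "name": "Every Index", "search": "index=* | stats count", "severity": "urgent"}
```

Wiring this into the pipeline means the deploy job only runs when `build_bundle` returns an empty failure map, so a malformed or over-broad rule never reaches the SIEM.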
Key takeaways from this session will include:
• Understanding the concept and benefits of Detection-as-Code to enhance SOC operations.
• Step-by-step guidance on setting up a Detection-as-Code environment using GitHub, GitHub Actions, Tines, and Splunk ES.
• Practical insights into using version control for security rules to facilitate team collaboration and rule accuracy.
• Strategies for automating the deployment of detection rules, reducing manual overhead and accelerating response times.

This presentation is tailored for security professionals looking to implement scalable, cost-effective detection solutions within their organizations. Attendees will leave equipped with the knowledge and tools needed to transform their SOC operations using the principles of Detection-as-Code, enabling them to stay one step ahead of cyber adversaries in a cost-efficient, scalable manner.

Speaker Bio: Aaron Wilkinson, Lead Incident Response Analyst @ Orbia
Aaron Wilkinson is a Lead Incident Response Analyst at Orbia, a company dedicated to advancing life around the world. Aaron is GCFA, GNFA, GCIH and GREM certified, a member of the GIAC Advisory Board, and has extensive experience in Cyber Threat Operations, DFIR, Threat Hunting and Detection Engineering across multiple industries. In his spare time Aaron creates OSINT scripts and tools, performs web application penetration testing, and takes part in charity OSINT CTFs that help find missing people across the globe.

#bsides #securitybsides #infosec #bsidesbelfast #belfast #bsidesbelfast24