Life beyond the SIEM - Take control of your SOC with Jupyter

Presented at Blue Team Con 2022, Aug. 27, 2022, 5:40 p.m. (50 minutes)

The SIEM is the center-point for most SOC activity: providing tools for handling threat detection, incident investigation, threat hunting, and more. Even the best SIEM though, is only as capable as the features it includes. Analysts often have to develop processes and scripts to fit alongside it. What if it didn’t need to be this way? What if there was a tech stack that allowed you to take control?

Jupyter is the solution that allows analysts to investigate threats, conduct hunts, and manage processes in a flexible, agile manner. Use visualizations, analysis techniques, data sources and workflows that your SIEM doesn’t possess.

In this talk, we will look at the Jupyter ecosystem and how it can empower SOC analysts (from tier 1 to specialized hunters) in a wide range of tasks: from creating custom visualizations to automating triage and enrichment tasks.

We’ll cover some Jupyter basics then dive deeper on how to use standard Python libraries and techniques to customize your analysis flow. Then look at using MSTICPy (Python InfoSec library) and how its data, enrichment and visualization features can speed up your workflow with generate elegant, low-code notebooks.

We will also show how you can deploy notebooks in your organization in a consistent, secure and reliable manner using tools like Docker and Git.

Finally, we will demonstrate how to use Jupyter to automate investigation and hunting, to drive great efficiency and consistency benefits for the SOC.

Presenters:

• Ian Hellen - Principal Software Engineer, Microsoft
  Ian works as a software developer in the Microsoft Threat Intelligence Center (MSTIC). He spends most of his time building and maintaining MSTICPy - our CyberSec hunting Python tool library - and creating Jupyter notebooks for threat hunting and investigations. Prior to this, Ian worked on Azure Security Center (now Defender for Azure), security assessments for Microsoft services and multiple security reviews/pen tests of Windows (as far back as Vista!). In his spare time, Ian loves skiing, snorkeling & scuba, music and occasional messing around with Raspberry PIs and micropython devices.
• Pete Bryan - Senior Software Engineer, Microsoft
  Pete works as a software developer in the Microsoft Threat Intelligence Center (MSTIC). He spends most of his time building and maintaining MSTICPy - our CyberSec hunting Python tool library - and creating Jupyter notebooks for threat hunting and investigations. Pete has spent his career working in security operations, conducting threat intelligence and threat hunting roles, as well as designing and implementing SOC processes and technologies. In his spare time, Pete can most often be found riding his bike around the Seattle region.

Similar Presentations:

• ShmooCon XIV (2018) / This Is Not Your Grandfather's SIEM
• DerbyCon 2.0 Reunion (2012) / How to create a one man SOC
• NolaCon 2022 / Build your first SOC