[AWSReInforce2025] Enhancing security operations with Next Gen SIEM and ConvergeSECURITY (SEC325)
Lecturer
Stanley Parrot serves as Detection Engineer at Deloitte, crafting threat detection content that operationalizes AWS native telemetry within ConvergeSECURITY. His expertise spans SIEM modernization, behavioral analytics, and incident response automation across enterprise environments.
Abstract
The presentation introduces ConvergeSECURITY as Deloitte’s managed security platform built on AWS, demonstrating how next-generation SIEM capabilities accelerate detection, reduce costs, and enable SOC transformation. Through data architecture patterns and detection engineering workflows, it establishes a blueprint for cloud-native security operations.
SOC Modernization Imperative
Traditional SIEMs struggle with cloud-scale data volumes and velocity. Legacy appliances require:
- Fixed retention windows
- Manual parser development
- High storage costs
ConvergeSECURITY leverages AWS services to eliminate these constraints, processing petabytes of security telemetry with sub-second query performance.
Cloud-Native Data Lake Architecture
The platform implements a layered data strategy:
Raw Zone → S3 (all logs, indefinite retention)
Curated Zone → Athena (OCSF-normalized, 90-day hot)
Analytics Zone → OpenSearch (aggregated insights)
Sources include:
- CloudTrail management and data events
- VPC Flow Logs at 100% sampling
- GuardDuty findings
- Custom application logs via Firehose
Detection Engineering Framework
Deloitte maintains 3000+ detection rules, written in a declarative form like this example:
threat: privilege_escalation
source: cloudtrail
condition: eventName = "AssumeRole" AND userIdentity.type = "IAMUser"
context: mfa_enabled = false
severity: high
Rules execute continuously via EventBridge, enriching events with identity context, asset inventory, and threat intelligence before alerting.
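To make the condition-plus-context evaluation concrete, here is an added example (not code from the session or from ConvergeSECURITY) that applies the AssumeRole-without-MFA rule above to constructed CloudTrail-style records. It assumes the rule's `mfa_enabled` context is derived from CloudTrail's `userIdentity.sessionContext.attributes.mfaAuthenticated` field; account id, ARNs and IP addresses are placeholders.

```python
# Added example, not code from the talk: apply the AssumeRole-without-MFA rule
# above to constructed CloudTrail-style records. Assumption: the rule's
# `mfa_enabled` context maps to userIdentity.sessionContext.attributes.
# mfaAuthenticated ("true"/"false"); a record lacking it counts as no MFA.
RULE = {"threat": "privilege_escalation", "event_name": "AssumeRole",
        "identity_type": "IAMUser", "severity": "high"}

def mfa_enabled(record):
    """True only when CloudTrail marks the calling session MFA-authenticated."""
    attrs = (record.get("userIdentity", {}).get("sessionContext", {})
             .get("attributes", {}))
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"

def evaluate(record, rule=RULE):
    """Return an alert dict when condition AND context both match, else None."""
    ident = record.get("userIdentity", {})
    if (record.get("eventName") != rule["event_name"]
            or ident.get("type") != rule["identity_type"]
            or mfa_enabled(record)):      # MFA present: not the alerting case
        return None
    return {"threat": rule["threat"], "severity": rule["severity"],
            "principal": ident.get("arn"),
            "target_role": record.get("requestParameters", {}).get("roleArn"),
            "source_ip": record.get("sourceIPAddress")}

def run(records):
    """Evaluate a batch; return alerts only, in input order."""
    return [a for a in map(evaluate, records) if a is not None]

# Constructed sample records; account id, ARNs and IPs are placeholders.
ACCT = "111122223333"
SAMPLE_RECORDS = [
    # 1: IAM user, no session context -> no MFA evidence -> alert
    {"eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/Admin"}},
    # 2: same action but MFA-authenticated session -> suppressed by context
    {"eventName": "AssumeRole", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/Admin"}},
    # 3: role chaining by a workload role -> identity type does not match
    {"eventName": "AssumeRole", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCT}:assumed-role/App/i-0abc"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/Reader"}},
]
```

Calling `run(SAMPLE_RECORDS)` yields a single high-severity alert for the first record; the MFA-authenticated session and the role-chaining event are filtered out by the context and identity-type checks respectively.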
Automated Response Playbooks
Integration with AWS services enables closed-loop remediation:
# Illustrative Lambda handler from the session; `security_hub` is assumed to be
# a pre-initialized client wrapper for the response integration (not shown).
def handler(event, context):
    # Only CRITICAL findings trigger automatic containment
    if event['severity'] == 'CRITICAL':
        security_hub.create_automation(
            action='ISOLATE_INSTANCE',
            resource=event['instance_id']
        )
Playbooks quarantine compromised resources, rotate credentials, and generate compliance artifacts automatically.
Migration Journey and Business Outcomes
Organizations transition through phases:
- Assessment: Data source inventory, retention requirements
- Pilot: Ingest 10% of logs, validate detection efficacy
- Cutover: Parallel run with legacy SIEM, gradual decommissioning
- Optimization: ML-based false positive suppression
Customers achieve:
- 60% reduction in MTTD
- 40% lower TCO versus on-premises SIEM
- 100% audit-ready evidence retention
ConvergeSECURITY Value Proposition
The partnership combines Deloitte’s detection content with AWS scalability:
Deloitte → Detection Engineering + SOC Operations
AWS → Security Lake + OpenSearch Service + GuardDuty
This managed service offloads parser maintenance, storage optimization, and rule tuning while preserving customer control over data.
Conclusion: Security Operations as Strategic Capability
ConvergeSECURITY demonstrates that cloud-native SIEM eliminates traditional constraints, enabling security teams to focus on threat hunting rather than infrastructure management. The combination of unlimited retention, real-time analytics, and automated response creates a force multiplier for SOC effectiveness.