Recent Posts
Archives

Posts Tagged ‘DetectionEngineering’

PostHeaderIcon [AWSReInforce2025] Enhancing security operations with Next Gen SIEM and ConvergeSECURITY (SEC325)

Lecturer

Stanley Parrot serves as Detection Engineer at Deloitte, crafting threat detection content that operationalizes AWS native telemetry within ConvergeSECURITY. His expertise spans SIEM modernization, behavioral analytics, and incident response automation across enterprise environments.

Abstract

The presentation introduces ConvergeSECURITY as Deloitte’s managed security platform built on AWS, demonstrating how next-generation SIEM capabilities accelerate detection, reduce costs, and enable SOC transformation. Through data architecture patterns and detection engineering workflows, it establishes a blueprint for cloud-native security operations.

SOC Modernization Imperative

Traditional SIEMs struggle with cloud-scale data volumes and velocity. Legacy appliances require:

  • Fixed retention windows
  • Manual parser development
  • High storage costs

ConvergeSECURITY leverages AWS services to eliminate these constraints, processing petabytes of security telemetry with sub-second query performance.

Cloud-Native Data Lake Architecture

The platform implements a layered data strategy:

Raw Zone → S3 (all logs, indefinite retention)
Curated Zone → Athena (OCSF-normalized, 90-day hot)
Analytics Zone → OpenSearch (aggregated insights)

Sources include:
– CloudTrail management and data events
– VPC Flow Logs at 100% sampling
– GuardDuty findings
– Custom application logs via Firehose

Detection Engineering Framework

Deloitte maintains 3000+ detection rules covering:

threat: privilege_escalation
source: cloudtrail
condition: eventName = "AssumeRole" AND userIdentity.type = "IAMUser"
context: mfa_enabled = false
severity: high

Rules execute continuously via EventBridge, enriching events with identity context, asset inventory, and threat intelligence before alerting.

Automated Response Playbooks

Integration with AWS services enables closed-loop remediation:

def handler(event, context):
    if event['severity'] == 'CRITICAL':
        security_hub.create_automation(
            action='ISOLATE_INSTANCE',
            resource=event['instance_id']
        )

Playbooks quarantine compromised resources, rotate credentials, and generate compliance artifacts automatically.

Migration Journey and Business Outcomes

Organizations transition through phases:

  1. Assessment: Data source inventory, retention requirements
  2. Pilot: Ingest 10% of logs, validate detection efficacy
  3. Cutover: Parallel run with legacy SIEM, gradual decommissioning
  4. Optimization: ML-based false positive suppression

Customers achieve:
– 60% reduction in MTTD
– 40% lower TCO versus on-premises SIEM
– 100% audit-ready evidence retention

ConvergeSECURITY Value Proposition

The partnership combines Deloitte’s detection content with AWS scalability:

Deloitte → Detection Engineering + SOC Operations
AWS → Security Lake + OpenSearch Service + GuardDuty

This managed service offloads parser maintenance, storage optimization, and rule tuning while preserving customer control over data.

Conclusion: Security Operations as Strategic Capability

ConvergeSECURITY demonstrates that cloud-native SIEM eliminates traditional constraints, enabling security teams to focus on threat hunting rather than infrastructure management. The combination of unlimited retention, real-time analytics, and automated response creates a force multiplier for SOC effectiveness.

Links:

PostHeaderIcon [DefCon32] MaLDAPtive: Obfuscation and De-Obfuscation

Directory services, foundational to enterprise security, harbor overlooked evasion potentials. Daniel Bohannon and Sabajete Elezaj unveil MaLDAPtive, a framework born from exhaustive LDAP research. Daniel, a principal threat researcher at Permiso Security, and Sabajete, a senior cyber security engineer at Solaris SE, dissect obfuscation techniques across LDAP elements, empowering both attackers and defenders.

Their journey traces Active Directory’s evolution since 2000, intertwined with LDAP’s protocol roots from the 1980s. Tools like BloodHound amplified LDAP’s offensive utility, yet detection lags, often signature-bound in costly solutions.

MaLDAPtive, a 2,000-hour endeavor, features a custom tokenizer and parser, enabling unprecedented obfuscation and de-obfuscation. They categorize techniques: distinguished name manipulations via encodings, attribute tricks with wildcards, and filter obfuscations leveraging operators.

Historical Context and LDAP Components

Daniel recounts LDAP’s standardization in 1993, with Active Directory adopting it in 2000. Queries comprise bases, scopes, filters—ripe for evasion.

Distinguished names (DNs) encode via UTF-8, hex, or escapes, bloating logs. Attributes exploit aliases like “cn” for “name,” while filters layer parentheses and negations.

Their parser tokenizes queries, revealing incompatibilities undocumented elsewhere.

Advanced Obfuscation Techniques

Sabajete details filter intricacies: extensible matches with OIDs, reversing attributes for efficiency. They uncover zero-padding in OIDs, undocumented wildcards in values.

Tool-generated examples expose anomalies, like hex encoding bans in certain filters. MaLDAPtive automates these, generating evasive queries while preserving semantics.

Defensively, de-obfuscation normalizes queries, aiding detection. They critique static signatures, advocating behavioral analytics.

Detection and Framework Release

MaLDAPtive’s detection module identifies anomalies via token analysis, flagging excessive nesting or encodings.

Demonstrations showcase obfuscated queries evading simplistic tools, yet normalized by their framework.

Releasing openly, they equip communities to fortify defenses, transforming LDAP from lightweight to robustly secured.

Their work bridges offensive ingenuity with defensive resilience, urging deeper protocol scrutiny.

Links: