Posts Tagged ‘DetectionEngineering’
[AWSReInforce2025] Enhancing security operations with Next Gen SIEM and ConvergeSECURITY (SEC325)
Lecturer
Stanley Parrot serves as Detection Engineer at Deloitte, crafting threat detection content that operationalizes AWS native telemetry within ConvergeSECURITY. His expertise spans SIEM modernization, behavioral analytics, and incident response automation across enterprise environments.
Abstract
The presentation introduces ConvergeSECURITY as Deloitte’s managed security platform built on AWS, demonstrating how next-generation SIEM capabilities accelerate detection, reduce costs, and enable SOC transformation. Through data architecture patterns and detection engineering workflows, it establishes a blueprint for cloud-native security operations.
SOC Modernization Imperative
Traditional SIEMs struggle with cloud-scale data volumes and velocity. Legacy appliances require:
- Fixed retention windows
- Manual parser development
- High storage costs
ConvergeSECURITY leverages AWS services to eliminate these constraints, processing petabytes of security telemetry with sub-second query performance.
Cloud-Native Data Lake Architecture
The platform implements a layered data strategy:
Raw Zone → S3 (all logs, indefinite retention)
Curated Zone → Athena (OCSF-normalized, 90-day hot)
Analytics Zone → OpenSearch (aggregated insights)
Sources include:
– CloudTrail management and data events
– VPC Flow Logs at 100% sampling
– GuardDuty findings
– Custom application logs via Firehose
Detection Engineering Framework
Deloitte maintains 3000+ detection rules covering:
threat: privilege_escalation
source: cloudtrail
condition: eventName = "AssumeRole" AND userIdentity.type = "IAMUser"
context: mfa_enabled = false
severity: high
Rules execute continuously via EventBridge, enriching events with identity context, asset inventory, and threat intelligence before alerting.
Automated Response Playbooks
Integration with AWS services enables closed-loop remediation:
def handler(event, context):
if event['severity'] == 'CRITICAL':
security_hub.create_automation(
action='ISOLATE_INSTANCE',
resource=event['instance_id']
)
Playbooks quarantine compromised resources, rotate credentials, and generate compliance artifacts automatically.
Migration Journey and Business Outcomes
Organizations transition through phases:
- Assessment: Data source inventory, retention requirements
- Pilot: Ingest 10% of logs, validate detection efficacy
- Cutover: Parallel run with legacy SIEM, gradual decommissioning
- Optimization: ML-based false positive suppression
Customers achieve:
– 60% reduction in MTTD
– 40% lower TCO versus on-premises SIEM
– 100% audit-ready evidence retention
ConvergeSECURITY Value Proposition
The partnership combines Deloitte’s detection content with AWS scalability:
Deloitte → Detection Engineering + SOC Operations
AWS → Security Lake + OpenSearch Service + GuardDuty
This managed service offloads parser maintenance, storage optimization, and rule tuning while preserving customer control over data.
Conclusion: Security Operations as Strategic Capability
ConvergeSECURITY demonstrates that cloud-native SIEM eliminates traditional constraints, enabling security teams to focus on threat hunting rather than infrastructure management. The combination of unlimited retention, real-time analytics, and automated response creates a force multiplier for SOC effectiveness.
Links:
[DefCon32] MaLDAPtive: Obfuscation and De-Obfuscation
Directory services, foundational to enterprise security, harbor overlooked evasion potentials. Daniel Bohannon and Sabajete Elezaj unveil MaLDAPtive, a framework born from exhaustive LDAP research. Daniel, a principal threat researcher at Permiso Security, and Sabajete, a senior cyber security engineer at Solaris SE, dissect obfuscation techniques across LDAP elements, empowering both attackers and defenders.
Their journey traces Active Directory’s evolution since 2000, intertwined with LDAP’s protocol roots from the 1980s. Tools like BloodHound amplified LDAP’s offensive utility, yet detection lags, often signature-bound in costly solutions.
MaLDAPtive, a 2,000-hour endeavor, features a custom tokenizer and parser, enabling unprecedented obfuscation and de-obfuscation. They categorize techniques: distinguished name manipulations via encodings, attribute tricks with wildcards, and filter obfuscations leveraging operators.
Historical Context and LDAP Components
Daniel recounts LDAP’s standardization in 1993, with Active Directory adopting it in 2000. Queries comprise bases, scopes, filters—ripe for evasion.
Distinguished names (DNs) encode via UTF-8, hex, or escapes, bloating logs. Attributes exploit aliases like “cn” for “name,” while filters layer parentheses and negations.
Their parser tokenizes queries, revealing incompatibilities undocumented elsewhere.
Advanced Obfuscation Techniques
Sabajete details filter intricacies: extensible matches with OIDs, reversing attributes for efficiency. They uncover zero-padding in OIDs, undocumented wildcards in values.
Tool-generated examples expose anomalies, like hex encoding bans in certain filters. MaLDAPtive automates these, generating evasive queries while preserving semantics.
Defensively, de-obfuscation normalizes queries, aiding detection. They critique static signatures, advocating behavioral analytics.
Detection and Framework Release
MaLDAPtive’s detection module identifies anomalies via token analysis, flagging excessive nesting or encodings.
Demonstrations showcase obfuscated queries evading simplistic tools, yet normalized by their framework.
Releasing openly, they equip communities to fortify defenses, transforming LDAP from lightweight to robustly secured.
Their work bridges offensive ingenuity with defensive resilience, urging deeper protocol scrutiny.