On 2023-11-23
by Gareth Davies
Cybersecurity

Splunk Boss of the SOC: A cybersecurity analyst’s perspective

cybersecurity expert in a SOC (Security Operation Center)

BOTS events attract analysts globally and allow some good-spirited competition among cybersecurity experts. Gareth Davies, a cybersecurity analyst in Airbus Protect will share with us his perspective on these competitions.

Summary

In October, two teams of cybersecurity analysts, including myself, competed in Splunk “Boss of the SOC” competition where our teams came 1st and 13th.
A few weeks later, our transnational SOC teams competed in an invitational “Bulletproof” contest in which we once again claimed 1st place, followed closely with our second team coming 5th place.

So why is BOTS such an important demonstration of skill?

Each BOTS event varies and consists of different scenarios that involve Splunk tools such as Splunk Enterprise, Enterprise Security, and SOAR.

The importance of BOTS to analysts

Although BOTS is a competition and the mentality is to win, the competition provides analysts the opportunity to learn. 

Traditional cybersecurity is tough. In an ever changing threat landscape you must constantly monitor threat actors alongside TTPs (Tactics, Techniques, and Procedures) changing often. 

BOTS competitions provide an environment in which security analysts can gain experience in finding specific malicious activities that happen during traditional cyber attacks seen in the wild.

These competitions further expose analysts to new tools and logs from malicious activity that they may not have had access to previously. Within Splunk BOTS’ event logs can come from a range of different tools such as Zeek, Suricata, Okta, etc. 

The competition therefore gives analysts an understanding of where they are in terms of knowledge and skill level within TH and highlights areas to develop. This is extremely valuable experience to gain which aids analysts with detection and developing their TH capabilities.

What can be learnt from BOTS?

The competition as a whole can be considered as a step in the continuous learning process and adaptation of an analyst. When CTF is mentioned many assume that the CTF will be a red team activity as currently there are not many blue team CTF events. Having Splunk create the Splunk BOTS events allows us as teams to compete and demonstrate our blue team knowledge as well as our skills using the tools provided by Splunk. However, these competitions can also provide analysts a benchmark when competing against the best teams- it forces analysts to push themselves, highlighting their current skill level and where they can push to improve. Questions are designed to press teams and this is a vital learning point for analysts to ensure they understand what is required to detect an activity if it ever arises.

Having exposure to ranges of different logs from many different tools in the competition has allowed me to learn a lot more from a threat hunting and detection perspective. This competition provides the experience to understand the logs and know where to look if similar activity occurs in the future.

The importance of analysts in a strong security strategy 

Organisations are now being forced into the digital world and this environment is one we will see more often. What is vital to organisations is being prepared for these changes. With the unprecedented number of threat actors across the globe, cyber attacks are happening daily, at all hours. Due to this, SOCs are extremely important for many organisations as this can allow for continuous protective monitoring, centralised visibility, and the ability for SOCs to be in contact and to work with organisation’s IT teams for incident response. The BOTS events allow analysts to follow a process of continuous improvement and adaptation required in the dynamic and changing threat landscape we face today. Blue team events, like this one, demonstrate not only the skills of our teams but the strength of our transnational SOCs in protecting your organisation. 

SOC services by Airbus Protect

  • Share

More on Cybersecurity

understanding digital risk management Cybersecurity

Digital Risk Management: A Business-Aligned Approach

Organisations today face a complex and evolving array of risks that require effective management. Some are inherently digital, while others are traditional risks amplified by technology. From cyberattacks to technical disruptions, these threats pose significant challenges for businesses, holding the power to impact operations, finances, reputation, and ultimately bottom line.  To safeguard their future, organisations [...] Read more
Airbus Protect explains Vulnerability Management Cybersecurity

Airbus Protect explains: Vulnerability Management

What is vulnerability management? Vulnerability analyst Pierre Louis Gensou explains. Vulnerability management and vulnerability intelligence are crucial elements of IT security. As a vulnerability analyst, my role is to identify security flaws, assess their impact on the components we monitor, and inform customers of the associated risks. What is a vulnerability? When we say "vulnerability", [...] Read more
Regulation (EU, Euratom) 2023/2841: What does it mean for EUIBA? Cybersecurity

Regulation (EU, Euratom) 2023/2841: What does it mean for EUIBAs?

What is Regulation 2023/2841?   The EU cybersecurity Regulation, which came into force at the start of this year, aims to establish a comprehensive and standardised approach to cybersecurity across European Union Institutions, Bodies and Agencies (EUIBA). This ensures that all entities are well-protected against evolving cyber threats and capable of executing a coordinated incident […]

Read more