The amount of security-relevant data for the organizations we protect is growing beyond the capabilities of traditional incident detection and response tools. Evaluating and operationalizing the “big data” technologies capable of storing and analyzing data at scale requires technical depth that is uncommon on IR teams, and doing so is non-trivial and time consuming. Teams need both the ability to deploy these technologies and store data in them, and the ability to use them to drive “playbooks” for detection and response.
This SIG will leverage the collective knowledge of teams who have deployed scaled IR capabilities to share reference architectures and best practices for detection and response at scale. It will also create containerized environments based on those architectures for teams that would like to get started.
As a community, FIRST is uniquely situated to provide non-denominational best practices, based on live deployments of these systems, to IR teams. The mission of this SIG is to provide a mechanism for sharing and implementing best practices for incident detection and response at scale.
Develop or reference a common taxonomy
Share / present reference architectures, best practices, use cases, and lessons learned
Develop repositories of common tooling around ingestion, validation, cleaning, filtering, enrichment, detection, and automated response
Create a VM/container environment with example data pipelines and event detection to enable quick prototyping and learning