The amount of security-relevant data for the organizations we protect is growing beyond the capabilities of traditional incident detection and response tools. Evaluating and operationalizing the “big data” technologies capable of storing and analyzing data at scale requires technical depth uncommon to IR teams and is non-trivial and time consuming. Teams need both the ability to deploy and store data in these technologies, and to use them to enable “playbooks” for detection and response.
This SIG will leverage the collective knowledge of teams who have deployed scaled IR capabilities to share reference architectures and best practices for detection and response at scale. It will also create containerized environments based on those architectures for teams that would like to get started.
As a community, FIRST is uniquely situated to provide non-denominational best practices, based on live deployments of these systems, to IR teams. The mission of this SIG is to provide a mechanism for sharing and implementing best practices for incident detection and response at scale.
The latter two efforts are only expected to begin in the first year. They will continually be updated as new technologies develop.