On 2023-11-23
by Gareth Davies
Cybersecurity

Splunk Boss of the SOC: A cybersecurity analyst’s perspective


BOTS events attract analysts globally and allow some good-spirited competition among cybersecurity experts. Gareth Davies, a cybersecurity analyst at Airbus Protect, shares his perspective on these competitions.

Summary

In October, two teams of cybersecurity analysts, including myself, competed in the Splunk "Boss of the SOC" competition, where our teams came 1st and 13th.
A few weeks later, our transnational SOC teams competed in an invitational "Bulletproof" contest in which we once again claimed 1st place, with our second team following closely in 5th place.

So why is BOTS such an important demonstration of skill?

Each BOTS event is different, consisting of scenarios that exercise Splunk tools such as Splunk Enterprise, Enterprise Security, and SOAR.

The importance of BOTS to analysts

Although BOTS is a competition and the mentality is to win, it also provides analysts with the opportunity to learn.

Traditional cybersecurity is tough. In an ever-changing threat landscape you must constantly track threat actors whose TTPs (Tactics, Techniques, and Procedures) change often.

BOTS competitions provide an environment in which security analysts can gain experience in finding the specific malicious activities that occur during cyber attacks seen in the wild.

These competitions further expose analysts to new tools and to logs of malicious activity that they may not have had access to previously. Within a Splunk BOTS event, logs can come from a range of different tools such as Zeek, Suricata, and Okta.

The competition therefore gives analysts an understanding of where they stand in terms of threat hunting (TH) knowledge and skill, and highlights areas to develop. This is extremely valuable experience which helps analysts with detection and with developing their TH capabilities.

What can be learnt from BOTS?

The competition as a whole can be considered a step in an analyst's continuous learning and adaptation. When a CTF is mentioned, many assume it will be a red team activity, as there are currently not many blue team CTF events. Splunk creating the BOTS events allows us to compete as teams and demonstrate our blue team knowledge as well as our skills with the tools Splunk provides.

These competitions also give analysts a benchmark against the best teams: they force analysts to push themselves, highlighting their current skill level and where they can improve. The questions are designed to press teams, and this is a vital learning point for analysts to ensure they understand what is required to detect an activity if it ever arises.

Exposure to a range of logs from many different tools in the competition has allowed me to learn a lot more from a threat hunting and detection perspective. The competition provides the experience needed to understand the logs and know where to look if similar activity occurs in the future.

The importance of analysts in a strong security strategy 

Organisations are now being pushed into the digital world, and this environment is one we will see more often. What is vital for organisations is being prepared for these changes. With an unprecedented number of threat actors across the globe, cyber attacks are happening daily, at all hours. SOCs are therefore extremely important for many organisations, as they allow for continuous protective monitoring, centralised visibility, and the ability for the SOC to stay in contact and work with the organisation's IT teams on incident response.

BOTS events allow analysts to follow the process of continuous improvement and adaptation required in the dynamic threat landscape we face today. Blue team events like this one demonstrate not only the skills of our teams but the strength of our transnational SOCs in protecting your organisation.
