On 2023-11-23
by Gareth Davies
Cybersecurity

Splunk Boss of the SOC: A cybersecurity analyst’s perspective

cybersecurity expert in a SOC (Security Operation Center)

BOTS events attract analysts globally and allow some good-spirited competition among cybersecurity experts. Gareth Davies, a cybersecurity analyst in Airbus Protect will share with us his perspective on these competitions.

Summary

In October, two teams of cybersecurity analysts, including myself, competed in Splunk “Boss of the SOC” competition where our teams came 1st and 13th.
A few weeks later, our transnational SOC teams competed in an invitational “Bulletproof” contest in which we once again claimed 1st place, followed closely with our second team coming 5th place.

So why is BOTS such an important demonstration of skill?

Each BOTS event varies and consists of different scenarios that involve Splunk tools such as Splunk Enterprise, Enterprise Security, and SOAR.

The importance of BOTS to analysts

Although BOTS is a competition and the mentality is to win, the competition provides analysts the opportunity to learn. 

Traditional cybersecurity is tough. In an ever changing threat landscape you must constantly monitor threat actors alongside TTPs (Tactics, Techniques, and Procedures) changing often. 

BOTS competitions provide an environment in which security analysts can gain experience in finding specific malicious activities that happen during traditional cyber attacks seen in the wild.

These competitions further expose analysts to new tools and logs from malicious activity that they may not have had access to previously. Within Splunk BOTS’ event logs can come from a range of different tools such as Zeek, Suricata, Okta, etc. 

The competition therefore gives analysts an understanding of where they are in terms of knowledge and skill level within TH and highlights areas to develop. This is extremely valuable experience to gain which aids analysts with detection and developing their TH capabilities.

What can be learnt from BOTS?

The competition as a whole can be considered as a step in the continuous learning process and adaptation of an analyst. When CTF is mentioned many assume that the CTF will be a red team activity as currently there are not many blue team CTF events. Having Splunk create the Splunk BOTS events allows us as teams to compete and demonstrate our blue team knowledge as well as our skills using the tools provided by Splunk. However, these competitions can also provide analysts a benchmark when competing against the best teams- it forces analysts to push themselves, highlighting their current skill level and where they can push to improve. Questions are designed to press teams and this is a vital learning point for analysts to ensure they understand what is required to detect an activity if it ever arises.

Having exposure to ranges of different logs from many different tools in the competition has allowed me to learn a lot more from a threat hunting and detection perspective. This competition provides the experience to understand the logs and know where to look if similar activity occurs in the future.

The importance of analysts in a strong security strategy 

Organisations are now being forced into the digital world and this environment is one we will see more often. What is vital to organisations is being prepared for these changes. With the unprecedented number of threat actors across the globe, cyber attacks are happening daily, at all hours. Due to this, SOCs are extremely important for many organisations as this can allow for continuous protective monitoring, centralised visibility, and the ability for SOCs to be in contact and to work with organisation’s IT teams for incident response. The BOTS events allow analysts to follow a process of continuous improvement and adaptation required in the dynamic and changing threat landscape we face today. Blue team events, like this one, demonstrate not only the skills of our teams but the strength of our transnational SOCs in protecting your organisation. 

SOC services by Airbus Protect

  • Share

More on Cybersecurity

AI in the OT realm in the future Cybersecurity

Future Tech, Future Threat, Future Ready? Artificial Intelligence & OT

As we’re planning our attendance at the UK’s flagship cyber security event Cyber UK 2024, the strapline of “Future Tech, Future Threat, Future Ready” has given us the opportunity to think about the future trends in OT Security and what they could mean for the industry. You can’t have not noticed the proliferation of Artificial [...] Read more
Supply chain attacks and how to fight them Cybersecurity

Airbus Protect explains: Supply Chain attacks and how to fight them

Supply Chain attacks are an underestimated risk for companies, where cyber threat actors can hack into a software vendor’s network, posing a significant danger to many companies. Who may be affected by these attacks? Every company of every branch who is in a business relationship to a third-party vendor who offers services or software to […]

Read more