SlideShare a Scribd company logo

The Journey from Zero to SOC: How Citadel built its Security Operations from the Ground Up on Elastic

Elasticsearch, profile picture
Elasticsearch

The document outlines Sean Lengyel's experience in building a Security Operations Center (SOC) for Citadel, highlighting the challenges faced with previous solutions lacking native SIEM capabilities and the costs associated with log ingestion. It emphasizes the advantages of using Elastic for its affordability, security features, and scalability, which have allowed the SOC to effectively monitor a wide range of logs from various sources. The presentation culminates in a positive assessment of the current state of the SOC, demonstrating its growth and operational success.

Technology
1 of 22
Downloaded 16 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
The Journey from Zero to SOCAugust 2020 Sean Lengyel Head of Cyber Security
About ME - 12 years experience in IT & Cyber Security - 10 years in the Australian Department of Defence - Royal Australian Air Force Veteran - Built Citadel’s SOC from the ground up
About Us 3 text Text © Citadel Group | Journey from Zero to SOC | Health Solutions Keeping People & Information SafeEnterprise Solutions Technology Services Professional Services
About Us – Security Operations 4© Citadel Group | Journey from Zero to SOC | Where does the Citadel SOC fit in?
About Us – Mission 5© Citadel Group | Journey from Zero to SOC | Protect Customer Data
M FA TrustedDevice About Us – Zero Trust 6© Citadel Group | Journey from Zero to SOC | MFATrustedDevice M FA Trusted Device M FAAny Device MFA Trusted Device MFA Trusted Device Credential Manager Launcher Tenable.io ASD Essential Eight InTune MDM Citadel SOE Windows 10 MFAAny Device Elastic Endgame Elastic Beats Web Proxy Agents MSCT/CIS Hardening ASD Essential Eight MFA Any Device MFA Any Device Any Device Locked down GooglePlay Store Device Hardening InTune MDM Locked down Apple App Store Device Hardening InTune MDM Apple IOS Android MFA Trusted Device Customer Environments
Where did Our logging Journey start?
Where did our logging journey start?
Some of the problems we faced… 9© Citadel Group | Journey from Zero to SOC | • Existing solution didn’t offer native SIEM capabilities • SIEM capabilities were an expensive add-on • Very expensive to ingest the all the logs we needed • The licencing model meant that it would have made it very costly to ingest the following logs: - Windows Sysmon Events (Security & Observability) - Windows Perfmon Events (Observability) - Azure SQL Database Audit Events (Security) - Azure NSG Firewall Events (Security) - Endpoint Protection Agent Logs (Security) - Azure Diagnostics (Observability)
The positives… 10© Citadel Group | Journey from Zero to SOC | I was very lucky to be working with some very security conscious Developers, Cloud Engineers & Application Specialists
Why Elastic?
Why Elastic? 12© Citadel Group | Journey from Zero to SOC | Cost: Perfect for a growing organisation Security Features: Great out of the box features that a SOC needs Observability: Allows us to met our service operations needs Scalability: The SOC can easily grow as the company grows Machine Learning: Detecting outliers without needing complicated rules Customisation: Building alerts tailored to our environments
Fast forward to Today
Where are we now? 14© Citadel Group | Journey from Zero to SOC |
Where are we now? 15© Citadel Group | Journey from Zero to SOC | ü Windows 10 Endpoint Logs ü Azure AD Audit & Sign-in Logs ü Azure Resources Audit Logs ü SaaS Cloud Application Logs ü Windows Customer Server Logs ü Linux Customer Server Logs ü SQL Database Audit Logs ü On-prem & Cloud-based Firewall Logs ü Web Application Firewall Logs ü Office365 ATP Logs ü MS Defender ATP Logs ü Elastic Endgame Logs
SIEM Signals 16© Citadel Group | Journey from Zero to SOC |
SIEM Signals 17© Citadel Group | Journey from Zero to SOC |
Custom SIEM Signal 18© Citadel Group | Journey from Zero to SOC |
Elastic Endgame 19© Citadel Group | Journey from Zero to SOC |
Elastic Endgame – Custom Rule 20© Citadel Group | Journey from Zero to SOC |
Final Thoughts 21© Citadel Group | Journey from Zero to SOC | We are in a good place now
Thank you! sean.lengyel@citadelgroup.com.au

More Related Content

PDF
Innovating at speed and scale with implicit security
Elasticsearch
 
PDF
Elastic Security: Your one-stop OODA loop shop
Elasticsearch
 
PDF
Operationalize with alerting, custom dashboards, and timelines
Elasticsearch
 
PDF
Full time PII data protection: How Randstad uses Elastic Security to keep cli...
Elasticsearch
 
PDF
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
DevOps.com
 
PDF
What is the Future of SIEM?
Elasticsearch
 
PDF
Keynote: Elastic Security evolution and vision
Elasticsearch
 
PDF
Empowering agencies using Elastic as a Service inside Government
Elasticsearch
 
Innovating at speed and scale with implicit security
Elasticsearch
 
Elastic Security: Your one-stop OODA loop shop
Elasticsearch
 
Operationalize with alerting, custom dashboards, and timelines
Elasticsearch
 
Full time PII data protection: How Randstad uses Elastic Security to keep cli...
Elasticsearch
 
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
DevOps.com
 
What is the Future of SIEM?
Elasticsearch
 
Keynote: Elastic Security evolution and vision
Elasticsearch
 
Empowering agencies using Elastic as a Service inside Government
Elasticsearch
 

What's hot (20)

PDF
Building Elastic into security operations
Elasticsearch
 
PDF
October 2020 meetup
Daliya Spasova
 
PDF
Cisco Connect 2018 Singapore - Next generation hyperconverged infrastructure
NetworkCollaborators
 
PDF
Cisco Connect 2018 Singapore - Cisco Incident Response Services
NetworkCollaborators
 
PDF
Conferencia principal: Evolución y visión de Elastic Security
Elasticsearch
 
PDF
Keynote: Elastic Security evolution and vision
Elasticsearch
 
PPTX
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
PDF
Cisco Connect 2018 Singapore - Cybersecurity strategy
NetworkCollaborators
 
PDF
Cisco Connect 2018 Singapore - Secure data center building a secure zero trus...
NetworkCollaborators
 
PDF
Palestra de abertura: Evolução e visão do Elastic Security
Elasticsearch
 
PDF
Cisco Connect 2018 Singapore - Transforming Enterprises in a Multi-Cloud World
NetworkCollaborators
 
PDF
Tirez pleinement parti d'Elastic grâce à Elastic Cloud
Elasticsearch
 
PDF
Cisco Connect 2018 Singapore - Do more than keep the lights on
NetworkCollaborators
 
PDF
Cisco Connect 2018 Singapore - Data center transformation a customer perspec...
NetworkCollaborators
 
PDF
Cisco Connect 2018 Singapore - delivering intent for data center networking
NetworkCollaborators
 
PDF
Cisco Connect 2018 Singapore - Cisco CMX
NetworkCollaborators
 
PDF
Managing Compliance in Container Environments
Twistlock
 
PDF
Elastic Security: Proteção Empresarial construída sobre o Elastic Stack
Elasticsearch
 
PDF
Keynote: Looping through data, insight, and action
Elasticsearch
 
PPTX
Secure Data Sharing in OpenShift Environments
DevOps.com
 
Building Elastic into security operations
Elasticsearch
 
October 2020 meetup
Daliya Spasova
 
Cisco Connect 2018 Singapore - Next generation hyperconverged infrastructure
NetworkCollaborators
 
Cisco Connect 2018 Singapore - Cisco Incident Response Services
NetworkCollaborators
 
Conferencia principal: Evolución y visión de Elastic Security
Elasticsearch
 
Keynote: Elastic Security evolution and vision
Elasticsearch
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
Cisco Connect 2018 Singapore - Cybersecurity strategy
NetworkCollaborators
 
Cisco Connect 2018 Singapore - Secure data center building a secure zero trus...
NetworkCollaborators
 
Palestra de abertura: Evolução e visão do Elastic Security
Elasticsearch
 
Cisco Connect 2018 Singapore - Transforming Enterprises in a Multi-Cloud World
NetworkCollaborators
 
Tirez pleinement parti d'Elastic grâce à Elastic Cloud
Elasticsearch
 
Cisco Connect 2018 Singapore - Do more than keep the lights on
NetworkCollaborators
 
Cisco Connect 2018 Singapore - Data center transformation a customer perspec...
NetworkCollaborators
 
Cisco Connect 2018 Singapore - delivering intent for data center networking
NetworkCollaborators
 
Cisco Connect 2018 Singapore - Cisco CMX
NetworkCollaborators
 
Managing Compliance in Container Environments
Twistlock
 
Elastic Security: Proteção Empresarial construída sobre o Elastic Stack
Elasticsearch
 
Keynote: Looping through data, insight, and action
Elasticsearch
 
Secure Data Sharing in OpenShift Environments
DevOps.com
 
Ad

Similar to The Journey from Zero to SOC: How Citadel built its Security Operations from the Ground Up on Elastic (20)

PDF
Cloud Security by CK
Narinrit Prem-apiwathanokul
 
PDF
智慧市政大未來 主題一
Mavis CHU
 
PPTX
AMER Introduction to ThousandEyes Webinar
ThousandEyes
 
PPTX
IoT World Forum Press Conference - 10.14.2014
Bessie Wang
 
PPTX
Alfresco Virtual DevCon 2020 - Security First!
Jason Jolley
 
PPTX
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
PPTX
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
PPTX
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
ThousandEyes
 
PDF
MT81 Keys to Successful Enterprise IoT Initiatives
Dell EMC World
 
PDF
IoT Security: Problems, Challenges and Solutions
Liwei Ren任力偉
 
PPTX
SwitchIT-02.2018-Company-overview.pptx
WILFRIEDKOUASSIKAN
 
PDF
Tomorrow Starts Here - Security Everywhere
Cisco Canada
 
PDF
I Syed, Sr. Consultant - Enterprise Information Security Governance, Risk, Co...
IftikharUddin Syed CRISC, EHCE, ITIL, M.S. IT Security
 
PDF
2021 01-27 reducing risk of ransomware webinar
AlgoSec
 
PPTX
Emc World Keynote Mirchandani
Orange Business Services Business development IT
 
PDF
MILCOM 2013 Keynote Presentation: Larry Payne
AFCEA International
 
PPTX
Cloud technology for hospitality
PT Datacomm Diangraha
 
PDF
SAMSUNG SDS.pdf
ShashankKumar241736
 
PDF
Digital Transformation in a World of Connected Devices
MuleSoft
 
PPTX
Fortinet Corporate Overview Deck 11.pptx
flawrence2
 
Cloud Security by CK
Narinrit Prem-apiwathanokul
 
智慧市政大未來 主題一
Mavis CHU
 
AMER Introduction to ThousandEyes Webinar
ThousandEyes
 
IoT World Forum Press Conference - 10.14.2014
Bessie Wang
 
Alfresco Virtual DevCon 2020 - Security First!
Jason Jolley
 
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
ThousandEyes
 
MT81 Keys to Successful Enterprise IoT Initiatives
Dell EMC World
 
IoT Security: Problems, Challenges and Solutions
Liwei Ren任力偉
 
SwitchIT-02.2018-Company-overview.pptx
WILFRIEDKOUASSIKAN
 
Tomorrow Starts Here - Security Everywhere
Cisco Canada
 
I Syed, Sr. Consultant - Enterprise Information Security Governance, Risk, Co...
IftikharUddin Syed CRISC, EHCE, ITIL, M.S. IT Security
 
2021 01-27 reducing risk of ransomware webinar
AlgoSec
 
Emc World Keynote Mirchandani
Orange Business Services Business development IT
 
MILCOM 2013 Keynote Presentation: Larry Payne
AFCEA International
 
Cloud technology for hospitality
PT Datacomm Diangraha
 
SAMSUNG SDS.pdf
ShashankKumar241736
 
Digital Transformation in a World of Connected Devices
MuleSoft
 
Fortinet Corporate Overview Deck 11.pptx
flawrence2
 
Ad

More from Elasticsearch (20)

PDF
An introduction to Elasticsearch's advanced relevance ranking toolbox
Elasticsearch
 
PDF
From MSP to MSSP using Elastic
Elasticsearch
 
PDF
Cómo crear excelentes experiencias de búsqueda en sitios web
Elasticsearch
 
PDF
Te damos la bienvenida a una nueva forma de realizar búsquedas
Elasticsearch
 
PDF
Comment transformer vos données en informations exploitables
Elasticsearch
 
PDF
Plongez au cœur de la recherche dans tous ses états.
Elasticsearch
 
PDF
Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]
Elasticsearch
 
PDF
An introduction to Elasticsearch's advanced relevance ranking toolbox
Elasticsearch
 
PDF
Welcome to a new state of find
Elasticsearch
 
PDF
Building great website search experiences
Elasticsearch
 
PDF
Keynote: Harnessing the power of Elasticsearch for simplified search
Elasticsearch
 
PDF
Cómo transformar los datos en análisis con los que tomar decisiones
Elasticsearch
 
PDF
Explore relève les défis Big Data avec Elastic Cloud
Elasticsearch
 
PDF
Comment transformer vos données en informations exploitables
Elasticsearch
 
PDF
Transforming data into actionable insights
Elasticsearch
 
PDF
Opening Keynote: Why Elastic?
Elasticsearch
 
PDF
Empowering agencies using Elastic as a Service inside Government
Elasticsearch
 
PDF
The opportunities and challenges of data for public good
Elasticsearch
 
PDF
Enterprise search and unstructured data with CGI and Elastic
Elasticsearch
 
PDF
What's new at Elastic: Update on major initiatives and releases
Elasticsearch
 
An introduction to Elasticsearch's advanced relevance ranking toolbox
Elasticsearch
 
From MSP to MSSP using Elastic
Elasticsearch
 
Cómo crear excelentes experiencias de búsqueda en sitios web
Elasticsearch
 
Te damos la bienvenida a una nueva forma de realizar búsquedas
Elasticsearch
 
Comment transformer vos données en informations exploitables
Elasticsearch
 
Plongez au cœur de la recherche dans tous ses états.
Elasticsearch
 
Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]
Elasticsearch
 
An introduction to Elasticsearch's advanced relevance ranking toolbox
Elasticsearch
 
Welcome to a new state of find
Elasticsearch
 
Building great website search experiences
Elasticsearch
 
Keynote: Harnessing the power of Elasticsearch for simplified search
Elasticsearch
 
Cómo transformar los datos en análisis con los que tomar decisiones
Elasticsearch
 
Explore relève les défis Big Data avec Elastic Cloud
Elasticsearch
 
Comment transformer vos données en informations exploitables
Elasticsearch
 
Transforming data into actionable insights
Elasticsearch
 
Opening Keynote: Why Elastic?
Elasticsearch
 
Empowering agencies using Elastic as a Service inside Government
Elasticsearch
 
The opportunities and challenges of data for public good
Elasticsearch
 
Enterprise search and unstructured data with CGI and Elastic
Elasticsearch
 
What's new at Elastic: Update on major initiatives and releases
Elasticsearch
 

Recently uploaded (20)

PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Approach and Philosophy of On baking technology
30anthuong17
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Teaching material agriculture food technology
LiaRayya
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 

The Journey from Zero to SOC: How Citadel built its Security Operations from the Ground Up on Elastic

  • 1. The Journey from Zero to SOCAugust 2020 Sean Lengyel Head of Cyber Security
  • 2. About ME - 12 years experience in IT & Cyber Security - 10 years in the Australian Department of Defence - Royal Australian Air Force Veteran - Built Citadel’s SOC from the ground up
  • 3. About Us 3 text Text © Citadel Group | Journey from Zero to SOC | Health Solutions Keeping People & Information SafeEnterprise Solutions Technology Services Professional Services
  • 4. About Us – Security Operations 4© Citadel Group | Journey from Zero to SOC | Where does the Citadel SOC fit in?
  • 5. About Us – Mission 5© Citadel Group | Journey from Zero to SOC | Protect Customer Data
  • 6. M FA TrustedDevice About Us – Zero Trust 6© Citadel Group | Journey from Zero to SOC | MFATrustedDevice M FA Trusted Device M FAAny Device MFA Trusted Device MFA Trusted Device Credential Manager Launcher Tenable.io ASD Essential Eight InTune MDM Citadel SOE Windows 10 MFAAny Device Elastic Endgame Elastic Beats Web Proxy Agents MSCT/CIS Hardening ASD Essential Eight MFA Any Device MFA Any Device Any Device Locked down GooglePlay Store Device Hardening InTune MDM Locked down Apple App Store Device Hardening InTune MDM Apple IOS Android MFA Trusted Device Customer Environments
  • 7. Where did Our logging Journey start?
  • 8. Where did our logging journey start?
  • 9. Some of the problems we faced… 9© Citadel Group | Journey from Zero to SOC | • Existing solution didn’t offer native SIEM capabilities • SIEM capabilities were an expensive add-on • Very expensive to ingest the all the logs we needed • The licencing model meant that it would have made it very costly to ingest the following logs: - Windows Sysmon Events (Security & Observability) - Windows Perfmon Events (Observability) - Azure SQL Database Audit Events (Security) - Azure NSG Firewall Events (Security) - Endpoint Protection Agent Logs (Security) - Azure Diagnostics (Observability)
  • 10. The positives… 10© Citadel Group | Journey from Zero to SOC | I was very lucky to be working with some very security conscious Developers, Cloud Engineers & Application Specialists
  • 12. Why Elastic? 12© Citadel Group | Journey from Zero to SOC | Cost: Perfect for a growing organisation Security Features: Great out of the box features that a SOC needs Observability: Allows us to met our service operations needs Scalability: The SOC can easily grow as the company grows Machine Learning: Detecting outliers without needing complicated rules Customisation: Building alerts tailored to our environments
  • 14. Where are we now? 14© Citadel Group | Journey from Zero to SOC |
  • 15. Where are we now? 15© Citadel Group | Journey from Zero to SOC | ü Windows 10 Endpoint Logs ü Azure AD Audit & Sign-in Logs ü Azure Resources Audit Logs ü SaaS Cloud Application Logs ü Windows Customer Server Logs ü Linux Customer Server Logs ü SQL Database Audit Logs ü On-prem & Cloud-based Firewall Logs ü Web Application Firewall Logs ü Office365 ATP Logs ü MS Defender ATP Logs ü Elastic Endgame Logs
  • 16. SIEM Signals 16© Citadel Group | Journey from Zero to SOC |
  • 17. SIEM Signals 17© Citadel Group | Journey from Zero to SOC |
  • 18. Custom SIEM Signal 18© Citadel Group | Journey from Zero to SOC |
  • 19. Elastic Endgame 19© Citadel Group | Journey from Zero to SOC |
  • 20. Elastic Endgame – Custom Rule 20© Citadel Group | Journey from Zero to SOC |
  • 21. Final Thoughts 21© Citadel Group | Journey from Zero to SOC | We are in a good place now