Much has already been said about the recently reported SolarWinds compromise. In this post, we are not attempting to further investigate the attack, but rather, to provide a SecDevOps perspective on a few of the underlying software and development processes that are reported to have been involved in the initial compromise at SolarWinds. These processes are not unique to SolarWinds, and in fact, are often considered best practices in software development.
If you couldn't tell by now, we love Graylog. We may have mentioned them a time or two :)
TL;DR - we needed to ingest multiple sources of Cylance logs into Graylog, and this is how we did it.
I tweeted this the other day, and had a lot of folks reach out asking for more details/a diagram of this setup.
Part of our job at Recon relies on fine tuning our threat signatures that make up the bulk of our pipeline rules in our Graylog environment.
When I joined the OpenSOC team at the beginning of this year, everything resided on 3 Intel Skull Canyon NUC's, a couple other systems for scenarios or applications with hardware requirements, a Ubiquiti WAP, a Synology NAS, and various other things.
Over time and for various reasons, I've amassed quite the catalog of cloud-hosted servers. This has caused much anxiety in the form of rapidly expanding attack surface which I've met painstakingly with manually managed firewall rules and nginx ACLs... Not anymore!