
DATTATRI BHOSLE

Hyderabad

Summary


Extremely motivated, self-taught trusted technical advisor and business professional with 10+ years of extensive hands-on experience working with cutting-edge inventions and technology, focusing on enterprise Cyber Security | Cloud Security | Network Security | Tools.


Information Security Specialist with a passion for aligning security architecture plans and processes with security standards and business goals. Extensive experience developing and testing security frameworks for cloud-based software. Versed in robust network defense strategies.


Overview

11 years of professional experience
1 Certification

Work History

Cyber Security - PS Consultant

NCR Corporation
Hyderabad
11.2015 - Current


Project Description:


Design and deployment of the Splunk ES / Azure Sentinel SIEM (Security Information and Event Management) platform: an integrated set of products for collecting, analyzing, and managing enterprise event information, including software and appliances for event collection.
The major components used in this project are Forwarder, Indexer, Search Head, Carbon Black / Microsoft Defender EDR tools and Azure Cloud Security.


Responsibilities:


  • We onboarded 4000+ devices (Windows, databases, routers, switches, firewalls, VPN, Blue Coat proxies) to Azure Sentinel / Splunk for monitoring.
  • Collected data for 6+ business applications and used it in correlation rules for monitoring, alerting and reporting.
  • Analyzed email logs to confirm that malicious emails were not delivered or were quarantined and malicious attachments dropped.
  • Monitored and analyzed network traffic, Intrusion Detection System (IDS) alerts, security events and logs to identify abnormal and suspicious activity.
  • Integrated IDS/IPS with ArcSight and analyzed the logs to filter out false positives and add true positives into the IDS/IPS rule set.
  • Worked with SOC engineers and other SMEs to operate Intrusion Detection and Prevention Systems (IDS/IPS) such as Snort and Sourcefire to analyze and detect worms and vulnerability exploit attempts.
  • Stayed up to date with current vulnerabilities, attacks and countermeasures. Used McAfee DLP to protect intellectual property and ensure compliance by safeguarding sensitive data.
  • Responded to computer security incidents by collecting, analyzing and preserving digital evidence, and ensured that incidents were recorded and tracked in accordance with organizational SOC requirements.
  • Requested or ran vulnerability scans and reviewed the assessment reports. Followed the runbook for incident escalation.
  • Investigated all security alerts received, using all available tools and log files to determine whether the alert was a false positive, a security event, an actual attack, and/or a security incident.
  • Monitored security events and logs such as proxy logs, IPS/IDS events, firewall, Active Directory (user verification), vulnerability scans, anti-malware events, endpoint security, Web Application Firewall, NetFlow, packet capture and computer log files to maintain situational awareness.
  • Monitored and analyzed security events to determine intrusions and malicious events using FireEye.
  • Performed investigations and evaluations of network traffic, read and interpreted logs and sniffer packets, and performed PCAP analysis with RSA Security Analytics, Splunk ES and other tools.
  • Performed shift handoff at the end of every shift to provide situational awareness to the incoming shift.
  • Involved in cloud security infrastructure and design for clients' in-house Azure applications.
  • Performed cloud security risk assessments for cloud applications.
  • Configured Azure Key Vault and key management policies.
  • Performed a security assessment on the newly proposed Azure AD structure.
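To illustrate the kind of correlation rule referred to in the bullets above (the classic "N failed logons followed by a success from the same user and source" rule that a SIEM such as Splunk ES or Sentinel evaluates), here is an added Python example over constructed Windows logon events. It is not the candidate's code and not Splunk or Sentinel content; the field names, the 5-failure threshold and the 10-minute window are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Windows Security auditing uses
# EventID 4625 for a failed logon and 4624 for a successful logon; the field
# names (time, event_id, user, src_ip) are this example's own assumption.
SAMPLE_EVENTS = [
    # jsmith: five failures from 10.1.1.50, then a success 20 seconds later
    {"time": "2023-05-01T10:00:01", "event_id": 4625, "user": "jsmith", "src_ip": "10.1.1.50"},
    {"time": "2023-05-01T10:00:03", "event_id": 4625, "user": "jsmith", "src_ip": "10.1.1.50"},
    {"time": "2023-05-01T10:00:05", "event_id": 4625, "user": "jsmith", "src_ip": "10.1.1.50"},
    {"time": "2023-05-01T10:00:07", "event_id": 4625, "user": "jsmith", "src_ip": "10.1.1.50"},
    {"time": "2023-05-01T10:00:09", "event_id": 4625, "user": "jsmith", "src_ip": "10.1.1.50"},
    {"time": "2023-05-01T10:00:21", "event_id": 4624, "user": "jsmith", "src_ip": "10.1.1.50"},
    # bob: two typos, then a success - below threshold, so no alert
    {"time": "2023-05-01T10:05:00", "event_id": 4625, "user": "bob", "src_ip": "10.1.1.60"},
    {"time": "2023-05-01T10:05:04", "event_id": 4625, "user": "bob", "src_ip": "10.1.1.60"},
    {"time": "2023-05-01T10:05:10", "event_id": 4624, "user": "bob", "src_ip": "10.1.1.60"},
    # alice: six failures, but the success comes 30 minutes later - outside the window
    *[{"time": f"2023-05-01T09:00:{s:02d}", "event_id": 4625, "user": "alice", "src_ip": "10.1.1.70"}
      for s in range(0, 12, 2)],
    {"time": "2023-05-01T09:30:00", "event_id": 4624, "user": "alice", "src_ip": "10.1.1.70"},
]


def parse_events(events):
    """Convert ISO timestamps to datetime and sort chronologically, as a SIEM
    would before evaluating a time-windowed rule."""
    parsed = [{**e, "time": datetime.fromisoformat(e["time"])} for e in events]
    return sorted(parsed, key=lambda e: e["time"])


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per (user, src_ip) whose successful logon (4624) was
    preceded by at least `threshold` failed logons (4625) within `window`.

    Failures older than the window are ignored, so a slow trickle of typos
    does not fire; the failure list is cleared after each success so one
    attack is not reported twice."""
    failures = defaultdict(list)
    alerts = []
    for e in parse_events(events):
        key = (e["user"], e["src_ip"])
        if e["event_id"] == 4625:
            failures[key].append(e["time"])
        elif e["event_id"] == 4624:
            cutoff = e["time"] - window
            recent = [t for t in failures[key] if t >= cutoff]
            if len(recent) >= threshold:
                alerts.append({
                    "user": e["user"],
                    "src_ip": e["src_ip"],
                    "failures": len(recent),
                    "success_at": e["time"].isoformat(),
                })
            failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_EVENTS):
        print(alert)
```

With the defaults only jsmith fires. Lowering the threshold to 2 also catches bob; widening the window to an hour also catches alice, which is exactly the tuning trade-off a rule owner makes when suppressing false positives.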


Project Details:

Client: First Citizens Bank

Role - Security Consultant


Project Description:

The ArcSight SIEM (Security Information and Event Management) platform is an integrated set of products for collecting, analyzing, and managing enterprise event information.
The major components used in this project are Connectors, Logger, ESM and Command Center.


Responsibilities:


  • Installed connectors and integrated multi-platform devices with ArcSight ESM.
  • Implemented ArcSight asset modelling, used to populate asset properties in correlation rules and reports.
  • Developed ArcSight content such as correlation rules, dashboards, reports, filters, active lists and session lists.
  • Collected data for 8+ business applications and used it in correlation rules for monitoring, alerting and reporting.
  • Worked in 24x7 operational support.
  • Performed SIEM operational tasks: analysis, filters, active channels, reports, and suggestions for fine-tuning existing rules.
  • Managed SIEM user accounts (create, delete, modify, etc.).
  • Added and removed log sources.
  • Troubleshot issues with log sources or systems together with the vendor, and reported system defects as needed.
  • Monitored and identified suspicious security events using the ArcSight ESM console and raised tickets in the SOC portal.
  • We onboarded 9000+ devices (Windows, Linux, IIS, DNS, DHCP, NPS, mainframe, routers, switches, firewalls, VPN, Blue Coat proxies) to ArcSight ESM for monitoring.
  • Monitored security events and logs such as proxy logs, IPS/IDS events, firewall, Active Directory (user verification), vulnerability scans, anti-malware events, endpoint security, Web Application Firewall, NetFlow, packet capture and computer log files to maintain situational awareness.
  • Configured log generation and collection from a wide variety of products distributed across servers, network devices, security devices, databases and applications.
  • Created alerts and reports as per business requirements, and performed threat modelling with specific security control requirements.
  • Categorized the messages generated by security and networking devices into the multi-dimensional ArcSight normalization schema.
  • Integrated IDS/IPS with ArcSight and analyzed the logs to filter out false positives and add true positives into the IDS/IPS rule set.
  • Investigated and identified events, qualified potential security breaches, raised security incident alerts and performed technical and management escalation.
  • Identified false positive / true positive events and took action accordingly as per KOPs.
  • Received spam email reports from DB users and coordinated with the messaging team to block the sender addresses.
  • Received inbound and outbound virus alerts and coordinated with the Antivirus team.
  • Recommended security strategies based on real-time threats.



Cyber Security Specialist

Aeries Group
Bangalore
08.2013 - 10.2015
  • Identified and ingested indicators of compromise (IOCs), e.g. malicious IPs/URLs, into network tools/applications.
  • Performed investigations and evaluations of network traffic, read and interpreted logs and sniffer packets, and performed PCAP analysis with RSA Security Analytics and Wireshark.
  • Escalated any security incident (where the confidentiality, integrity or availability of any information or information asset was negatively impacted) to the Incident Response (IR), Incident Management (IMT) and Forensic Management Analysis (FMAT) teams as needed.
  • Monitored security events and logs such as proxy logs, IPS/IDS events, firewall, Active Directory (user verification), vulnerability scans, anti-malware events, endpoint security, Web Application Firewall, NetFlow, packet capture and computer log files to maintain situational awareness.
  • Analyzed security event data from the network (IDS, SIEM).
  • Performed static malware analysis on isolated virtual servers.
  • Recognized potential, successful and unsuccessful intrusion attempts and compromises through review and analysis of relevant event detail and summary information.
  • Ensured the integrity and protection of networks, systems and applications by technically enforcing organizational security policies, through monitoring of vulnerability scanning devices.
  • Researched new and evolving threats and vulnerabilities with the potential to impact the monitored environment.
  • Searched firewall, email, web and DNS logs to identify and mitigate intrusion attempts.
  • Investigated malicious phishing emails, domains and IPs using open-source tools and recommended appropriate blocking based on analysis.
  • IDS monitoring and analysis through SIEM.
  • Ensured searches for Indicators of Compromise (IOCs) were completed when reported, using EDR tools.
  • Analyzed network traffic for potential threats.
  • Completed log analysis as needed, prioritizing and differentiating between potential intrusion attempts and false negatives. Created and tracked investigations to resolution. Composed security alert notifications.
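As an illustration of the IOC ingestion and log-search work listed above (matching feed indicators against proxy logs and deciding what to escalate), here is an added Python example; it is not the candidate's code or any vendor tool's logic. The IOC feed, the allowlist and the proxy log lines are constructed for the example, and the log format (epoch, source IP, method, target, status) is an assumption.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed IOC feed, not real intelligence: an IP, a CIDR, two domains, one URL.
IOCS = {
    "ip": ["198.51.100.23", "203.0.113.0/24"],
    "domain": ["evil-updates.example", "cdn.bad.test"],
    "url": ["http://evil-updates.example/payload.bin"],
}

# Hosts that appear in feeds but are known-good here (e.g. a vendor CDN that was
# misreported). Matches against these are recorded but not escalated, which is
# how recurring false positives are tuned out without deleting the indicator.
ALLOWLIST_DOMAINS = {"cdn.bad.test"}

# Constructed proxy log in a simple Squid/Blue Coat-like layout (assumed format):
# <epoch> <src_ip> <method> <target> <status>
PROXY_LOG = """\
1683000000 10.0.0.5 GET http://evil-updates.example/payload.bin 200
1683000001 10.0.0.6 GET http://www.example.com/ 200
1683000002 10.0.0.7 CONNECT cdn.bad.test:443 200
1683000003 10.0.0.8 GET http://203.0.113.77/ 403
"""


def compile_iocs(iocs):
    """Turn the feed into fast lookup structures. Single IPs become /32 networks
    so one membership test covers both plain addresses and CIDR ranges."""
    nets = [ipaddress.ip_network(x, strict=False) for x in iocs["ip"]]
    return nets, set(iocs["domain"]), set(iocs["url"])


def parse_proxy_line(line):
    """Split one log line; CONNECT targets carry host:port, GET targets a full URL."""
    ts, src, method, target, status = line.split()
    if "://" in target:
        host, url = urlparse(target).hostname, target
    else:
        host, url = target.rsplit(":", 1)[0], None
    return {"ts": int(ts), "src_ip": src, "method": method,
            "host": host, "url": url, "status": int(status)}


def match_iocs(log_text, iocs=IOCS, allowlist=ALLOWLIST_DOMAINS):
    """Return every log record that matches an indicator, with the reasons
    (url, domain, ip) and a verdict: 'escalate' or 'suppressed-allowlist'."""
    nets, domains, urls = compile_iocs(iocs)
    hits = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        reasons = []
        if rec["url"] in urls:
            reasons.append("url")
        if rec["host"] in domains:
            reasons.append("domain")
        try:
            # Hosts that are literal IPs are checked against the IP/CIDR indicators
            if any(ipaddress.ip_address(rec["host"]) in n for n in nets):
                reasons.append("ip")
        except ValueError:
            pass  # hostname, not an IP literal
        if not reasons:
            continue
        verdict = "suppressed-allowlist" if rec["host"] in allowlist else "escalate"
        hits.append({**rec, "reasons": reasons, "verdict": verdict})
    return hits


def escalations(hits):
    """Only the hits an analyst should raise a ticket for."""
    return [h for h in hits if h["verdict"] == "escalate"]


if __name__ == "__main__":
    for hit in match_iocs(PROXY_LOG):
        print(hit["src_ip"], hit["host"], hit["reasons"], hit["verdict"])
```

Note that the CIDR indicator only fires when the proxy target was an IP literal; a domain that merely resolves into that range would need a DNS log or resolver enrichment, which is why DNS and proxy logs are searched together.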

Security Analyst

Cisco Systems
Bengaluru
12.2011 - 07.2013
  • Deployed, implemented, configured and managed Cisco FWSM and ASA firewalls and Cisco IDS/IPS security in a highly critical production environment.
  • Handled TAC cases across the APAC/EMEA region for various network security issues; experience with SIEM and IDS/IPS.
  • Coordinated with third-party security information and event management (SIEM) providers to maintain protections and predict threats.
  • Deployed, configured and implemented Imperva SecureSphere WAF, WebInspect, AppScan and OWASP tools for web application vulnerability analysis and code review.
  • Deployed and implemented Wireshark, hping, Nessus, Nmap, Device Engine Firewall Analyzer and SolarWinds for security vulnerability event monitoring and packet and traffic analysis.
  • Outlined and maintained a security patching schedule to efficiently address ongoing system issues.


Education

M.Tech - Computer Science Engineering

JNTU University

Skills

  • Designing and deploying SIEM/EDR/SOAR/MDR and DLP
  • Incident response, detection and investigations
  • Cyber threat intelligence
  • Cloud security - Azure Security / AWS Security
  • Application, network and system security
  • Security operations; endpoint security - McAfee ePO, Symantec
  • Splunk ES, Azure Sentinel and ArcSight SIEM
  • EDR - CrowdStrike, Carbon Black and Microsoft Defender for Endpoint
  • McAfee DLP Manager, Forcepoint DLP
  • Knowledge of the MITRE ATT&CK framework and attack trends
  • Open-source intelligence tools: VirusTotal, IPVoid, AbuseIPDB, URLScan, Cisco Talos, URLVoid
  • WinMagic - endpoint encryption, server encryption, file encryption

Certification

CEH - Certified Ethical Hacker

SC-200 - Microsoft Security Operations Analyst

AZ-104 - Microsoft Azure Administrator

AZ-500 - Microsoft Azure Security Technologies

CCNP (Routing & Switching) | CCNA, CCNP (Security)

Timeline

Cyber Security - PS Consultant

NCR Corporation
11.2015 - Current

Cyber Security Specialist

Aeries Group
08.2013 - 10.2015

Security Analyst

Cisco Systems
12.2011 - 07.2013

M.Tech - Computer Science Engineering

JNTU University