Teams practice IT security incident investigation

From left to right: Neamen Negash, Angel Fletcher, Matt Coons, Kevin Cheek, and a Splunk representative. (Joel Iverson, ITS Communications)

U-M staff members, along with a number of other IT security pros from Domino’s and Washtenaw Community College, honed their IT security investigation skills at a March 27 Boss of the SOC (Security Operations Center) event held at U-M and sponsored by the U-M Information Assurance office and Splunk.

Working in teams of four to five, participants assumed the persona of a security analyst at a company experiencing multiple types of IT security incidents, including “insider threat,” APT (advanced persistent threat), ransomware, and web application attacks via SQL injection. Each team’s mission for the day was to figure out what the malicious actors were doing and how they were doing it—using realistic event data in Splunk.

“The work was in-depth and challenging,” said Neamen Negash, data security analyst (Information Assurance).

“It was a great opportunity to learn from each other and from Splunk,” said Matt Coons, Information Assurance incident responder and threat analyst. “I learned a lot about how to use the data we store in Splunk to help investigate IT security incidents.”

Dave McLaughlin, a database administrator with Information and Technology Services (ITS), gained a new appreciation for how valuable log data could be when investigating security events. “It was eye-opening to see how the data we collect from databases might be used by security analysts,” he said.

A team of Domino’s IT security staff took first place for the day, with a team of ITS staff members coming in a close second. Members of the ITS team were Kevin Cheek, university incident response lead (Information Assurance); Matt Coons, incident responder and threat analyst (Information Assurance); Angel Fletcher, application operations system administrator (Infrastructure); and Neamen Negash, data security analyst (Information Assurance).

“It was a lot of fun,” said Coons. “Team scores were displayed throughout the day, and there was upbeat music playing. It was so engrossing I didn’t even look at email.”

“I kept watching our score on the graphs,” said Cheek. “I really enjoyed the competition and appreciated the extensive work Splunk did to make the experience so realistic and worthwhile.”