Background

Sutrefia $($Sunken Treasure Financials Australia$),$ are a mid$-$to$-$large scale financial services company with a strong online presence, offering a range of services such as banking, investments, and insurance. This industry is a prime target for cyber threats due to the sensitive financial data it handles, necessitating a robust cybersecurity framework. The presence of a dedicated cyber team indicates the organisation's commitment to protecting its assets and customer information against a wide array of digital threats.

Security Policies

Sutrefia have spent considerable time and effort developing information security policies. These policies are largely informed by the Australian Government Information Security Manual $($the ISM$).$ The policies include:

Access Control & MFA $$ All systems should require MFA to access them, including internal systems.

Public Access & Data Protection $$ The systems including local and cloud servers and storage must be designed and controlled to limit access to data and avoid data spills.

Security & Group Configuration $$ Systems and applications are designed and configured to reduce their attack surface and upon the principal of leas privilege. Endpoint Security & Unauthorized Software $$ Managing vulnerabilities and controlling executable code, limiting access to authorised applications only. Administration of PCs and devices to be restricted to IT and Security Operations staff.

User Account Management and Review $$ regular audit and review of user accounts and access privileges to reduce the risk of old accounts

Change Management $$ IT or SecOps approval to be obtained for any device or network change. Including the addition of new devices, changes to software or configurations. Changes to be documented and tracked.

Information Classification & Handling $$ requires specific policies to be built around the types of information being handled and their permitted storage, transmission, distribution, and destruction rules.

Email and Data Privacy $$ Restrictions and monitoring of email communications to avoid data exfiltration and spills.

System Hardening $-$ Operating system and device hardening to reduce the attack surface by disabling OS features and installing device and network level IDS and IPS tools.Scenario

Following an incident, management have decided to evaluate Splunk as their Security Information and Event Management $($SIEM$)$ tool. The tool will be installed to monitor and aggregate log data from Desktop$/$Laptop PCs$,$ devices, servers, and other IDS and IPS.

The intention is to use Splunk to monitor a wide range of data sources to identify conditions that might indicate a security incident is taking place.

You are working in the Security Operations team and your manager has provided you with a login to Splunk and loaded a default data set called BOTSv$3.$ This data set is made by Splunk for the purposes of demonstrating the tool$$s ability to identify and manage security incidents.

Your task is to examine Splunk, use the BOTSv$3$ data set and produce some useful reports and visualisations that can help management determine if any of the organisational security policies are being breached.

You are to develop a visualisation of the BOTSv$3$ data that can draw attention to events that breach one or more of these security policies.

No DFIR required.

You are NOT required to be an incident responder or be able to process digital forensic evidence. There are MANY walk$-$throughs of BOTSv$3$ online. These walkthroughs are done by security experts and enthusiasts alike and often showcase advanced digital forensic and incident response $($DFIR$)$ skills.

It is entirely appropriate for you to consult these walkthroughs for you to understand what has occurred. This will help you understand what happened within the BOTSv$3$ incident and search for the types of data $($with the help of the walkthroughs$)$ that can help management make decisions on whether organisational security policies are being followed.

Your job is to demonstrate Splunk not as a DFIR tool but as a tool to help management make key decisions and monitor policy compliance.

Task

Your main task is to develop an $$at a glance$$ dashboard that can be used to identify indicators of organisational security policy breaches.

You should develop a dashboard using multiple panels for AT LEAST ONE of the organisations security policies, that show information, statistics, graphs, visualisations, or any combination of these that can help a non$-$technical manager see that $$something is wrong$.$You need to justify your decisions and cite your sources.

You are to put forward a Splunk dashboard that helps management monitor security policy compliance. You will be assessed on the management aspects of your dashboard.

You will need to put forward a compelling argument that explains to senior management in the security operations centre why your dashboard will be useful it may include:

$$ A brief explanation of the key indicators that you are basing your policybreach