Overview
(Re)building Threat Detection and Incident Response at LinkedIn discusses the transformation of LinkedIn's security operations, specifically the Threat Detection and Incident Response team (SEEK) and their initiative named Moonbase. The article highlights significant improvements in incident investigation times, threat detection coverage, and overall operational efficiency.
What You'll Learn
1. How to reduce incident investigation times by 50%
2. Why democratization in security operations can enhance threat detection
3. How to implement a software-defined SOC framework
4. When to prioritize automation in incident response processes
Prerequisites & Requirements
- Understanding of security operations and incident response
- Familiarity with CI/CD pipelines and cloud services (optional)
Key Questions Answered
How did LinkedIn reduce its time to detect and contain security incidents?
LinkedIn's SEEK team implemented the Moonbase initiative, which transformed their security operations by leveraging automation and a software-defined SOC. This allowed them to reduce detection and containment times from weeks or days to hours, significantly enhancing their incident response capabilities.
What were the guiding principles for rebuilding the threat detection program?
The guiding principles included preserving human capital, democratization of responsibilities, building for the future while addressing present needs, and ensuring security, scalability, and reliability of infrastructure. These principles helped maintain focus and set reasonable expectations throughout the program.
What improvements were achieved through the Moonbase initiative?
The Moonbase initiative led to a 50% reduction in incident investigation times, a 900% increase in threat detection coverage, and a significant decrease in the time to detect and contain incidents, bringing it down from weeks or days to hours.
What role does automation play in LinkedIn's incident response?
Automation is crucial in LinkedIn's incident response, as it reduces manual toil and improves efficiency. Automated playbooks and workflows allow for quick triage and response to alerts, enabling the team to focus on more complex threats while maintaining operational effectiveness.
Key Statistics & Figures
- Incident investigation time reduction: 50% (achieved through the Moonbase initiative)
- Threat detection coverage expansion: 900% (a result of the new security operations platform)
- Time to detect and contain security incidents: from weeks or days to hours (a direct outcome of implementing the Moonbase program)
Technologies & Tools
- Data streaming: Kafka, used for transporting data through pipelines in LinkedIn's security operations.
- Data processing: Samza, which works alongside Kafka to process large volumes of data.
- CI/CD: Azure DevOps, used to manage the CI/CD pipeline for security detections and automated responses.
Key Actionable Insights
1. Implement a software-defined SOC to streamline security operations and reduce manual data handling. Transitioning to a software-defined SOC can significantly enhance the efficiency of security analysts, allowing them to focus on critical analysis rather than manual data processing.
2. Emphasize the democratization of security responsibilities to improve threat detection outcomes. By distributing security tasks across teams, organizations can leverage diverse insights and reduce bottlenecks, ultimately leading to faster incident response times.
3. Adopt automation in incident response processes to minimize operational toil. Automation can alleviate the burden on security teams, allowing them to concentrate on high-priority threats while ensuring that routine tasks are handled efficiently.
4. Focus on building a resilient infrastructure that can handle failures gracefully. Planning for potential failures and ensuring system reliability is crucial in maintaining effective threat detection and response capabilities during critical incidents.
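The first and third insights above (detections managed as code through a CI/CD pipeline, and automated triage to cut toil) are easier to picture with a concrete sketch. The block below is an added example, not code from LinkedIn, the SEEK team or the Moonbase project: it treats each detection as a function shipped with its own true-positive and benign fixtures, so a CI gate (the kind a pipeline such as the Azure DevOps one mentioned above would run) refuses to deploy a rule that does not fire when it should or fires when it should not, and then groups the resulting alerts into cases for an analyst. The event schema, field names such as `change_ticket`, rule names and the five-failure threshold are all assumptions constructed for illustration.

```python
"""Detection-as-code sketch: rules, fixtures, a CI-style gate and basic triage.

Added example; not LinkedIn's or the SEEK team's code. Event fields, rule
names and thresholds are assumptions constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    subject: str        # the user the alert is about
    evidence: Dict


@dataclass
class Rule:
    name: str
    severity: str
    detect: Callable[[List[Dict]], List[Alert]]
    # Fixtures let CI prove the rule fires on a true-positive sample and stays
    # quiet on a benign one before the rule is deployed to production.
    should_fire: List[Dict] = field(default_factory=list)
    should_not_fire: List[Dict] = field(default_factory=list)


def brute_force_rule(events: List[Dict]) -> List[Alert]:
    """Five or more failed logins for one user from one source IP (assumed threshold)."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e.get("event") == "auth.failed":
            counts[(e["user"], e["src_ip"])] += 1
    return [Alert("auth-brute-force", "medium", user, {"src_ip": ip, "failures": n})
            for (user, ip), n in counts.items() if n >= 5]


def new_admin_rule(events: List[Dict]) -> List[Alert]:
    """Admin role granted without a change ticket (assumed 'change_ticket' field)."""
    return [Alert("priv-escalation", "high", e["user"], {"actor": e["actor"]})
            for e in events
            if e.get("event") == "iam.role.assign"
            and e.get("role") == "admin"
            and not e.get("change_ticket")]


# Each rule carries the fixtures that CI will check it against.
RULES = [
    Rule("auth-brute-force", "medium", brute_force_rule,
         should_fire=[{"event": "auth.failed", "user": "alice", "src_ip": "198.51.100.7"}] * 5,
         should_not_fire=[{"event": "auth.failed", "user": "alice", "src_ip": "198.51.100.7"}] * 2),
    Rule("priv-escalation", "high", new_admin_rule,
         should_fire=[{"event": "iam.role.assign", "user": "bob", "role": "admin",
                       "actor": "svc-deploy"}],
         should_not_fire=[{"event": "iam.role.assign", "user": "bob", "role": "admin",
                           "actor": "svc-deploy", "change_ticket": "CHG-1"}]),
]


def ci_gate(rules: List[Rule] = RULES) -> List[str]:
    """Return a list of failures; an empty list means the detection build may ship."""
    failures = []
    for r in rules:
        if not r.detect(r.should_fire):
            failures.append(f"{r.name}: did not fire on true-positive fixture")
        if r.detect(r.should_not_fire):
            failures.append(f"{r.name}: fired on benign fixture")
    return failures


def run_detections(events: List[Dict], rules: List[Rule] = RULES) -> List[Alert]:
    """Run every rule over a batch of events (in practice, a window of a Kafka stream)."""
    alerts: List[Alert] = []
    for r in rules:
        alerts.extend(r.detect(events))
    return alerts


def triage(alerts: List[Alert]) -> List[Tuple[str, List[Alert]]]:
    """Group alerts by subject so several alerts on one user become one case,
    ordered with the highest-severity case first."""
    cases: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        cases[a.subject].append(a)
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(cases.items(), key=lambda kv: min(order[a.severity] for a in kv[1]))


# Constructed sample batch: a brute-force burst against carol, one stray failure
# for dave, an unticketed admin grant to carol and a ticketed one to erin.
SAMPLE_EVENTS = (
    [{"event": "auth.failed", "user": "carol", "src_ip": "203.0.113.9"}] * 5
    + [{"event": "auth.failed", "user": "dave", "src_ip": "203.0.113.10"}]
    + [{"event": "iam.role.assign", "user": "carol", "role": "admin", "actor": "svc-deploy"},
       {"event": "iam.role.assign", "user": "erin", "role": "admin", "actor": "svc-deploy",
        "change_ticket": "CHG-42"}]
)

if __name__ == "__main__":
    assert ci_gate() == [], "detection build must not ship"
    for subject, case in triage(run_detections(SAMPLE_EVENTS)):
        print(subject, [a.rule for a in case])
```

Running the block as a script first executes the CI gate and then prints one case for `carol` carrying both alerts; dave's single failure and erin's ticketed grant produce nothing. The point of shipping fixtures alongside each rule is that a detection change is reviewed, tested and deployed like any other code change, rather than edited by hand in a console.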
Common Pitfalls
1. Failing to automate routine tasks can lead to analyst burnout and inefficiency. Without automation, security teams may become overwhelmed by repetitive tasks, which can detract from their ability to respond to real threats effectively.
2. Centralizing all security responsibilities within a single team can restrict progress. This approach can create bottlenecks and slow down incident response times, as it limits the involvement of other teams who may have valuable insights.
Related Concepts
- Incident response strategies
- Automation in security operations
- Software-defined SOC frameworks