Last year, we introduced a new security activity at Splunk .conf2016 called “Boss of the SOC” (or BOTS). The concept of BOTS was born from our core beliefs that Splunk is an indispensable tool for all information security teams, and that learning can be both realistic and fun.
The first BOTS was a huge hit with over 150 participants! It ended up being one of the biggest events at .conf2016 that no one knew anything about. Since then, we've run more than 60 “BOTS” at locations all around the world, bringing a gamified Splunk security learning experience to over 2,000 individual participants.
You may have heard about or participated in a BOTS event at SplunkLive!, Security BSides, onsite as one of our customers or partners, or even a virtual BOTS in the cloud. However, we are not a group to rest on our laurels. Nay, instead of basking in the glory of a successful BOTS 1.0, we have spent the last year sweating in basements and writing code in airplanes to bring forth a brand new Boss of the SOC experience.
What Does That Mean?
- New data sets!
- New adversaries!
- New scenarios!
- Splunk Enterprise Security!
- New and improved scoring server!
It's going to be just downright awesome (if we do say so ourselves), but you might be asking yourself: "What is this 'Boss of the SOC'?" "Can I only play at .conf2017?" And maybe even, “How can I play?” or “Should I play?”.
Well, this blog post is here to answer these questions and more.
So What is “BOTS”?
Boss of the SOC is a blue-team jeopardy-style capture-the-flag-esque (CTF) activity where participants use Splunk—and other tools—to answer a variety of questions about security incidents that have occurred in a realistic but fictitious enterprise environment. It's designed to emulate how real security incidents look in Splunk and the type of questions analysts have to answer. We developed Boss of the SOC because we were tired of showing up at security conferences and finding the CTFs to be entirely red-team oriented. There are other Blue Team CTFs out there—especially the grandfather to them all SANS DFIR NetWars—but few (or none) of them attempt to recreate the life of a security analyst facing down an adversary at all stages of an attack.
In the Boss of the SOC CTF, we work very hard to ask questions that not only require contestants to know Splunk, but also know how to research Open Source Intelligence and think outside of the “Splunk” box.
For those of you asking if this is lame, you should know we have a list of "Commandments" to keep us honest. The very first one? "Thou shalt keep it real." Every incident and scenario is based on something that we as previous customers or security analysts have faced before in our career.
Cool! So What Happens in a BOTS Event?
A Boss of the SOC event lasts 4-5 hours. You play in groups of 1-4 people and compete against other participants (it is a CTF after all…). In the competition, your team role plays as the quirky Security Analyst "Alice Bluebird” who goes from organization to organization helping investigate security incidents using Splunk. Each team is presented with a list of questions of varying difficulty through an automated BOTS scoring server. Easy questions are worth fewer points; hard questions are worth more. All questions require you to use Splunk to search, but not all questions can be answered without checking other open source intelligence resources. Just like the real world.
Okay. Should I Play BOTS?
Probably! Seriously if you are reading this blog and you've gotten this far, you are almost certainly a great fit for BOTS. To hold your own in BOTS, we usually tell folks they need to know a little about Splunk and a little about security. However, all you really need is the desire to learn something new and the desire to have a lot of fun. It's true that the winner of a BOTS competition will usually be both very good at Splunk and very good at security, but everyone will have a great time and learn something new. Also—don't forget—BOTS is a team sport, so you bring your crew you won't be alone.
Need to brush up on your Splunk chops beforehand? No problem! Check out our "Hunting with Splunk: The Basics" blog series, which we created specifically to prepare teams for what they will face in BOTS.
So What's the Deal with BOTS at .conf2017?
Without a doubt, the best way to experience BOTS 2.0 will be at Splunk .conf 2017. This year, Boss of the SOC will be held on Monday, September 25th from 7pm to midnight.
Let's just say it is going to be epic.
What if I Won't Be at .conf2017?
It's not too late to sign up for .conf2017, but if you really can't make it, fear not. Just reach out to your Splunk account team to find out if a BOTS event is right for your organization. Another option is to keep an eye out for Boss of the SOC events at our Hands-On Workshops coming soon to a location near you!
And as always… Happy Hunting :-)