:PROPERTIES:
:ID: 3daa143e-5a5c-47bc-8cb7-2756f0f00c33
:END:
#+Title: FY24Q3-iroh-team
#+Author: Yann Esposito
#+Date: [2024-01-10]

- tags ::
- source ::

* Intro

Document to keep track of the current state.

Big Topic <=> People

* XDR Program Q3FY24 Engineering Plans

- PM Prios https://airtable.com/appZKQe0zXhVMepC8/shr5iesEcBD2MN7EI/tblUdgSlzjcABBtzj

|-----------------------------+------------------+-----------------------------------------|
| Topic                       | People           | Size                                    |
|-----------------------------+------------------+-----------------------------------------|
| PM Prios                    |                  |                                         |
|-----------------------------+------------------+-----------------------------------------|
| SCA Integration             | Matt             | XS conf change                          |
| PIAM Universal Brownfield   | Wanderson        | L                                       |
| JAMF Integration            | Matt             | XS ask for merge?                       |
| MITRE                       | GE + Olivier     | XL                                      |
| Design (on prem iroh proxy) | Matt             | S                                       |
| new modules (x7)            | Shafiq           | L (Ransomware)                          |
| Notifications               | Kirill           | settings (webex) (XL)                   |
| new auth (x7)               | Shafiq           | L (Checkpoint)                          |
| Integration Admins          | Matt             | (SOAR, Palo Alto, CheckPoint)           |
| Meraki (1-click)            | Yann/Jyoti       | XS (maintenance, help, client creation) |
| Default Modules for SMA     | Matt             | S (conf)                                |
| IOPS                        | Matt             | help @Garima                            |
| AO webhook dependency       | Matt/Yann?       | help @Lisa                              |
| IROH Multi Tenancy APIs     | Yann             | M (design)                              |
| [[https://github.com/advthreat/iroh/issues/8579][#8579]] | Shafiq           | S                                       |
|-----------------------------+------------------+-----------------------------------------|
| SUSTAINING                  |                  |                                         |
|-----------------------------+------------------+-----------------------------------------|
| Push logs to datadog        | ?                |                                         |
| ES Performance              | Mario + Ambrose  |                                         |
| ES Perf ops                 | Jerome + Patrick |                                         |
| PG Perf ops                 | Jerome + Patrick |                                         |
| Alerting + Monitoring ops   | Jerome + Patrick |                                         |
| Kafka                       | Jerome           | auth kafka                              |
| Module type doc patch       | ?                |                                         |
| Impersonation               | Yann             |                                         |
|-----------------------------+------------------+-----------------------------------------|

- Multi tenancy: https://ciscosecurity.aha.io/epics/XDR-E-85

* Notes

- Open DBs for IOPS

** Q2 Rollovers?
*** [...] Incident Summary related work
- spikes in incident summary generation failures
- summarize incident at bundle import
- fix missing attack pattern in incident summary
- add status_disposition to search filter on incident summaries and incidents
*** [...] Rescoring (Incident / Incident Summary)
** Maribelle Questions Capacity Planning Q3

Commits:

Incident Enhancement
DevNet Compliance:

TODO: follow-up https://ciscosecurity.aha.io/features/XDR-89 ; ping Guy

** Sustaining items

Hi Jyoti, here is a list of sustaining items: **edited with design items**

- Design: IROH proxy working with on-prem devices
- https://github.com/advthreat/iroh/issues/8700 Push our logs to datadog
- ES Performance issues
  - https://github.com/advthreat/iroh/issues/8501 NGFW spikes

- Ops
  - ES perf
  - Postgres perf (indexes)
  - https://github.com/advthreat/iroh-ops/issues/23 Alerting Improvement & documentation
  - https://github.com/advthreat/iroh-ops/issues/104 Authenticated Kafka

- https://github.com/advthreat/iroh/issues/8280 ModuleType Admin API: Add a dedicated route to patch documentation
- https://github.com/advthreat/iroh/issues/7324 Impersonation (TAC)

** Unexpected tasks

*** Mario

- https://github.com/advthreat/iroh/issues/8795

*** Performance Issue

- SE pushed too many incidents

** Align Priorities Q3 meeting notes

@Namrata: look at all priorities on the table.
Update to everybody around Oort.
Being planned for Q3, challenges from PM.

*** Top Priorities

1. Breach Suite outcomes
   - AI related initiative, SOC assistant
   - MITRE Visualisation
   - Oort Implementation
2. Support other suites
3. XDR

*** List the priorities from Airtable

@Lisa: what is rolling over from Q2?

- Geo pushed out of Q3
- SCA Integration - configuration
  - @Jyoti: problem with existing one?
  - @Paul: I think only changing the configuration
  - @Jyoti: integrations from SCA
- PIAM Universal Flow - Brownfield
  - @Jyoti: requires us to also support PIAM token (later with Travis)
- JAMF:
  - @Garima: config changes from IROH team
  - @Matt: already has the change, need to check if this could be merged
- Oort Integration
  - @Namrata: the ask is and timeframe. User context from Insight in Incident
    and in investigation and response action by using API from Oort.
    User context to be part of incident scoring.
  - @Jyoti: things we need to do. Like with devices we need to do something
    similar for the users. Only then we can consider those users-assets for scoring.
    Mia was involved in that along with GE I think.
    We need to know how that will change the algorithm.
    On the UI side, I don't know if there are designs for showing the user value.
  - @Rob: I don't think something involves the IROH team.
  - @Matt: not sure we need to work on a specific module authorization.
  - @Jyoti: not going through the IROH Proxy.
  - @Paul: I confirm
  - @Namrata: no work for IROH

*** Next Day: List the priorities from Airtable

@Namrata: asked to bump up MITRE and SOC assistant

- ...
- SOAR: @Namrata: will probably not occur
- Infra XDR: we can skip
- Incident: we can skip
- 12. INT Guided response, auto-target, on prem device (some work from Matt)
- 13. no iroh impact
- 14. no iroh impact
- 15. Vulnerability Management: @Paul: blocked, only discovery, platform
  involvement unknown
- 16. no iroh impact @rob
- 17. no iroh impact @rob
- 18. no @Prerna
- 19. @rob: turning off umbrella, so maybe iroh work, but minor, no iroh impact
  (quality check)
- 20. MITRE @Prerna; @Yann GE & Olivier
  @Namrata: add value, it can be beta quality, show this for RSA, but maybe
  not delivered. Ship something in Q3.
- 21. Impersonation (XDR Efficacy) @Prerna, also impersonating from TAC
  @Namrata: better understanding
- 22. @Prerna: big effort. @Namrata: Why? Email + Webex notifications. @Namrata:
  perhaps split the tasks.
- 23. @rob: no iroh requirement for delivery
- 24. @rob: xdr analytics, no iroh impact
- 25. no iroh impact
- 26. no iroh impact @Garima
- 27. Threat Intel enhancement: no iroh impact
- 28. Admin work for Matt
- 29. @rob: design only, minor iroh impact. Potentially some capacity, but not commit.
- 30.
- 31. Multi-tenancy @Prerna: design only for Yann
- 36. IM/AUT incident: no iroh impact
- 37. SCA: no iroh impact
- 38. RBAC @Prerna: not Q4
- 39. RBAC @Prerna: not Q4
- 40. no iroh impact @rob
- 41. @rob: no iroh impact
- 42+: no impact

*** Discussion

@Lisa: discussion about adding a new
@Garima: IOPS ask for iroh team.
@Lisa: question, when we will know when your team

@GE: rollover?
@Namrata: we shouldn't fill our bucket at 100%. Fill it at 80%.