From Ping to Panic: How We Accidentally Built a SOC in Excel

At Initech Software, we pride ourselves on doing things the right way™. That is, the right way according to Jerry from Procurement, whose motto is “if it ain’t broke, don’t replace it until it causes a security incident.”

So when our Security Operations Center (SOC) dashboard went dark last week (thanks to someone unplugging the Raspberry Pi it ran on to charge their vape), we had a choice:

  1. Embrace chaos.

  2. Innovate with what we had: Excel 2013 and a Red Bull-induced vision of SIEM enlightenment.

Naturally, we chose both.

The Incident Response Plan (Step 1: Panic)

At precisely 2:43 AM, our Threat Detection Engineer (who moonlights as a DJ) received an alert that something was wrong. And by alert, I mean a text from Karen in HR that said “Hey, something weird is going on with my mouse?”

This triggered our incident response protocol:

  1. Google “mouse acting weird cybersecurity.”

  2. Run netstat -ano and pray.

  3. Blame interns.

Once we ruled out rodents and realized our SOC was non-functional, we pivoted.

Enter: The Spreadsheet SOC™

Why pay for SIEM licenses when you can just pivot tables, amirite?

Using a mix of Python, Excel macros, and whatever was left of our dignity, we built a fully functioning (read: mostly crashing) SOC dashboard in Excel.

Features include:

  • Color-coded threat scores (Red = bad, Yellow = also bad, Green = we forgot to log this one).

  • “Live” data feeds updated every 15 minutes with a cron job duct-taped to a CSV dump.

  • Macros that scream “RUNTIME ERROR” louder than your CISO at quarterly reviews.

It’s like Splunk, if Splunk were written by someone who just discovered VLOOKUP.

Detection Engineering: Brought to You by Copy/Paste

Our detection rules are a masterclass in efficiency. Example:

  # Two case-sensitive substring checks on the raw log line; fires on any line
  # that happens to contain both words, and misses anything that does not.
  if "PowerShell" in log and "Base64" in log:
      alert("Definitely Suspicious Maybe")

We call this heuristics. Others call it “grossly irresponsible.” Tomato, to-mah-to.
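As an added example (not the post's own code): the rule above run over a few constructed log lines, beside a tighter check that looks for a PowerShell -EncodedCommand argument and confirms it decodes to a UTF-16LE string. The script path and the sample lines are made up for the demonstration.

```python
import base64
import re

# Constructed sample log lines (not real telemetry) for exercising both rules.
ENCODED = base64.b64encode("Get-Date".encode("utf-16le")).decode()
SAMPLE_LOGS = [
    "powershell.exe -NoProfile -enc " + ENCODED,          # encoded command, lowercase, no "Base64" literal
    r"PowerShell.exe -File C:\Scripts\Base64Decode.ps1",  # benign admin script (hypothetical path)
    "cmd.exe /c dir",                                     # unrelated
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# the argument is base64 of a UTF-16LE string.
ENC_RE = re.compile(
    r"(?i)powershell(?:\.exe)?.*?\s-e(?:ncodedcommand|nc|c|n)?\s+([A-Za-z0-9+/=]{16,})"
)


def page_rule(log: str) -> bool:
    """The post's heuristic: case-sensitive substring match on two words."""
    return "PowerShell" in log and "Base64" in log


def encoded_command_rule(log: str):
    """Return the decoded command if the line carries a decodable -EncodedCommand, else None."""
    m = ENC_RE.search(log)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # base64-looking token, but not a PowerShell encoded command


def compare(logs):
    """Run both rules over the lines; returns (page_rule_fired, decoded_or_None) per line."""
    return [(page_rule(line), encoded_command_rule(line)) for line in logs]


if __name__ == "__main__":
    for line, (naive, decoded) in zip(SAMPLE_LOGS, compare(SAMPLE_LOGS)):
        print(f"page rule={naive!s:5} decoded={decoded!r:12} {line}")
```

The substring rule fires on the benign script and stays silent on the encoded command; the tighter check does the opposite, and hands the analyst the decoded command to triage.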

Threat Hunting: Or How I Learned to Love grep

With our new setup, hunting is easy. Simply download 12GB of logs, open them in Notepad, and scroll really fast.

You’ll know you’ve found something when your computer fan sounds like it’s preparing for liftoff.

Pro tip: Use Ctrl+F for “lol” — attackers love that string for some reason.

Lessons Learned

After a full week of running our Spreadsheet SOC™, here’s what we’ve learned:

  • SIEM stands for Some Intern Eventually Makes-sense-of-this.

  • The cloud is just someone else’s Excel file.

  • Threat hunting is 10% skill, 90% coffee and pretending to understand regex.

  • The real threat was the macros we enabled along the way.

Final Thoughts

Cybersecurity is about adaptability. And if there’s one thing we’ve proven at Initech Software, it’s that we can adapt, survive, and deliver enterprise-grade nonsense with unmatched enthusiasm.

So whether you’re a seasoned SOC analyst or someone who just wandered in looking for TPS report templates, we hope our journey inspires you to think outside the (sandboxed) box.

And remember — your threat surface can’t grow if you never patch anything.

#StayInitechSecure
#ExcelYourExpectations
#ThreatHuntingButMakeItFunny

