Take five seconds to think: Which of the two scenarios is the worst as an incident responder? In the first one, you have to analyze terabytes of logs by grepping audits, Windows events, proxy, intrusion prevention systems and mail as you try to pivot, correlate and understand what the heck happened. In the second one, you don’t have any logs at all!
Hopefully, most of us will choose the first scenario – this should be so for two reasons. First, it could be our only shot to get the intruder, and second, it is our responsibility to secure the network. The only “but” in this scenario is the pain to parse, log\ and analyze that amount of information.
Monitoring Domain Controller, intrusion prevention systems (IPS), antivirus, e-mail and other security logs are important; even workstation security logs are critical when dealing with a security event. Those tracking records can provide critical information for digital forensics.
As such, these logs are best understood as the basic components for more proactive network defensive techniques like threat hunting.
On any given day, millions of log events could appear in your network. Your devices generate events from simple and inoffensive daemon or application errors, as well as from very important events that might be an intrusion. Obviously, you want to look at the logs on the latter but not necessarily on the former.
By now, you should be wondering how you are going to save or log all that information. Which are the important fields? Should you enrich this data? What about correlation? How do you create detection alerts and reports?
In “Elastic-ing All the Things – Saving anything at elastic stack and having fun with detections,” we will show how to use the ElasticStack to collect, enrich and analyze any of your logs in near real-time. We’ll cover all the necessary steps from organizing and mapping your data to implementing smart configurations at Elastic to maximizing the ROI of your logs and Python scripts to exploring your data-set. We’ll also touch on how to create dashboards to make your boss happy.
We are going to spend an afternoon simulating situations with some open-source offensive utilities (Why not?! They also generate logs!) and defensive tools that will show how attendees can create great stuff on the cheap, thereby improving your detection capabilities and metrics.
If it looks like too much defense for you, well, applications like nmap, openvas and most of your favorite tools also generate logs, so you can use those instead. And yes, we have a special scenario for you at our training. Not an expert in Python? Don’t worry! We provide all the code you need.
If you will be in Vegas or are planning to attend DEF CON, take an early flight and join us at BSidesLV for our training. For those who can’t come to Vegas this year but are lucky enough to live in Brazil, you can reach us by Twitter or through our website http://threathunter.com.br/ to get more info about future classes.
About the Authors:
Felipe “Pr0teus” Esposito has 10 years experience in T.I as well as a Master’s Degree in Computer Systems and Networking. His interests includes network covert channels, information visualization, log analysis, and incident response. He currently works for Rio de Janeiro’s state court as Network Security Admin. Felipe has spoken at a number of security and open-source conferences such as Latinoware, FISL (Porto Alegre), H2HC (São Paulo), MindTheSec (Rio de Janeiro & São Paulo), BHack, and BSides (São Paulo). You can connect with Felipe on LinkedIn here.
Rodrigo “Sp0oKeR” Montoro has 15 years of experience deploying open-source security software (firewalls, IDS, IPS, HIDS, log management) and hardening systems. Currently, he is Security Researcher/ SOC. Prior to joining Clavis, he worked as a senior security administrator at Sucuri and was a researcher at Spiderlabs, where he focused on IDS/IPS Signatures, Modsecurity rules, and new detection innovations. Rodrigo is the author of two patented technologies involving discovery of malicious digital documents and analyzing malicious HTTP traffic. He is also a coordinator and Snort evangelist for the Brazilian Snort Community. Rodrigo has spoken at a number of open source and security conferences including OWASP AppSec, Toorcon (USA), H2HC (São Paulo and Mexico), SecTor (Canada), CNASI, SOURCE (Boston and Seattle), ZonCon (Amazon Internal Conference), BSides (Las Vegas and São Paulo), and Black Hat (Brazil). You can connect with Rodrigo on LinkedIn here.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.