What the Log?! So Many Events, so Little Time...

Presented at Black Hat Asia 2020 Virtual, Oct. 1, 2020, 1:30 p.m. (30 minutes)

Detecting adversaries in your environment is a challenging task: most organizations need at least several months to detect them... IF they detect them at all.

Many companies have started to investigate the Windows Event Log to improve their detection. But analyzing Event Logs is a tedious task: so much information gathered in different log files and so much data to correlate. To improve your environment's security, Microsoft recommends the use of so-called "Microsoft Security Baselines". Having such a security baseline in place results in even more events being generated.

It also requires a certain amount of storage space to gather all these events in one place. Storage space comes with additional cost, and not all organizations are fortunate enough to store petabytes of log files. Therefore, they need to filter which Event IDs are important enough to forward to their SIEM system.

But which events are generated if you apply a certain Microsoft Security Baseline? Which are important enough to forward and allocate valuable storage space to? And what do you do with all the data once you have collected everything in one location?

In this live-demonstration-filled talk, I will show you how to solve these problems – while matching Event IDs, Security Baselines and hunting queries to the MITRE ATT&CK framework.

Presenters:

  • Miriam Wiesner - Security Program Manager, Microsoft
    Miriam Wiesner works as a Security Program Manager for Microsoft Defender ATP with a focus on Secure Infrastructure and Threat Protection. In her spare time, she enjoys writing articles for her private blog as well as developing tools to support the community, and she speaks at international conferences and events such as Black Hat, ExpertsLive and many more. She's a life-long learner, always excited about new technologies and empowering others.
