Presented at
Black Hat USA 2020 Virtual,
Aug. 6, 2020, 1:30 p.m.
(40 minutes)
<p>Today, defenders in a typical security operation center rely on their SIEM to do forensics on past logs, and to define real-time detections. This assumes that the SIEM was configured ahead of time to collect the subset of logs that are useful. But how does one decide what is useful? Further, some data comes at such high-volume that storing it in raw form is prohibitively expensive. Such data must be prefiltered and summarized before storage for query.</p><p>We present tools and a method of comparing various options of filtering and pre-processing real-time feeds of data before storage. This can be done in isolated environments without SIEM coverage, such as labs/honeypots for researching Malware or Proof of Concept (POC) for exploits.</p><p>The learnings of the method can be applied to understanding novel threats and creating true-real-time detections that work directly on the stream of events (no storage involved).</p>
Presenters:
-
Jose Morris
- Senior Software Engineer, Microsoft Corporation
Jose Morris is part of the engineering team supporting the C+E SOC. He has 15+ years of experience in developing software products such as Windows Update and Intune. Jose is an advocate for participating in the open source world and contributed to projects like Tx (LINQ to Logs and Traces).
Links:
Similar Presentations: