Visual Log Analysis - The Beauty of Graphs

Presented at DEF CON 14 (2006), Aug. 5, 2006, 10 a.m. (50 minutes)

Event and log analysis is becoming one of the main tools security analysts use to investigate and comprehend the state of their networks, hosts, and applications. Recent developments, such as regulatory compliance requirements and an increased focus on insider threat, have increased the demand for analytical tools to help in the process. Event correlation is one of the tools that helps address these challenges. However, the vast number of events still leaves analysts with enormous amounts of data to analyze manually, creating room for new tools to fill the gap. Visualization of data has proven to be the approach that generates the best return on investment. This talk takes a step-by-step approach to analyzing a log file, showing how AfterGlow (afterglow.sourceforge.net) can be used to analyze and understand it. The analysis will show how visualization can be used to detect portscans, policy violations, and misconfigurations. The talk will focus on using link graphs and treemaps to analyze the data sets. The goal of the talk is to leave the audience with the knowledge and tools to do visual log analysis on their own data. The main tool used for the talk is AfterGlow (afterglow.sourceforge.net), which in its current version supports a diverse set of operations to ease the analysis of log data.
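The first step the abstract describes is turning raw log lines into the node/edge records a link graph is drawn from, and the patterns it promises to surface (a portscan, a policy violation) are visible in that graph as structure: a scanning host is a node with unusually high fan-out, and a policy violation is an edge to a port the policy forbids. The following Python is an added example written for this page, not code from the talk or from the AfterGlow project. It parses a few constructed firewall-style log lines, emits them as comma-separated source,event,target rows (the three-column layout is assumed here as a generic link-graph input, not taken from AfterGlow's documentation), and computes the same fan-out and forbidden-port checks that an analyst would otherwise read off the picture.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log lines (not from the talk): timestamp src dst dport action
SAMPLE_LOG = """\
2006-08-05T10:00:01 10.0.0.5 192.168.1.10 22 ACCEPT
2006-08-05T10:00:02 10.0.0.5 192.168.1.10 23 DROP
2006-08-05T10:00:02 10.0.0.5 192.168.1.10 25 DROP
2006-08-05T10:00:03 10.0.0.5 192.168.1.10 80 ACCEPT
2006-08-05T10:00:03 10.0.0.5 192.168.1.10 110 DROP
2006-08-05T10:00:04 10.0.0.5 192.168.1.10 143 DROP
2006-08-05T10:00:04 10.0.0.5 192.168.1.10 443 ACCEPT
2006-08-05T10:00:05 10.0.0.5 192.168.1.10 3389 DROP
2006-08-05T10:00:09 10.0.0.7 192.168.1.10 80 ACCEPT
2006-08-05T10:00:10 10.0.0.8 192.168.1.20 443 ACCEPT
2006-08-05T10:00:11 10.0.0.9 192.168.1.30 23 ACCEPT
"""


def parse_log(text):
    """Split whitespace-separated log lines into dict records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "dport": int(dport), "action": action})
    return records


def to_link_graph_csv(records):
    """Emit source,event,target rows (src, dport, dst); an assumed generic
    three-column link-graph layout, each row becoming two edges of the picture."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for r in records:
        writer.writerow([r["src"], r["dport"], r["dst"]])
    return buf.getvalue()


def fan_out(records):
    """Number of distinct (dst, dport) pairs per source: the node degree
    that makes a scanner stand out as a 'star' in the link graph."""
    targets = defaultdict(set)
    for r in records:
        targets[r["src"]].add((r["dst"], r["dport"]))
    return {src: len(pairs) for src, pairs in targets.items()}


def suspected_scanners(records, threshold=5):
    """Sources whose fan-out reaches the threshold (threshold is a tunable assumption)."""
    return sorted(src for src, degree in fan_out(records).items()
                  if degree >= threshold)


def policy_violations(records, forbidden_ports=(23,)):
    """Accepted connections to ports the policy forbids (telnet here, as an assumed
    example policy): the 'edge that should not exist' case in the graph."""
    return [(r["src"], r["dst"], r["dport"]) for r in records
            if r["action"] == "ACCEPT" and r["dport"] in forbidden_ports]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(to_link_graph_csv(recs))
    print("fan-out:", fan_out(recs))
    print("suspected scanners:", suspected_scanners(recs))
    print("policy violations:", policy_violations(recs))
```

Run as-is it prints the CSV rows ready to be fed to a graphing tool, then the numeric findings. The point of pairing the two is that the visual and the numeric checks agree: the host with eight distinct target ports is the one the graph would draw as a star, and the accepted telnet connection is the single edge that a port-based colour scheme would highlight.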

Presenters:

  • Raffael Marty - GCIA
    Raffael Marty, GCIA, CISSP is the manager of ArcSight's Strategic Application Solution Team, where he is responsible for delivering industry solutions that address the security needs of Fortune 500 companies, ranging from regulatory compliance to insider threat. Raffael initiated ArcSight's Content Team, which is responsible for all of the product's content, ranging from correlation rules, dashboards and visualizations to vulnerability mappings and categorization of security events. Before joining ArcSight, Raffael worked as an IT security consultant for PricewaterhouseCoopers and previously was a member of the Global Security Analysis Lab at IBM Research, where he participated in various intrusion detection-related projects. His main project, Thor, was the first approach to testing intrusion detection systems by means of correlation tables. Raffael also serves on the MITRE OVAL (Open Vulnerability and Assessment Language) advisory board, is involved in the Common Vulnerability Scoring System (CVSS) standard and has presented on various occasions.
