Lean Threat Intelligence: Detecting Intrusions and Combating Infiltrators with Open Source Software

Presented at NolaCon 2017, May 19, 2017, 3 p.m. (Unknown duration).

With a vast increase in the amount of data and information coming in every second, it is important to have measures set in place to detect suspicious activity. By combining IDS events with network connection logs and enriching with threat intelligence data, you can detect attackers early, follow lateral movement, and investigate what actions an adversary performed while inside your system. In this talk, we will demonstrate how to combine and collect these logs from different sources using Graylog, an open source log management tool, in unison with Snort, an open source IDS tool. We will further elaborate on different techniques that can be used to analyze your acquired log data. This unification of all logs, together with (H)IDS alerts and threat intelligence enrichment, lets us build an extremely flexible SIEM-like solution. Thus, we have combined the best of both worlds. The alerting and routing functionalities of Graylog let it blend into existing architectures and allow flexibility for further processing security-related data in other systems.

Presenters:

  • Lennart Koopmann
    Lennart is the founder of Graylog and started the project in 2010. He has a strong software development background and recently started exploring the world of network security. Twitter: @_lennart
