Lean Threat Intelligence: Detecting Intrusions and Combating Infiltrators with Open Source Software

Presented at NolaCon 2017, May 19, 2017, 3 p.m. (Unknown duration)

With a vast increase in the amount of data and information coming in every second, it is important to have measures set in place to detect suspicious activity. By combining IDS events with network connection logs and enriching with threat intelligence data, you can detect attackers early, follow lateral movement, and investigate what actions an adversary performed while inside your system. In this talk, we will demonstrate how to combine and collect these logs from different sources using Graylog, an open source log management tool, in unison with Snort, an open source IDS tool. We will further elaborate on different techniques that can be used to analyze your acquired log data. This unification of all logs, together with (H)IDS alerts and threat intelligence enrichment, let's us build an extremely flexible SIEM-like solution. Thus, we have combined the best of both worlds. The alerting and routing functionalities of Graylog lets it blend into existing architectures and allows flexibility for further processing security related data in other systems.

Presenters:

• Lennart Koopmann
  Lennart is the founder of Graylog and started the project in 2010. He has a strong software development background and recently started exploring the world of network security. Twitter: @_lennart

Links:

• https://nolacon.com/talk/lean-threat-intelligence-detecting-intrusions-combating-infiltrators-open-source-software

Similar Presentations:

• BSidesLV 2019 / The Contemplator Approach: Data Enrichment Through Elastic Stack
• BruCON 0x07 (2015) / Creating REAL Threat Intelligence ... with Evernote
• DerbyCon 7.0 Legacy (2017) / Love is in the Air - DFIR and IDS for WiFi Networks