Log All The Things! Proactive Forensics using Log Analysis

Presented at BSidesDC 2015, Oct. 17, 2015, 3:30 p.m. (50 minutes)

Implementing a SIEM can be a complex and costly process. Many organizations fail to realize the full potential of their SIEM because they fail to capture the right logs. Others get mired in voluminous logs of little significance. Most also miss out on what is potentially the most useful log source of all, individual endpoints. SIEM vendors are equally to blame for failing to deliver on their promises to interpret and correlate logs.

Two years ago we started on a SIEM implementation project with a lofty goal: to collect logs from every endpoint on our network. We have nearly reached our goal and learned a lot of lessons along the way. In this presentation we will present lessons learned, unique correlations we have devised, suggestions for vendors to improve their logging, and suggestions for SIEM vendors to improve their products without using the words threat intelligence.

Presenters:

• Kyle Salous
  Kyle Salous has over 10 years of IT Security experience. He enjoys doing more with less while keeping the bad guys on their toes.
• Aaron Beuhring
  Aaron Beuhring has over 13 years of IT experience. He enjoys correcting configurations and occasionally misconfiguring things as well.

Links:

• https://bsidesdc2015.busyconf.com/schedule#activity_558db64499bdae1cab000020

Similar Presentations:

• SAINTCON 2019 / Building your first SIEM with the Elastic Stack
• ShmooCon XIV (2018) / This Is Not Your Grandfather's SIEM
• BSides Austin 2017 / Forget enumerating a network, hack the SIEM and win the war