Elastic-ing All the Things - Saving anything at elastic stack and having fun with detections

Presented at BSidesLV 2017, July 25, 2017, 2 p.m. (235 minutes).

Millions of events could easily be generated in your network daily. Your devices will generate events from simple and inoffensive daemon or application errors to very important events, that defensive and offensive would want to alert on. But by the end of the day how are you going to save or log all that information? How will you enrich this data generated by your users, tools, and devices? How you will correlate them? How will you create detection alerts and reports ? In this training our idea is to teach a fast track about how you could use Elastic Stack to cover all the steps of a event logs journey. From local log generation to Hero Detection, showing the attendee how to create smart configurations that will parse and split your data into key fields, transform your logs, correlate, and filter them to create useful outputs to be used in detection and network security analysis. This workshop will be entirely based on Elastic Stack and basic Python scripts (donít be afraid, we will provide what is needed for the course). Simulating situations with some opensource offensive and defensive tools that will show how the attendees could create great stuff on the cheap, improving your detection capabilities and metrics. And once successful, the important: ask for a raise!

Presenters:

  • Rodrigo Montoro - Security Researcher
    Rodrigo "Sp0oKeR" Montoro has 15 years of experience deploying open source security software (firewalls, IDS, IPS, HIDS, log management) and hardening systems. Currently he is Security Researcher/ SOC. Prior to joining Clavis he worked as a Senior Security administrator at Sucuri, and was a researcher at Spiderlabs where he focused on IDS/IPS Signatures, Modsecurity rules, and new detection researches. Rodrigo is the author of two patented technologies involving discovery of malicious digital documents and analyzing malicious HTTP traffic. He is also a coordinator and Snort evangelist for the Brazilian Snort Community. Rodrigo has spoken at a number of open source and security conferences including OWASP AppSec, Toorcon (USA), H2HC (São Paulo and Mexico), SecTor (Canada), CNASI, SOURCE (Boston and Seattle), ZonCon (Amazon Internal Conference), BSides (Las Vegas and São Paulo), and Black Hat (Brazil).
  • Felipe Esposito / Pr0teus - Security Researcher   as Felipe “Pr0teus" Esposito
    Felipe "Pr0teus" has 10 years experience in T.I, masters degree in Computer Systems and network. His interests includes Network Covert Channels,Information visualization, Log analysis and Incident Response. Currently working for Rio de Janeiro state court as Network Security Admin, working hard to make Gov's minimum responsive against threats. Felipe has spoken at a number of security and open source conferences as Latinoware, FISL(Porto Alegre), H2HC(São Paulo), MindTheSec(Rio de Janeiro & São Paulo), BHack, BSides(São Paulo)

Links:

Similar Presentations: