Using Open Source Log Aggregation Tools to Improve Enterprise Security

Presented at BSidesSF 2019, March 2, 2019, 12:30 p.m. (330 minutes).

TO REGISTER FOR THIS WORKSHOP, GO [HERE](https://bsidessf.regfox.com/2019). NOTE THAT SPACE IS VERY LIMITED.

Securing the enterprise is a demanding task that requires a complete understanding of the infrastructure and its running services. To uncover signs of compromise, it is first necessary to know what normal activity looks like. Almost all services make use of some type of logging function, with the vast majority of logs adhering to RFC 5424 (the Syslog protocol). Centralizing log analysis functions opens new opportunities for cross-referencing and analyzing data. Log aggregation tools are available from a variety of vendors and are critical in presenting data in a timely and usable manner. With proper planning, log aggregation tools can be configured to track critical infrastructure activity and provide alerting when anomalies indicative of compromise are detected. Log analysis can be used to detect malicious login attempts, device compromise, data exfiltration, unexpected network traffic, unauthorized file changes, rogue application installations, and more.

This course will provide students with hands-on development of practical, real-world log aggregation, analysis, and alerting skills that they can take back to their jobs, adapt, and implement in their environments. We will use real-world scenarios and provide virtual machines, instruction, and workable demos that students can take with them. Students should have basic Linux and Windows familiarity and be able to do basic virtual machine manipulation. We will provide all materials via AWS. Students will need laptops.

Presenters:

  • Lennart Koopmann - Graylog, Inc.
    Lennart founded the Graylog project in 2009 and has since then worked with many organizations on log management and security-related projects. He has an extensive background in software development and architecture. His skills include Java, Ruby, Ruby on Rails, PHP, MySQL, MongoDB, and Elasticsearch. Lennart attends many InfoSec conferences and has spoken at many, including DerbyCon. He has several cats. Once he ran a marathon but was not very fast.
  • Jim Nitterauer - Graylog, Inc.
    Currently a Senior Security Specialist at AppRiver, LLC, his team is responsible for global network deployments and manages the SecureSurf DNS infrastructure and the SecureTide spam and virus filtering platform, internal applications, and security operations. He holds a CISSP certification and is well-versed in ethical hacking, with more than 20 years' experience. Jim has presented at NolaCon, ITEN WIRED, BSides Las Vegas, BSides Atlanta, CircleCityCon, DEF CON, DerbyCon, BSides San Francisco, and several smaller conferences. Jim is a BSides Las Vegas senior staff member, on the ITEN WIRED Planning Committee, and the president of the Florida Panhandle (ISC)2 Chapter.
