Collect All the Data, Protect All the Things

Collect All the Data; Protect All the Things

Protecting all the things, all the time requires the collection and analysis of all the data. The range of threats is wide and can be highly advanced. To bring the sexy back to blue team, the next generation security operations team has too look across all the available data sources. Correlating of network, application, machine, and endpoint OS data events to find anomalous behavior and reduce false positives. This talk covers application of different methods of collection and analysis as well as the use of machine learning to generate behavioral anomalies that are incorporated into overall continuous monitoring capabilities to catch a variety of apt activity before a signature has been developed. This is not a vendor talk and nearly all tools discussed are open source and free.

Venues & Recordings

• BSides Jacksonville 2018

• BSides SF 2019

• Infosecurity Blog Post

• Derby Con Finish Line:

• Iron Geek Post

• Adobe Cyber Security Monthly - Internal

Long Description

This talk covers application of different methods to collect analyze and correlate multiple types of data as well as the use of machine learning to generate behavioral anomalies that are incorporated into overall continuous monitoring capabilities. This is not a vendor talk and with very few exceptions, all methods and tools discussed are open source and free, the focus is instead on the application of concepts. The focus is on leveraging all available capabilities to create custom alerts based on behaviors and not signatures and with the capability to catch a wide variety of advanced persistent threat activity before a signature has been developed.

Technical coverage:

Signature and Session analysis with snort, bro, AOL’s Moloch, and NetSA SiLK and jA3 certificates identifying various DNS c2, HTTPS exfil, scans and brute force activity, statistical regression analysis with x-pack. Machine Data collected with Elasticsearch, detecting various on the box activity, population analysis with x-pack. Application data ingested from DNS, Fileserver, DHCP identifying DNS abuse and correlating with network session activity. Endpoint OS data collected and interrogated with OSquery, Kolide, Fleet and Elasticsearch for live memory inspection, network connection interrogation and asset identification….finding various activity like malicious processes running in memory. Correlation in a workflow management system for event triage and incident response the hive project with alerts from all of the previous actions forwarded, triaged, and IOC’s and observables generated that reveal the connections between the kill chain events found with the different sources of data. The technical topics will be quickly covered along with a proposed architecture to collect the required data, analyze the information and create custom alerts based off multiple data points. Further addition of time-based analysis for alerting will be discussed along with the integration of intelligence sources. By the end of the talk the audience will be informed of the different capabilities available and how they can work together to automate and increase efficiency of security operations and incident response. Further they will hopefully be inspired to participate in the open source collection information found here https://github.com/arosenmund/Protoss that is being built to provide a framework for creating these capabilities in new security operations centers, all with freely available software.

• ← Previous
Next →