ELK for Enterprise IR Visibility
2 ELK for Enterprise IR Visibility Mark Goudie, Security Consulting Director Barry Anderson, Security Architect
3 Agenda Introduction Security Challenges IR and Issues ELK Inputs Enrichment Cloud Integration (Office 365) Cisco Offering
4 > whoami Mark Goudie 20+ years security / technology experience 8+ years data breach investigation experience Former author of SANS Top 20 Author SANS Ethics Committee member Inaugural President High Tech Crime Investigation Association (A/NZ) Payment card industry forensic investigator
5 > whoishe Barry Anderson 20+ years at the pointy end of the spear Built one of the first firewalls for a business in Australia Created the Forensicator FATE project for automating digital forensics evidence processing Presented at the 2015 SANS DFIR Summit
6 Security Challenges Changing Business Models Dynamic Threat Landscape Complexity and Fragmentation
7 Security Challenges: Changing Business Models, Dynamic Threat Landscape, Complexity and Fragmentation (Talent, Cloud). 60% of data in breaches is stolen in hours; 12x demand for security talent; 45 security vendors for some customers; 25% increase in an organization's cybersecurity risk due to IoT; 5 to 10 times more cloud services are being used than known by IT; 54% of breaches remain undiscovered for months.
8 Incident Response Worms Viruses Phishing Data loss DDOS Human Mistakes Not-so Human Mistakes
9 Incident Response - Reality: No DNS logs, or we're not collecting all DNS logs. Cannot see communication in the HTTP proxy logs. Not sure if the connection was denied. We can't see if there is an outbound connection. We don't have enough log data. We don't log on that server/network/segment/system. We can't PCAP data. We don't have enough process to support it. It's all in the cloud.
10 Visibility is essential Q. What is the common link between these victims? A. Threat persistence caused by a lack of VISIBILITY
11 What do we need visibility of? Have visibility to prevent data theft Focus on detecting active security incidents Must detect before significant data theft Active security incident
12 (A few) Reasons for Failure Being Human Bias We Know it ALL Syndrome Well-intentioned, ill-informed ASSumptions Too slow in response
13 Steps towards a Solution Enable informed decision making Prefetching as much data as you can Understand your network Enrich data sets Let system provide you what you need Increase automation IR Process Prepare before the incident
14 ELK
15 ELK. Logstash: Collect, Enrich & Transport Data, or more importantly, Collect, Normalize, Enrich & Transport Data. ElasticSearch: Search & Analyze Data in Real Time. Kibana: Explore & Visualize Your Data, or Explore & Visualize; Go Hunting!
16 Logstash: What problem does it solve? In our enterprises, logs are stored in different locations (read: all over the shop), in different formats (Dates?!), with different permissions. Logs may also require domain knowledge to interpret, and so are not easily searchable!
17 Logstash: Input, Filter, Output Input Filter Output
18 Logstash - Config: Here is a very simple Logstash configuration. It takes events from standard input, does no filtering and sends them to Elasticsearch and standard output.
    input { stdin { } }
    output {
      elasticsearch { hosts => ["localhost:9200"] }
      stdout { codec => rubydebug }
    }
19 Logstash - Input Plugins: Here are some of the available input plugins: stdin; tcp, udp; syslog; eventlog (Windows); exec; pipe (stream events from a long-running command); rabbitmq, zeromq; kafka; twitter; s3, sqs (AWS); elasticsearch (Inception, anyone?); Beats (files, processes, Windows events).
20 Logstash - Filter Plugins: Here are some of the available filter plugins grok grep csv mutate drop geoip dns anonymize
21 Logstash - Output Plugins: Here are some of the available output plugins elasticsearch redis file http jira pager graphite cloudwatch kafka exec rabbitmq, zeromq
22 Logstash Config: Input. Capture logs and documents / events:
    input {
      # syslog, live via udp and tcp port
      syslog {
        port => 5514
        type => "syslog"
        use_labels => false
      }
      # archived syslog files, in standard /var/log/* format
      file {
        type => "archive-syslog"
        path => [ "/usr/local/logstash-syslog/**/*" ]
        sincedb_path => "/var/db/logstash/sincedb"
        start_position => "beginning"
        exclude => [ "*.gz", "*.zip" ]
      }
    }
23 Elasticsearch Document Based Search Engine JSON based, Apache Lucene Distributed Multi-tenancy API exposure & RESTful Modules for programming and scripting
24 Kibana Visualize your DATA Build and Share queries, Visualization Build and Share Dashboards Export the Views Accessible via Web Easy to use, less learning curve
25 Sample data
26 Kibana
27 Kibana
28 Kibana
29 Kibana Terms. Query: query Elasticsearch. Filter: Elasticsearch filter to get specific results, including time ranges. Panel: view search results. Dashboard: collection of panels.
30 Input
31 How to Send logs to ELK? Syslog /Syslog-NG Logstash-forwarder FileBeat
32 What is FileBeat Replacement for Logstash Forwarder Lightweight Part of collection of shipping tools : Beats
33 ELK: Pipeline (diagram): Shipper -> Indexer (Logstash) -> Search and Storage (Elasticsearch) -> Visualization (Kibana)
34 <Your IDS goes here>
35 Suricata/Snort/Bro/SELKS/Security Onion. Suricata: an IDS built to be compatible with Snort but built for maximum speed; uses all the cores; from 2.0 onwards, EVE JSON event and alert output. Snort. Bro: an NSM built on a DSL designed for network analysis (also called Bro!). We're using Bro as an example because it's quite interesting, and because it's the one you're least likely to be familiar with.
36 Where Bro Stands Signature IDS HIPS Host BRO Network FLOW Anomaly
37 BRO Logs: DNS, HTTP, Connection, SMTP, SSH, FTP, Weird, etc.
38 BRO Log format: By default CSV; consists of a header describing the columns; can be changed to JSON format (if required).
39 BRO DNS example
    #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
    (sample row, only partially transcribed) C1UL0O1FbUwxOR2ol udp in-addr.arpa 1 C_INTERNET 12 PTR 3 NXDOMAIN F F T F F
40-42 Logstash-forwarder.conf: the network section, "ssl ca" to secure logs while shipping, and the logs to ship
    {
      "network": {
        "servers": [ " :5001" ],
        "timeout": 60,
        "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt"
      },
      "files": [
        {
          "paths": [ "/nsm/bro/logs/current/dns.log" ],
          "fields": { "type": "bro_dns_log" }
        }
      ]
    }
43-46 FileBeat to Send Logs / Add Security to Filebeat. Edit /etc/filebeat/filebeat.yml:
    filebeat:
      # List of prospectors to fetch data. Each - is a prospector.
      prospectors:
        -
          # Paths that should be crawled and fetched. Glob based paths.
          paths:
            - /nsm/bro/logs/current/dns.log
          # Possible options are:
          # * log: Reads every line of the log file (default)
          # * stdin: Reads the standard in
          input_type: log
          # Type to be published in the 'type' field. For Elasticsearch output,
          # the type defines the document type these entries should be stored in.
          document_type: bro_dns_log
    # Multiple outputs may be used.
    output:
      ### Logstash as output
      logstash:
        # The Logstash hosts
        hosts: [" :5002"]
        # Optional TLS. By default is off.
        tls:
          # List of root certificates for HTTPS server verifications
          certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
    # Note: configure local GeoIP database support.
    geoip:
      paths:
        - "/usr/share/geoip/geolitecity.dat"
47 Logstash: Input (FileBeat)
    input {
      beats {
        port => 5002
        type => "bro_dns_log"
        # ssl is off by default; the certificate and key below are ignored unless it is enabled
        ssl => true
        ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
        ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
      }
    }
48 Filters
49-50 Logstash: Filter. Drop Bro's '#' header lines, then split the Bro DNS columns (column names as on slide 39, dots replaced by underscores):
    filter {
      if [message] =~ /^#/ {
        drop { }
      } else {
        if [type] == "bro_dns_log" {
          csv {
            columns => ["ts","uid","id_orig_h","id_orig_p","id_resp_h","id_resp_p","proto","trans_id","query","qclass","qclass_name","qtype","qtype_name","rcode","rcode_name","AA","TC","RD","RA","Z","answers","TTLs","rejected"]
            # Bro's default field separator is a single literal tab character
            separator => "	"
          }
        }
      }
    }
51 Output
52 Logstash: Output
    output {
      elasticsearch { hosts => " " }
      stdout { codec => rubydebug }
    }
53 Logstash: Multiple Output. Route each event type to its own daily index:
    output {
      if [type] == "bro_dns_log" {
        elasticsearch {
          hosts => " "
          # Logstash date patterns are Joda-style: MM is the month, mm would be the minute
          index => "bro_dns_log-%{+YYYY.MM.dd}"
        }
      } else if [type] == "finance_log" {
        elasticsearch {
          hosts => " "
        }
      }
    }
54 Kibana
55 Kibana : Configure Index
56 Kibana Result
57 Kibana: Discover Events
58 Enrichment
59 Logstash: Add GeoIP
    geoip {
      source => "id_orig_h"
      target => "orig_geoip"
    }
    geoip {
      source => "id_resp_h"
      target => "resp_geoip"
    }
60 Logstash: Add ASN
    geoip {
      database => "/usr/share/geoip/geoipasnum.dat"
      source => "id_orig_h"
      target => "orig_geoip"
    }
61 Logstash: Add Intel
    translate {
      field => "id_resp_h"
      destination => "Intel_hit"
      dictionary_path => "/etc/logstash/intel_ip.yaml"
    }
    intel_ip.yaml (one <field>: <message> entry per indicator):
    <IP>: "Intel received from ... on ..."
62 Cloud Integration (Office 365)
63 Office365 Integration Use internal SPAM filtering Use Native Office365 Trace logs Use Native Office365 API recently announced.
64 Office365 Integration step 1
    Set-ExecutionPolicy RemoteSigned   # on the system that will run the scripts
    $credential = Get-Credential
65 Office365 Integration step 2
    # ConvertFrom-SecureString without -Key encrypts with DPAPI, so the saved
    # password can only be read back by the same user on the same machine
    $credential.password | ConvertFrom-SecureString | Set-Content c:\scripts\password.txt
    $proxysettings = New-PSSessionOption -ProxyAccessType IEConfig
66 Office365 Integration step 3
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <connection URI> -Credential $credential -Authentication Basic -AllowRedirection -SessionOption $proxysettings
67 Office365 Integration step 4
    Import-PSSession $session
    Get-Mailbox | Where-Object { $_.RecipientTypeDetails -eq "UserMailbox" } | Set-Mailbox -AuditEnabled $true
68 Office365: Get Traces
    Get-MessageTrace -StartDate $datestart -EndDate $dateend | Export-Csv -NoTypeInformation $OutputCSVFile
69 LogstashForwarder / Filebeat input:
    input {
      lumberjack {
        port => 5000
        type => "logs"
        ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
        ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
      }
    }
70-71 Logstash Filter: parse the message trace CSV, then drop the header row
    if [type] == "logs" {
      csv {
        separator => ","
        columns => ["PSComputerName","RunspaceId","Organization","message_id","time","src_user","recipient","subject","recipient_status","dest_ip","src_ip","size","message_tid","start","end","index"]
      }
      # Drop header: the csv filter treats the header line as data, so its
      # PSComputerName field literally contains the column name
      if [PSComputerName] == "PSComputerName" {
        drop { }
      }
    }
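As an added example that is not part of the slides, the following Python models the three filter stages above on constructed input: the Bro header-drop and column split of slides 49-50, the intel lookup of slide 61 (generalised to also check the DNS answers field), and the Office 365 trace CSV parse and header drop of slides 70-71. The Bro log lines, the INTEL_IP dictionary standing in for intel_ip.yaml, and the Export-Csv rows are all constructed sample data.

```python
"""Added example, not from the slides: a Python model of the Logstash filter and
enrichment stages on slides 49-50 (drop '#' lines, split Bro columns), 61 (intel
lookup) and 70-71 (Office 365 message trace CSV with header-row drop)."""
import csv
import io
from typing import Dict, List, Tuple

# Constructed Bro dns.log excerpt: Bro's default tab-separated format, including the
# '#' header and footer lines that the slide's filter drops.
BRO_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id"
    "\tquery\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name"
    "\tAA\tTC\tRD\tRA\tZ\tanswers\tTTLs\trejected",
    "1457000000.123456\tC1UL0O1FbUwxOR2ol\t10.0.0.5\t53212\t192.0.2.53\t53\tudp\t41234"
    "\t5.0.0.10.in-addr.arpa\t1\tC_INTERNET\t12\tPTR\t3\tNXDOMAIN\tF\tF\tT\tF\t0\t-\t-\tF",
    "1457000001.000000\tCabc123\t10.0.0.7\t50001\t192.0.2.53\t53\tudp\t41235"
    "\tupdates.example.net\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0"
    "\t198.51.100.20\t300.000000\tF",
    "#close\t2016-03-03-10-00-00",
])

# Constructed stand-in for the intel_ip.yaml dictionary that the translate filter reads.
INTEL_IP: Dict[str, str] = {"198.51.100.20": "Intel received from constructed-feed on 2016-03-01"}


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Drop Bro's '#' lines as the slide's filter does, but take column names from the
    '#fields' line rather than hard-coding them; dots become underscores (id_orig_h)."""
    columns: List[str] = []
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                columns = [c.replace(".", "_") for c in line.split("\t")[1:]]
            continue
        values = line.split("\t")
        if len(values) != len(columns):
            # A fixed column list would silently mis-map a truncated row; fail loudly.
            raise ValueError("column count mismatch: %r" % line)
        events.append(dict(zip(columns, values)))
    return events


def enrich_intel(event: Dict[str, str], intel: Dict[str, str],
                 fields: Tuple[str, ...] = ("id_resp_h",)) -> Dict[str, str]:
    """Model of the translate filter: set Intel_hit when a looked-up field matches. The
    slide checks id_resp_h only; also checking the comma-separated DNS 'answers' vector
    is an added generalization."""
    enriched = dict(event)
    for field in fields:
        for value in event.get(field, "").split(","):
            if value in intel:
                enriched["Intel_hit"] = intel[value]
                return enriched
    return enriched


# Column names from slide 70. The csv filter applies them to every row, including the
# Export-Csv header line, which is why slide 71 drops PSComputerName == "PSComputerName".
O365_COLUMNS = ["PSComputerName", "RunspaceId", "Organization", "message_id", "time",
                "src_user", "recipient", "subject", "recipient_status", "dest_ip",
                "src_ip", "size", "message_tid", "start", "end", "index"]

# Constructed Export-Csv output; the header repeats because two daily exports were appended.
O365_HEADER = ('"PSComputerName","RunspaceId","Organization","MessageId","Received","SenderAddress",'
               '"RecipientAddress","Subject","Status","ToIP","FromIP","Size","MessageTraceId",'
               '"StartDate","EndDate","Index"')
O365_TRACE_CSV = "\n".join([
    O365_HEADER,
    '"outlook.office365.com","1111-2222","contoso.onmicrosoft.com","<m1@contoso.com>",'
    '"3/3/2016 10:00:00 AM","alice@contoso.com","bob@contoso.com","Report, Q1","Delivered",'
    '"203.0.113.10","198.51.100.5","20480","t1","","","0"',
    O365_HEADER,
    '"outlook.office365.com","1111-2222","contoso.onmicrosoft.com","<m2@contoso.com>",'
    '"3/4/2016 09:30:00 AM","carol@contoso.com","dave@contoso.com","Invoice","Delivered",'
    '"203.0.113.10","198.51.100.20","10240","t2","","","0"',
])


def parse_o365_trace(text: str, columns: List[str] = O365_COLUMNS) -> List[Dict[str, str]]:
    """Model of slides 70-71: csv-split each row with the fixed column list, then drop
    rows that are really header lines. Quoted commas (in the subject) are preserved."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        event = dict(zip(columns, row))
        if event.get("PSComputerName") == "PSComputerName":
            continue
        events.append(event)
    return events


def run_bro_pipeline() -> List[Dict[str, str]]:
    """Slide 49-50 filter followed by slide 61 enrichment over the constructed log."""
    return [enrich_intel(e, INTEL_IP, ("id_resp_h", "answers")) for e in parse_bro_log(BRO_DNS_LOG)]


if __name__ == "__main__":
    for e in run_bro_pipeline():
        print(e["ts"], e["query"], e["rcode_name"], e.get("Intel_hit", "-"))
    for e in parse_o365_trace(O365_TRACE_CSV):
        print(e["src_user"], "->", e["recipient"], "from", e["src_ip"])
```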
72 Kibana: Lets Visualize
73 DashBoard
74 Where to from here?
75 What about once we start to scale? Look at the OpenSOC architecture. This is an architecture designed to scale (1.2Mpps analyzed in realtime?!): Telemetry Capture - Apache Flume; Data Bus - Apache Kafka; Stream Processor - Apache Storm; Long-Term Data Store - Apache Hive; Long-Term Packet Store - Apache HBase; Real-Time Index and Search - Elasticsearch. This has entered the Apache Incubator as Apache Metron.
76 Cisco Managed Security Offerings
77 Active Threat Analytics (ATA). Analytics: near real-time analytics, anomaly detection, zero day threat focus, reduced mean time to respond, operationalization. People: advanced expertise, combat security talent shortage, force multiply internal resources. Intelligence: access to actionable sources of intelligence, Cisco proprietary telemetry, adapted for customer intelligence, industry-specific intelligence. Technology: integration of the latest security technology, scalable and modular architecture, extensible platform designed to evolve with market demands.
78 ATA Enables: Speed (rapid threat detection reduces the mean time to respond), Accuracy (high fidelity cuts down on false positives), Focus (increased visibility and control illuminates security blind spots). Customer Benefits: Risk Mitigation, Proactive Security, Operational Efficiency, Strategic Focus, Comprehensive Coverage.
79 ATA Architecture Overview (diagram). Customer premise: firewalls, full packet capture, Cisco NetFlow, third-party machine exhaust, Sourcefire AMP, Sourcefire IDS, connected over VPN / secure connection (HTTPS/SSH/IPsec) to the Cisco data center: NetFlow and metadata extraction, anomaly detection, Collective Security Intelligence, deterministic and statistical analytics, big data analytics, ThreatGrid, SOC. Customer 24/7 access through a dedicated customer segment: investigator portal, administrative consoles, authentication services, CMSP portal (dedicated customer portal), alerting/ticketing system, common services (threat intelligence).
80 Solution Overview Full packet capture Protocol metadata NetFlow Machine exhaust (logs) Parse + Format Threat Intelligence Feeds Enrich Alert Applications + Analyst Tools Log Mining and Analytics Network Packet Mining and PCAP Reconstruction Big Data Exploration, Predictive Modelling Unstructured telemetry Other streaming telemetry Enrichment Data
81 Q & A
82 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2016 T-Shirt! Complete your Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site Visit any Cisco Live Internet Station located throughout the venue T-Shirts can be collected in the World of Solutions on Friday 11 March 12:00pm - 2:00pm Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations.
83 Thank you
More informationFirst Look Showcase. Expanding our prevention, detection and response solutions. Marco Rottigni Chief Technical Security Officer, Qualys, Inc.
18 QUALYS SECURITY CONFERENCE 2018 First Look Showcase Expanding our prevention, detection and response solutions Marco Rottigni Chief Technical Security Officer, Qualys, Inc. Secure Enterprise Mobility
More informationVMware AirWatch PowerShell Integration Guide Securing your infrastructure
VMware AirWatch PowerShell Integration Guide Securing your email infrastructure Workspace ONE UEM v1810 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard
More informationNovetta Cyber Analytics
Know your network. Arm your analysts. Introduction Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real time cyber security visibility
More informationAffordable High-Speed Sensors Everywhere. ntop Meetup Flocon 2016, Daytona Beach Jan 13th 2016
Affordable High-Speed Sensors Everywhere ntop Meetup Flocon 2016, Daytona Beach Jan 13th 2016 Welcome to the ntop Meetup Meeting Goals: Meet ntop users Describe our ideas and plans for 2016 Hear your comments
More informationNetwork Automation using modern tech. Egor Krivosheev 2degrees
Network Automation using modern tech Egor Krivosheev 2degrees Key parts of network automation today Streaming Telemetry APIs SNMP and screen scraping are still around NETCONF RFC6241 XML encoding Most
More informationCost Effective, Scalable Packet Capture and Cyber Analytics Cluster for Low Bandwidth Enterprise Customers
Cost Effective, Scalable Packet Capture and Cyber Analytics Cluster for Low Bandwidth Enterprise Customers The Enterprise Lite Packet Capture Cluster Platform is a complete solution based on NextComputing
More informationPowering Monitoring Analytics with ELK stack
Powering Monitoring Analytics with ELK stack Abdelkader Lahmadi, Frédéric Beck To cite this version: Abdelkader Lahmadi, Frédéric Beck. Powering Monitoring Analytics with ELK stack. 9th International Conference
More informationCisco s Appliance-based Content Security: IronPort and Web Security
Cisco s Appliance-based Content Security: IronPort E-mail and Web Security Hrvoje Dogan Consulting Systems Engineer, Security, Emerging Markets East 2010 Cisco and/or its affiliates. All rights reserved.
More informationCatch an Active Cyber Attack in minutes
Catch an Active Cyber Attack in minutes SIGS SOC FORUM, GENEVA FABIAN GENTINETTA FABIAN@VECTRANETWORKS.COM Vectra Networks www.vectranetworks.com 1 It starts with your data source Data Quality and Speed
More informationWe b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.)
We b Ap p A t ac ks U ser / Iden tity 33% 53% Apps And Identities Initial Targets In 86% Of Breaches P hysi ca l 11% Other (VPN, PoS,infra.) 3% Fix vulnerabilities Stop web attacks Risk & compliance What
More informationWhy Most IoT Projects Fail And how to ensure success with OSIsoft and Cisco Kinetic
Why Most IoT Projects Fail And how to ensure success with OSIsoft and Cisco Kinetic Presented by Stephen Friedenthal, IoT Solutions Architect About Cisco Systems, Inc. San Fran Companies want to derive
More informationTanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018
Tanium Endpoint Detection and Response (ISC)² East Bay Chapter Training Day July 13, 2018 $> WhoamI 11 Years of Security Experience Multiple Verticals (Technology, Industrial, Healthcare, Biotech) 9 Years
More informationSIEM Product Comparison
SIEM Product Comparison SIEM Technology Space SIEM market analysis of the last 3 years suggest: Market consolidation of SIEM players (25 vendors in 2011 to 16 vendors in 2013) Only products with technology
More informationDDoS Detection&Mitigation: Radware Solution
DDoS Detection&Mitigation: Radware Solution Igor Urosevic Head of Technical Department SEE CCIE #26391 Ingram Micro Inc. 1 Agenda DDoS attack overview Main point of failures Key challenges today DDoS protection
More informationForescout. Configuration Guide. Version 3.5
Forescout Version 3.5 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191
More informationRSA INCIDENT RESPONSE SERVICES
RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access
More informationSIEMLESS THREAT DETECTION FOR AWS
SOLUTION OVERVIEW: ALERT LOGIC FOR AMAZON WEB SERVICES (AWS) SIEMLESS THREAT DETECTION FOR AWS Few things are as important to your business as maintaining the security of your sensitive data. Protecting
More informationReserve Bank of India Cyber Security Framework
Reserve Bank of India Cyber Security Framework HOW SMOKESCREEN HELPS YOU COMPLY RBI Cyber Security Framework How Smokescreen Helps You Comply Table Of Contents Executive Summary 3 About the Framework 3
More informationTRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. John McDonald
TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE John McDonald 1 What is Trust? Can I trust that my assets will be available when I need them? Availability Critical Assets Security Can I trust
More informationNETWORKING &SECURITY SOLUTIONSPORTFOLIO
NETWORKING &SECURITY SOLUTIONSPORTFOLIO NETWORKING &SECURITY SOLUTIONSPORTFOLIO Acomprehensivesolutionsportfoliotohelpyougetyourbusiness securelyconnected.clickononeofoursolutionstoknowmore NETWORKING
More informationRSA NetWitness Platform
RSA NetWitness Platform RSA SecurID Access Last Modified: Tuesday, January 29, 2019 Event Source Product Information: Vendor: RSA, The Security Division of Dell EMC Event Sources: Authentication Manager,
More informationAvoiding Information Overload: Automated Data Processing with n6
Avoiding Information Overload: Automated Data Processing with n6 Paweł Pawliński pawel.pawlinski@cert.pl 26th annual FIRST conference Boston, June 23rd 2014 Who we are part of national CERT for Poland
More informationCalendar updated presence
Calendar updated presence Setting up MiCloud and Microsoft Exchange Server Table of Contents Copyright 2016 Mitel Networks Corporation 1. Preconditions and assumptions... 1 2. Presence synchronization
More informationAKAMAI CLOUD SECURITY SOLUTIONS
AKAMAI CLOUD SECURITY SOLUTIONS Whether you sell to customers over the web, operate data centers around the world or in the cloud, or support employees on the road, you rely on the Internet to keep your
More informationELK. Elasticsearch Logstash - Kibana
ELK Elasticsearch Logstash - Kibana Welcome to Infomart Infomart is a media monitoring app which monitors both Social and Traditional Media. Social media includes Twitter, Facebook, Youtube, Wordpress,
More informationThe Evolution of : Continuous Advanced Threat Protection
The Evolution of : Continuous Advanced Threat Protection Craig Bird Senior Solutions Engineer Security is a combination of protection, detection and response You need Prevention to defend against low-focus
More informationForeScout Extended Module for Splunk
ForeScout Extended Module for Splunk Version 2.7.0 Table of Contents About Splunk Integration... 5 Support for Splunk Enterprise and Splunk Enterprise Security... 7 What's New... 7 Support for Splunk Cloud...
More information