Neil Desai - Data Driven Analytics
Download as PPTX, PDF0 likes30 views
The document contains alerts related to malware, backdoors, and hacking attempts. It discusses the limitations of alerts alone without context from raw data. It emphasizes verifying logs and detections using frameworks like MITRE ATT&CK and testing tools. Links are provided for log collection with Winlogbeat, Sysmon, and Auditbeat to gain more visibility.
Neil Desai - Data Driven Analytics
- 1. Neil Desai Solver of Problems, Causer of Mahem Data Driven Analytics
- 5. SOC Alert MALWARE-BACKDOOR BackConstruction 2.1 Client FTP Open Request MALWARE-BACKDOOR BackConstruction 2.1 Server FTP Open Reply MALWARE-BACKDOOR Matrix 2.0 Client connect MALWARE-BACKDOOR Matrix 2.0 Server access MALWARE-BACKDOOR WinCrash 1.0 Server Active MALWARE-BACKDOOR CDK MALWARE-BACKDOOR DeepThroat 3.1 Server Response MALWARE-BACKDOOR PhaseZero Server Active on Network MALWARE-BACKDOOR w00w00 attempt MALWARE-BACKDOOR attempt MALWARE-BACKDOOR MISC r00t attempt MALWARE-BACKDOOR MISC rewt attempt MALWARE-BACKDOOR MISC Linux rootkit attempt MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x MALWARE-BACKDOOR MISC Linux rootkit attempt MALWARE-BACKDOOR MISC Linux rootkit satori attempt MALWARE-BACKDOOR MISC sm4ck attempt MALWARE-BACKDOOR MISC Solaris 2.5 attempt MALWARE-BACKDOOR HidePak backdoor attempt MALWARE-BACKDOOR HideSource backdoor attempt PROTOCOL-ICMP TFN Probe PROTOCOL-ICMP tfn2k icmp possible communication MALWARE-OTHER Trin00 Daemon to Master PONG message detected PROTOCOL-ICMP Stacheldraht server spoof PROTOCOL-ICMP Stacheldraht gag server response PROTOCOL-ICMP Stacheldraht server response
- 6. SOC Alerts
- 7. SOC Alert
- 8. SOC Alert
- 9. SOC Alert
- 11. Alerts vs Raw Data • Alerts give very specific information, but they don’t tell the whole story. Context is key, but isn’t in the alert. • Alert logic may not be visible to the analyst or hard to interpret. • Alert may not give enough details. • Raw data is high volume and hard to sift through. • Either create alerts from the raw data or get both.
- 12. Trust, But Verify • Log settings can change during an upgrade of a product, by mistake, or maliciously. • “Turn on Logs” is not really a setting. Check to see exactly what’s enabled and where. • Regularly test to ensure logs (volume and variety) are as expected. • Operationalize log collection. • Understand what you have today, and determine what you need
- 13. MITRE ATT&CK • Use the framework to determine your visibility gap (https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html) • Use testing frameworks to check detections (https://github.com/redcanaryco/atomic-red-team)
- 14. Winlogbeat + Sysmon + https://github.com/olafhartong/sysmon-modular
Editor's Notes
- #2: Hi, everyone. Over the past few years, we’ve been making it easier for our users to deploy Elastic for Security Analytics. We define Security Analytics as the highly scalable collection, indexing, and real-time advanced analysis of all kinds of security-related data… We’re now introducing Elastic SIEM to provide a curated experience for security analysts and investigators to perform: Security information and event management Threat detection Threat hunting
- #3: This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why. This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. So what have we been building? Let me share some recent highlights: We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data. We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more. In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute. We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field. Saving the best for last, Endgame has joined Elastic.
- #4: This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why. This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. So what have we been building? Let me share some recent highlights: We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data. We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more. In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute. We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field. Saving the best for last, Endgame has joined Elastic.
- #5: This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why. This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. So what have we been building? Let me share some recent highlights: We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data. We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more. In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute. We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field. Saving the best for last, Endgame has joined Elastic.
- #6: This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why. This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. So what have we been building? Let me share some recent highlights: We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data. We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more. In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute. We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field. Saving the best for last, Endgame has joined Elastic.
- #7: This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why. This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. So what have we been building? Let me share some recent highlights: We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data. We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more. In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute. We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field. Saving the best for last, Endgame has joined Elastic.
- #8: This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why. This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. So what have we been building? Let me share some recent highlights: We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data. We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more. In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute. We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field. Saving the best for last, Endgame has joined Elastic.
- #9: This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why. This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. So what have we been building? Let me share some recent highlights: We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data. We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more. In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute. We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field. Saving the best for last, Endgame has joined Elastic.
- #10: This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why. This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. So what have we been building? Let me share some recent highlights: We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data. We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more. In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute. We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field. Saving the best for last, Endgame has joined Elastic.
- #11: This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why. This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. So what have we been building? Let me share some recent highlights: We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data. We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more. In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute. We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field. Saving the best for last, Endgame has joined Elastic.
- #12: This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why. This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. So what have we been building? Let me share some recent highlights: We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data. We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more. In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute. We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field. Saving the best for last, Endgame has joined Elastic.
- #13: This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why. This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. So what have we been building? Let me share some recent highlights: We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data. We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more. In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute. We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field. Saving the best for last, Endgame has joined Elastic.
- #14: This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why. This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. So what have we been building? Let me share some recent highlights: We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data. We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more. In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute. We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field. Saving the best for last, Endgame has joined Elastic.
- #15: This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why. This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. So what have we been building? Let me share some recent highlights: We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data. We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more. In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute. We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field. Saving the best for last, Endgame has joined Elastic.
- #16: This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. Threat hunting was the most common early use case and Elastic is still the runaway leader for this work. Speed, Scale, and Relevance are the biggest reasons why. This widespread community adoption brought us to explore how we can make it easier to use the Elastic Stack for security use cases. So what have we been building? Let me share some recent highlights: We built the Elastic Common Schema in order to enable our users to normalize all their diverse security-related data. We’ve introduced a number of “modules” for security-relevant use cases, including Suricata, Zeek, NetFlow, Linux Audit Framework, and more. In June, we introduced a new SIEM app in Kibana that gives SOC analysts a curated way to interact with their security events and alerts for investigations and threat hunting. We’ll talk about this in some detail in just a minute. We joined forces with security consultancy “Perched” soon afterward, expanding our bench of battle-tested security practitioners, helping customers be successful in the field. Saving the best for last, Endgame has joined Elastic.