Wednesday, April 10, 2019

What I've Done

So I've been busy over the past year and wanted to share a bit about what I am presenting at SOURCE Boston 2019. I'm actually giving two talks this year;

1. Let's Blow Up the SIEM and Start Over (Wednesday, 2:20 PM)
2. Cloud Intrusion Detection and Threat Hunting With Open Source Tools (Friday, 1:00 PM )

The second is actually a sequel to my 2017 talk, "Engineering Challenges Doing Intrusion Detection in the Cloud" where I shared the results of a large research spike in 2015-2017. In 2018, I continued this work and developed a framework for doing behavioral intrusion detection and threat hunting using FOSS (free and open source) tools. This became the "SpaceCake" project you may have seen me talk about at the meetups and BSides events. In this talk I will present this framework and share some real-world data examples (and as before, there is a threat hunting exercise using real data.) Conventional wisdom sometimes holds that this is too much detail for a conference talk but attendees consistently tell me they love seeing real threat data so I keep including it. 

The first talk is partly about how, once upon a time, my business stakeholders were suffering from what I call "inflation fatigue" as we faced a roughly $4 million annual spend on tools combined with an increasing cost curve for security staff due to historic levels of full employment and market demand. At the same time, neither security nor operations teams were very happy with the expensive security tools we were using because of what I called "product sprawl." One day, my leadership asked if we could throw it out and start over with free and open source (F/OSS) tooling. I later spent 2018 developing the SpaceCake project to do that after I noticed several different organizations were asking me for the same thing. 

SpaceCake used data and telemetry from a wide variety of open source tools and instrumentation to accomplish all nine of Anton Chuvakin's SIEM use cases including cloud activity monitoring; EDR (endpoint detection and response; intrusion detection; malware detection; network monitoring and threat intelligence. Interestingly, we can also do machine learning based anomaly detection using the significant terms aggregation in ELK and I will show examples of how I use this to detect threats and intrusions that are hard to find using conventional or specification based rules.

No comments: