2024-12-14, Workshop Room 2
Log collection is the foundation of Security Operations. It is critical to have the correct hosts and applications in scope, and a collection mechanism for their events, so that they can be correlated in a SIEM/SOAR/XDR platform. Ineffective security events not only waste platform resources but also increase false-positive detections within a SOC, which in turn hurts analyst morale and lengthens the time it takes to triage an alert.
Led by SIEM engineering specialists with a combined 20+ years of experience with clients across government and industry, learn and try some of the best practices and tips that help some of the UK's most critical SOCs run smoothly.
If you are playing with Security Onion, or building content and correlation rules, and want to improve your effectiveness by only collecting the events you need, this is for you: take the trash out!
The challenge of balancing complete event coverage with efficient log onboarding is commonplace across Security Operations. Getting this balance wrong can mean Events of Interest are missing the information that would have provided context, or even that some of those events never reach the analyst for triage. Conversely, an excess of low-value events can reduce the efficiency of the technology and overwhelm analysts.
Greater awareness and understanding of the process and best practices for log source onboarding, parsing and correlation will lead to better transparency between engineering and operations. This increased cohesion can reduce false positives and positively impact mean time to detect (MTTD) and mean time to respond (MTTR).
In this workshop we will cover:
- Introduction to Security Information and Event Management (SIEM) tools, on-prem and cloud
- Common log sources and collection methods
- Best practices to identify:
  - Use case definition
  - Log verbosity (incl. scenario)
  - Log source documentation (incl. scenario)
- RegEx introduction (incl. practical exercise)
- Review of a parsed example log source
- Log source collection (incl. practical exercise)
- Tips, tricks and lessons learned:
  - CEF/Sigma
  - MITRE ATT&CK
By understanding the principles above, the security operations function will be more effective, from SIEM engineering through to SOC analysts.
Guy Kramer is a strategic technologist and founder of Cyber Intelligence & Advisory Ltd. With over 17 years of experience in the field, his expertise encompasses the design, development and implementation of security solutions. His in-depth knowledge of cybersecurity, combined with his hands-on approach, allows him to deliver effective guidance to executives and technical teams alike.
He has worked for high-profile clients in government as well as for globally recognised companies such as Rolls-Royce and Hewlett-Packard. A well-travelled individual who has advised on security best practices in 125 cities, Guy has led projects that have changed the shape of cyber security. Notably, he pioneered a ground-breaking technology (Global Adversary Signals Analytics) that has strengthened the defences of governments worldwide against sophisticated cyber threats.
With a fascination for cybersecurity innovation, Guy is dedicated to learning new attack and defensive techniques, mentoring talent and actively contributing to the information security community. His aim at Cyber Intelligence & Advisory Ltd is to build a globally respected firm that sets new standards of security in the industry.
Kyle Pearson is a solutions engineer with Graylog who has worked on enough SIEM and Log Management deployments to know his way around. After cutting his teeth in financial services, he held consulting roles for several SIEM vendors and has worked extensively with public sector and financial services customers.