logo
allArticlesConferencesPresentations

Experimenting with Real-Time Event Feeds

Conference:  BlackHat USA 2020

2020-08-06

Abstract

Today, defenders in a typical security operation center rely on their SIEM to do forensics on past logs, and to define real-time detections. This assumes that the SIEM was configured ahead of time to collect the subset of logs that are useful. But how does one decide what is useful? Further, some data comes at such high-volume that storing it in raw form is prohibitively expensive. Such data must be prefiltered and summarized before storage for query.We present tools and a method of comparing various options of filtering and pre-processing real-time feeds of data before storage. This can be done in isolated environments without SIEM coverage, such as labs/honeypots for researching Malware or Proof of Concept (POC) for exploits.The learnings of the method can be applied to understanding novel threats and creating true-real-time detections that work directly on the stream of events (no storage involved).
Materials:
Tags:

Post a comment

Related work

Real-Time Analytics: Going Beyond Stream Processing with Apache Pinot

Conference:  OpenAI + Data Forum 2022
Authors: Karin Wolok, Rong Rong
2022-06-21

Understand Systems with OpenTelemetry: A Hybrid Telemetry Data Backend

Conference:  KubeCon + CloudNativeCon Europe 2023
Authors: Ran Xu, Xiaochun Yang
2023-04-19

⚡ Lightning Talk: Cloud(Security)Events -- A Lightweight Framework for Security Reactions

Conference:  Cloud Native SecurityCon North America 2023
Authors: Evan Anderson

Fantastic Red-Team Attacks and How to Find Them

Conference:  BlackHat USA 2019
Authors:
2019-08-08

Return to Sender - Detecting Kernel Exploits with eBPF

Conference:  Black Hat USA 2022
Authors:
2022-08-10

Perception Deception: Physical Adversarial Attack Challenges and Tactics for DNN-Based Object Detection

Conference:  BlackHat EU 2018
Authors:
2018-12-06