Hack.lu 2017 Sigma - Generic Signatures for Log Events by Thomas Patzke
Log files are a great resource for threat hunting and incident analysis. Unfortunately, there is no standardized signature format for them comparable to YARA for files or Snort signatures for network traffic. This makes sharing log signatures between security researchers and software developers problematic. Further, most SIEM systems have their own query language, which makes signature distribution in large heterogeneous environments inefficient and increases the cost of replacing a SIEM solution.
Sigma tries to fill these gaps by providing a YAML-based format for log signatures, an open repository of signatures and an extensible tool that converts Sigma signatures into different query languages. Rules and tools have been released as open source and are actively developed. This presentation gives an overview of use cases, Sigma rules and the conversion tool, the development community and future plans of the project.
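To make the conversion step concrete, here is an added example that is not code from the talk or from the Sigma project: a toy converter in Python that renders one Sigma-style rule (a dict mirroring the YAML layout, with constructed rule content) into Splunk search syntax and Elasticsearch query_string syntax. It deliberately supports only a small subset of the rule language, flat selections, the `|contains` modifier and conditions made of selection names joined by `and`/`or`/`not` without parentheses; Sigma's own converter handles far more.

```python
# Mirrors the YAML layout of a Sigma rule, embedded as a dict so the example
# runs without a YAML parser. Rule content is constructed for illustration.
RULE = {
    "title": "Reconnaissance commands (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"EventID": 4688, "CommandLine|contains": ["whoami", "net user"]},
        "filter": {"User": "SYSTEM"},
        "condition": "selection and not filter",
    },
}

def _quote(text: str) -> str:
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

def _field_expr(field: str, value, backend: str) -> str:
    """Render one field/value pair; the '|contains' modifier becomes a wildcard."""
    name, _, modifier = field.partition("|")
    text = f"*{value}*" if modifier == "contains" else str(value)
    if backend == "splunk":
        return f"{name}={_quote(text)}"
    if modifier:  # query_string wildcards only match unquoted, so escape spaces
        return name + ":" + text.replace(" ", "\\ ")
    return f"{name}:{_quote(text)}"

def _selection_expr(selection: dict, backend: str) -> str:
    """Fields of one selection are ANDed; a list of values for a field is ORed."""
    parts = []
    for field, value in selection.items():
        values = value if isinstance(value, list) else [value]
        alts = [_field_expr(field, v, backend) for v in values]
        parts.append(alts[0] if len(alts) == 1 else "(" + " OR ".join(alts) + ")")
    return "(" + " AND ".join(parts) + ")"

def convert(rule: dict, backend: str) -> str:
    """Expand a flat condition ('a and not b') by substituting each selection."""
    if backend not in ("splunk", "es"):
        raise ValueError(f"unsupported backend: {backend}")
    detection = rule["detection"]
    out = []
    for token in detection["condition"].split():
        if token in ("and", "or", "not"):
            out.append(token.upper())  # same boolean keywords in both targets
        else:
            out.append(_selection_expr(detection[token], backend))
    return " ".join(out)

if __name__ == "__main__":
    for backend in ("splunk", "es"):
        print(f"{backend}: {convert(RULE, backend)}")
```

The same rule yields two syntactically different queries with identical meaning, which is the point of keeping the signature in one backend-neutral format.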
Bio: Thomas Patzke
Thomas Patzke has more than 10 years of experience in the area of information security and currently works at thyssenkrupp CERT. His main job is the discovery of vulnerabilities in applications and products, but he also enjoys working on defensive topics, especially in the area of threat hunting. Thomas likes to create and contribute to open source security tools like Sigma, EQUEL, an ELK configuration for Linux systems, a POODLE exploit and various plugins for the Burp Suite (github.com/thomaspatzke).
He does not have a single certification and is quite proud of it.
Video: Hack.lu 2017 Sigma - Generic Signatures for Log Events by Thomas Patzke, from the channel Cooper