SOURCE Boston 2019
May 1 - 3, 2019 (Wed - Fri)
Let's Blow Up the SIEM and Start Over
Security and Operations teams spend a staggering amount of time and money buying and managing security products. We manage vast fleets of expensive, complex security agents and million-dollar next-gen blinkyboxes. We sit through endless budget meetings about data analytics tools that charge by the byte and actually disincentivize us from collecting and analyzing the quantities of data we need to accomplish our missions. All of this overhead dilutes our attention and creates drag that degrades team focus, reduces output, and consequently increases risk. Security product sprawl is as much a threat to success as anything the attackers are doing.
What would an alternative world look like? Much of what analytics-, detection- and monitoring-oriented security products do - from generating primary data to pipelines and analytics - can be accomplished using lightweight, free and open source tools. We present Bark - a buzzword-compliant framework of FOSS security tools used in concert to detect all the things and perform SIEM-like functions in the ELK stack with certain sidecar tooling. Compliance monitoring, behavioral and specification-based intrusion detection, database monitoring, data loss detection, security analytics and threat hunting can be accomplished through the coordinated usage of open source tools. Another, and perhaps the most compelling, advantage of the open source approach is the freedom to engage in community-driven development and sharing of searches and analytics, which is sometimes missing in the black-box security product space.
Alternative title: Making ~~Love~~ SIEMs Out of Nothing At All
Craig is a seasoned security leader with twenty years' experience in security, including service as a cloud security lead in one of the larger AWS environments. He is a patent holder; published researcher; advisor to various security product plays and VCs; credited bug hunter; and a veteran of four startups including two successful exits. A devotee of the "purple team" movement, he studies both offensive and defensive security art in order to better detect all the things. He has contributed, as an architect and/or core business logic developer, to three successful security products and six large-scale security monitoring and threat hunting projects, in both cloud and terrestrial environments. He has been a SIEM/security analytics developer and/or threat hunter in the defense, financial, government, military and software manufacturing sectors. He has presented at the MISTI NetSec ESummit, B-Sides Boston, B-Sides Washington DC, SOURCE Boston, OpenSec Boston, Cloud Security World, and, a long time ago in a galaxy far away, ACSAC and the DHS Science & Technology Conference.