Tenzir Events

This repository contains slides and supplementary materials from events where we presented a talk.

Slides (in reverse-chronological order):

Suricon - November 2022

At Suricon, we showed how you can get more runway out of your EVE JSON logs by compacting them with VAST. We explained how compaction works as a trigger for pipelines that aggregate the EVE logs into a more space-efficient representation.

The Data Thread - June 2022

At The Data Thread, we presented how VAST uses Apache Arrow as a data engineering toolkit. We showcased VAST's architecture and how Arrow helps us with interoperability of security data.

Potsdam Conference on National CyberSecurity - June 2022

At the Potsdam Conference on National CyberSecurity we highlighted one of the core problems of large SOCs: handling the complexity imposed by a myriad of interconnected security tools. We showed how VAST can help from an architectural standpoint, as a "sidecar for the SOC."

The International Conference on the EU Cyber Act - May 2022

At the International Conference on the EU Cyber Act 2022, we co-presented with IBM Security's Jason Keirstead about how standardization alone is insufficient to create an open, interoperable ecosystem of security tools. Going back to the articles in the act, we identified market and operational themes that need to be addressed comprehensively in order to have a real-world impact.

Suricon - November 2021

At Suricon 2021 in Boston, we co-presented with DCSO on a production architecture for threat-intelligence-based detection that unifies historical and live alerting. The architecture leverages VAST as an embedded telemetry engine to deliver historical metadata via Threat Bus, such that it appears as an alert event that is indistinguishable from a live alert.

ZeekWeek - October 2021

At ZeekWeek 2021, we presented how VAST can become a Zeek logger node and transparently receive logs from a Zeek cluster in an optimal fashion. To this end, we wrote a Broker plugin to acquire the binary log data. We then reverse-engineered the binary message format of batched logs, which allowed us to convert them directly into VAST's data plane using Apache Arrow.

Suricon - October 2019

At Suricon 2019 in Amsterdam, we demonstrated how to pivot between different kinds of network telemetry with VAST. In particular, we showed how one can extract the PCAP packets corresponding to a specific Suricata alert. The idea is to model VAST's schema as a graph, where nodes correspond to different types and an edge exists between two types if it is possible to join over a common record field. Users just express the pivot destination, e.g., "give me all PCAPs for alerts with severity N of type X".
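As an added illustration of the schema-graph pivot described above (example code, not part of this repository or of VAST; the type names, field names and events are constructed), the following Python builds the type graph, finds the shortest join chain with a breadth-first search, and walks it from a Suricata alert to its packets:

```python
from collections import deque
# Constructed toy schema (not VAST's real types): type name -> record field names.
SCHEMA = {
    "suricata.alert": {"flow_id", "severity"},
    "suricata.flow": {"flow_id", "community_id"},
    "zeek.conn": {"uid", "community_id"},
    "pcap.packet": {"community_id", "payload"},
}

def find_pivot_path(schema, src, dst):
    """BFS over the schema graph (nodes = types, edge = shared field); returns [(type, join_fields)]."""
    parent, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        for other in schema:
            if other not in parent and schema[cur] & schema[other]:
                parent[other] = cur  # first discovery = shortest join chain
                queue.append(other)
    if dst not in parent:
        return None  # no chain of joinable types connects src and dst
    path, node = [], dst
    while parent[node] is not None:
        path.append((node, schema[parent[node]] & schema[node]))
        node = parent[node]
    return path[::-1]

def pivot(schema, data, src, predicate, dst):
    """Select src records with predicate, then hop along the join path to dst records."""
    path = find_pivot_path(schema, src, dst)
    if path is None:
        return []
    current = [r for r in data[src] if predicate(r)]
    for typ, keys in path:
        keys = sorted(keys)  # join on every field the two types share
        seen = {tuple(r[k] for k in keys) for r in current}
        current = [r for r in data[typ] if tuple(r[k] for k in keys) in seen]
    return current

# Constructed sample events: flow 1 carries a severity-1 alert, flow 2 a severity-3 one.
DATA = {
    "suricata.alert": [{"flow_id": 1, "severity": 1}, {"flow_id": 2, "severity": 3}],
    "suricata.flow": [{"flow_id": 1, "community_id": "1:abc"}, {"flow_id": 2, "community_id": "1:def"}],
    "zeek.conn": [{"uid": "C1", "community_id": "1:abc"}],
    "pcap.packet": [{"community_id": "1:abc", "payload": b"GET /"}, {"community_id": "1:abc", "payload": b"200 OK"},
                    {"community_id": "1:def", "payload": b"\x00\x01"}],
}

def pcaps_for_severity(n):
    """'Give me all PCAPs for alerts with severity N' expressed as a pivot."""
    return pivot(SCHEMA, DATA, "suricata.alert", lambda a: a["severity"] == n, "pcap.packet")
```

The zeek.conn type is reachable from suricata.flow as well, but the breadth-first search keeps the two-hop chain alert -> flow -> packet because it is discovered first.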

Zeek Workshop Europe - April 2019

At the Zeek Workshop Europe at CERN, we showed how to bring together MISP and Zeek. This presentation was a joint talk with Liviu Vâlsan who explained how to use this prototype operationally at the CERN SOC. Our robo investigator expands on our approach that we presented two months earlier (see below). In addition to correlating historical sightings, robo now also interfaces with Zeek to propagate changes to intel in real time and report "noisy" intel items.

DFN Conference on Security in Networked Systems - February 2019

At this year's DFN conference on Security in Networked Systems, we gave a demo on how to perform live correlation of threat intelligence with historical data. Concretely, we showed how to tap into MISP feeds in real time and translate new indicators into queries over old data. Our tool reports hits in historical data back to MISP as sightings. This makes it possible to understand whether an organization has been breached even before the indicator became available.

BroCon - October 2018

At BroCon 2018 we talked about automated analysis with Broker. We used the example of automatic historic intelligence lookups with VAST to illustrate the Broker API. Additionally, we analyzed Broker's performance in terms of throughput and latency. See the brocon18 directory for the complete list of accompanying material.