Taking Event Correlation with You

Black Hat USA 2015

Presented by: Rob King
Date: Thursday August 06, 2015
Time: 11:00 - 11:50
Location: Jasmine Ballroom

Event correlation problems appear everywhere in information security and forensics: log analysis ("I'm seeing a lot of 404 errors from one range of IP addresses"), behavior detection ("That account may be compromised, he logged in twice from two different locations"), record linkage ("Is Jones, Robert the same as Bob Jones?"), and expert systems ("I have a system running Windows 7 Japanese Locale, with these hotfixes, what's my biggest security risk?", or from the other side, "What attacks should I try first?").

Despite the usefulness of event correlation, many security practitioners either ignore it or use ad hoc tools. This talk presents Giles, a compiler that creates event correlation engines. Its most interesting feature is that the output of Giles is a schema for a normal SQL database, and databases created using this schema are fully-fledged event correlation engines. This allows users to put an event correlation engine anywhere they could put a database (which is everywhere), and access it using any programming language that can access databases (which is all of them).
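The central idea above, a plain SQL schema whose triggers do the correlating so that the database itself is the engine, as an added illustration using Python and SQLite (not Giles's output or schema). The two rules, the table layout and the sample events are constructed for this sketch.

```python
import sqlite3

# Added sketch of the abstract's idea: a plain SQL schema whose triggers do the
# correlating. Hypothetical rules and constructed events, not Giles's output.
SCHEMA = """
CREATE TABLE events (
    id INTEGER PRIMARY KEY, ts INTEGER NOT NULL, kind TEXT NOT NULL,
    src_ip TEXT, src_net TEXT, status INTEGER, account TEXT, location TEXT);
CREATE TABLE alerts (id INTEGER PRIMARY KEY, rule TEXT, detail TEXT);
-- Rule 1: five or more HTTP 404s from one /24 inside 60 seconds.
CREATE TRIGGER r_404_burst AFTER INSERT ON events
WHEN NEW.kind = 'http' AND NEW.status = 404 AND (
    SELECT COUNT(*) FROM events e
    WHERE e.kind = 'http' AND e.status = 404 AND e.src_net = NEW.src_net
      AND e.ts BETWEEN NEW.ts - 60 AND NEW.ts) >= 5
BEGIN INSERT INTO alerts(rule, detail) VALUES ('404_burst', NEW.src_ip); END;
-- Rule 2: a login for an account from a second location inside 10 minutes.
CREATE TRIGGER r_dual_login AFTER INSERT ON events
WHEN NEW.kind = 'login' AND EXISTS (
    SELECT 1 FROM events e
    WHERE e.kind = 'login' AND e.account = NEW.account
      AND e.location <> NEW.location AND e.ts BETWEEN NEW.ts - 600 AND NEW.ts)
BEGIN INSERT INTO alerts(rule, detail)
      VALUES ('dual_login', NEW.account || ' ' || NEW.location); END;
"""

def new_engine():
    """Any SQLite database created from SCHEMA is the correlation engine."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def ingest(db, ts, kind, **fields):
    """Insert one event; the triggers evaluate the rules as a side effect."""
    ip = fields.get("src_ip")
    fields["src_net"] = ip.rsplit(".", 1)[0] if ip else None  # /24 prefix
    cols = ["ts", "kind"] + list(fields)
    db.execute(f"INSERT INTO events({','.join(cols)}) VALUES ({','.join('?' * len(cols))})",
               [ts, kind] + list(fields.values()))

def alerts(db):
    return db.execute("SELECT rule, detail FROM alerts ORDER BY id").fetchall()

def demo():
    db = new_engine()
    for i in range(5):  # constructed 404 burst from 198.51.100.0/24
        ingest(db, 1000 + i, "http", src_ip=f"198.51.100.{10 + i}", status=404)
    ingest(db, 2000, "login", account="rjones", location="Austin")
    ingest(db, 2100, "login", account="rjones", location="Tokyo")  # second site
    return alerts(db)  # -> [('404_burst', '198.51.100.14'), ('dual_login', 'rjones Tokyo')]
```

Because the rules live in the schema, any client that can open the database file raises and reads the alerts without linking a correlation library.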

Rob King

Rob King has seventeen years of experience in information security and software development. Over his career he has served as a senior researcher with KoreLogic, Inc., the architect for TippingPoint DVLabs, and contributing editor for the SANS @RISK newsletter. He helped design SC Magazine's Data Leakage/Extrusion Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at Black Hat, Shmoocon, SANS Network Security, and USENIX. He has also been invited to lecture privately at the United States Department of Defense, the IEEE, and the University of Texas at Austin on a variety of information security-related topics.
