Log All The Things! Proactive Forensics using Log Analysis

BSidesDC 2015

Presented by: Aaron Beuhring, Kyle Salous
Date: Saturday October 17, 2015
Time: 15:30 - 16:20
Location: Salon D
Track: Blue Team

Implementing a SIEM can be a complex and costly process. Many organizations fail to realize the full potential of their SIEM because they do not capture the right logs. Others get mired in voluminous logs of little significance. Most also miss out on what is potentially the most useful log source of all: individual endpoints. SIEM vendors are equally to blame for failing to deliver on their promises to interpret and correlate logs.

Two years ago we started on a SIEM implementation project with a lofty goal: to collect logs from every endpoint on our network. We have nearly reached that goal and learned a lot of lessons along the way. In this presentation we will share lessons learned, unique correlations we have devised, suggestions for vendors to improve their logging, and suggestions for SIEM vendors to improve their products without using the words "threat intelligence".

Aaron Beuhring

Aaron Beuhring has over 13 years of IT experience. He enjoys correcting configurations and occasionally misconfiguring things as well.

Kyle Salous

Kyle Salous has over 10 years of IT Security experience. He enjoys doing more with less while keeping the bad guys on their toes.
