This talk was presented at BSides DC 2017. It dives deep into Cyphon.io for triage of security incidents and events. I also talk about threat intel management, threat hunting and upcoming features in Cyphon.
The document outlines the functions of an IT Cyber Security Operations team. It introduces the different teams within IT Cyber Security including Cyber Security Operations, Engineering, and Security Incident Management. It describes the key functions of each team such as security monitoring, network attack monitoring, and incident response. The document also reviews the current detection capabilities including the tools used, such as QRadar for security information and event management, Splunk for security analytics, and Symantec for web/email detection. It concludes by discussing planned improvements like greater insider threat detection, operational enhancements to triage and monitoring, and new cybersecurity controls and increased detection capabilities being delivered through the Cyber Programme.
This document discusses user behavioral analytics and machine learning for threat detection. It summarizes that legacy security information and event management (SIEM) technologies are not adequate for detecting insider threats and advanced adversaries. It then describes how user behavioral analytics uses machine learning to develop multi-entity behavioral models across users, applications, hosts, and networks to detect anomalous behavior indicative of insider threats or advanced cyberattacks. Contact information is provided for the security consultant presenting on this topic.
Incident response live demo slides final (AlienVault)
So, you've got an alarm - or 400 alarms maybe, now what? Security incident investigations can take many paths leading to incident response, a false positive or something else entirely. Join this webcast to see security experts from AlienVault and Castra Consulting work on real security events (well, real at one point), and perform real investigations, using AlienVault USM as the investigative tool. Process or art form? Yes.
You'll learn:
Tips for assessing context for the investigation
How to spend your time doing the right things
How to classify alarms, rule out false positives and improve tuning
The value of documentation for effective incident response and security controls
How to speed security incident investigation and response with AlienVault USM
Dr. Anton Chuvakin discusses the future of security information and event management (SIEM) technologies in 2012. He outlines five areas where SIEM is likely to expand: 1) collecting and analyzing more context data, 2) sharing intelligence between SIEM systems, 3) monitoring emerging environments like virtual systems, cloud, and mobile, 4) developing new analytic algorithms to better detect threats, and 5) expanding to monitor application security in addition to infrastructure security. Chuvakin advises organizations to start integrating more context data, collecting security feeds, and expanding SIEM coverage to prepare for these evolving capabilities.
Dr. Anton Chuvakin provides an overview of SIEM architecture and operational processes. He notes that while a SIEM tool can be purchased, developing a full security monitoring capability requires growing people and maturing processes over time. The document outlines key aspects of deploying, running, and evolving a SIEM program, including common pitfalls to avoid, such as failing to define an initial scope or assuming the SIEM will run itself. It emphasizes taking an "output-driven" approach focused on solving security problems.
Improve threat detection with HIDS and AlienVault USM (AlienVault)
Host-based intrusion detection systems (HIDS) work by monitoring activity that is occurring internally on a host. HIDS look for unusual or nefarious activity by examining logs created by the operating system, looking for changes made to key system files, tracking installed software, and sometimes examining the network connections a host makes. AlienVault USM integrates HIDS with other key security controls to help you get the most out of HIDS, including:
Analyzing system behavior and configuration status to track user access and activity
Detecting system compromise, modification of critical configuration files (e.g. registry settings, /etc/passwd), common rootkits, and rogue processes
Correlating HIDS data with known IP reputation, vulnerability scans and more
Logging and reporting for PCI compliance
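The file-integrity part of the HIDS description above (changes to /etc/passwd and similar files), as an added example that is not AlienVault or OSSEC code: it baselines the files in a watched directory by SHA-256, size and permission bits, then reports what was modified, removed or added. The fake /etc under a temporary directory, its contents and the tampering steps are constructed for the demonstration.

```python
"""File-integrity monitoring in the style of a HIDS: baseline critical
files, then report modified, missing and new files.

Added example (not AlienVault or OSSEC code). The fake /etc under a temp
directory and its contents are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FileRecord:
    sha256: str
    size: int
    mode: int  # permission bits; a loosened mode or a new setuid bit is a change


@dataclass
class Diff:
    modified: list[str] = field(default_factory=list)
    missing: list[str] = field(default_factory=list)
    new: list[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.modified or self.missing or self.new)


def fingerprint(path: str) -> FileRecord:
    """Hash the file in chunks and record its size and permission bits."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return FileRecord(h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))


def list_files(directory: str) -> list[str]:
    """Regular files directly under the watched directory (no recursion here)."""
    return sorted(os.path.join(directory, n) for n in os.listdir(directory)
                  if os.path.isfile(os.path.join(directory, n)))


def build_baseline(paths: list[str]) -> dict[str, FileRecord]:
    """Snapshot taken while the host is known-good; keep it off-host in practice."""
    return {p: fingerprint(p) for p in paths}


def compare(baseline: dict[str, FileRecord], current: list[str]) -> Diff:
    """Re-fingerprint and report every deviation from the baseline."""
    diff = Diff()
    present = set(current)
    for p in sorted(set(baseline) | present):
        if p not in present:
            diff.missing.append(p)
        elif p not in baseline:
            diff.new.append(p)
        elif fingerprint(p) != baseline[p]:
            diff.modified.append(p)
    return diff


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake /etc, tamper with it, re-check."""
    root = tempfile.mkdtemp(prefix="fim-")
    try:
        files = {"passwd": "root:x:0:0:root:/root:/bin/bash\n",
                 "shadow": "root:*:19000:0:99999:7:::\n",
                 "sudoers": "root ALL=(ALL) ALL\n"}
        for name, body in files.items():
            with open(os.path.join(root, name), "w") as f:
                f.write(body)
        os.chmod(os.path.join(root, "shadow"), 0o600)

        baseline = build_baseline(list_files(root))
        assert compare(baseline, list_files(root)).is_clean()

        # Tampering: UID-0 backdoor account, shadow made world-readable,
        # sudoers deleted, and a preload file dropped to hijack every process.
        with open(os.path.join(root, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.chmod(os.path.join(root, "shadow"), 0o644)
        os.remove(os.path.join(root, "sudoers"))
        with open(os.path.join(root, "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")

        diff = compare(baseline, list_files(root))
        return {"modified": [os.path.basename(p) for p in diff.modified],
                "missing": [os.path.basename(p) for p in diff.missing],
                "new": [os.path.basename(p) for p in diff.new]}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The baseline must live somewhere the host cannot rewrite it: an attacker who can edit /etc/passwd can also edit a baseline stored next to it, which is why HIDS agents ship the baseline and the alerts to a central server. A production agent also walks directories recursively, records owner and inode, and triggers on inotify events rather than on a full rescan.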
The document discusses advanced security operations centers (A-SOCs) and their capabilities. It describes how A-SOCs go beyond traditional SOCs by focusing on threat mitigation, proactive monitoring and intelligence. It outlines key A-SOC capabilities like threat assessment and hunting, threat intelligence, situational awareness, and security analytics. The document also provides examples of A-SOC architecture, frameworks, technologies, queries, organization structure, and processes. It proposes a maturity model for advanced SOC services and provides an example use case for the Carbanak attack.
IDS for Security Analysts: How to Get Actionable Insights from your IDS (AlienVault)
The document discusses best practices for intrusion detection systems (IDS). It recommends a three phase process: collection, evaluation, and tuning. In the collection phase, an IDS gathers baseline data for 2 weeks. In evaluation, valuable and actionable events are identified based on policy, risk, and environment. Trending helps eliminate normal activity. Tuning removes unnecessary events to reduce false positives and save time through threshold adjusting and awareness of network details. Updates may require periodic re-evaluation and tuning to account for changes.
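The collect, evaluate, tune sequence above, as an added example that is not from the AlienVault deck: a two-week baseline of per-signature daily counts becomes a suppression policy (what the environment says is expected) and a per-signature threshold (mean plus three standard deviations), and a new day's events are then judged against both. Signature names, hosts, the baseline counts, the day's events and the three-sigma rule are constructed assumptions; your own sensor supplies the real numbers.

```python
"""Collect, evaluate, tune: turn a two-week IDS baseline into per-signature
thresholds plus a suppression policy, then evaluate a new day's events.

Added example, not from the AlienVault deck. Signature names, hosts, the
baseline counts and the day's events are constructed; the 3-sigma rule
and the policy entries are assumptions you would set for your own network.
"""
from __future__ import annotations

import math
import statistics
from collections import Counter

BASELINE_DAYS = 14  # the collection phase from the deck

# Collection phase output: events per day for each (signature, source)
# over the 14-day window. Constructed values.
BASELINE = {
    ("ET SCAN Nmap Scripting Engine", "10.0.0.5"):
        [900, 950, 880, 910, 940, 0, 0, 920, 905, 890, 930, 915, 0, 0],
    ("ET POLICY Dropbox Client Broadcasting", "10.0.1.23"): [40] * BASELINE_DAYS,
    ("ET SCAN Potential SSH Scan", "198.51.100.7"):
        [3, 2, 4, 1, 3, 2, 3, 5, 2, 3, 4, 2, 3, 3],
}

# Evaluation phase, policy part. None = suppress from every source;
# a set = suppress only from those sources.
SUPPRESS = {
    "ET SCAN Nmap Scripting Engine": {"10.0.0.5"},  # authorised vuln scanner
    "ET POLICY Dropbox Client Broadcasting": None,  # accepted by policy
}


def is_suppressed(signature: str, source: str) -> bool:
    rule = SUPPRESS.get(signature, set())
    return rule is None or source in rule


def daily_counts(baseline: dict, signature: str) -> list[int]:
    """Per-day totals for a signature with policy-suppressed sources removed,
    so the baseline is built with the same filter used at evaluation time."""
    days = [0] * BASELINE_DAYS
    for (sig, src), counts in baseline.items():
        if sig == signature and not is_suppressed(sig, src):
            for d, c in enumerate(counts):
                days[d] += c
    return days


def threshold_for(counts: list[int]) -> int:
    """Tuning: alert when a day's count reaches mean + 3 standard deviations.
    A signature with no baseline hits gets a threshold of 1: one hit is news."""
    if len(counts) < 2:
        return 1
    limit = statistics.mean(counts) + 3 * statistics.stdev(counts)
    return max(1, math.ceil(limit))


def tune(baseline: dict) -> dict[str, int]:
    signatures = sorted({sig for sig, _ in baseline})
    return {sig: threshold_for(daily_counts(baseline, sig)) for sig in signatures}


def evaluate(events: list[tuple[str, str]], thresholds: dict[str, int]) -> list:
    """One day's (signature, source) events -> [(signature, count, threshold)]."""
    counts = Counter(sig for sig, src in events if not is_suppressed(sig, src))
    alerts = []
    for sig, n in counts.items():
        t = thresholds.get(sig, 1)  # never seen in baseline: first hit is actionable
        if n >= t:
            alerts.append((sig, n, t))
    return sorted(alerts)


# Constructed events for one day after tuning.
DAY_EVENTS = (
    [("ET SCAN Nmap Scripting Engine", "10.0.0.5")] * 12      # scanner: suppressed
    + [("ET SCAN Nmap Scripting Engine", "203.0.113.9")] * 7  # unknown host scanning us
    + [("ET SCAN Potential SSH Scan", "198.51.100.7")] * 3    # within normal range
    + [("ET POLICY Dropbox Client Broadcasting", "10.0.1.23")] * 30
    + [("ET MALWARE Cobalt Strike Beacon", "10.0.2.17")]      # never baselined
)

if __name__ == "__main__":
    thresholds = tune(BASELINE)
    print(thresholds)
    for alert in evaluate(DAY_EVENTS, thresholds):
        print("ALERT", alert)
```

Two details matter in practice. The baseline is computed after the suppression policy is applied, so the authorised scanner's 900 hits a day do not inflate the Nmap threshold and seven hits from an unknown address still fire. And the threshold floor of one means a signature that was silent for the whole collection window alerts on its first hit; the re-evaluation the deck mentions after rule or network changes is a matter of re-running tune() on a fresh window.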
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova (OWASP Russia)
This document discusses large enterprise security information and event management (SIEM) systems. It begins with an overview of what SIEM systems are and how they differ from traditional log collection and monitoring. The document then discusses the architecture, performance, and scaling challenges of the IBM QRadar SIEM system. It also covers important considerations for log collection, including what sources to log from, log storage, normalization, and indexing. Lastly, it provides an example of the scale of logging for a large company and considerations for sizing a SIEM system for growth.
Emerging Threats and Strategies of Defense (Alert Logic)
This document summarizes emerging threats and strategies for defense. It discusses recent data breaches and malware trends seen in honeypot findings. Common attack vectors and types of malware are outlined. The importance of defense in depth is emphasized using tools like firewalls, intrusion detection, encryption, and threat intelligence. Social media, forums, and open source intelligence are recommended for monitoring the adversary.
Cyber Scotland Connect: What is Security Engineering? (Harry McLaren)
Harry McLaren is a managing consultant at ECS who gives a presentation on cybersecurity engineering. Cybersecurity engineering involves building systems, deploying configurations, integrating systems, and developing solutions to protect against, detect, and respond to threats. It is important for engineering projects to consider people, process, technology, the end user, support requirements, and how the solution fits within the business and IT strategies. The presentation provides examples of scenario walkthroughs and best practices for engineers, such as using automation, version control, containers, and cloud technologies.
Big Data For Threat Detection & Response (Harry McLaren)
Slides used at the University of Edinburgh SIGINT group (cybersecurity society). Covering what is big data, the value for security use cases, hunting for threats/actions, using Splunk to detect and respond, SIEM use and some useful searches (which were demoed).
Information Security: Advanced SIEM Techniques (ReliaQuest)
Joe Partlow, CISO, ReliaQuest (www.reliaquest.com) - We’ve all heard it before; SIEM is dead, defense is boring, logs suck, etc. The fact is having total visibility into what’s happening on your network is absolutely necessary and keeps you from having to answer questions like “How did you not know we were compromised for the past 6 months!” This talk focuses on advanced tips and tricks you can implement with your SIEM to give you better visibility into all areas of your environment. Also includes top secret, 1337 (ok maybe just average) code snippets.
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends (Anton Chuvakin)
Dr. Anton Chuvakin discusses how security operations centers (SOCs) have evolved and modernized. He outlines three forces driving the need for modern SOCs: expanding attack surfaces, security talent shortages, and an overload of alerts. Key aspects of a modern SOC include organizing teams by skills rather than levels, structuring processes around threats instead of alerts, conducting threat hunting, using multiple data sources for visibility beyond just logs, and leveraging automation and third-party services. Modern SOCs also focus on detection engineering through content versioning, quality assurance of detections, reuse of detection content, and metrics to improve coverage. Chuvakin recommends that SOCs handle alerts but not focus solely on them, automate routines to free
CNIT 160 4d Security Program Management, Part 4 (Sam Bowne)
This document provides an overview of the topics covered in Part 4 of CNIT 160: Cybersecurity Responsibilities, which focuses on information security program development. The key topics discussed include administrative activities like compliance management, personnel management, project/program management, and vendor management. It also covers security program operations such as event monitoring using security information and event management systems, and vulnerability management through periodic scanning and remediation. The document outlines additional topics that will be covered in later lectures related to other aspects of developing a comprehensive security program.
The document lists the executive team of a company and then provides information about SIEM integration, escalation, use cases, and an informational interview. It discusses how SIEM can integrate with various platforms and software to secure them from threats. It also describes how SIEM has escalated to work with different technologies over time and provides security updates. The informational interview covers benefits of SIEM, investment aspects, data storage strategies, analytics techniques, challenges, cloud capabilities, and skills needed for implementation.
To run a successful SIEM operation, you must develop the necessary people, processes, and long-term commitment beyond just purchasing tools. Key factors include defining clear use cases to solve security problems, establishing processes for configuration, monitoring, analysis, and response, and ensuring the program evolves through continuous review and integration with other technologies. Without the proper planning and operationalization, SIEM implementations are at risk of common pitfalls like remaining input-driven or failing to mature beyond the initial deployment.
The document describes a company's SIEM (Security Information and Event Management) design and integration services. It details a typical 4-phase SIEM project approach: 1) Assessment and requirements gathering, 2) System design, 3) Integration services, and 4) Long-term SIEM co-sourcing services. The company works collaboratively with clients to understand their needs, design a customized SIEM solution, implement the system in development and production environments, and provide ongoing support services.
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based … (Andris Soroka)
World's #1 SIEM technology in GRC (Governance, Risk, Compliance). QRadar Risk Manager provides organizations with a pre-exploit solution that allows network security professionals to assess what risks exist during and after an attack, while also answering many "What if?" questions ahead of time, which can greatly improve operational efficiency and reduce network security risks.
Perforce on Tour 2015 - How are You Protecting Your Source Code? (Perforce)
This document discusses ways to protect intellectual property assets from theft. It recommends using a tool like Helix, which allows placing all code and files in a single source of truth with flexible access controls and protections. Advanced analytics can then monitor user behavior and file access to identify potential IP theft. A multi-layered approach including logging, encryption, regular reviews and security audits is advocated to strengthen protections. The document also offers a trial of Helix threat detection analytics and discounted consulting services.
SIEM stands for Security Information and Event Management. It involves collecting, aggregating, normalizing and retaining logs and other security-related data from across an organization. SIEM performs analysis on this data through correlation, prioritization and notification/alerting. It also provides reporting and workflow capabilities for security teams. While SIEM promises improved security through these functions, it requires careful planning, scoping, requirements development and ongoing focus to avoid failures and ensure value.
A SIEM solution provides the ability to collect, analyze, and manage log data from across an organization. It can collect data from various sources using different protocols and store large volumes of raw data in a scalable platform. This centralized log management allows organizations to generate insightful reports, detect threats in real time, investigate incidents, ensure compliance, and more. By automatically learning baselines of normal activity, a SIEM can detect anomalies and prioritize the most critical alerts. Its analytics capabilities, such as correlation rules and taxonomy-driven classification, further enhance threat detection and security operations.
Journey to the Cloud: Securing Your AWS Applications - April 2015 (Alert Logic)
James Brown, Director of Cloud Computing & Security Architecture, Alert Logic covers:
• The shared security model: what security you are responsible for to protect your content, applications, systems and networks vs AWS.
• Overview of the OWASP Top 10 most critical web application security risks (such as SQL injections)
• Best practices for how to protect your environment from the latest threats
HP ArcSight Services provides basic and advanced services for the ArcSight software. Basic services include planning, installation, deployment, administration and maintenance of ArcSight and SmartConnectors. Advanced services include creating custom content like rules, reports and cases to achieve specific business objectives. They also provide best-practices documentation and have experience in security, compliance and open source tools.
This is an introduction to AlienVault’s Open Threat Exchange (OTX), an open threat information sharing and analysis network, created to put effective security measures within the reach of all organizations. Unlike invitation-only threat sharing networks, OTX provides real-time, actionable information to all who want to participate.
Monty McDougal, Cyber Engineering Fellow, Intelligence, Information and Services, Raytheon
Advanced Persistent Threat Life Cycle Management
This presentation will cover the full Advanced Persistent Threat (APT) Life Cycle and Management of the resulting intrusions. It will cover both what the APTs are doing as attackers and what we as defenders should be doing for both the APT Mission Flows and the Computer Network Defense (CND) Mission Flows.
John Whited, Principal Engineer, Raytheon
Software Assurance
Software Assurance (SwA) is also known by many other names -- application security, software security, secure application development, and others. The numbers vary from study to study, but a vast majority of cyber-attacks at least involve an element of attack on one or more software applications. Fundamentally, SwA provides a level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner. SwA is a development lifecycle endeavor requiring the participation of many disciplines. This presentation will explore some of the best practices in secure software development across its lifecycle.
CNIT 160 4d Security Program Management, Part 4 (Sam Bowne)
This document provides an overview of topics covered in Part 4 of the CNIT 160 lecture on information security program development. It discusses administrative activities like external partnerships, compliance management, personnel management, project/program management, and budgets. It also covers security program operations such as event monitoring, vulnerability management, and secure engineering. Future lectures will address additional security program operations, incident management, awareness training, and other security controls and processes.
1) Most organizations are unprepared to deal with security incidents effectively due to complex networks, outsourcing of resources, and reduced budgets and staffing.
2) Proper log collection, normalization, storage, search, and reporting is needed to gain visibility into security events and identify suspicious activity, but many organizations only utilize a small portion of expensive SIEM capabilities.
3) Free and open source tools like Syslog utilities, Simple Event Correlation, and OSSEC can be used to build an effective log management solution while avoiding high SIEM costs. These raw logs provide valuable information if properly analyzed and correlated.
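The normalization and correlation steps that the SIEM summaries earlier on this page describe, and the point made here that raw logs are valuable once properly analyzed and correlated, as one added example that is not code from any of the decks or from Simple Event Correlator or OSSEC: two different log formats (sshd syslog lines and JSON lines from a web application) are mapped onto one schema, then a windowed rule fires when one source address produces a burst of failed logins across either system and then succeeds. The log lines, host names, the syslog year and the rule parameters (5 failures within 60 s, a success within 300 s) are constructed assumptions.

```python
"""Normalise two constructed log formats into one schema, then run a
windowed correlation rule: N failed logins from one source followed by
a success from the same source, across both log sources.

Added example; not code from any deck summarised on this page, SEC or
OSSEC. The log lines, hosts, the assumed syslog year and the rule
parameters (5 failures in 60 s, success within 300 s) are constructed.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone

SYSLOG_YEAR = 2024  # syslog lines carry no year; assumed for the sample
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
FAIL_THRESHOLD, FAIL_WINDOW_S, SUCCESS_WINDOW_S = 5, 60, 300


@dataclass(frozen=True)
class AuthEvent:  # the common schema both sources are mapped onto
    ts: datetime
    host: str
    user: str
    src_ip: str
    success: bool
    source: str


def parse_sshd(line: str) -> AuthEvent | None:
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, m["host"], m["user"], m["src"],
                     m["outcome"] == "Accepted", "sshd")


def parse_webapp(line: str) -> AuthEvent | None:
    """JSON lines from a (constructed) web application's auth log."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("event") not in ("login_ok", "login_failed"):
        return None
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return AuthEvent(ts, rec["host"], rec["user"], rec["src"],
                     rec["event"] == "login_ok", "webapp")


def normalise(lines: list[str]) -> list[AuthEvent]:
    """Try each parser; drop lines neither understands; return time-ordered."""
    events = [ev for line in lines if (ev := parse_sshd(line) or parse_webapp(line))]
    return sorted(events, key=lambda e: e.ts)


def correlate(events: list[AuthEvent]) -> list[dict]:
    """Alert when a source IP logs FAIL_THRESHOLD failures inside FAIL_WINDOW_S
    and then any success within SUCCESS_WINDOW_S of the burst, on any host."""
    recent_fails = defaultdict(deque)  # src_ip -> failure timestamps in window
    burst_at = {}                      # src_ip -> time the threshold was crossed
    alerts = []
    for ev in events:
        q = recent_fails[ev.src_ip]
        if not ev.success:
            q.append(ev.ts)
            while (ev.ts - q[0]).total_seconds() > FAIL_WINDOW_S:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                burst_at[ev.src_ip] = ev.ts
            continue
        crossed = burst_at.pop(ev.src_ip, None)  # a stale burst is discarded
        if crossed is not None and (ev.ts - crossed).total_seconds() <= SUCCESS_WINDOW_S:
            alerts.append({"rule": "brute-force-then-success", "src_ip": ev.src_ip,
                           "user": ev.user, "host": ev.host, "via": ev.source,
                           "failures": len(q), "ts": ev.ts.isoformat()})
            q.clear()
    return alerts


# Constructed sample: four sshd failures plus one web-portal failure from the
# same address inside 60 s, then a portal login succeeds from that address.
SAMPLE_LOGS = [
    "Jan 12 10:00:01 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 12 10:00:03 bastion sshd[2211]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2",
    "Jan 12 10:00:05 bastion sshd[2212]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Jan 12 10:00:07 bastion sshd[2213]: Failed password for bob from 203.0.113.5 port 51244 ssh2",
    '{"ts": "2024-01-12T10:00:09Z", "host": "portal", "event": "login_failed", "user": "bob", "src": "203.0.113.5"}',
    '{"ts": "2024-01-12T10:00:40Z", "host": "portal", "event": "login_ok", "user": "bob", "src": "203.0.113.5"}',
    "Jan 12 10:05:00 bastion sshd[2300]: Failed password for alice from 198.51.100.20 port 40000 ssh2",
    "Jan 12 10:05:10 bastion sshd[2301]: Accepted password for alice from 198.51.100.20 port 40001 ssh2",
    "Jan 12 10:06:00 bastion sshd[2302]: Connection closed by 198.51.100.20 port 40002 [preauth]",
]

if __name__ == "__main__":
    for alert in correlate(normalise(SAMPLE_LOGS)):
        print(alert)
```

The rule only works because both sources were normalised to the same src_ip and success fields first: four sshd failures and one portal failure from 203.0.113.5 add up to the threshold together, and the eventual success is on the portal, not on the bastion. Alice's single failure followed by a success is ordinary and produces nothing, and the unparsed sshd line is dropped rather than crashing the pipeline. Timestamps must be comparable across sources, which is why the syslog lines are given an explicit year and UTC before correlation.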
How to Solve Your Top IT Security Reporting Challenges with AlienVault (AlienVault)
Watch this on-demand webcast to learn how to achieve security compliance with AlienVault Unified Security Management (USM): https://www.alienvault.com/resource-center/webcasts/how-to-solve-your-top-it-security-reporting-challenges-with-alienvault?utm_medium=Social&utm_source=SlideShare&utm_campaign=solve-it-compliance-usm-webinar
Learn how you can take your on-premises and cloud security to the next level with a free online demo at: https://www.alienvault.com/products/usm-anywhere/demo?utm_medium=Social&utm_source=SlideShare&utm_campaign=solve-it-compliance-usm-webinar
CNIT 160 4d Security Program Management (Part 4)Sam Bowne
This document provides an overview of topics covered in Part 4 of the CNIT 160 lecture on information security program development. It discusses administrative activities like external partnerships, compliance management, personnel management, project/program management, and budgets. It also covers security program operations such as event monitoring, vulnerability management, and secure engineering. Future lectures will address additional security program operations, incident management, awareness training, and other security controls and processes.
1) Most organizations are unprepared to deal with security incidents effectively due to complex networks, outsourcing of resources, and reduced budgets and staffing.
2) Proper log collection, normalization, storage, search, and reporting is needed to gain visibility into security events and identify suspicious activity, but many organizations only utilize a small portion of expensive SIEM capabilities.
3) Free and open source tools like Syslog utilities, Simple Event Correlation, and OSSEC can be used to build an effective log management solution while avoiding high SIEM costs. These raw logs provide valuable information if properly analyzed and correlated.
How to Solve Your Top IT Security Reporting Challenges with AlienVaultAlienVault
Watch this on-demand webast to learn how to acheive security compliance with AlienVault Unified Security Management (USM): https://www.alienvault.com/resource-center/webcasts/how-to-solve-your-top-it-security-reporting-challenges-with-alienvault?utm_medium=Social&utm_source=SlideShare&utm_campaign=solve-it-compliance-usm-webinar
Learn how you can take your on-premises and cloud security to the next level with a free online demo at: https://www.alienvault.com/products/usm-anywhere/demo?utm_medium=Social&utm_source=SlideShare&utm_campaign=solve-it-compliance-usm-webinar
Часто аналитики SOC находят новые индикаторы и их нужно как-то применить для защиты сети. Если вы делаете это вручную, то это занимает долгое время. Как это автоматизировать?
Optimizing SAO with Open Source Tools. A deep dive into the Phishing Intelligence Engine (PIE) and how users can leverage infrastructure and open source to automate and respond to threats.
This document discusses security controls and monitoring for Drupal systems. It outlines frameworks like NIST SP-800-53 and the SANS Top 20 controls. It describes concepts like continuous monitoring, logging, auditing and the anatomy of security controls. It also discusses tools and techniques for Drupal security monitoring including Watchdog, Nagios, OSSIM, Logstash and SCAP. The goal is to provide focused, application-centric security monitoring moving from standard to intelligent monitoring.
Group Health Cooperative Customer PresentationSplunk
Group Health Cooperative uses Splunk's software and CIRTA system to conduct incident response. It ingests logs from various systems using Splunk and analyzes the data to detect anomalies and security incidents. When incidents are found, CIRTA is used to track, investigate, and categorize each incident to measure the effectiveness of the response. Examples provided show how Splunk detected phishing attempts and vulnerable systems to help Group Health address security issues.
Azure Operation Management Suite - security and complianceAsaf Nakash
Today’s IT Security and Operations teams are tasked with managing highly complex, hybrid-cloud, cross-platform systems which are increasingly vulnerable to a growing number of sophisticated cyber-attacks. With this, IT Operations teams have a requirement to identify any threats to their environment as soon as possible to mitigate damages, as well as continue to cost-effectively meet SLAs.
Security intelligence involves analyzing all available security data sources in an organization to generate actionable information. It is essential due to increasingly sophisticated attacks, disappearing network perimeters, and security teams facing high volumes of data with limited resources. IBM's QRadar security intelligence platform provides automation, integration, and intelligence to help organizations optimize security through advanced threat detection, compliance, and eliminating data silos. It uses embedded intelligence to identify true security incidents from massive amounts of data through automated collection, analysis, and reduction. Virtual appliance models are available in different capacities to suit organizations' needs.
Security intelligence involves analyzing all available security data sources in an organization to generate actionable information. It is essential due to increasingly sophisticated attacks, disappearing network perimeters, and security teams facing high volumes of data with limited resources. IBM's QRadar security intelligence platform provides automation, integration, and intelligence to help organizations optimize security through advanced threat detection, compliance, and eliminating data silos. It uses embedded intelligence to identify true security incidents from massive amounts of data through automated collection, analysis, and reduction. Virtual appliances are available in different models and capacities to support SMBs and enterprises.
BUSCAS UNA SEGURIDAD INTEGRADA Y DINÁMICA? ; INTELIGENCIA Y COLABORACIÓN LA ...Cristian Garcia G.
Actualmente las organizaciones enfrentan el reto de mejorar su eficiencia y niveles de seguridad, el desarrollar una estrategia de integración donde exista comunicación entre la infraestructura de seguridad garantiza que se tenga un nivel de colaboración y mejora en el nivel de seguridad. Hoy esto ya es posible siendo una realidad para mejorar gasto y mejora en la eficiencia operativa de seguridad de las organizaciones. Conozca cómo llegar a construir este modelo
SPEAKER : Juan Pablo Páez, CISSP, CISM - Gerente Regional Latinoamérica de Ingeniería y Preventa McAfee
Juan Pablo tiene 14 años de experiencia profesional en seguridad de la información, especializado en tecnologías de seguridad, arquitectura de seguridad y gestión de operaciones automatizadas e inteligentes. Certificado CISSP, CISM CEH. Adicionalmente, tiene conocimiento para el desarrollo de diseños de redes seguras, arquitecturas, operaciones de seguridad inteligente iSOC basados en las mejoras prácticas de la industria y estándares como el ISO27000, PCI-DSS entre otros.
IBM i Security: Identifying the Events That Matter MostPrecisely
This presentation discusses IBM i security monitoring and integration with SIEM solutions. It covers the basics of security monitoring on IBM i, including key areas to monitor like user access, privileged users, network traffic, and database activity. It emphasizes the importance of centralized log collection and correlation through a SIEM for advanced security monitoring, threat detection, and compliance. Finally, it outlines how Precisely's Assure Monitoring and Reporting solution can help organizations by comprehensively monitoring IBM i system and database activity, generating alerts and reports, and integrating IBM i security data with other platforms in the SIEM.
SIEM enabled risk management , SOC and GRC v1.0Rasmi Swain
SIEM provides a single view of an organization's security by connecting and analyzing data from various security tools and systems. It gives security teams visibility into network activity, vulnerabilities, configurations, and risks. This allows SIEM to be the foundation for risk management, security operations centers, and governance, risk, and compliance programs. By providing security intelligence in real-time from logs, events, and other data sources, SIEM helps organizations detect threats, contain incidents, and ensure ongoing compliance.
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
This document discusses building a cyber security operations center (CSOC). It covers the need for a CSOC, its core components including security information and event management (SIEM), and integrating components like monitoring, alerting, and reporting. Key aspects that are important for a successful CSOC are people, processes, and technology. The roles and skills required for people in the CSOC and training needs are outlined. Developing standardized processes, procedures and workflows that align with frameworks like ISO are also discussed.
The typical process for investigating security-related alerts is labor intensive and largely manual. To make the situation more difficult, as attacks increase in number and diversity, there is an increasing array of detection systems deployed and generating even more alerts for security teams to investigate.
Netflix, like all organizations, has a finite amount of resources to combat this phenomenon, so we built FIDO to help. FIDO is an orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.
Webinar - Feel Secure with revolutionary OTM SolutionJK Tech
Learn how you can adopt to use the best Security Mechanisms which leverages unmatched combination of behavioral analysis, machine learning & dynamic threat intelligence to deliver comprehensive rich visibility, holistic threat detection & containment of threats in real-time.
Presentation at CMSS Conference 2016 - I was recently honored with the opportunity of speaking at the CMSS 2016 Conference. My goal for this engagement was to educate about the importance of innovating and applying exponential technologies in IT Security within the organization. My audience included many professionals in the medical industry, so it was important for me to be able to convey the importance of cybersecurity in that industry.
The document discusses how Splunk can provide analytics-driven security for higher education through ingesting and analyzing machine data. It outlines how advanced threats have evolved to be more coordinated and evasive. A new approach is needed that fuses technology, human intuition, and processes like collaboration to detect attackers through contextual behavioral analysis of all available data. Examples are provided of security questions that can be answered through Splunk analytics.
All Your Security Events Are Belong to ... You!Xavier Mertens
This document discusses log management and security information event management. It begins by introducing the speaker and their background. It then discusses how most organizations are unprepared to deal with security incidents due to a lack of log management. It emphasizes the need for visibility into systems and integrating multiple log sources. It outlines technical, economic, and legal challenges around log collection, normalization, storage, search, reporting, and correlation. Finally, it discusses various open source and free log management tools that can be used to build out log monitoring capabilities.
BSidesLondon 20th April 2011 - Xavier Mertens (@xme)
========================
Your IT infrastructure generates thousands(millions?) of events a day. They are stored in several places under multiple forms and contain a lot of very interesting information. Using free tools, This presentation will give you some ideas how to properly manage this continuous flow of information and how to make them more valuable.
for more about Xavier
http://blog.rootshell.be
Cisco's Advanced Malware Protection (AMP) provides a new security model with both point-in-time protection and retrospective security through continuous analysis. AMP leverages the Talos security intelligence and analytics team and the Cisco Collective Security Intelligence cloud. AMP delivers visibility and control across the attack continuum through prevention, detection, containment, and remediation capabilities. It provides both point-in-time detection using techniques like reputation filtering, sandboxing, and behavioral analysis as well as retrospective security through continuous analysis of events. AMP can be deployed across networks, endpoints, and content to deliver a comprehensive defense against advanced threats.
2. What is Incident Management?
First - we need to define what classifies an “incident”
Pre-processed
• Logs
• System Events
• Audit trail
• Netflow
• Threat Intel / Indicators
Post-processed
• Security Alarms
• Query Results (Alerts)
• Outages
• Daily Reports
• Policy Violations
3. A sea of alerts from hundreds of products
Alerts are actionable incidents, but frequently false positives
How are actionable issues managed today?
• Email
• SIEM
• Ticketing System
Average security manager is receiving 5000+ security alerts a day (Cisco 2017)
4. What are the options?
SIEM tools
- Volume-based pricing
- Expensive add-on modules
Orchestration
- Still unproven
- Interoperability is still evolving
- Requires constant maintenance
Enterprise ITSM
- Not designed for security teams
- Few correlation capabilities
Threat Hunting tools
- Great for proactive inspection
- Can require advanced skillsets
We needed a platform for our SOC that:
• Enabled team collaboration
• Tracked accountability
• Enforced a consistent IM process
• Created a knowledge base
• Performed light orchestration
• Automated prioritization and analysis
• Connected to all varieties of source data
6. Open Source Incident Management
• Designed for SOC analysts to rapidly triage security events
• Correlation and Search
• Monitoring of event flow
• Priority Rules engine
• Open framework
• Project maintained by Dunbar Cybersecurity
• Community driven!
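The "priority rules engine" and "automated prioritization" bullets above describe the core of triage: score each normalized alert against a rule set, drop known noise, and hand the analyst a queue sorted by priority with a record of which rules fired. The block below is an added example of that idea, not Cyphon's code: the rule syntax, alert fields, asset inventory and indicator list are all constructed for illustration.

```python
"""Toy priority rules engine for triaging normalized security alerts.

Added example in the spirit of the "priority rules engine" and "automated
prioritization" bullets above. It is not Cyphon's code: the rule syntax, the
alert fields, the asset inventory and the indicator list are all constructed
for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Alert = Dict[str, object]

# Constructed threat-intel indicators (RFC 5737 documentation ranges, not real IoCs).
THREAT_INTEL_IPS = {"198.51.100.23", "203.0.113.77"}

# Constructed asset inventory: host -> criticality from 1 (lab box) to 5 (crown jewel).
ASSET_CRITICALITY = {"db-prod-01": 5, "web-prod-02": 4, "dev-box-07": 1}


@dataclass
class Rule:
    name: str
    matches: Callable[[Alert], bool]
    weight: int = 0          # score added when the rule matches
    suppress: bool = False   # a matching suppression rule drops the alert entirely


@dataclass
class Triaged:
    alert: Alert
    score: int
    level: str
    matched: List[str] = field(default_factory=list)  # which rules fired, for accountability


def level_for(score: int) -> str:
    """Map an accumulated score onto the priority buckets an analyst queue is sorted by."""
    if score >= 80:
        return "CRITICAL"
    if score >= 50:
        return "HIGH"
    if score >= 20:
        return "MEDIUM"
    return "LOW"


RULES = [
    Rule("threat-intel-src", lambda a: a.get("src_ip") in THREAT_INTEL_IPS, 40),
    Rule("critical-asset", lambda a: ASSET_CRITICALITY.get(str(a.get("host")), 0) >= 4, 30),
    Rule("high-sensor-severity", lambda a: int(a.get("severity", 0)) >= 3, 20),
    Rule("policy-violation", lambda a: a.get("category") == "policy", 15),
    Rule("repeat-offender", lambda a: int(a.get("count", 1)) >= 10, 10),
    # Known-benign noise: IDS hits caused by the internal vulnerability scanner.
    Rule("vuln-scanner-noise",
         lambda a: a.get("source") == "snort" and a.get("src_ip") == "10.0.0.5",
         suppress=True),
]


def triage(alert: Alert, rules: List[Rule] = RULES) -> Optional[Triaged]:
    """Score one alert against every rule; return None if a suppression rule fires."""
    score, matched = 0, []
    for rule in rules:
        if not rule.matches(alert):
            continue
        if rule.suppress:
            return None
        score += rule.weight
        matched.append(rule.name)
    return Triaged(alert, score, level_for(score), matched)


def triage_queue(alerts: List[Alert], rules: List[Rule] = RULES) -> List[Triaged]:
    """Return the surviving alerts ordered highest priority first."""
    kept = [t for t in (triage(a, rules) for a in alerts) if t is not None]
    return sorted(kept, key=lambda t: t.score, reverse=True)


# Constructed alerts in a normalized shape (as produced by a hypothetical log parser).
SAMPLE_ALERTS = [
    {"id": 1, "source": "snort", "src_ip": "198.51.100.23", "host": "db-prod-01",
     "severity": 3, "category": "ids", "count": 1},
    {"id": 2, "source": "snort", "src_ip": "10.0.0.5", "host": "web-prod-02",
     "severity": 2, "category": "ids", "count": 50},
    {"id": 3, "source": "dlp", "src_ip": "10.1.1.9", "host": "dev-box-07",
     "severity": 1, "category": "policy", "count": 12},
    {"id": 4, "source": "nagios", "host": "web-prod-02",
     "severity": 2, "category": "outage", "count": 1},
]

if __name__ == "__main__":
    for t in triage_queue(SAMPLE_ALERTS):
        print(f"alert {t.alert['id']}: {t.level} (score {t.score}) via {t.matched}")
```

Keeping the matched rule names on each triaged alert is what makes the prioritization auditable: when an analyst asks why alert 1 landed at CRITICAL, the answer is the indicator hit plus the asset criticality, not an opaque number. The suppression rule is deliberately evaluated like any other rule so that a noisy source can be silenced without editing the scoring rules.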
21. Latest Release 1.5.2
DataTaggers
Automatically tag alerts based on the content of the data that generated the alert. You can even configure them to automatically create new tags based on the content of particular fields. With autotagging, analysts can quickly understand the nature of an alert by looking at the tags associated with it.
Articles
Articles are reference documents for particular subjects, such as port numbers or Snort signatures. They can provide information to help analysts quickly diagnose and remediate alerts.
Upcoming features – system-wide search, front-end article & link support, additional Actions, REST and TAXII support
22. Want to learn more?
https://github.com/dunbarcyber/cyphon
https://gitter.im/cyphonproject
http://cyphon.readthedocs.io
https://www.cyphon.io