On July 25th, RedLegg hosted a successful full-day workshop in Chicago for local LogRhythm® SIEM users. RedLegg’s Security Research and Deployment Architects led discussions on both Operational and Threat-based topics: preparing, deploying, and getting the most out of your logging environment through best practices, security frameworks, and supporting tools.
The goal of the workshop was to share with local customers and non-customers the practical subject matter expertise that RedLegg has accumulated over years of delivering managed security services on the LogRhythm SIEM platform. The workshop placed special emphasis on completeness of logging and on dialing in to the key information that gives the customer high-confidence, actionable, and in some cases proactive intelligence.
The workshop was presented by RedLegg’s Operational and Threat-based subject matter experts, including...
- Stew Williams, Director of RedLegg's Managed Security Services and Operations. Stew's customer-focused approach delivers efficient, scalable, and lasting solutions.
- JD Bacon, Manager of Threat and Incident Research. JD’s expertise in building solutions around risk identification and threat modeling makes him an invaluable member of the RedLegg 96Bravo Threat Research team.
- Mark Kikta, a Senior Security Architect. Mark's skillset was honed by a background in red team threat assessment and penetration testing, along with a strong competency in application engineering.
The workshop tracks covered both Operational and Threat-based topics. Here are the sessions, in review:
- Network Tools: Security vs Operational - Learn the differences between security-focused and operationally focused tools and the impact each can have within your environment. Emphasis is placed on knowing the use cases for each and how a mature practice implements both.
- Logging for Critical Visibility - Discussion focused on what you NEED to log to get the necessary visibility into the critical parts of your environment, including systems that hold sensitive information, high-risk platforms, and potential ingress/egress points.
- Designing for Growth - Planning the growth of your logging infrastructure is a long-term effort. While you may scope for your current logging volume, planning for future growth and resource needs is critical to getting the most out of an expensive SIEM investment.
- Windows Logging Fundamentals - Windows hosts generate a large volume of events that get collected and forwarded to a logging solution. This talk covers the key reasons for collecting Windows logs and what to keep in mind so that valuable events are not lost in the noise.
- Noise and Volume: Keeping Visibility and Sanity - One of the most daunting aspects of deploying and managing a logging solution is tuning and managing the logging levels of the reporting sources. This discussion explains the best practices we use to help end users tune and calibrate their hosts so that the information they keep is information they can trust.
- Less CAN be More - It can be difficult to know where to begin when enabling security rules within any logging solution. Our engineers review LogRhythm best practices and explain how a manageable ruleset can be attained (for example, a “Less is More” approach built on solidly constructed rules that follow an appropriate framework).
- Quantifying Risk - This topic delves into mean time to detect a potential security risk. Our team explains how we use the information we collect to identify a potential risk more quickly, and how much difference a timely response makes.
- What Are You Protecting? - You have to first know what you have and where it is before you can protect it. This discussion delves into properly identifying and classifying critical assets before designing the proper solutions to protect them.
- Regulatory Compliance Requirements - It can be overwhelming to understand everything you are responsible for across the various governance and auditing bodies that exist today. This topic explores building a practical, repeatable path to compliance and audit preparation.
- Use Cases and Alarm Creation - To properly build effective alarms, it is important to understand the use cases they are monitoring for. This discussion explores the various risk use cases and appropriate thresholds for building strong security alarms.
- Threat Modeling - Knowing how to properly model a potential threat goes a long way toward proactively preparing to prevent it. This discussion on how to build and apply threat modeling for proactive security is key for anyone involved in security or operations.
- The Importance of DNS Logging - One of the less obvious log sources that can shed light on potential risks is DNS. This topic dives into how properly integrating DNS logs into a logging platform adds value to your overall security posture.
- Threat Intel Time Sensitivity - With many options out there, our team reviews the concept of Threat Intelligence, discusses some of the top providers, and shows how they integrate with your security logging platform. Focus is placed on the age of the data and how important reliable, up-to-date intelligence is.
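The session list says DNS logs are valuable without showing what a detection over them looks like. The following is an added illustration, not material from the workshop, from RedLegg, or from LogRhythm, of two checks a SIEM rule commonly runs over DNS query logs: long, high-entropy leftmost labels, which are characteristic of DNS tunneling and data exfiltration, and bursts of NXDOMAIN responses from a single client, which can point at domain-generation-algorithm malware or a misconfigured host. The simplified log format, every log line, and the thresholds are constructed for the example and are not LogRhythm defaults.

```python
import math
from collections import Counter

# Constructed sample of a simplified DNS query log, one record per line:
#   "<timestamp> <client-ip> <qname> <qtype> <rcode>"
# These lines are made up for illustration; they are not LogRhythm output.
SAMPLE_LOG = """\
2019-07-25T10:00:01Z 10.0.0.5 www.example.com A NOERROR
2019-07-25T10:00:02Z 10.0.0.5 mail.example.com MX NOERROR
2019-07-25T10:00:03Z 10.0.0.9 x7k2m9q4w1e8r5t3y6u0i2o4p6a8s1d3f5g7h9j1.tunnel-example.net TXT NOERROR
2019-07-25T10:00:04Z 10.0.0.9 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0.tunnel-example.net TXT NOERROR
2019-07-25T10:00:05Z 10.0.0.12 qwpfjzxv.com A NXDOMAIN
2019-07-25T10:00:05Z 10.0.0.12 lkjhgfdsa.net A NXDOMAIN
2019-07-25T10:00:06Z 10.0.0.12 zxcvbnmq.org A NXDOMAIN
2019-07-25T10:00:06Z 10.0.0.12 poiuytre.info A NXDOMAIN
2019-07-25T10:00:07Z 10.0.0.12 mnbvcxza.biz A NXDOMAIN
2019-07-25T10:00:08Z 10.0.0.5 cdn.example.com A NOERROR
"""


def parse_dns_log(text):
    """Parse the constructed five-field format into dicts.

    Malformed lines are skipped rather than raised on, because a detection
    that crashes on one bad record stops watching all the good ones.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, rcode = parts
        records.append({
            "ts": ts,
            "client": client,
            # Normalise so "Example.COM." and "example.com" compare equal.
            "qname": qname.rstrip(".").lower(),
            "qtype": qtype,
            "rcode": rcode,
        })
    return records


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score far higher
    than human-chosen hostnames such as "www" or "mail"."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def suspicious_label(qname, min_len=20, min_entropy=3.0):
    """True when the leftmost label looks like encoded data.

    Both conditions must hold: length alone flags long but legitimate CDN
    labels, entropy alone flags short random-looking labels. Thresholds are
    illustrative assumptions to be tuned against your own baseline.
    """
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_tunneling_candidates(records):
    """Records whose query name carries a suspicious leftmost label."""
    return [r for r in records if suspicious_label(r["qname"])]


def find_nxdomain_bursts(records, threshold=5):
    """Clients with at least `threshold` NXDOMAIN answers in the window.

    The caller is expected to pass records already bounded to a time window
    (the sample covers a few seconds); the threshold is an assumption.
    """
    counts = Counter(r["client"] for r in records if r["rcode"] == "NXDOMAIN")
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    for r in find_tunneling_candidates(recs):
        print("possible tunneling:", r["client"], r["qname"])
    for client, n in find_nxdomain_bursts(recs).items():
        print("NXDOMAIN burst:", client, n)
```

Both checks depend on the resolver logging the response code and the full query name; a log source that records only the client and the zone loses the evidence each rule needs, which is the completeness-of-logging point the session makes.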
According to feedback from both attendees and presenters, the talks facilitated informative discussion and the workshop was a great success. Attendees took away a number of new tricks and techniques that they could implement in their respective LogRhythm deployments to better both operational efficiency and organizational security posture.
RedLegg would like to thank all who attended and plans to hold additional workshops in the future!