On February 28th, RedLegg hosted a successful full-day workshop in Chicago for local LogRhythm® SIEM users.
The goal of the workshop was to share the practical subject matter expertise that RedLegg has accumulated over years of managed security service delivery on the LogRhythm SIEM platform with local customers and non-customers. The workshop focused on technical aspects, giving attendees opportunities to ask questions throughout the day and to get live help on their own platforms from the RedLegg team.
> Participant Feedback: "I found your LogRhythm SIEM workshop to be outstanding. The depth of technical insight and practical knowledge shared was extremely valuable. Thank you for taking the time and effort you put into making this workshop happen. It is obvious to me that RedLegg understands the challenges and technical hurdles I am facing every day as a Security Engineer, and is proactively looking for ways to help me become more effective."
The workshop was presented by RedLegg’s Operational and Security subject matter experts, including:
- Chris Young, Senior Deployment Architect from RedLegg’s Managed Security Services team. Chris is RedLegg’s resident LogRhythm deployment specialist and subject matter expert for the operational use of SIEM platforms.
- JD Bacon, Senior Security Architect. JD’s expertise in building solutions around risk identification and threat modeling makes him an invaluable member of the RedLegg 96Bravo Threat Research team.
- Mark Kikta, a Senior Security Architect whose skillset was honed by a background of red team threat assessment and penetration testing, along with a strong competency in application engineering.
- JP Glab, Senior Threat Researcher, whose background in incident response and practical threat research has made him the go-to for our MSS Research Methodology and Analysis team.
According to feedback from both attendees and presenters, the talks facilitated informative discussion and the workshop was a great success. Attendees took away a number of new tricks and techniques that they could implement in their respective LogRhythm deployments to increase both operational efficiency and organizational security posture. Below are the descriptions of the talk tracks.
RedLegg would like to thank all who attended and plans to do additional workshops in the future!
Morning Operational Talk Tracks:
Security tool vs Operations tool
Learn the differences between Security and Operational focused tools and the impact that both can have within your environment. Emphasis will be placed on knowing the use cases for each and how a mature practice implements both.
Top log sources you should be ingesting and why
Discussion will focus on what you NEED to log to get the necessary visibility into the critical aspects of your environment. This includes systems holding potentially sensitive information, risk platforms, and potential ingress/egress points.
Designing for growth
Growing a logging infrastructure is a long-term effort. While you may scope for your current logging environment, planning for future growth and resource needs is critical to getting the most out of an expensive SIEM investment.
Do’s and Don’ts of Windows logging
Windows logging collects a great deal of information that is forwarded to a logging solution. This talk discusses the key points and value in collecting Windows logs, and the key things to keep in mind so that valuable information does not get lost in the noise.
Verbosity of logs / auditing levels
One of the most daunting aspects of deploying and managing a logging solution is the prospect of tuning and managing the logging levels of the reporting sources. This discussion explains best practices that help end users tune and calibrate their hosts to get the most reliable information.
Why fewer well-tuned rules are better than many rules
It can be difficult to know where to begin when enabling security rules within any logging solution. Our engineers review best practices for LogRhythm and explain why, in some cases, “Less is More”: with solidly built rules and an appropriate framework, a manageable ruleset can be attained.
Afternoon Security Focused Talk Tracks:
This topic delves into the concept of mean time to detect a potential security risk. Our team explains how we use available information to identify a potential risk more quickly, and how much of a difference quick identification of a risk can make.
What are you protecting?
You have to first know what you have and where it is before you can protect it. This discussion delves into properly identifying and classifying critical assets before designing the proper solutions to protect them.
Know your regulatory compliance requirements
It can be overwhelming to understand everything you are responsible for, given all the governance and auditing bodies that exist today. This topic explores building a practical and repeatable path for compliance and audit preparation.
Properly model a threat
Knowing how to properly model a potential threat goes a long way toward proactively preparing to prevent it. This discussion of how to build and apply threat modeling for proactive security is key for anyone involved in security or operations.
Alarm methodologies and the development of use cases
To build effective alarms it is important to understand the use cases they are monitoring for. This discussion explores the various risk use cases and the appropriate thresholds for building strong security alarms.
The importance of DNS Logs
One of the less obvious log sources that can shed light on potential risks is DNS logs. This topic dives into how properly integrating these logs into a logging platform can add value to your overall security posture.
Hope you can join us next time!