SIEM with Tactical Analytics

Provided by

Enquire about this course

About the course

Instructor: Tim Garcia
6,275 EUR 6,025 EUR paid by Aug 7

GCDA Certification
Affiliate Pricing
46 CPEs
Laptop Required

Many organizations have logging capabilities but lack the people and processes to analyze it. In addition, logging systems collect vast amounts of data from a variety of data sources which require an understanding of the sources for proper analysis. This class is designed to provide individuals training, methods, and processes for enhancing existing logging solutions. This class will also provide the understanding of the when, what, and why behind the logs. This is a lab heavy course that utilizes SOF-ELK, a SANS sponsored free SIEM solution, to train hands on experience and provide the mindset for large scale data analysis.

Today, security operations do not suffer from a "Big Data" problem but rather a "Data Analysis" problem. Let's face it, there are multiple ways to store and process large amounts of data without any real emphasis on gaining insight into the information collected. Added to that is the daunting idea of an infinite list of systems from which one could collect logs. It is easy to get lost in the perils of data saturation. This class is the switch from the typical churn and burn log systems, to achieving actionable intelligence and developing a tactical Security Operations Center (SOC).

This course is designed to demystify the Security Information and Event Management (SIEM) architecture and process, by navigating the student through the steps of tailoring and deploying a SIEM to full Security Operations Center (SOC) integration. The material will cover many bases in the "appropriate" use of a SIEM platform to enrich readily available log data in enterprise environments and extract actionable intelligence. Once collected, the student will be shown how to present the gathered input into useable formats to aid in eventual correlation. Students will then iterate through the log data and events to analyze key components that will allow them to learn how rich this information is, how to correlate the data, start investigating based on the aggregate data, and finally, how to go hunting with this newly gained knowledge. They will also learn how to deploy internal post-exploitation tripwires and breach canaries to nimbly detect sophisticated intrusions. Throughout the course, the text and labs will not only show how to manually perform these actions, but how to automate many of the processes mentioned so students may employ these tasks the day they return to the office.

The underlying theme is to actively apply Continuous Monitoring and analysis techniques by utilizing modern cyber threat attacks. Labs will involve replaying captured attack data to provide real world results and visualizations.

This Course Will Prepare You To:

Deploy the SANS SOF-ELK VM in production environments
Demonstrate ways most SIEMs commonly lag current open source solutions (e.g. SOF-ELK)
Bring students up to speed on SIEM use, architecture, and best practices
Know what type of data sources to collect logs from
Deploy a scalable logs solution with multiple ways to retrieve logs
Operationalize ordinary logs into tactical data
Develop methods to handle billions of logs from many disparate data sources
Understand best practice methods for collecting logs
Dig into log manipulation techniques challenging many SIEM solutions
Build out graphs and tables that can be used to detect adversary activities and abnormalities
Combine data into active dashboards that make analyst review more tactical
Utilize adversary techniques against them by using frequency analysis in large data sets
Develop baselines of network activity based on users and devices
Develop baselines of Windows systems with the ability to detect changes from the baseline
Apply multiple forms of analysis such as long tail analysis to find abnormalities
Correlate and combine multiple data sources to achieve more complete understanding
Provide context to standard alerts to help understand and prioritize them
Use log data to establish security control effectiveness
Implement log alerts that create virtual tripwires for early breach detection

Course Syllabus
SEC555.1: SIEM Architecture and SOF-ELK
SEC555.2: Service Profiling with SIEM
SEC555.3: Advanced Endpoint Analytics
SEC555.4: Baselining and User Behavior Monitoring
SEC555.5: Tactical SIEM Detection and Post-Mortem Analysis
SEC555.6: Capstone: Design, Detect, Defend



Start date Location / delivery
16 Sep 2019 Paris, France

Related article

A new cyber security training centre will open up in the Midlands soon. Construction crews are to begin breaking ground soon on a new cyber securit...