Training: 8–9 November 2016
Tutorials & Conference: 9–11 November 2016
Amsterdam, NL

The bad things happen when you're not looking

Ryan Huber (Slack Technologies, Inc), Nate Brown (Slack Technologies, Inc)
11:20–12:00 Friday, 11 November, 2016
Tech, tools, and processes
Location: G104/105 Level: Intermediate
Average rating: ***..
(3.67, 6 ratings)

Prerequisite knowledge

  • A working knowledge of Linux and general networking
  • Previous experience with auditd and log infrastructure (useful but not required)

What you'll learn

  • Understand why you should be logging everything and using automation and communication to make your security team more effective


Monitoring for potentially malicious activity in an environment and handling the resulting alerts is vital to the success of a defensive security program. How do we also ensure that we have eyes on potential issues while keeping noise to a minimum? What tools and techniques can we use to enhance the effectiveness and responsiveness of a security team? Powerful, centralized logging is available to all of us, but it is only useful if we understand and take action on the data collected.

Ryan Huber and Nate Brown discuss tools everyone should consider using to monitor their infrastructure, highlighting a Golang-based open source alternative to auditd, go-audit, which they wrote to help monitor activity on thousands of hosts. Ryan and Nate also explore creating a reliable logging pipeline with StreamStash, Elasticsearch, and ElastAlert, which they use to collect and process data from thousands of hosts. Ryan and Nate conclude by demonstrating how to scale these efforts by integrating security into a communication platform, which helps you look at more data by delegating event management to the affected individuals directly.

Photo of Ryan Huber

Ryan Huber

Slack Technologies, Inc

Ryan Huber does security things at Slack. Before that, Ryan did other security things. When he was 12, he wrote malware in Pascal + inline asm to steal his teacher’s password. His teacher wasn’t impressed.

Photo of Nate Brown

Nate Brown

Slack Technologies, Inc

Nate Brown is a developer at Slack, where he has helped to lead our security operations efforts. Nate has strong operational experience and a keen eye for security. He has contributed to numerous open source tools, including Vault, rsyslog, go-audit, and StreamStash.