Monitoring for potentially malicious activity in an environment and handling the resulting alerts is vital to the success of a defensive security program. How do we also ensure that we have eyes on potential issues while keeping noise to a minimum? What tools and techniques can we use to enhance the effectiveness and responsiveness of a security team? Powerful, centralized logging is available to all of us, but it is only useful if we understand and take action on the data collected.
Ryan Huber and Nate Brown discuss tools everyone should consider using to monitor their infrastructure, highlighting go-audit, a Golang-based open source alternative to auditd that they wrote to help monitor activity on thousands of hosts. Ryan and Nate also explore building a reliable logging pipeline with StreamStash, Elasticsearch, and ElastAlert, which they use to collect and process data from thousands of hosts. Ryan and Nate conclude by demonstrating how to scale these efforts by integrating security into a communication platform, which lets a small team review far more data by delegating the handling of each event to the individual whose activity triggered it.
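The last point of the abstract, routing an alert to the person whose activity produced it and only escalating when they cannot or do not confirm it, is easy to sketch in code. The block below is an added illustration written for this page; it is not code from the talk, from go-audit, or from Slack. The event fields (`host`, `user`, `syscall`, `exe`, `argv`, `ts`), the sample events, the list of sensitive executables and the service-account list are all constructed assumptions for the example, not go-audit's actual output schema or the speakers' rules.

```python
from dataclasses import dataclass
from typing import List, Optional, Dict

# Constructed sample events in a simplified, normalised shape. The field names
# are an assumption for this example, not go-audit's real record format.
SAMPLE_EVENTS = [
    {"host": "web-01", "user": "alice", "syscall": "execve",
     "exe": "/usr/bin/sudo", "argv": ["sudo", "-i"], "ts": 1},
    {"host": "web-01", "user": "root", "syscall": "execve",
     "exe": "/usr/bin/ssh", "argv": ["ssh", "backup-host"], "ts": 2},
    {"host": "db-02", "user": "bob", "syscall": "execve",
     "exe": "/usr/bin/ssh", "argv": ["ssh", "backup-host"], "ts": 3},
    {"host": "web-01", "user": "alice", "syscall": "execve",
     "exe": "/bin/cat", "argv": ["cat", "/etc/hostname"], "ts": 4},
]

# Assumed policy: executions of these binaries warrant a "was this you?"
# question. Service accounts have no human to ask, so their events go
# straight to the on-call queue instead of being self-confirmed.
SENSITIVE_EXES = {"/usr/bin/sudo", "/usr/bin/ssh"}
SERVICE_ACCOUNTS = {"root", "www-data"}


@dataclass
class Ticket:
    event: dict
    owner: Optional[str]      # None when nobody can self-confirm
    status: str = "open"      # open | confirmed | escalated


def triage(events: List[dict]) -> List[Ticket]:
    """Turn raw events into tickets, deciding who (if anyone) can confirm each."""
    tickets = []
    for ev in events:
        if ev.get("syscall") != "execve" or ev.get("exe") not in SENSITIVE_EXES:
            continue  # not in scope for this rule; no ticket, no noise
        user = ev.get("user")
        owner = None if user in SERVICE_ACCOUNTS else user
        # No owner means no one to delegate to: escalate immediately.
        tickets.append(Ticket(event=ev, owner=owner,
                              status="open" if owner else "escalated"))
    return tickets


def message_for(ticket: Ticket) -> str:
    """The confirmation request that would be posted to the owner in chat."""
    ev = ticket.event
    return (f"@{ticket.owner}: was this you? `{' '.join(ev['argv'])}` on "
            f"{ev['host']} (event {ev['ts']}). Reply 'yes' to close, "
            f"'no' to page on-call.")


def apply_reply(ticket: Ticket, reply: Optional[str]) -> Ticket:
    """Close on an explicit 'yes'; anything else (a 'no', or no reply before
    the timeout, modelled here as None) escalates to the security team."""
    if ticket.owner is None:
        return ticket  # already escalated; nobody to ask
    ticket.status = "confirmed" if reply == "yes" else "escalated"
    return ticket


def summarize(tickets: List[Ticket]) -> Dict[str, int]:
    """Count tickets per status, the number a human analyst actually sees."""
    counts: Dict[str, int] = {}
    for t in tickets:
        counts[t.status] = counts.get(t.status, 0) + 1
    return counts


if __name__ == "__main__":
    tickets = triage(SAMPLE_EVENTS)
    for t in tickets:
        if t.owner:
            print(message_for(t))
    # Simulated replies: alice confirms, bob never answers before the timeout.
    apply_reply(tickets[0], "yes")
    apply_reply(tickets[2], None)
    print(summarize(tickets))
```

The design point is that the analyst queue only receives the `escalated` tickets: the ones with no human owner and the ones the owner declined or ignored. Everything the owner confirms is closed without a security engineer ever reading it, which is what allows a small team to keep broad audit coverage without drowning in alerts. A real deployment would also record the owner's reply as evidence and rate-limit how many questions a single person receives.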
Ryan Huber does security things at Slack. Before that, Ryan did other security things. When he was 12, he wrote malware in Pascal + inline asm to steal his teacher’s password. His teacher wasn’t impressed.
Nate Brown is a developer at Slack, where he has helped to lead our security operations efforts. Nate has strong operational experience and a keen eye for security. He has contributed to numerous open source tools, including Vault, rsyslog, go-audit, and StreamStash.
©2016, O’Reilly UK Ltd