Brussels / 2 & 3 February 2019

schedule

Let's use centralized log collection to make incident response teams happy


The OWASP top 10 most critical web application security risks report published that insufficient logging is one of the top risks security teams face today.

In this talk, we will go through issues with incident response teams without centralized logging as well as other reasons to do centralized logging (if you need more!), brief intro about structured data as well as configuration and output examples using NXLog Community Edition. This talk is aimed at administrators (IT, security) involved with setting up centralized logging on their networks.

Issues with IR without centralized logging - 30 seconds talking IR issues without centralized logging

Even more reasons why you should you do centralized logging - OWASP insufficient logging risk to cover - What needs to be monitored for IR using log collection

Why should you do structured data - Structured data is important for integrations - such as with SIEM integrations

Configuring log collection samples from NXLog Community Edition - This will run about 2.5 minutes and mainly a lot of screenshots, config examples, and so on. - Examples based on input modules across agent sources - Parsing examples based on these input modules - Output examples in JSON, CSV, XML formats - Example scenarios will include items from networking (ie DNS monitoring) right through to host agent-based monitoring. - Pentest OS software one can be used (zaproxy, nmap) to do red team simulations and collect logs - During the scenarios there will be references back to IR points made earlier

Conclusion - We'll show the Gitlab repo, Docker link to the hub, the config samples should also be available online

Speakers

Photo of Hannah Suarez Hannah Suarez

Links