Explore enterprise security monitoring techniques using Security Onion in this 38-minute conference talk from BSides Tampa 2019. Learn about the capabilities and tools of Security Onion, including backend components, analysis interfaces, and various data types such as alerts, host data, metadata, and full content. Discover how to leverage Sguil, Squert, and Kibana interfaces for effective threat hunting and investigation. Gain insights into deployment options, event enrichment, alerting mechanisms, and the Elastic Stack integration. Follow along as the speaker demonstrates investigating an alert using Sguil and Kibana, providing practical knowledge for security professionals seeking to enhance their monitoring and incident response capabilities.
Overview
Syllabus
Intro
Introduction - What is Security Onion?
Introduction - What can I do with Security Onion?
Tools: Backend
Tools: Analysis
Data: Alert Data
Data: Host Data
Data: Metadata
Metadata: Example Bro HTTP Log
Data: Full Content Data
Data: Raw Files
Interfaces: Sguil
Interfaces: Squert
Interfaces: Kibana
Academia
Forensics
Enterprise Security Monitoring
Standalone Deployment
Distributed Deployment
Analyst VM
Event Conduit
Elastic Stack
Event Enrichment
Alerting
Hybrid Hunter
Stenographer
Investigating an Alert: Sguil - Kibana
