An Ignite talk given at DataGotham 2012 about how we extract security-related events and alerts from our logs. I repeated the same talk at DevOpsDays NYC 2013.
6. Know your patterns. @jschauma
VPN Connections
July 4th was a Wednesday
People making up for last week?
People slacking off early on a Friday, eh?
5
08/28/12
13. High number of failed logins @jschauma
Admin : <username> (<internal login>, <site login>)
IP : 64.124.192.210 - 64.124.192.210.t01419-07.above.net
Geolocation : Brooklyn, NY, US
Whois : ETSY Inc, ARIN, NET64
# of failed logins : 13
doesn’t know what he’s doing;
do not trust!
Admin : jschauma (jschauma, jschauma)
IP : 207.38.139.33 - 207-38-139-33.c3-0.avec-ubr2.nyr-avec.ny.cable.rcn.com
Geolocation : New York, United States
Whois : RCN Corporation, ARIN, NET207
# of failed logins : 16
19. Of Liars and Outliers (good book, btw) @jschauma
wtf happened here?
Ooh, right… this:
http://is.gd/fognju
http://is.gd/0hRDLY
http://is.gd/WxcA0r
20. This talk was too long! @jschauma
Log it now, log it all.
Geolocate all the things.
Build profiles. (Creepy, I know.)
Reduce false positives. (Whitelists!)
Have defined reactions to all alerts.
Notice the outliers.
Explain them.
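The failed-logins slide above shows the shape of one alert (Admin, IP with reverse DNS, geolocation, whois, failure count), and the takeaways ask for a threshold, a whitelist to cut false positives, and enough context to explain the outlier. The following is an added example, not code from the talk or from the speaker's systems: it parses constructed sshd-style "Failed password" lines, counts failures per (user, source IP), drops whitelisted internal sources, and renders anything over the threshold in the slide's alert format. The log format, the threshold of 10, the whitelist, and the enrichment tables that stand in for reverse DNS / geo / whois lookups are all assumptions so that it runs offline.

```python
import re
from collections import Counter

# Assumed sshd-style auth log line; adjust the regex for your own log source.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted publickey|Accepted password) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

THRESHOLD = 10  # assumed: alert once a (user, ip) pair passes this many failures

# Assumed whitelist: an internal monitoring host that is known to fail noisily.
WHITELIST = {"10.0.0.5"}

# Constructed enrichment data standing in for rDNS / geolocation / whois lookups.
ENRICH = {
    "203.0.113.7": ("host-7.example.net", "Example City, XX", "Example ISP, ARIN, NET203"),
    "198.51.100.9": ("host-9.example.org", "Other City, YY", "Other ISP, RIPE, NET198"),
}

# Constructed mapping username -> (internal login, site login), as on the slide.
ACCOUNTS = {"alice": ("alice", "alice-site")}


def make_failures(user, ip, n, start_port=50000):
    """Construct n sample 'Failed password' lines for one user/IP pair."""
    return [
        f"Aug 28 09:{i:02d}:01 bastion sshd[{2200 + i}]: Failed password for "
        f"{user} from {ip} port {start_port + i} ssh2"
        for i in range(n)
    ]


# Constructed sample log: one outlier, one whitelisted noisy host, one benign user, one junk line.
SAMPLE_LOG = (
    make_failures("alice", "203.0.113.7", 13)
    + make_failures("bob", "10.0.0.5", 12)
    + ["Aug 28 09:30:00 bastion sshd[2300]: Accepted publickey for carol from 198.51.100.9 port 4000 ssh2"]
    + make_failures("carol", "198.51.100.9", 2)
    + ["Aug 28 09:31:00 bastion cron[10]: (root) CMD (run-parts /etc/cron.hourly)"]
)


def parse_line(line):
    """Return a dict for a recognised sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def count_failures(lines):
    """Count failed logins per (user, ip); accepted logins and unparsable lines are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "Failed password":
            counts[(rec["user"], rec["ip"])] += 1
    return counts


def build_alerts(lines, threshold=THRESHOLD, whitelist=WHITELIST):
    """Apply the whitelist and threshold, then enrich each remaining outlier."""
    alerts = []
    for (user, ip), n in sorted(count_failures(lines).items()):
        if ip in whitelist or n < threshold:
            continue
        rdns, geo, whois = ENRICH.get(ip, ("<no rdns>", "<unknown>", "<unknown>"))
        internal, site = ACCOUNTS.get(user, (user, user))
        alerts.append({"user": user, "internal": internal, "site": site, "ip": ip,
                       "rdns": rdns, "geo": geo, "whois": whois, "failed": n})
    return alerts


def format_alert(a):
    """Render one alert in the layout used on the slide."""
    return "\n".join([
        f"Admin : {a['user']} ({a['internal']}, {a['site']})",
        f"IP : {a['ip']} - {a['rdns']}",
        f"Geolocation : {a['geo']}",
        f"Whois : {a['whois']}",
        f"# of failed logins : {a['failed']}",
    ])


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LOG):
        print(format_alert(alert), end="\n\n")
```

The whitelist is applied before the threshold so a noisy internal host never reaches the alert stage; in practice the enrichment tables would be replaced by real reverse DNS, GeoIP and whois lookups, and the threshold tuned per environment from the baseline the "know your patterns" slides describe.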
That’s all, folks! Thanks!