This repository contains slides and supplementary materials from events where we presented a talk.
Slides (in reverse-chronological order):
- Suricon - November 2022
- The Data Thread - June 2022
- Potsdam Conference on National CyberSecurity - June 2022
- The International Conference on the EU Cyber Act - May 2022
- Suricon - November 2021
- ZeekWeek - October 2021
- Suricon - October 2019
- Zeek Workshop Europe - April 2019
- DFN Conference on Security in Networked Systems - February 2019
- BroCon - October 2018
At Suricon, we showed how you can get more runway out of your EVE JSON logs by compacting them with VAST. We explained how compaction works as a trigger for pipelines that aggregate the EVE logs into a more space-efficient representation.
At The Data Thread, we presented how VAST uses Apache Arrow as a data engineering toolkit. We showcased VAST's architecture and how Arrow helps us with interoperability of security data.
At the Potsdam Conference on National CyberSecurity we highlighted one of the core problems of large SOCs: handling the complexity imposed by a myriad of interconnected security tools. We showed how VAST can help from an architectural standpoint, as a "sidecar for the SOC."
At the International Conference on the EU Cyber Act 2022, we co-presented with IBM Security's Jason Keirstead about how standardization alone is insufficient to create an open, interoperable ecosystem of security tools. Going back to the articles in the act, we identified market and operational themes that need to be addressed comprehensively in order to have a real-world impact.
At Suricon 2021 in Boston, we co-presented with DCSO on a production architecture for threat-intelligence-based detection that unifies historical and live alerting. The architecture leverages VAST as an embedded telemetry engine to deliver historical metadata via Threat Bus, such that it appears as an alert event that is indistinguishable from a live alert.
At ZeekWeek 2021, we presented how VAST can become a Zeek logger node and transparently receive logs from a Zeek cluster in an optimal fashion. To this end, we wrote a Broker plugin to acquire the binary log data. We then reverse-engineered the binary message format of batched logs, which allowed us to convert them directly into VAST's data plane using Apache Arrow.
At Suricon 2019 in Amsterdam, we demonstrated how to pivot between different kinds of network telemetry with VAST. In particular, we showed how one can extract the PCAP packets corresponding to a specific Suricata alert. The idea is to model VAST's schema as a graph, where nodes correspond to different types and an edge exists between two types if it is possible to join them over a common record field. Users just express the pivot destination, e.g., "give me all PCAPs for alerts with severity N of type X".
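The schema-as-graph pivot described above, as an added illustration that is not VAST's own code: record types are nodes, two types are joinable when they share an identifier field (assumed here to be community_id, uid or flow_id), and a breadth-first search finds the shortest chain of joins from a source type to the requested destination. The sample schemas and records are constructed for the walkthrough.

```python
# Constructed sample schemas (type name -> field names), not VAST's real ones.
SCHEMA = {
    "suricata.alert": {"timestamp", "src_ip", "community_id", "alert.severity"},
    "zeek.conn": {"ts", "uid", "community_id", "id.orig_h"},
    "zeek.dns": {"ts", "uid", "query"},
    "pcap.packet": {"time", "community_id", "data"},
}
# Assumption: only identifier-like fields count as join keys; a shared timestamp or address does not.
JOIN_KEYS = {"community_id", "uid", "flow_id"}

def build_graph(schema):
    """Nodes are types; an edge labelled with the join field links two types sharing it."""
    graph = {t: {} for t in schema}
    for a in schema:
        for b in schema:
            shared = sorted(schema[a] & schema[b] & JOIN_KEYS)
            if a != b and shared:
                graph[a][b] = shared[0]
    return graph

def pivot_path(graph, source, destination):
    """BFS for the shortest join chain as [(type, key, next_type), ...], or None."""
    queue, seen = [(source, [])], {source}
    while queue:
        node, hops = queue.pop(0)
        if node == destination:
            return hops
        for nxt, key in graph[node].items():
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + [(node, key, nxt)]))
    return None

def pivot(store, graph, source, predicate, destination):
    """Select source records matching predicate, then follow each hop by join-key value."""
    path = pivot_path(graph, source, destination)
    if path is None:
        return []
    current = [r for r in store[source] if predicate(r)]
    for _, key, nxt in path:
        keys = {r[key] for r in current}
        current = [r for r in store[nxt] if r[key] in keys]
    return current

# Constructed sample records for the walkthrough ("all PCAPs for alerts with severity 1").
STORE = {
    "suricata.alert": [{"community_id": "1:abc", "alert.severity": 1}, {"community_id": "1:def", "alert.severity": 3}],
    "zeek.conn": [{"uid": "CxYz1", "community_id": "1:abc"}],
    "zeek.dns": [{"uid": "CxYz1", "query": "example.invalid"}],
    "pcap.packet": [{"community_id": "1:abc", "data": b"\x00\x01"}, {"community_id": "1:def", "data": b"\x02"}],
}
```

The pivot from zeek.dns to pcap.packet needs two hops (uid into zeek.conn, then community_id into pcap.packet), which is what the graph search discovers without the user naming the intermediate type.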
At the Zeek Workshop Europe at CERN, we showed how to bring together MISP and Zeek. This presentation was a joint talk with Liviu Vâlsan who explained how to use this prototype operationally at the CERN SOC. Our robo investigator expands on our approach that we presented two months earlier (see below). In addition to correlating historical sightings, robo now also interfaces with Zeek to propagate changes to intel in real time and report "noisy" intel items.
At this year's DFN conference on Security in Networked Systems, we gave a demo on how to perform live correlation of threat intelligence with historical data. Concretely, we showed how to tap into MISP feeds in real time and translate new indicators into queries over old data. Our tool reports hits in historical data back to MISP as sightings. This makes it possible to understand whether an organization has been breached even before the indicator became available.
At BroCon 2018 we talked about automated analysis with Broker. We used the example of automatic historic intelligence lookups with VAST to illustrate the Broker API. Additionally, we performed a performance analysis of Broker in terms of throughput and latency. See the brocon18 directory for the complete list of accompanying material.