BSidesAugusta 2023

Josh Brower

Josh Brower has been crashing computers since his teens, and now feels fortunate to be doing it professionally. He has spent the last 15 years focusing on InfoSec, particularly network and endpoint detection. He also enjoys teaching about InfoSec issues, especially to non-technical learners - helping them to understand how their actions in the digital world have real-world consequences, as well as how to proactively reduce the risk.

You can catch him on Twitter @DefensiveDepth.


Preferred Social Media: Twitter (@DefensiveDepth)


Session

Date: 10-07
Time: 11:15
Length: 30 min
Title: Applying Sysmon-type filtering to Elastic Agent Process Auditing
Speaker: Josh Brower

Process auditing is a powerful tool in the detection toolbox. According to @Cyb3rWard0g's research, the vast majority of the adversarial techniques in the ATT&CK framework can be detected with process auditing. Unfortunately, this power comes with a price - process auditing generates a large volume of events that can be overwhelming to sift through.

In this presentation, we will walk through a practical option for handling this problem, using Security Onion's Elastic Agent integration as an example. Specifically, we will use the @SwiftOnSecurity Sysmon configuration as a source filter and convert it into a format that Security Onion can use to filter out known-good results.
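The conversion the abstract describes, as an added example that is not code from the talk, from Security Onion, or from the SwiftOnSecurity project: it reads Sysmon `ProcessCreate` rules with `onmatch="exclude"` and turns them into a Beats-style `drop_event` processor, which Elastic Agent integrations accept. The target format is an assumption (Security Onion's own filter format is not described on this page), as are the Sysmon-to-ECS field mapping and the sample config, which is constructed to mirror the structure of the SwiftOnSecurity file rather than copied from it. One practical caveat the code handles: Sysmon matches case-insensitively, while Beats `equals` and `contains` are case-sensitive, so every rule is emitted as an RE2 `regexp` with the `(?i)` flag.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (assumption): modelled on the SwiftOnSecurity layout, not copied from it.
SAMPLE_SYSMON_XML = """<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
        <Image condition="image">conhost.exe</Image>
        <CommandLine condition="begin with">C:\\Windows\\system32\\DllHost.exe /Processid</CommandLine>
        <ParentImage condition="end with">\\MsMpEng.exe</ParentImage>
        <CommandLine condition="contains">\\Google\\Update\\GoogleUpdate.exe</CommandLine>
      </ProcessCreate>
      <ProcessCreate onmatch="include">
        <Image condition="is">C:\\Windows\\System32\\cmd.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Assumed mapping from Sysmon ProcessCreate fields to ECS field names.
FIELD_MAP = {
    "Image": "process.executable",
    "CommandLine": "process.command_line",
    "ParentImage": "process.parent.executable",
    "ParentCommandLine": "process.parent.command_line",
}

# Only RE2 metacharacters are escaped, so the output stays valid for the Go
# regexp engine Beats uses (Python's re.escape also escapes spaces, which RE2 rejects).
RE2_META = set(r"\.+*?()|[]{}^$")


def re2_escape(text):
    return "".join("\\" + c if c in RE2_META else c for c in text)


def rule_to_condition(field, condition, value):
    """Translate one Sysmon rule into a Beats 'regexp' condition.
    Sysmon compares case-insensitively, hence the (?i) flag on every pattern."""
    ecs = FIELD_MAP[field]
    esc = re2_escape(value)
    patterns = {
        "is": "(?i)^" + esc + "$",
        "contains": "(?i)" + esc,
        "begin with": "(?i)^" + esc,
        "end with": "(?i)" + esc + "$",
        # 'image' matches the file name at the end of the path.
        "image": r"(?i)(^|\\)" + esc + "$",
    }
    if condition not in patterns:
        raise ValueError(f"unsupported Sysmon condition: {condition}")
    return {"regexp": {ecs: patterns[condition]}}


def sysmon_excludes_to_drop_events(xml_text):
    """Collect ProcessCreate exclude rules and wrap them in one drop_event processor."""
    root = ET.fromstring(xml_text)
    conditions = []
    for pc in root.iter("ProcessCreate"):
        if pc.get("onmatch") != "exclude":
            continue  # include rules select events; they are not known-good filters
        for rule in pc:
            if rule.tag not in FIELD_MAP:
                continue  # fields without an assumed ECS mapping are skipped
            value = (rule.text or "").strip()
            # Sysmon defaults to 'is' when no condition attribute is given.
            conditions.append(rule_to_condition(rule.tag, rule.get("condition", "is"), value))
    if not conditions:
        return []
    return [{"drop_event": {"when": {"or": conditions}}}]


def would_drop(event, processors):
    """Evaluate the generated conditions locally against a flat ECS-style event dict.
    The patterns use only syntax shared by RE2 and Python's re, so re.search is faithful."""
    for proc in processors:
        for cond in proc["drop_event"]["when"]["or"]:
            ((field, pattern),) = cond["regexp"].items()
            if re.search(pattern, event.get(field, "")):
                return True
    return False


if __name__ == "__main__":
    procs = sysmon_excludes_to_drop_events(SAMPLE_SYSMON_XML)
    for cond in procs[0]["drop_event"]["when"]["or"]:
        print(cond)
    noisy = {"process.executable": "c:\\windows\\system32\\SVCHOST.EXE"}
    print("svchost dropped:", would_drop(noisy, procs))
```

The emitted list is the `processors:` value of an integration policy; dumping it as YAML (for example with PyYAML) gives the fragment to paste. `would_drop` is only a local check to confirm the filter behaves as the Sysmon rules intend before it is deployed, which matters because a filter that is too broad silently removes the very events the detections depend on.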

Track 2