This talk delves into strategies and practices for large-scale security monitoring of Linux systems within enterprise environments. We will explore unique challenges posed by Linux-based infrastructures — from their highly diverse configurations to their widespread deployment across cloud and hybrid landscapes.

We will discuss how we have addressed the need for scalability in our tooling and why integrating our solutions into a SIEM or SOAR platform is critical for effective incident response. Additionally, we will explain why traditional EDR solutions fell short of meeting our requirements and how we instead built a customized, open-source-driven setup leveraging Auditd/Laurel and Velociraptor.

The presentation will begin with an overview of our threat-based logging and response strategy, followed by a deep technical dive into the customizations and enhancements we made to the aforementioned tools — many of which have been shared with the community. Special attention will be given to the asset identification features we added to Velociraptor, enabling us to efficiently operate and respond at scale within complex enterprise environments.