David J Bianco
@DavidJBianco
http://detect-respond.blogspot.com
Before coming to work as a Security Architect and DFIR subject matter expert at Sqrrl, David led the hunt team at Mandiant, helping to develop and prototype innovative approaches to detect and respond to network attacks. Prior to that, he spent five years helping to build an intel-driven detection & response program for General Electric (GE-CIRT). He set detection strategies for a network of nearly 500 NSM sensors in over 160 countries and led response efforts for some of the company’s the most critical incidents.
David stays active in the community, speaking and writing on the subjects of Incident Detection & Response, Threat Intelligence and Security Analytics. He is also a member of the MLSec Project (http://www.mlsecproject.org). You can follow him on Twitter as @DavidJBianco or subscribe to his blog, “Enterprise Detection & Response” (http://detect-respond.blogspot.com).
Visual Hunting with Linked Data Graphs
Security analysts have to sift through a lot of information to hunt for and investigate incidents. Most tools, though, operate at a very low level, making it difficult to see past the individual events and get the big picture. Linked Data Analysis (LDA) visualizes the entities in your data as a graph and shows how they are related. When you are able to step back and see what’s going on at a higher level, it’s much easier to identify suspicious patterns and detect malicious activity that you might have otherwise missed.
In this presentation, we’ll use LDA techniques and open source software to visualize several different types of logs from the Bro network analysis platform. We’ll also demonstrate some practical strategies for identifying and investigating patterns that might indicate security incidents.