DeepSec 2019 Talk: Setting up an Opensource Threat Detection Program – Lance Buttars
Through the use of event detection monitoring and do it yourself monitoring techniques on a Linux Apache PHP MySQL stack, I will demonstrate how you can create different alarms and reporting surfaces that alert you when your application is being attacked. This case study will demonstrate the use of hacking tools as a defense strategy in a corporate network and will cover the story of the detection of insider threats from the internal application point of view. The entire presentation is a hands-on lab that can be used after the presentation as a guide for attendees to set up a Threat Detection program.
We asked Lance a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- The talk covers ways of discovering insider threats.
- It’s a starting point for understanding how honey pots work.
- It’s a great way to go beyond standard threat detection.
- It’s meant for IT personal who have zero to no budget.
- It’s designed to be a hands-on lab.
How did you come up with it? Was there something like an initial the spark that set your mind on creating this talk?
I came up with this talk because I wanted to see what I could do using open source tools and techniques when it came to threat detection inside a production environment. My goal was to create a framework for detecting insider threats that would alert me when the system became compromised, or data was leaving my environment.
Why do you think this is an important topic?
I think this topic is essential because a lot of IT shops have limited funding and resources, and the talk guides you through setting up simple, easy to use threat detection techniques to help jump-start a threat detection program.
Is there something you want everybody to know – some good advice for our readers, maybe?
The presentation will be made available after the talk and should provide a type of guide for doing the techniques I will discuss at the presentation.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
I imagine that threat detection will become more standard, and hopefully, more open source tools will be created to help address the need for better threat detection beyond standard IDS / WAF.
Lance works as a software engineer in the payment industry developing software that transfers money between banking systems. He is a founding member of 801 Labs; a hackerspace located in Salt Lake City and is an active member of his local Defcon group DC801. Lance has a BS in Computer Science and a Master’s Degree in Cybersecurity and Info Assurance.