Determining Normal - Baselining with Security Log and Event Data

Explore practical strategies for baselining security log and event data in this BSidesLV conference talk. Delve into the importance of establishing normal patterns, hunting for anomalies, and effectively managing log data. Learn about normal and non-normal distributions, Windows event rates, and techniques for visualizing data. Discover how to identify and handle outliers using methods like QQ plots and the Three Sigma Rule. Examine real-world use cases, including RDP access analysis, and understand the requirements and event sources for effective baselining. Gain insights into log reduction techniques and weekend data patterns. Equip yourself with the knowledge to create meaningful baselines and enhance your security monitoring capabilities.

Intro
Who am I
Agenda
Log data is underutilized
Practical strategies
Importance of normal
Hunting
Baselines
Logging Log Management
Normal Distribution
NonNormal Distribution
Windows Event Rate
Example
Obtaining Data
Questions to Ask
Visualizing Data
Outliers
Weekend
Handling Outliers
QQ Plot
Three Sigma Rule
Use Cases
RDP
RDP Access
Use Case Primer
Requirements
Event Sources
Validation
Histogram
ShapiroWilkes
Recap
What can you create
References
Questions
Log Reduction
Weekends
Friday