You MUST register through Eventbrite to gain access to this session (Day 2).
Zeek Agent: Correlating Host and Network Logs for Better Forensics
Summary: I'll present Zeek Agent, an open source endpoint monitoring framework that seamlessly correlates endpoint activity with Zeek network logs. I'll talk about Zeek Agent architecture, implementation, and its use-cases.
Abstract: There is potentially great power for security analysis in having both endpoint and network visibility, but one big challenge is how to tie the two together in a meaningful way. In this talk, I’ll present Zeek Agent, an endpoint monitoring tool that provides deeper visibility into organization-wide activity by transparently observing endpoint activity and correlating it with Zeek network logs. I’ll describe the design and implementation of the Zeek Agent framework and the techniques we employ to derive correlations between host and network logs. Later in the talk, I’ll explain how we apply causal analysis to the correlated host and network logs to accelerate threat investigation. Causal analysis generates contextual history around an alert by automatically reconstructing the chain of events that led to the alert event. Using such analysis, security analysts can better understand alerts without needing to write long ad-hoc queries to chain together context during threat investigation. Finally, I’ll present an attack case study to show the effectiveness of the causal analysis technique during attack investigation.
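The abstract describes two ideas without giving their mechanics: joining endpoint activity to Zeek network logs, and walking backwards from an alert to reconstruct the chain of events behind it. The following is an added, simplified illustration of that general idea written for this page; it is not Zeek Agent's own code and makes no claim about how Zeek Agent actually derives its correlations. It assumes a hypothetical host event source that records process creations (pid, ppid, name) and outbound socket opens with their local/remote endpoints, and it joins those to constructed Zeek `conn.log`-style records on the 5-tuple within a short time window. All records below are constructed sample data.

```python
"""Host/network correlation and alert ancestry, as an added illustration.

Generic, hypothetical approach for this page (not Zeek Agent's implementation):
1. join host socket-open events to Zeek conn.log records on the 5-tuple
   (orig_h, orig_p, resp_h, resp_p, proto) within a time window;
2. given the Zeek connection uid from an alert, find the process that opened
   the connection and walk its parent chain to reconstruct context.
"""

# Constructed Zeek conn.log records (field names follow Zeek's conn.log JSON output).
ZEEK_CONN = [
    {"ts": 1000.10, "uid": "CZeek001", "id.orig_h": "10.0.0.5", "id.orig_p": 51234,
     "id.resp_h": "203.0.113.9", "id.resp_p": 443, "proto": "tcp"},
    {"ts": 1000.50, "uid": "CZeek002", "id.orig_h": "10.0.0.5", "id.orig_p": 51240,
     "id.resp_h": "198.51.100.7", "id.resp_p": 4444, "proto": "tcp"},
    {"ts": 1500.00, "uid": "CZeek003", "id.orig_h": "10.0.0.8", "id.orig_p": 40000,
     "id.resp_h": "203.0.113.9", "id.resp_p": 443, "proto": "tcp"},
]

# Constructed host events from a hypothetical endpoint sensor: process starts
# and outbound socket opens attributed to a pid.
HOST_PROCS = [
    {"pid": 100, "ppid": 1,   "name": "explorer",   "ts": 900.0},
    {"pid": 200, "ppid": 100, "name": "winword",    "ts": 990.0},
    {"pid": 300, "ppid": 200, "name": "powershell", "ts": 999.0},
]
HOST_SOCKETS = [
    {"pid": 200, "ts": 1000.0, "local_ip": "10.0.0.5", "local_port": 51234,
     "remote_ip": "203.0.113.9", "remote_port": 443, "proto": "tcp"},
    {"pid": 300, "ts": 1000.4, "local_ip": "10.0.0.5", "local_port": 51240,
     "remote_ip": "198.51.100.7", "remote_port": 4444, "proto": "tcp"},
]


def correlate(host_sockets, zeek_conns, window=2.0):
    """Join host socket events to Zeek connections on the 5-tuple.

    Host and sensor clocks rarely agree exactly, so a match also requires the
    two timestamps to lie within `window` seconds of each other.
    Returns a list of (socket_event, conn_record) pairs.
    """
    index = {}
    for c in zeek_conns:
        key = (c["id.orig_h"], c["id.orig_p"], c["id.resp_h"], c["id.resp_p"], c["proto"])
        index.setdefault(key, []).append(c)
    matches = []
    for s in host_sockets:
        key = (s["local_ip"], s["local_port"], s["remote_ip"], s["remote_port"], s["proto"])
        for c in index.get(key, []):
            if abs(c["ts"] - s["ts"]) <= window:
                matches.append((s, c))
    return matches


def ancestry(pid, procs):
    """Walk parent links and return process names from the root down to `pid`.

    The `seen` set guards against cyclic or reused pids in malformed data.
    """
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def explain_alert(conn_uid, host_sockets, zeek_conns, procs):
    """Given the Zeek connection uid named in an alert, reconstruct its context:
    the pid that opened the connection and that process's ancestry.
    Returns None when no host event can be tied to the connection."""
    for s, c in correlate(host_sockets, zeek_conns):
        if c["uid"] == conn_uid:
            return {"uid": conn_uid, "pid": s["pid"], "chain": ancestry(s["pid"], procs)}
    return None


if __name__ == "__main__":
    # Pretend a Zeek notice fired on connection CZeek002 and ask for its context.
    print(explain_alert("CZeek002", HOST_SOCKETS, ZEEK_CONN, HOST_PROCS))
```

The point of the example is the shape of the problem rather than any particular join key: a connection seen on the wire becomes far more useful once it is attached to the process that opened it and to that process's parents (here an office document spawning a shell that reaches an unusual port), and a connection with no host-side match (CZeek003 above) is itself a gap worth noticing.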
Slack Channel for this session - #vzw-day2-talk5-zeek-agent
If you haven't joined the Zeek Slack space yet, you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ
Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9