The State of Security Response in 2019
The session opens with a sobering statistic from Verizon's Data Breach Investigations Report: 68% of breaches take months or longer to discover. This fundamental failure in detection time creates massive business and legal exposure. The presenters identify five major challenges that make real-time monitoring difficult: loss of visibility as users move to cloud platforms such as Office 365 and AWS, increasingly sophisticated attack vectors including new ransomware strains, rising internal threats accounting for 30% of attacks, expanded attack surfaces from IoT device proliferation, and stringent new regulations such as GDPR with mandatory breach-reporting requirements. Despite these challenges, modern SIEM solutions have evolved with advanced correlation engines, cloud monitoring capabilities, machine-learning-based user behavior analytics, threat intelligence integration, and extensive third-party integrations to accelerate threat detection and response.
Critical Windows Security Events and Active Directory Auditing
Vivin presents a framework for transforming raw log data into actionable security insights, using the analogy of a Fitbit converting raw step counts into meaningful health indicators. He emphasizes that an effective SIEM implementation must add indicators on top of the information it already collects, so that the data can drive action. The session focuses on uncommon but critical Windows auditing use cases gathered from interactions with thousands of administrators. Key areas covered include detecting credential compromise beyond common brute-force attacks, identifying privilege escalation attempts by monitoring security group modifications and administrative role assignments, tracking lateral movement by correlating logon events across multiple systems, and detecting persistence mechanisms by monitoring scheduled task creation and service installations. A practical honeypot technique is shared: renaming the default Administrator account and creating a decoy account to trap unauthorized access attempts.
Essential Security Monitoring Beyond Windows
Siddharth expands the discussion to critical non-Windows monitoring areas that organizations must address. System events serve as unavoidable indicators of attacks: ransomware must install itself, services must start, and systems may restart unexpectedly. Organizations should therefore track service installations, software deployments, and server restarts as baseline security indicators. Data access monitoring requires tracking the four vital Ws: who accessed data, which data was accessed, when the access occurred, and what modifications were made. File integrity monitoring and column integrity monitoring technologies help maintain audit trails for sensitive data. Web server activity monitoring is emphasized as a critical entry-point defense, tracking site visitors, file uploads and downloads, spikes in HTTP error codes that indicate denial-of-service attacks, and known attack patterns such as SQL injection and cross-site scripting.
Firewall Traffic Analysis and Log Integrity Protection
Firewall traffic analysis provides early attack detection by establishing baselines of normal network behavior. Organizations should monitor traffic by source, destination, and protocol to detect anomalies such as sudden SSH traffic spikes or unusual outbound data transfers that indicate compromised hosts. Repeated blocked connection attempts from specific IP addresses signal potential breach attempts and warrant permanent blacklisting. Firewall logs also prove essential for post-breach investigation, enabling security teams to backtrack an attack and identify the source of the compromise. The session concludes with a critical but often overlooked security control: tracking logging policy changes. Attackers frequently attempt to disable logging services or tamper with collected logs to cover their tracks. Organizations must proactively monitor for syslog service shutdowns, event log service disruptions, and any attempts to modify or delete collected log data, because these actions are themselves strong indicators of compromise.
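As an added example (not the presenters' code), the three Windows-side detections described in the auditing and log-integrity sections above, run as SIEM-style correlation rules over a constructed set of normalised Windows Security events: lateral movement (one account reaching several hosts in a short window), logons against the decoy Administrator account, and log tampering. Event IDs 4624, 4625, 1100 and 1102 are the standard Windows IDs; the decoy account name, the thresholds and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalised Windows Security events (not real logs). Event IDs used:
# 4624 successful logon (type 3 = network), 4625 failed logon,
# 1102 audit log cleared, 1100 event logging service shut down.
SAMPLE_EVENTS = [
    {"ts": "2019-05-01T09:00:00", "id": 4624, "host": "WS-01", "user": "alice", "type": 3},
    {"ts": "2019-05-01T09:02:30", "id": 4624, "host": "WS-02", "user": "alice", "type": 3},
    {"ts": "2019-05-01T09:04:10", "id": 4624, "host": "FS-01", "user": "alice", "type": 3},
    {"ts": "2019-05-01T09:05:00", "id": 4624, "host": "WS-07", "user": "bob", "type": 2},
    {"ts": "2019-05-01T09:06:00", "id": 4625, "host": "DC-01", "user": "Administrator", "type": 3},
    {"ts": "2019-05-01T09:10:00", "id": 1102, "host": "FS-01", "user": "alice"},
]

# Hypothetical decoy: the default "Administrator" name re-used as a honeypot account
# after the real administrator account was renamed (assumed name).
DECOY_ACCOUNTS = {"Administrator"}

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def detect_lateral_movement(events, min_hosts=3, window=timedelta(minutes=10)):
    """Accounts whose network logons reach >= min_hosts distinct hosts within `window`."""
    logons = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("type") == 3:
            logons[e["user"]].append((_ts(e), e["host"]))
    alerts = {}
    for user, entries in logons.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            # Sliding window: distinct hosts reached from this logon onward, inside the window.
            hosts = {h for t, h in entries[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts

def detect_decoy_logons(events, decoys=DECOY_ACCOUNTS):
    """Any logon attempt, successful or failed, against a decoy account is an alert."""
    return [(e["host"], e["user"], e["id"]) for e in events
            if e["id"] in (4624, 4625) and e["user"] in decoys]

def detect_log_tampering(events):
    """Audit log cleared or logging service shut down: strong indicators of compromise."""
    return [(e["host"], e["user"], e["id"]) for e in events if e["id"] in (1100, 1102)]
```

In the sample data alice touches three hosts over the network inside ten minutes, the decoy account sees a failed logon on DC-01, and the audit log on FS-01 is cleared shortly after; bob's interactive logon (type 2) is ignored by the lateral-movement rule.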