In July, Eric & Whitney gave a talk titled "Breaches Be Crazy" at the SANS DFIR Summit outlining Recon’s unique approach at scaling enterprise forensic timelining.
Scaling Enterprise Forensic Timelining
Oct 6, 2021 2:29:00 PM / by Eric Capuano posted in Automation, DFIR, Velociraptor, Incident Response, Forensics, Operations, SecOps, Security, SOC, Open Source
Threat Hunting - A Critical Component of High Performing SOCs
Apr 23, 2021 2:03:00 PM / by Andrew Cook posted in Operations, Security, Threat Hunting
Whether your cybersecurity detection and response capabilities are in-house or managed through a partner, a prioritized approach to threat hunting is a key indicator of your security program’s maturity and effectiveness.
Detecting Threats with Graylog Pipelines - Part 3
Jan 15, 2021 2:14:00 PM / by Eric Capuano posted in Incident Response, Operations, SecOps, Security, SOC, InfoSec, Threat Hunting, Monitoring, Graylog
Now that we've normalized and enriched our events, let's get into the actual threat detection logic that brings SIEM-like features to open source Graylog.
Detecting Threats with Graylog Pipelines - Part 2
Jan 4, 2021 5:01:00 PM / by Eric Capuano posted in Operations, SecOps, Security, SOC, InfoSec, Monitoring, Graylog, Logging
In my previous post, I explained the fundamental purpose and use cases of pipelines in Graylog – now let's move towards some more advanced topics.
Detecting Threats with Graylog Pipelines - Part 1
Dec 31, 2020 5:16:00 PM / by Eric Capuano posted in Operations, SecOps, Security, SOC, InfoSec, Monitoring, Graylog, Logging
If you are here hoping to learn more about using Graylog for the purpose of monitoring the security posture of your organization, strap in – it's about to get real.
A SecDevOps Perspective on SUNBURST
Dec 16, 2020 5:32:00 PM / by Brian Greunke posted in Operations, Continuous Integration, Exploit, DevOps
Much has already been said about the recently reported SolarWinds compromise. In this post, we are not attempting to further investigate the attack, but rather, to provide a SecDevOps perspective on a few of the underlying software and development processes that are reported to have been involved in the initial compromise at SolarWinds. These processes are not unique to SolarWinds, and in fact, are often considered best practices in software development.
Securing Your Velociraptor Deployment
Sep 23, 2020 10:51:00 AM / by Whitney Champion posted in DFIR, Velociraptor, Incident Response, Forensics, Operations, SecOps, Security, InfoSec, Threat Hunting, DevOps, AWS, Cognito, Identity Aware Proxy
Our team are huge fans of Velociraptor. It's an incredibly powerful tool, for both DFIR and endpoint management. It currently supports Windows, Linux, and Mac endpoints, and BONUS: it's open source!
Graylog and Cylance Protect Integration
Dec 23, 2019 2:37:00 PM / by Whitney Champion posted in Operations, SecOps, Security, Graylog, Logging, DevOps, API, Cylance
TL;DR - we needed to ingest multiple sources of Cylance logs into Graylog, and this is how we did it.
Brokering Other Cloud Resources Behind AWS Services
Nov 21, 2019 2:43:00 PM / by Whitney Champion posted in DFIR, Operations, SecOps, Security, ZeroTier, DevOps, AWS, Cognito, Identity Aware Proxy, Cloud
I tweeted this the other day, and had a lot of folks reach out asking for more details/a diagram of this setup.
Slacking at Security Operations
Oct 24, 2016 4:58:00 PM / by Eric Capuano posted in Automation, Operations, Defense, Intel Sharing, Slack
Running a Security Operations Center requires fighting a constant battle to increase analyst efficiency, speed and accuracy. Fast and effective communication coupled with automation is the only answer. So why not have both in the same platform?