Using Grafana Loki to aggregate and search logs with detection rules from Sigma.
Watch the video
 |
 |
Click the images to view full size.
Download the presentation slides (PDF)
Synopsis
Many security breaches can be detected in logs, but how do you collect together logs from all parts of your IT infrastructure, then scan for evidence? The first part of the talk will describe the architecture of the Loki project for log aggregation, based on S3-type cloud storage with no full-text index.
Then, we will look at how rules from the Sigma project can be used in Loki searches. Sigma is a platform agnostic format to define rules for compromise detection and threat hunting. All of the software described is Open Source.
About the speakers
Bryan Boreham
Bryan Boreham is a Distinguished Engineer at Grafana Labs, working on highly scalable storage for metrics, logs and traces. Bryan's career has ranged from charting pie sales at a bakery to real-time pricing of billion-dollar bond trades.
An Open Source contributor since 1988, Bryan is a Prometheus maintainer and a member of the Kubernetes project. Outside of work he is a father, a helicopter pilot, and can cook a mean risotto primavera.
Nick Moore
Nick Moore is a Senior Security Developer at Grafana Labs, where he is working to develop the next generation of Security Observability tooling. He's largely doing full-stack system development, but you may also find him providing data science expertise, and some security incident response every once in a while. His previous roles have included developing tools to help protect the UK's critical national infrastructure, providing security analysis for an autonomous vehicle project, and teaching the next generation of technologists as a cyber security lecturer for a variety of UK Universities. When he's not busy on the computer, you'll most likely find Nick running around the Cotswolds, up and down its many, many rolling hills.
Our events are for adults aged 16 years and over.
BCS is a membership organisation. If you enjoy this event, please consider joining BCS. You’ll be very welcome. You’ll receive access to many exclusive career development tools, an introduction to a thriving professional community and also help us Make IT Good For Society. Join BCS today
COVID-19
BCS is following government guidelines and we would ask attendees to continue to also follow these guidelines. Please go to https://www.nhs.uk/conditions/coronavirus-covid-19/ for more information, advice, and instructions.
This event is brought to you by: BCS DevSecOps specialist group
