As presented at BroCon 2015, MIT, Cambridge, MA.
Security analysts have to sift through a lot of information to hunt for and investigate incidents. Most tools, though, operate at a very low level, making it difficult to see past the individual events and get the big picture. Linked Data Analysis (LDA) represents the entities in your data as the nodes of a graph and the relationships between them as edges (for Bro logs, hosts linked by the connections between them, for example), so the structure of the activity becomes visible rather than buried across thousands of rows. When you are able to step back and see what's going on at a higher level, it's much easier to identify suspicious patterns and detect malicious activity that you might otherwise have missed.
In this presentation, we’ll use LDA techniques and open source software to visualize several different types of logs from the Bro network analysis platform. We’ll also demonstrate some practical strategies for identifying and investigating patterns that might indicate security incidents. By the end of the session, attendees will have a set of tools and techniques they can use to perform similar analyses on their own data, and begin to find the bad guys hidden in their networks.
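To make the idea concrete, the following is an added example, not code from the talk or from the Bro project: it parses a constructed Bro conn.log (TSV with a #fields header, as Bro writes it, using a shortened field set for the sample), builds a host-to-host graph from the originator and responder addresses, computes per-node fan-out and fan-in, flags the scan-like shape of one host reaching many peers with only failed TCP handshakes (conn_state S0/REJ), and emits the graph as Graphviz DOT so it can be drawn with any open source viewer. The sample records, addresses and thresholds are invented for illustration.

```python
"""Linked-data view of a Bro conn.log: hosts as nodes, connections as edges.

Added example; not code from the talk or the Bro project. The log below is
constructed (TEST-NET addresses, made-up uids); the field layout follows the
#fields header convention Bro uses, with a reduced set of columns.
"""
from collections import defaultdict

# Constructed Bro conn.log sample. '-' means an unset field, as in real Bro output.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring",
    "1440000000.10\tCa1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl\tSF",
    "1440000001.20\tCa2\t10.0.0.5\t51001\t10.0.0.20\t445\ttcp\t-\tS0",
    "1440000001.30\tCa3\t10.0.0.5\t51002\t10.0.0.21\t445\ttcp\t-\tS0",
    "1440000001.40\tCa4\t10.0.0.5\t51003\t10.0.0.22\t445\ttcp\t-\tS0",
    "1440000001.50\tCa5\t10.0.0.5\t51004\t10.0.0.23\t445\ttcp\t-\tREJ",
    "1440000002.00\tCa6\t10.0.0.7\t52000\t203.0.113.10\t443\ttcp\tssl\tSF",
    "1440000003.00\tCa7\t10.0.0.8\t53000\t10.0.0.2\t53\tudp\tdns\tSF",
    "1440000003.50\tCa8\t10.0.0.5\t53001\t10.0.0.2\t53\tudp\tdns\tSF",
    "#close\t2015-08-19-00-00-00",
])

# conn_state values Bro uses for TCP attempts that never completed a handshake.
FAILED_STATES = {"S0", "REJ", "RSTOS0"}


def parse_bro_log(text):
    """Yield one dict per record, keyed by the column names from the #fields line.

    Lines starting with '#' are metadata; a field value of '-' becomes None.
    """
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("record encountered before #fields header")
        values = line.split("\t")
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def build_host_graph(records):
    """Directed multigraph: graph[orig_h][resp_h] is the list of conn records (edges)."""
    graph = defaultdict(lambda: defaultdict(list))
    for rec in records:
        graph[rec["id.orig_h"]][rec["id.resp_h"]].append(rec)
    return graph


def fan_out(graph):
    """Distinct responders each originator contacted (out-degree by unique peer)."""
    return {src: len(dsts) for src, dsts in graph.items()}


def fan_in(graph):
    """Distinct originators that contacted each responder (in-degree by unique peer)."""
    counts = defaultdict(set)
    for src, dsts in graph.items():
        for dst in dsts:
            counts[dst].add(src)
    return {dst: len(srcs) for dst, srcs in counts.items()}


def failed_fan_out(graph, min_peers=3):
    """Originators with >= min_peers distinct responders reached only via failed TCP handshakes.

    Each such edge looks harmless on its own; the fan-out shape is what exposes a scan.
    Returns {originator: sorted list of those responders}.
    """
    flagged = {}
    for src, dsts in graph.items():
        failed_peers = [
            dst for dst, edges in dsts.items()
            if all(e["proto"] == "tcp" and e["conn_state"] in FAILED_STATES for e in edges)
        ]
        if len(failed_peers) >= min_peers:
            flagged[src] = sorted(failed_peers)
    return flagged


def to_dot(graph):
    """Render the host graph as Graphviz DOT; edge label is the number of connections."""
    lines = ["digraph conn {"]
    for src in sorted(graph):
        for dst in sorted(graph[src]):
            lines.append(f'  "{src}" -> "{dst}" [label="{len(graph[src][dst])}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    g = build_host_graph(parse_bro_log(SAMPLE_CONN_LOG))
    print("fan-out:", fan_out(g))
    print("fan-in:", fan_in(g))
    print("failed fan-out (scan-like):", failed_fan_out(g))
    print(to_dot(g))
```

Piping the DOT output through Graphviz (for example `dot -Tsvg`) gives the picture the talk is about: 10.0.0.5 stands out as a hub whose edges to the 10.0.0.2x hosts all carry failed handshakes, a pattern that is obvious in the graph and easy to miss when reading conn.log rows one at a time. The same parser works on other Bro logs (dns.log, http.log, ssl.log), with different fields chosen as node identifiers; the threshold in failed_fan_out is a starting point to tune per network, not a fixed rule.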