Using osquery & MITRE ATT&CK to Provide Analytics for Incident Response and Threat Hunting

  • Friday, March 20th, 2020 at 3:30 PM EDT (19:30:00 UTC)
  • Guillaume Ross and Dave Shackleford
This webcast has been archived. The recording and the slides are available to holders of a SANS Portal account.

Sponsor

  • Uptycs


Overview

There's a disconnect between best-practice frameworks and real-life nitty-gritty. While many frameworks broadly approach the overarching principles that a robust security program should encompass, the MITRE ATT&CK framework takes it a step further by connecting the dots: it details specifically what kind of attacker behavior a defender should anticipate, and how an attacker would work to thwart those vaunted best practices.

Using osquery, an open-source universal endpoint agent that makes our macOS, Linux, Docker, and Windows environments queryable using SQL, we can begin to harden our defenses by writing and deploying queries that identify the known behaviors outlined in the twelve technique categories (tactics) of the MITRE ATT&CK matrix.

Incident Response professionals should attend this webinar to:

  • Gain an understanding of what osquery is, how it structures data, and how that data can be used across security teams
  • Learn how to create SQL queries that solve example scenarios, and get acquainted with the data and insight osquery provides
  • Map portions of the ATT&CK matrix to SQL queries, using osquery to observe these activities
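As an added illustration of that mapping (these queries are not from the webcast or from Uptycs), a handful of osquery hunts, each tagged with the ATT&CK technique it observes. Table and column names follow the public osquery schema; the paths, ports and address ranges in the filters are constructed placeholders to tune per environment, and the `crontab` and `launchd` tables exist only on Linux/macOS and macOS respectively.

```sql
-- Added example: osquery hunts keyed to ATT&CK techniques (run in osqueryi
-- or schedule them in a query pack; differential results surface new rows).
-- Paths, ports and address ranges below are constructed example values.

-- T1059 Command and Scripting Interpreter (in-memory payloads):
-- a running process whose executable no longer exists on disk.
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE on_disk = 0;

-- T1053.003 Scheduled Task/Job: Cron (Linux/macOS):
-- cron entries that run from temporary locations or fetch content at run time.
SELECT path AS crontab_file, command
FROM crontab
WHERE command LIKE '%/tmp/%'
   OR command LIKE '%/dev/shm/%'
   OR command LIKE '%curl %'
   OR command LIKE '%wget %';

-- T1543.001 / T1543.004 Create or Modify System Process: Launch Agent/Daemon
-- (macOS): launchd items whose program lives in a user-writable location.
-- program_arguments is the space-joined ProgramArguments array.
SELECT label, path AS plist, program, program_arguments
FROM launchd
WHERE program LIKE '/Users/%'
   OR program LIKE '/tmp/%'
   OR program_arguments LIKE '/Users/%'
   OR program_arguments LIKE '/tmp/%';

-- T1571 Non-Standard Port (Command and Control):
-- outbound connections to ports outside an expected allowlist, joined to
-- the owning process. The excluded private ranges are an example only.
SELECT p.pid, p.name, p.path, s.remote_address, s.remote_port
FROM process_open_sockets AS s
JOIN processes AS p USING (pid)
WHERE s.remote_port NOT IN (0, 53, 80, 443)
  AND s.remote_address NOT IN ('0.0.0.0', '127.0.0.1', '::', '::1')
  AND s.remote_address NOT LIKE '10.%'
  AND s.remote_address NOT LIKE '192.168.%'
  AND s.remote_address NOT LIKE 'fe80:%';

-- T1078 Valid Accounts / T1136 Create Account:
-- additional uid-0 (root-equivalent) accounts besides root.
SELECT uid, username, shell, directory
FROM users
WHERE uid = 0 AND username != 'root';
```

Each result row is a lead to triage, not a verdict; the allowlists are what keep the noise down, so refine them against a known-good baseline before scheduling the pack fleet-wide.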

Speaker Bios

Guillaume Ross

Guillaume is a Principal Product Manager at Uptycs, where he works on making the best security analytics tools for practitioners. As someone who has worked as a defender and manager of blue teams for many years, he knows what is needed to build a good security program. Guillaume is also a trainer for Pluralsight, producing training materials on network and endpoint security, and really enjoys leveraging open-source security tools and guidance from the community to deliver cost-effective, actually useful security solutions.


Dave Shackleford

Dave Shackleford, a SANS analyst, instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, is the founder and principal consultant with Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance.
