"Surely we can make a detection for when the whoami command is executed, right? Nobody ever runs whoami but threat actors." - Someone with no experience in detection engineering
In this talk, we'll discuss how we addressed the trade-off between detection coverage and alert fatigue in a SOC by correlating minor or noisy detection logic instead of alerting on each hit. We'll go through our journey to build a custom platform that leverages the concept of indicators. We'll share the toolset and some implementation details and show how we use it to monitor tens of thousands of endpoints. It has become one of our main tools for threat hunting and is used by our SOC analysts to assist them in their investigations.
Émilio Gonzalez, Blue Teamer
Émilio works at a large Canadian organization doing software development, detection engineering and incident response. He's a co-organizer of MontréHack (a monthly cybersecurity workshop) and NorthSec's VP CTF.
Outside the cybersecurity world, he's passionate about urbanism and the economics of housing. He will gladly explain, to anyone who dares ask, how exclusionary zoning and parking mandates are the reasons you can't buy a home.