FloCon 2020

This is the second day of a two-day session.  It builds upon information discussed on day one.

Securing a network often begins with the ability to generate alerts when malicious or non-standard network traffic is observed. This is routinely accomplished through intrusion detection and prevention systems (IDPS), such as Suricata. Unfortunately, an alert only provides a narrow view into a possible incident. Data surrounding an alert also needs to be available to help analysts build context before and after an alert. Context enables an organization to understand the threats it faces and gives it the ability to respond to incidents quickly and more effectively. To complicate network defense further, not all malicious traffic will generate an alert when it encounters an IDPS. Analysts need to look for anomalies in network traffic to identify malicious or suspicious patterns through a process commonly referred to as threat hunting.

While many know that Suricata as an IDPS, it can provide much more visibility than just alerts. From protocol-specific logs to full-packet-capture, Suricata can generate the data needed for a comprehensive view into an organization’s network.

Intended Audience: This is an ideal talk for security analysts, blue teamers, and malware
researchers to learn how Suricata can provide visibility beyond an alert.