Resources, events, news

Legacy SIEM and Log Management platforms are in many ways victims of their own successes. Providing tamper-evident security log storage and real-time event correlation is what they were built to do. But back when they were invented, nobody could foresee today's explosive volume of log records, the massive expansion of the threat landscape or the great promise of event detection using machine learning. That is why many legacy solutions are struggling.

This presentation reviews the history of SIEM and Log Management, presents a model for understanding modern SIEM functionality and outlines an Elastic-based solution that meets today's needs. It also shows how the model easily and flexibly scales for tomorrow's challenges. If you are exploring the modernization of your SIEM/Log Management platform, this 45-minute presentation is for you.

Elasticsearch for enterprise security log storage and management is a hot topic today. Specular gains in performance, functionality and cost are ready for harvest. But what exactly does it take to create a large Ela stic log storage infrastructure?

This talk will present war stories related to at 150,000 events per second (EPS) Elastic log storage implementation with two-month retention built at a large commercial client. We take you through sizing, design, staffing and cost; discuss architecture, storage density and ingestion: and share our gotchas and lessons learned. We also touch on evidentiary-quality log storage for compliance. Curious about what it would take for Elastic to hold your security logs? This 55-minute video shows you the way.

The LogStash MaxMind filter enriches documents with GeoIP information from the open source MaxMind database. But you can also customize this filter to enrich documents with all kinds of other IP-related data.

MaxMind uses its own database, which enables very fast searching based on IP address. We’ve found that this is the very best way to retrieve any type of IP-based information and store it upon ingestion without impacting performance.

In this 38-minute video, we demonstrate how to create customized instances of the MaxMind database and associated LogStash filters to enrich documents with all all kinds of other information, such as internal network descriptors, individual internal endpoints and threat intel on external IPs.