Welcome to BSidesLV 2016, our 8th annual BSides in beautiful Las Vegas, Nevada!
Determining Normal: Baselining with Security Log and Event Data


Take a look at almost every log management best practice guide and you will find a bullet point for determining "normal" activity or analyzing trends. These guides, and most log management best practices in general, lack the details for practically determining what is "normal" and how to investigate abnormal activity.

This presentation intends to outline practical strategies for determining "normal" activity using baseline analysis with logs and security events. Topics will include an overview of baselines and the necessary statistics, determining what to baseline with threat modeling, developing the baseline, reviewing the anomalous data, and tuning.

Derek Thomas

Senior Information Security Consultant, eSentire
Derek is a security consultant focused on log management, threat detection, and security monitoring. Derek enjoys developing use cases, watching logs like an operator in The Matrix, and looking for interesting ways to detect post-exploitation activity. He is a family man who is also actively involved in the Michigan Security (#MiSec) community.

Wednesday August 3, 2016 14:00 - 14:55
Ground Truth Florentine F