This presentation is a collaborative effort by Matthew Giannetto and Christopher Lee of Susquehanna International Group in Bala Cynwyd, PA. Together, Matt and Chris created a case study review of their efforts to bring endpoint and network visibility to their SIEM and through the use of PowerShell and SQL, enhanced their analysts ability to quickly and efficiently process security incidents.. Our SOC was ready for an endpoint detection and response solution, but we couldn't justify the spend before we clearly understood the value. We set out on a year-long journey to build our own solution around Sysinternals Sysmon. Using Sysmon, Windows Event Collection, SIEM, scripts, and a custom database app, we've created a solution that gets most of the value of a commercial solution at practically no cost. Our presentation is a case study for deploying Sysmon to thousands of endpoints, collecting the log data using native Windows features, and sending it to our SIEM in real-time. We'll detail our Sysmon and WEC infrastructure and config, while giving recommendations and pointing out pitfalls. We will share our favorite SIEM rules to detect evil on our endpoints, and how we present the data back to our analysts for effective investigations. Finally, we'll show how we're enriching the logs with third-party threat intel, and hunting with the data using more advanced analytics.

Chris Lee spends his days hunting for bad guys and identifying threats in an ever-changing environment. He began his career with Susquehanna International Group, LLP over five years ago, working in operations, security architecture, and most recently as a Threat Analyst. His experiences with designing and implementing Sysmon and event collection at scale have been an invaluable addition to his security tool belt. As a member of SIG,s Security Monitoring and Incident Response team, Chris enjoys sharing his experiences with his peers and training new members of the security community. Chris, interest in security began when, as a Desktop Support Engineer, he had an opportunity to work on an endpoint project with SIG,s Security team. Thanks to that project, Chris found his calling designing, detecting, and defending against a rapidly-growing threat landscape. Outside of work, Chris enjoys spending time with his family in the great outdoors.

Recorded at BSides Philly 2017