Noise is a problem. As information security practitioners, we've been dealing with the problem of the signal-to-noise ratio for a long time. The solution hasn't really changed, but the landscape certainly has. Ultimately, what drives noise down and elevates signal is context.

For his presentation at Black Hat USA, Travis Smith, a fellow Tripwirian, dove into how you can use the open source ELK stack and a few other tricks to add valuable context to the noise of alerts from network security monitoring tools. The tools at play here are ELK (Elasticsearch, Logstash and Kibana), along with the open-source BRO NSM and Criticalstack for aggregated threat intelligence.
I won’t spend time here on the code and configurations. You can get that from the slides.
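To make "adding context" concrete, here is a small added example; it is not Travis Smith's code or anything from the slides. It takes Bro conn.log rows and a threat-intel feed in the tab-separated format Bro's Intel Framework reads (the format Critical Stack's client emits), and emits each connection as a JSON document with any matching indicator attached, which is the shape you would ship into Elasticsearch. The feed entries and log rows are constructed for the illustration, the indicator values are made up, and the matching is a deliberately simple IP lookup rather than a reimplementation of Bro's own Intel Framework. The `enrich_all` and `parse_bro_tsv` names are this example's own.

```python
"""
Added example (not from the presentation or its slides): attach threat-intel
context to Bro conn.log records before they are indexed in Elasticsearch.

Assumption: the intel feed uses the Bro Intel Framework layout, a '#fields'
header followed by tab-separated indicator rows.  Both the feed and the log
excerpt below are constructed sample data.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed intel feed in Bro Intel Framework format (values are made up).
INTEL_FEED = """#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc
203.0.113.7\tIntel::ADDR\texample-feed\tconstructed example: known scanner
malicious.example\tIntel::DOMAIN\texample-feed\tconstructed example: C2 domain
"""

# Constructed Bro conn.log excerpt (abbreviated field list, TSV).
CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
1466000000.123456\tCabc123\t10.0.0.5\t51234\t203.0.113.7\t443\ttcp\tssl\tSF
1466000001.654321\tCdef456\t10.0.0.9\t40000\t198.51.100.20\t80\ttcp\thttp\tSF
"""


def parse_bro_tsv(text: str) -> List[Dict[str, str]]:
    """Parse a Bro-style TSV log.

    The '#fields' line names the columns; other '#' lines (#separator, #open,
    #types, #close) are metadata and are skipped.
    """
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def load_intel(feed_text: str) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Index indicators by (indicator_type, indicator) for O(1) lookups."""
    return {
        (row["indicator_type"], row["indicator"]): row
        for row in parse_bro_tsv(feed_text)
    }


def enrich_conn(record: Dict[str, str],
                intel: Dict[Tuple[str, str], Dict[str, str]]) -> Dict[str, object]:
    """Return the record plus an 'intel' list describing any address matches."""
    doc: Dict[str, object] = dict(record)
    hits = []
    for field in ("id.orig_h", "id.resp_h"):
        hit = intel.get(("Intel::ADDR", record.get(field, "")))
        if hit:
            hits.append({
                "matched_field": field,
                "indicator": hit["indicator"],
                "source": hit["meta.source"],
                "desc": hit["meta.desc"],
            })
    doc["intel_hit"] = bool(hits)
    doc["intel"] = hits
    return doc


def enrich_all(conn_text: str, feed_text: str) -> List[Dict[str, object]]:
    """Enrich every conn.log row against the feed; returns Elasticsearch-ready docs."""
    intel = load_intel(feed_text)
    return [enrich_conn(row, intel) for row in parse_bro_tsv(conn_text)]


if __name__ == "__main__":
    # One JSON document per line, the form a Logstash/bulk pipeline would ingest.
    for document in enrich_all(CONN_LOG, INTEL_FEED):
        print(json.dumps(document))
```

In the sample data, only the first connection (to 203.0.113.7) picks up an `intel` entry; the second is indexed with `intel_hit: false`. That boolean and the `intel.source` field are what let you filter a Kibana dashboard down to the handful of events that have context attached, instead of paging through every connection the sensor saw.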