University of Oxford: building a next generation SIEM

Staying a step ahead of your adversaries is one of the most promising strategies for defending your organisation. Whilst it may seem aggressive to work on the “assumption of breach”, the reality is that attackers may operate undetected inside a network for days, weeks or even months on end, preparing for and executing their attack without any automated defence solution detecting their presence. Threat hunting stops these attacks by seeking out covert indicators of compromise so that attacks can be mitigated before the adversary achieves their objectives.

Combining logs and audit data and searching them for indicators of compromise can be tedious, time-consuming and expensive. By proactively capturing and storing relevant activity, whether known to be bad or not, organisations can instantly draw on a comprehensive historical record of their environment for effective threat hunting.

While cloud computing makes security more difficult in many different ways, it poses specific challenges for the threat detection and response function. Visibility is the key to full and effective threat detection. The cloud can create a substantial blind spot in an organisation's IT infrastructure: indicators of compromise that would be picked up easily if the same application were deployed on-premises go unseen. For alerts generated on-premises, critical correlation data can be missed, leaving an incomplete view of the full scope of an attack.

In this presentation we will demonstrate examples and lessons learned from the University of Oxford's Cyber Security Incident Response Team on their journey to develop an in-house next-generation SIEM using the Elastic Stack.

Marko Jung

Global Head Information Security Operations

University of Oxford

Kristian Kocher

Security Big Data Lead

University of Oxford