Sign Maine Arbitration Agreement Easy

Document type sign arbitration agreement maine easy

okay everybody uh this is mick here we're just doing pre-show banter um i don't even know what we're gonna be talking about before we started broadcasting we were talking about bespoke ice cream and fountain pens and all kinds of crazy stuff and i'm not making it makes us sound far fancier than we actually are well that's that's my one like i think my one and only fancy is fountain pens and things but i don't know i will say uh for those who i was talking with flynn about one of my favorite inks if you are in the um artist scene or want to play around with an interesting ink you should check out from noodler's links there's a thing called general of the armies which is a really interesting anti-tamper ink that it's kind of difficult to work with because it's a suspension as opposed to a normal ink so you have to keep the um like at least once a day you have to turn the bottle upside down to keep the metal salts in suspension but it um you can tell if somebody has been tampering with the ink because um like you can it stains the cellulose of the paper it also another neat function is that it fluoresces under uv light so it's a real cool ink the downside is it won't work with every fountain pen because of the very very tiny metal particles you could clog the feed or if you have a really tight tolerance nib it won't flow appropriately yeah but if you can use it in forensics that makes it really interesting what you're saying it rusts as well slightly so you can kind of tell when it was written oh yeah so i i had so i i very rarely have uh i don't do a whole lot of cases now but not too terribly long ago maybe a couple years ago i had one that was looking like it was heading to arbitration and for some reason the opposing side was challenging my handwritten notes and i had used the general of the army's ink and i went through the fact that it stains the cellulose that because it was this deeper shade of green versus the like lighter green that it comes out i knew that it was at least a couple weeks old like but the look on the opposing attorney's face it was just like ah yeah how do you argue that one thank you and well it was weird because like he almost stopped asking me any questions like there were there were plenty of things that like if he had pressed i would have been like well that's a good question and here's what i know but um i guess because i had the ink game on lockdown he kind of was assuming that the rest of everything was unlocked i wish you had something unlocked and i'm like um you know what no more questions for you that's kind of how it went so flynn you were talking before the webinar sir that you use the pilot inks like what's what are some of your shades or oh goodness that that's a loaded question i just ordered a red one i don't have any red ink but i like them they don't because that's a problem a lot of fountain pen eggs is on paper they just either flow or feather wrong and it looks bad so i think they don't do that there is it it is the tsukiyo i really like that one it's like this teal kind of color it's like a rice little okay i i use all sorts i have a steadily growing ink collection that i should probably stop growing as much as i do but yeah you know it's okay to have a couple of indulgences yeah it's really my own indulgence yeah i i will say that when i'm taking handwritten notes the thing i was really surprised by um and i noticed this after my very first case that i was using a fountain pen exclusively for note taking the level of effort that it takes to write is it's a totally different game like it's you're not pressing as hard or at least for me i'm not and so well you know it's supposed to it's supposed to make writing easier i'm saying to you i'm on my fourth notebooks and i started this internship so it's a nice valley back and say oh it's white down this day or this is the note i was taking then so i can really cross from it i take more notes i'm writing with fountain pens to be honest yeah wow form notebooks you're really going to town oh i have far too many well one of them was a three-second notebook too so i just finished that one a couple weeks ago to do my own forensics at least i date mine now that makes it easy to go back and be like i was on this day so i'm starting to see some folks are attending um folks welcome and i want to let you know that um flynn and i are both pretty easygoing folks so if you want to like ask questions feel free like this is not meant to be us like just coming from the mountain top having some sort of absurd level of knowledge well i think we're doing some interesting stuff i don't think it's anything truly absolutely brand spanking new that you shouldn't have heard of oh hey i've seen some a carlos oh cool some of my friends are pranking me i'm gonna turn my phone off i'll put it into do not disturb flynn you are you have do not disturb pierce capabilities but oh i'm special i can thank you for you you it's an option i'm just i'm putting it out there i love it so um i'll put you on the spot here flynn um i i'm kind of surprised that you did four notebooks of stuff during your internship um what like but i'm not also like it's kind of weird because i know like the level of effort you put into your stuff what are some things that you would recommend people to look for when they're looking for an information or it type internship looking for an internship uh that's a good question because i actually i applied for a couple at like nsa and stuff a couple years ago and in my respect it would have been awful for me i think it's i'm working for a small company where you're really going to be valued like for you i know that the work i'm doing is actual work and not just a case of here's some busy work for you go give me some coffee it's like hey do this research build this website i think in the case of findings might be a good fit for you and some of you can actually learn something i think it's a really really big thing because an internship should be a learning experience and has come to that so well cool i'm glad that i could do that for you because um my internship start is good and so i'm trying to push back against um what i had so cool and it's been great is that it's a case of dc i think it's there's there's so many options especially right now in infosec cyber security all the computer fields that you can afford to be a little picky and really really find something that's going to be a better fit for you because you are working at it and you don't want to be miserable it's a lot easier to go to work when you're enjoying what you're doing yeah no and also um one of the things that i've kind of noticed that's your style is you put a lot of effort into it so like it's not i don't know like you're not uh punching a clock you're not eating the gate on this well that's good that's one thing i guess my advice would be once you are in an internship or even in a job is take notes because i guarantee you'll be that time when you wish you had written something down and otherwise you do all over again it's happened i've had some commands that i've tried i'm like i said i tried but i wrote it down so i can go back and it saved me time so i like taking that i think it helps and it helps you remember stuff once you write it down it's kind of like a secondary way of remembering it yeah i'm a similar way having like doing the writing really helps um like commit it to memory oh yeah i think it more solidifies it than anything else just really really helpful yeah just find someone that you can be comfortable and that you're actually going to learn something because you should and i've learned a lot so i'm thankful for that but yeah find somewhere that's going to appreciate you as more than just intern i think words of wisdom all right well we are about at uh broadcast start time would be good for me to do my intro uh yeah please do all right well hello everyone and welcome to today's stanz webcast life is a bit easier with what to log.com my name is carol auth of sans today's featured speakers are mick douglas sand senior instructor and flynn weeks a scene is a senior i'm sorry excuse me senior cyber security student and intern at infosec innovations if during the webcast you have any questions for our presenters please enter them into the questions window at any time please note that this webcast is being recorded and a copy of the slides and recording of this webcast will be available for viewing later today and can be found on the sans registration page with that i'd like to end the webcast over to our presenters thanks so much carol so um before we get started i want to be very clear this is meant to be a fairly interactive webinar now i realize that some of you might just be here for cpe and don't care too much but i'm expecting that a lot of you who are here are just passionate about logs like we are or maybe curious about logs and you know take advantage of the fact that you dial in live and like ask questions away we will uh answer your questions live or some of them we may need to uh put on pause and go at the end of the talk but please please feel free to ask any questions we'd be happy to help dive into them in the time that we have together so a little bit about um who we are so hi my name is mick douglas i founded infosec innovations and i'm the managing partner of it and we're a boutique security consultancy that tries to make like new things you know innovations is in our name and so we try to move the needle forward and do novel things and this is part of our mission in my quote unquote spare time i teach for sans i do 504 which is the hacker techniques and incident response class i also do 555 which is the sim class and both of those have a very interesting blend of offense and defense to them but the common thread is that you do need to have logs to do well in these fields so this is this webinar is really near and dear to my heart also i'm a member of the heinz faculty and feel free to reach out to me on twitter at bettersafetynet hi i'm flynn weeks i am an intern at insect innovations and what's the law was kind of my baby for a long time so i'm really excited to see it get this far as carol mentioned i am a senior at the university of may of augusta i am a cyber security student with a focus in cyber forensics and i also reached on twitter at sounds all the time now this talk is available at the sans site and if you're watching this or watching the recording you can certainly get it from the sales registration site this is also available on our website at infosec innovations.com talks so feel free to get the the slide deck from there as well so what we're going to be talking about for the time that we have is this labor of love project that we've been doing called what to lock and you know no security project is complete unless it's got a logo of some sort so that shows you how serious we are about what to log now the thing that is worth pointing out is that within what's a log we to the extent possible with our projects we like to have a mission statement that helps drive how things are done on that project and the mission statement for the what's a log project is that it's a crowdsource site that helps teach you what to log how they help you and helps build custom scripts and just a little warning we're going to be showing you this mission statement over and over again because it really was a driving force for what the site is and what and what would make it on the site and what wouldn't make it on the city so what we're going to be doing through our time together is we're going to be highlighting what these different things are and what they mean for you so what to log like the the whole site itself okay you know let's just dive in and start talking about it and this demo will give you a very quick whirlwind view of what the site is and then we're going to dive in on some of the neater features because this site is actually a lot bigger than many people think and one of the things that i've noticed we don't have any tracking cookies on the site so we don't have any of those gdpr notifications we're not we're not tracking you but in me looking at the usage patterns from the logs i've noticed that there's certain parts of the site that people are using and others aren't getting as much love and i definitely want to show like show that now the main thing and i expect that most people would be doing within the site is viewing the logs so if you go to this view the logs section this is where you actually see the different you know operating systems you've got this neat little collapsible menu that you can use for navigation as we build out additional log sources different operating systems we'll be including them here i want to say a special shout out to sebastian our developer who made the front end so thank you for that but um this is what most people will be using on the site and that's perfectly okay um playing cards face up this is a resource that i'm using a lot now in my day-to-day work and i hope you use this too but the site goes so much deeper than that one of my favorite elements that hardly anybody ever goes to is this section right up here this os tools the os tools section actually shows you how to do living off the land logging activities and this is just a great cheat sheet that's nice and consolidated has nice cool little graphics it just man it makes life easier and um unfortunately as of right now this is the least used part of the site and um hopefully we can drive traffic to there up now the next section and this is a section that we're going to be spending quite a bit of time talking about is the sawmill so now one of the things and we'll demo this deeper in in a view like closer to the end of our time together one of the things that we've tried to do is to make this site be super easy to use and sawmill is a function that i released prior to this webinar as like a little sneak peek to show you what we're doing and the idea behind this is to actually help generate commands that you can run to learn how your systems are logging so this is a really really cool cheat sheet i expect that this probably will become the main draw of the site and that that's fine that's great um another part of the site that is super fun and i can't wait to hear flynn talk about is the blog we are clearly passionate about logging we hope you are too and we're going to be sharing a lot of that in the blog section so in a minute we'll be talking about what you can expect in this vlog because it's not going to be a you know traditional blogging oh excellent question so is mac os covered in terms of logging the answer is yes with a little asterisk we have it in our dev instance or we're building it out in our dev instance we don't yet have that so we'll cover that in just a little bit so yeah we will cover cover mac it's not available just yet and we'll dive into why that is but it will be on the site soon so i've already kind of covered um [Music] the main functions of the site honestly this slide is more of a throw throw for the people who are going to be watching the webinar afterwards or just want to go through the deck again the deck is freely available so this sounds really weird that we showed you the site now we need to go backwards a bit but it's really important that you understand why we built this site because this is a very weird and different project and we need community involvement but we don't i don't know how to phrase this without it sounding kind of snobbish but we want the right kind of community involvement we don't want help that will distract or pull us off mission and so what i want to do is help explain like why we built the site like what drove us to do this so that if you understand the origins of the site i think that you will be much quicker in alignment in terms of what the site can do and what the site can be so let's dive into why we did this um i know it sounds really weird but we had to um there's no really good at least that we were able to find it boy did we try we couldn't find any good platform agnostic vendor you know neutral site that shows all the different logs that are out there and so it became very much of yeah the information's out th re but it's a horrible scavenger hunt and nobody's done this now i'm sure other people have thought like oh this would be a neat thing to do but nobody's been in the situation where they either had the time resources or interest to actually start doing this and i got to say a big shout out thank you to flynn who actually got this whole thing started because and flynn i don't even remember what project it was for but i gave you a task to research a bunch of logging options for some it was some client-based question i don't i don't know if you remember which one it was for i was looking into instant response a little bit more and uh logging obviously came up because it's a great way to clean up after an attack and this conversation pretty much happened of where's this resource for it yeah and it just it was really weird because you know one of the things that happens after you've been in the field for a while you know in a particular industry you stop looking at the elephant that's in the room and when somebody has this fresh new set up eyes like they ask these questions that you've just kind of taken for granted certain things and when flynn asked that like my head exploded i was just like i don't know like why don't we have that and so we said like oh let's build this all we need to do is compile the information it can't be that hard wow we are like nine months later yeah and we're i mean we're at several hundred hours of time between all the people at infosec innovations who've been doing this between you t myself uh sebastian certainly so um this definitely has been a labor of love for the community and we hope that you folks start using it and when we say that this is for the community i want to be clear that if you're in i.t if you're in security this site really is for you now i'm not going to read you this slide okay chances are you've got your own motivations for you know why you're here and what you want to get out of this site but i want to be clear that from the get-go we knew that we needed to have a resource that spoke to just beyond us and so to that end we have worked very very hard to empathize and try to come up with you know what what do you need in order to succeed in your day-to-day job and later in the webcast we're going to share with you how to get involved because there's a very good chance that you have a use case for this site that we just haven't thought about and it's not because we're malicious it's not because we're you know kicking you to the curb it's because we don't know so help us get better so i see another question uh thank you for this this is a great one any plans to add sql or weblogs and the answer is absolutely um we're going to cover our current state where we're at with what we've got right now and then we'll talk about the next steps but the short answer yes we are planning to do that um really that makes actually for a really nice transition it's almost like that question was perfectly timed um where we're at with the site right now is and this is by design we're kind of like in death star 2.0 return of the jedi right it's it's dangerous it works but it's still being built and so what you're looking at is a viable functional site that has a lot of content but you're also looking at the scaffolding of what will eventually be and so we've got the operating system tools the major we got a couple major operating systems um i haven't gone into the logging levels though that this is a very interesting subtle subtle attack i need to be very transparent with you one of the goals of this project is to push back on the conventional wisdom of what logs are or how they're gathered or how they're used and the logging levels is a very carefully crafted shot across the bow of the rest of the industry because how things are done almost certainly isn't good a lot of people when they say i don't like my sim i don't like my log aggregator i don't like my score what they're really talking about is that they don't have the right logs they're not using the right logs and those issues ripple through their security stack and manifest in the sin or in the sore and so we'll get to that in a little bit so i do want to be very clear though and honest with everybody from the start there are some meta-level themes that we're going to explore in this webinar that are not immediately apparent that you need to be aware of because if you're going to contribute with this project there are some things that we're going to nudge against the conventional wisdom and then of course the sample codes this is what everybody's really resonated with the community and we're absolutely going to stay committed to doing that so this uh dives really neatly into what we want to do so flynn what's in the road map so we've kind of started picking up steam to log and we really don't intend on slowing down anytime soon and this kind of answers the two questions that were asked about if we're adding certain things so in the future for what to log we're planning on adding how to enable and disable logs from the command line so you can turn on and off logging mac os uh logs are being released specifically we're working on catalina at the moment and those are in progress we got some of them had a couple more to do we're also looking at adding other links distributions such as red hat um potentially others in the future if we can think of other ones that really need support we're also looking at adding more windows logs there is a wealth of information that is logged by windows so we want to add a bit more about that and about what it can give you application logs we are adding those we are adding specifically web servers first and then we're going to branch out a little bit more from there uh firewall logs are also coming because we think that's again really really important you also want to make what's log a lot more accessible to people and so you can get it in the format it's going to work best for you we're planning on releasing it like a github a json and a spreadsheet and other formats is that just to make it a bit more accessible so you can really get what you need out of it right and i want to jump in for just a second there's a really cool question are there any plans to have other projects like sigma or elk to provide assembly lines so that you can say like hey i want to use this sigma alert rule like what are the logs that we need to generate that's something that we've thought about um i think that we need a few more infrastructure elements set up but i definitely want to explore that space another thing somewhat related to this question that um would be one that i'm i think would be even more helpful in the short term would be um to generate uh configs for tools like uh sysblog um you know nx log different log agents so that you can copy and paste elements to enable or disable the log collection not only on the os itself but also on the log agents that are used so there's absolutely some plans to to go down that path but one of the things that we need to do a little bit before then is resolve some other dependencies and i know this sounds like a little bit of a stretch but we do need to solve some um logging uh framework dependencies first and that actually transitions really well into this next slide so we are in the process of adding these actually these are available on some of our logs we have to build it out a little bit more and it's a little bit deeper but we are adding support for the logging frameworks and what they require um specifically we're focusing on nist special publication 853 and 800 171. we're also looking at some guidances like jpcc and the nsa cyber event forwarding guidance because they give us a lot of information about what they think should log so give us another perspective we're also adding hepa compliance and pci dss so that you can again just make sure you're in compliance with things and what that means for your logs we're also going to add a bit more about these frameworks and how they apply to logs because they're not always written about here's the login to collect we're going to try and break it down and say this is a this framework needs these logs specifically right and um one item that i could envision we're not there yet but as this functionality builds out i could envision there being a component on the site where you say i need to follow this particular framework you click it and then it will build out all the log commands like that you need in order to be compliant with that particular framework we're not there yet but we're heading in that direction so i just saw a question come in about the time frame to have the hipaa and pcis integrated i don't can't give an exact date on that quite yet we are i said if some of the logs actually already have the information out there um they are big big documents to look through and make sure i don't want to miss anything so they are coming they are already actually in the works i just don't give an exact date on that and it's also the question about an offline repo that's kind of coming a bit more later with sawmill and something we'll discuss later yep yep absolutely so another next step for us is the um we want to get more information out of the logs rather than just having more logs everywhere um this includes a breakdown of each field of a log and what it means for the log and what it means for you so just getting more information out of our logs and also we're going to provide a suggested arrangements and how to get even more information out of these logs because there can be some times that you want a little bit more information there are some times you want less information so we're going to suggest fields that you can remove but don't just take our word for this please always consult compliance and legal first but this can help with just general storage because it adds up i mean you have sometimes millions of logs being generated on a network and if you can start removing fields for your own needs then you can really start saving space and making analysis a lot easier yeah and one thing i i don't know what the attendees on online right now or even those who will be listening in the future they you might be freaking out when you see this bullet point and i want to be very clear we are not advocating that you you know break any contract clauses or violate any laws or whatever that's not what we're saying but what we are saying is that if you can thin your logs you should do it and one of the things that i'm a little upset with the industry as a whole is it seems that there's a pretty strong perverse economic incentive for people to have this log everything approach and that just doesn't work it doesn't scale it doesn't it and actually and taken to extremes this approach is the root of many of our problems in the industry you absolutely with a few exceptions can remove fields from logs now the big thing i want to be clear about here is i'm not suggesting that you alter the system of record i would never advocate that but what i am saying is that you're almost certainly already if you're doing any kind of data analytics on your logs you likely have a working copy that is an exercise or an excerpt from your actual logs that's all we're advocating here is that you get the minimal amount in order to tell the story and in some cases i've worked with clients where we have 60 percent or more data reduction and that's huge so it the the savings can be managed oh yeah i see a call out to malware archaeology i love love that site and um also i'm happy to call some of the folks that are involved in that project friends so yeah we um that's you know what i'll own it i should have put that into this presentation so that's a massive oversight on my part sorry about that so okay at this point based on the questions and the feedback that we're receiving it it sounds like we're on to something okay now this is where the whole point of this webinar is from here on out yeah just real quick as a question about um is there is this my non-seen point of view as far as our log parsing and taking the fields out yes it's a bit more of just for your own records making an analysis easier okay also about the legacy windows we actually also support windows 7 at the moment so which is kind of considered legacy version i would like to go back a bit further and touch on some of the older at least even in blog posts talk about some of those older windows versions like some of this mentioned windows xp because they are unfortunately still used today so i think it's something that can definitely be considered we had talked about it in the past and we have xp in our lab so we absolutely can do that so yeah but um uh there was one question does the website tell you what credentials you have to run the different utilities under no we don't and that's actually a really good uh call out so i'm making a note about that we'll um most of the time you're going to need admin level for what uh work we're doing because um especially on windows machines the security log you will not be able to interact with in any meaningful way yeah i know that's mentioned in the powershell part of this but i think i have to add that to in that view thank you for that the uh so yes as mike was saying we need your help this is a we take a lot of ideas and a lot of crowd source information we really want the different points of view to be part of what to log so we can make a better resource overall and so flynn how can they reach out to us there's several different ways um we have a twitter account set up for what's a log where we post a lot of information about the blog posts any changes that are being made and we're also planning to have a bit more conversations going on there we also have a whole subreddit set up um so you can really start a proper conversation and have it as a thread and it's more that's more than just what to log that can also be as about logging in general about problems you're having with logging any questions you have and not only will i be able to answer them but other people in the community can go back and answer them as well so we're kind of trying to get those on the go as well yep and one thing to point out uh the choice for reddit was a deliberate one we were um discussing like having a slack instance or a discord server for this and eventually we settled on reddit because the idea of having a moderated threaded conversation that will be longer lasting than discord like i'm a big fan of discord and slack but for these sorts of conversations i think that it's important that we have a record of what people discussed and have it be a little more less fleeting than the stuff on discord that just scrolls on by and you'll never see again exactly so we kind of basically also get a bit of an archive there's a question about live versus offline commands i think that's something we can definitely explore there's not a always a huge difference but yeah i think it's definitely something we can definitely start looking at yeah just shooting from the hip most of the commands that we are using you would instead of just running the command as um as presented you would just point to the dead box artifact so like the ebtx file on the one that you've recovered from the dead box but i like that that should be at a minimum that's a really good question and i think should be a blog post i was thinking the same thing yeah this is this is exactly what we want we want these other suggestions and other things that you guys want us in the site because it makes it a better resource not just for us but for you and for everybody so that's really really important it kind of ties into our next slide yeah yeah and whoops what's advanced we have already gotten some really really great suggestions i know mick has reached out on twitter several times and just seen what do you guys want to see on the site and um these people all give us the suggestions for a lot of our compliance um coverage so thank you shout out to them we have been working on that pretty heavily behind the scenes um but other things like that we'd like to said we want a conversation and we want to know what you want to see on the site yeah yeah because if we just do thi for ourselves it'll be fun but like it's a lot more fun when it's a party and i saw a question about mitre attack we're talking about a little bit later actually that's mentioned in here so as far as contributions right now we're really um working on said it's just we want to start with the conversation at the very least and we wanted to hear your ideas and inputs um and that can then can then we can figure out how to translate that into the site or into a blog post something like that yeah we haven't really thought about any expectations really i mean we would be just eternally grateful like i know this sounds really weird but i'm the type of person that if you're like hey this log is wrong you got it bad like this is bad and you should feel bad well i will feel bad tell me what we're missing and we'll fix it like if you want to do more and help out more like for goodness sakes yeah we'll take it but um this isn't something where we're looking for like uh an ongoing level of input from you um i know that there's some open source uh projects where like if you don't contribute at a certain threshold you get like lesser status now this is just a hey let's all just kick this thing and see what we can do to make it better now one of the key things that we're trying to do here and this is the bit where some folks might get a little uncomfortable so understand that i'm a big person on nudging controversy i don't want to quite poke it in the eye but i do want to rub up against it a little bit to make if you're not having some discomfort you're doing things wrong and there is a lot that's wrong in the industry with logging and so what we're going to try to do to the extent possible is explore and challenge some of the conventional wisdom because sometimes it's based off of it ritual that might have worked decades ago but it doesn't carry over to today so so um let's let's dive into like some things okay probably the most controversial thing that a lot of uh people struggle with is that not all logs are equal and you know not to pick on windows but i'm totally going to pick on windows if you've ever looked at the windows event log the signal-to-noise ratio on that thing can be horrific and it just boggles my mind that a lot of people treat logs as if they're these sacred things and there's some logs like in the uh system event log that i just i don't think i'll ever care about ever and i'm passionate about logs so i want the industry to stop treating logs as this monolithic uniform thing certain events are infinitely more interesting than others and so one of the items in the next slide we're going to show you how we're trying to solve this how we're trying to nudge the industry into a different view of things and part of the reason that we're wanting to do this is simple raw economics if you dial up all the logging you're going to crush your storage you'll even have some localized network performance issues okay we don't want that and part of the reason that logging doesn't work is an ugly truth many of the sim vendors many of the log aggregator vendors and a lot of the cloud providers have a perverse economic incentive so that you log everything because they charge by the events per second that are sent to them they charge by the gig you consume per day and that's silly what we are going to advocate is for a pretty strong some would even say radical departure from how logging is done and you have to understand that logs are only useful for a certain time frame and this phrase half-life of usefulness comes from fellow sans instructor justin henderson and really like i knew when i first met him that justin and i would be friends but what really made me chuckle was the day that he said you know some logs age well you know a transaction that shows things that you can go back in time even a year later and show what happened when and who did what that's awesome and i agree i thought that was neat but he also shared with me that some age like milk and that is true like if you've ever done analysis on like a dns log a malware domain stays malware not that long and so what we're trying to do is treat logs for the the nuanced things that they are and how we're approaching that is using this log leveling system now each log whether it's an operating system or an application will be broken down into three buckets and um you saw this actually in passing when i showed the site this minimum ideal and extreme so now minimum as the name implies this is what we on the what's a log project think are the bare minimum of logs to collect these are logs that shouldn't be generating too much noise on a given day they help tell the story that needs to be told and nothing more they're not fancy but they get the job done now moving up in terms of volume are the ideal logs and these are things that may be happening a little more frequently they may be a little noisier so the signal-to-noise ratio might not be there and then logging the idea behind extreme logging is this within reason grabs the logs that tell the story but are a bit more noisy now a couple things i've been trying to be as honest as practical with y'all about this and one thing that i do want to point out is that these minimum ideal and extreme we didn't come off the top of some mountain we don't have this elder wisdom on what makes what what we're doing here is we have gone and looked at the various frameworks that flynn mentioned a couple slides back we've gone and asked a couple different industry experts and we've consulted different um resource guides from some of the certs that were mentioned on earlier slides and a couple that i neglected to put in there so sorry about that um what we've tried to do is break them out into what their usability is your mileage may vary that said what we're trying to do is give you a resource that you can use to management when they say well do we really need to collect this thing you can use this site as a tool so feel free to use this now i'm sure you might have a different opinion on some of these and this would be one that we would love to get some feedback on you know do we have this right um and we do realize that these these will probably fluctuate over time so uh there's a great question on network uh correlation um i'm gonna put a pin in that one that's that's one that we'll uh answer if time permits if not um i'll uh i'll address that on a very lengthy twitter uh blast there is a uh blog post actually a little bit about event correlation it was something i wanted to go into a little bit more further in a future blog post but that's a really good question yeah so plan take it away yeah speaking of i guess part of our foundational thing for what to log was how logs help you because i'm a firm believer in the fact that logs really really do help people they are huge sources of information that can help you clean up action attack detect and attack and all sorts i mean get that a little bit more i think is let logs help you um they can be signs of attack you can see something strange happening and prevent it they're also really really good breadcrumbs in the wake of an attack you may be able to see the whole event and really trace out and figure out exactly what happened they're also just a general health check even if it isn't an attack you can really see something isn't working just quite right and you can do whatever you need to do with that and that just saves everyone time and because it saves time and also saves money which i think most people like to do so i think to the case of blogs can really help you and it's in more ways than one i think it's something that's really important that people tend to forget with logs is let them help you and let them help you in the right ways yeah one of the rants that went on when we were preparing this deck is about the general health checks if you are in a security group at a company where you're not getting the funding that you need i want you to understand that what i'm about to say comes from a place of love and i'm not uh hating you but you do need to understand that if you are not getting the funding you need it's your fault it really is because logs tell how the infrastructure is behaving and you as the security practitioner have a view that most organizations would kill for and so if you can't tell how systems are performing like i don't know what to tell you i mean let's frame it differently okay what's the difference between a ransomware attack where your cpu is spiked and your brand is totally consumed what's the difference of that versus a machine that's over provisioned and needs to be you know swapped out with a more powerful system the answer is almost none so if you're gathering data that detects certain security events it almost certainly can be leveraged into things that the business cares about so operations might not care about security but at almost every organization they care about availability and logs can be used and in a way weaponized to that end so let the logs help you because frankly they're telling the story in many cases they're screaming and shouting and nobody's listening now to that one of the things that we're doing on each and every entry we have a certain taxonomy of how the entries are going to be broken down of course we'll say you know what the logging event is we give you what operating system or application that log comes from but then we also tell you why we why you want this log and this gets back to something that i really quite dislike about how you know quote-unquote traditional operations and you know quote-unquote traditional security is done it's just like do this thing or else the auditor gonna hit you and if you do the thing auditor don't hit you and you're happy well that's dumb that's not how you should be doing things instead what we do is we tell you what stories you can tell with a particular log we also for the ones that we've got on the site right now we tell you what frameworks can be advanced by gathering this data now earlier there was a question about will this have any integrations with tools like sigma and this is where that integration can happen as we start building out this um this functionality we would be able to tie the different sigma ids to these so stay tuned on that one item that we will always have is how to do the check from the command line now you can copy and paste this or you can use sawmill which is something we'll cover in just a little bit here we also show you how to enable via the gui um for the windows stuff this thing is going to be mainly gpo or the local security policy local audit policy settings and then we give you how to view from the gui or the cli someone mentioned how if you're tracking applications it can be more of a someone said if it's an expensive one you can see that did i waste my money or is it application actually being used i think that's a really good point it kind of highlights how logs can be for more than just a health check that can be foray and it's actually worth it kind of just more uses so that was a good point now sorry yeah that's an excellent excellent quote uh thing so builds the custom scripts this is the thing that we teased before this webinar you know you can copy and paste each entry so let's go back to the what to log site if you go to the logs let's do like software installed i could copy and paste this and run this in a powershell prompt i could do that or i could make advantage take advantage of the what to log sawmill function and here's how the what's a log sawmill function works what you do is rather than just copying and pasting you simply say add the sawmill now we probably should make a little notification that was successfully added but what we do is you can think of so this is now having been put into a shopping cart so if you go to view sawmill selection you'll see that the software installed is already selected so now if i do get my scripts it actually generates the command that you need in order to show that element um one thing that sebastian the developer hey sebastian if you're watching a replay thank you for all your hard work on this and one of the things that's neat about this is you can select multiple log elements you can even select them at a group like that what you do is you simply say get my scripts and it will pull down the elements that you need in order to accomplish this now you can either copy paste this or put it into a power shelf script and you're done now some of you probably are like but we're uh you know a mixed environment we're not just windows we also have unix well as you can see we have unix and one of the things that's neat about this is the way it's done like you select whichever things you're interested in and say get my scripts and we break it down for you based off of what method you're going to be pulling that information so we've tried to make this super easy super helpful and it's going to be going further soon we're going to be having functionality where we can have it show you is it enabled or disabled and then also have functionality that will change that log setting so right now what what to log sawmill does is it will pull the log entry which at least in our analysis we think is going to be the most used component but we also want to make sure that you can check the log and pull or adjust the log setting to all using this capability but as cool as that is there's actually a feature of what's a log that's even better and that's teaching you how to think about logging and we're going to do that through the blog so the log blog which is very fun to say is a weekly dive into logs logging systems information about logs all sorts and i try and make it so it's short easy to read and hopefully not incredibly boring um and we also feature updates about what to log there including the new versions and new features we tried to remain as transparent as possible when we were doing less to log and that was kind of part of it was we wanted you to know exactly what changes we were making to the site and what we were thinking of doing that kind of stuff so the blog exists as not only new information about logs or deep dive into logs but also just about the site itself yeah now we're not done with the presentation just yet but we do want to pause for a second and say thank you okay we've got a closing but right now i do want to say thanks to you like i i really appreciate these comments these questions we've been making notes like we're going to be making changes to the site based off of just the feedback that we've received so far so that's awesome and i want to say thank you i also want to say thanks to the fans defensive operations team for letting us give this webinar this is a weird webinar and i want to say thanks for letting us give this you know as much as it's cool that you know folks are learning how to stop the you know solar winds attack it's cool that they allowed us to focus on something that's so foundational so small that it often gets overlooked and i'd be remiss if i didn't say thanks to flynn um this you know there was something really cool about this project and i i know that this never would have happened without her asking not just the question that started this project but all the questions and challenges that she did along the way and this is absolutely a lot a lot of this project is due to fun so thank you flynn and thank you to you too like i said without you i i wouldn't have had opportunity and the chance to learn so much about this and you have been unwavering in your support for me on this project which i really appreciated so thank you for that thank you everyone that's here listening and all those suggestions and questions we've had because i said it gives us a lot more ideas to add to the site which is what we wanted yeah yeah yeah this is awesome now now comes the big closing and this is kind of a weird thing um here's the deal um i feel that this is the webinar we shouldn't have had to give i feel that this is a site that should not need to exist the fact that we don't have this clearinghouse is hella strange you know this this used to be better handled back in the 60s 70s move into a lesser extent the 80s i know i'm dating myself but i r member the orange books i learned unix from them why is it that we don't cover logging like it just it i realize that a lot of people think that logging isn't cool i realize people think that logging isn't fun they're dead wrong it's literally the foundational building block of all of it all of security and every single breach that i've worked every single purple team engagement every single pen test that i work i see that the defenders aren't detecting the attacks because they're not seeing the logs and it makes me so sad these shouldn't be tripping points these should be table stakes we're not there we need your help and this is going to take a long time to fix this because it's taken decades to get to this point and so please like to the extent possible if it's a single little like hey think about this thank you but if you want to do more man will we take it this is a long long journey we're starting and we're just starting and a big part of it is that i don't want it to be all doom and gloom i have had so much fun doing this like when i have had tons of cool webinars where we've discussed and really geeked out on these sorts of things you can't have fun with fundamentals i think that's a big thing is logs actually in my opinion can be really fun they really really paint a story for you and they are the building blocks to that story and if you don't have the building blocks you don't have the story at all so i think if you understand that logs they can be found there's a lot of information in them they paint the picture of what happened in an event but i think most importantly you can get the right answer and the whole answer and getting to the bottom of things is exciting you can figure out is that success of finding out exactly what happened and really understanding of event to its fullest and logs allow you to do that they give you that power to be like this is exactly what happened this is when it happened this is who did it and that's kind of it's a little bit of fun it's a little bit of i can understand now what happened i can understand the whole story which is always satisfying absolutely and one thing that i realize that's kind of weird is i don't know how long you folks have been in security but one thing that i've noticed is that we're starting to think about the security problem differently you know ooda loops come from the military in terms of how you can better orient and respond to attackers um you know lockheed martin gave us the cyber kill chain lockheed lawyers i put the tm please don't send me some cease and desists but these sorts of ways of thinking about what an attack is and what it what it constitutes helped us start thinking about things differently and i don't you know i i don't want to sound too grandiose or anything but i'm hoping that this project can at least be part of a rethinking of what vlogs are because you can do some amazing things i mean look at the work that miter's done like attack it the attack framework is amazing and awesome i love it but you know look at some of the more foundational projects like the common weakness enumeration the cwe that's one that does not get nearly enough love because attack is sucking all the oxygen out of the room and i think that's kind of what's happened with logs you know i remember a time before firewalls and you had to use logs and now like everything else has kind of just drawn our attention away and we've lost this really needed critical skill and you know there are people who are doing it and you know what we want to do is just kind of rekindle the excitement and get things going so in closing here's what we need help on exactly and we do need the help it said it's not what we can do on our own we've gotten quite far doing we want the input we want to hear what framework should we cover what oss should we cover what application launch we cover we really want to hear what you think we should add to the site and we're happy to take if you want to give us information as well we're happy to take that and also what can we do to make this site more useful for you and more helpful for you what is the thing is what stories do you want to tell because logs tell that story and if you have the right laws you can tell almost any story and if you have any suggestions please reach out we're on twitter what's logazee what's live account obviously um better sapnet is mick and i am sounds of the time if you want to reach out personally but you can reach out to us suggestions ideas anything and of course the subreddit is there if you really want to start a conversation about logs logging what to log itself we're always there so yeah so we've only got a few more moments left in the webinar we'll be addressing questions now um feel free to type any questions that you have um uh somebody just said i'm glad you've started this which i had this years ago about a couple months into this project i was like that i was feeling the same thing so yeah i get the feeling um i see a comment about the number of cis husbands that avoid logs as it's a black art they couldn't understand and definitely that's kind of the point if you want to make logs more accessible but make them a little less scary to people they're not that scary they should be pretty they should you should use them they should be helpful for you you should want to use them okay well first of all i want to say thank you to everybody who's giving the kind words that they're liking this project cannot overstate how happy that makes because i'm invested a substantial amount of time and effort and the our pro we have a proxmox lab that is absolutely unreasonable and a lot of it is dedicated to this uh to this project so i that just of makes me all warm and fuzzy inside yes and said this kind of been my baby for the past almost a year now so it's definitely nice to see people enjoying it there is a question about vertical application that aren't widely used again it's something we're willing to add as long as we know what you want us to add we can have it i think it's definitely could definitely look into yeah um okay um yep so making comments about like sims and like defaults well i i get that um part of it is that given the complexity of environments having worked at a value at a var and also at a mssp a lot of orgs don't invest the time to set up sims appropriately so getting beyond those defaults is tricky and um part of that is that they they just they don't invest appropriately and i hope i hope that this site can and this project can start nudging against that just a little bit we kind of want to shake things up a little bit not overly so but i think definitely it's time to get a bit of a new perspective and understand things just because that's the way things are doesn't mean that's what they have to be all the time oh this is an interesting one uh there's no uh real typical best practice um yeah the struggle is finding someone who actually cares about the data information yeah that you know what that's that's an excellent point and i guess you know i i would like it if everyone in it went to the site and used it i realized that only a very thin sliver of folks are going to be using this but for those that are willing to walk the path i want it to be a lot less punishing um you shouldn't need a 30 terabyte sand i think a half a gig of ram now with 128 cores in your lab environment to do this sort of analysis like that's not a reasonable cost like what if we can lower that barrier to entry and make it so that people can join in the party easier that's that's the win for us exactly we want to make it accessible and make logs a little less scary and a little more information uh do you compare what type of login code should be on uh domain controller versus workstation we don't really explore that yet um oh seen some uh about the completed yes that was fixed but has not been pushed this morning we've noticed that as well thank you yeah that's the we found that in one of our pre-show demos the the slash is a little wonky yeah um but the domain controller versus workstation um we don't get into that directly but it's kind of tangential we can explore how to make that a little more apparent like a lot of these things wouldn't be caught from them uh you can only catch them on one versus the other okay also the point about long event versus authorization that is a very good point um yes they are different i there's a blog post about one of the authorization vlogs i kind of want to explain that a bit further because that's a very good point is there are differences yeah yeah well unfortunately we're running out of time i just wanted to say thanks again to everyone who attended i also want to say thanks to the isi clients um a lot of your money got folded into this project so when you're when you buy isi services we put it to use for community things like this so if you want more stuff like that come aboard and we'll put it to good use so carol we're done over to you all right well thank you so much flynn and mick for your great presentation which helps bring this content to the sans community to our audience we greatly appreciate you listening in for a schedule of all upcoming and archived sans webcasts including this one please visit sams.org forward slash webcasts until next time take care and we hope to have you back again for the next sans webcast