The Gravwell HTTP ingester now supports a default config block that's compatible with Splunk HEC ingester defaults. To show this in action, we will use an awesome attacker simulation tool, Scythe and our old pal Sysmon and also tease upcoming purple team content.
SC Magazine published an article headlined "SIEM rules ignore bulk of MITRE ATT&CK framework, placing risk burden on users." In the article, Bradley Barth writes about a study showing only 16 percent of the MITRE framework was covered by SIEM rules.
I take issue with the core premise of this article. MITRE ATT&CK is a framework for high level planning and strategic thinking, not for a series of checkboxes on which to overlay a vendor product. We need to avoid turning cybersecurity into checkboxes. What do I mean? Read on to hear my thoughts on the SC Magazine article, and to see how we work with customers to improve observability without forcing them to fit a pre-defined mold.
We're building a Gravwell Kit for Sysmon! This blog series examines some of the event types that Sysmon generates to see what data they contain, opportunities for enhancing security, and example queries with Gravwell. Part 1 covered the Process Creation event type. In part 2 we jump into: Network Connection events!
I'm building a Gravwell Kit for Sysmon! This blog series follows the development of that kit for the awesome (free) sensor for Windows EDR, Sysmon. In this series we'll look at each event type that Sysmon generates to see what data it contains, opportunities for enhancing security, and example queries with Gravwell.
This personal story I'm about to tell highlights one of the most important differentiators between Gravwell vs Splunk -- a non-abusive pricing model. Data rates aren't always predictable….
This month has been a big deal for IT logging of windows endpoints. Sysmon v10 was released last Tuesday and it includes the major changes of DNS logging and OriginalFileName reporting for Windows events. If you've ever tried to set up Windows DNS logging before, you understand how awesome this is. This post is all about the new functionality and how to make use of it in Gravwell.
Before founding Gravwell, I was doing quite a bit of vehicle cybersecurity. Lately I haven't had much opportunity for that kind of fun -- turns out founding a company is time consuming work. Today is a throwback Thursday, however, as I'll be presenting on CANBus and vehicle security at the local DEFCON meetup. We didn't build Gravwell for car hacking but I gotta say, having Gravwell years ago would have made my life a lot easier…
For the 2018 Super Computing Conference (SC18, held in Dallas, TX), Gravwell provided our analytics platform to the Network Security team. These brave souls were responsible for cyber security on a network consisting of $52 million in contributed hardware, software, and services plus 4.02 Terabits per second of external capacity. This means that not only does the SCinet Network Security team need to protect SCinet from the world, it needs to protect the world from SCinet.
Huge Gravwell updates today!
Thanks for your patience during this short period of radio silence, but it’s been for good reason. Today we’re happy to announce Gravwell version 3 which comes with a whole slew of delicious features and improvements.
The 2018 development year was primarily focused on improving search and ingest performance, scalability, and stability. We’ve made tremendous strides on this front and I’m excited to talk briefly about those here and in greater detail during the coming weeks. Our 2019 has a strong focus on improving out-of-the-box functionality -- keep reading for more info about the update and exciting plans for this year.
One of the biggest complaints that’s heard across the industry is that of cost. “Too expensive” or “untenable pricing scale” are things we have been hearing from colleagues at conferences and on forums for years. Years! Yet we’re still stuck with this extremely frustrating pricing model that disincentivizes people from using the very tool they purchased. What do I mean? Let’s dive in.