My Cyber Sense Is Tingling! Detection Engineering With Free Tools
2025-06-21, Track 2 (Moody Rm. 101)

Detection Engineering is the art and science of taking information about potential threats and turning it into automated alerts. In this talk I will discuss using the free and open Security Onion platform to monitor network traffic and logs in your environment and alert you to potentially malicious or suspicious events.
Every threat hunt, every incident response, and every bulletin from your ISAC comes with a wealth of intelligence and indicators that you can leverage to spot suspicious or malicious activity in the future. The process of taking that information and turning it into reliable, repeatable alerting is known as Detection Engineering.

In this presentation I will introduce the free and open Security Onion enterprise monitoring platform, the methods by which it can generate or ingest logs about what's happening in your environment, and how we can use that log data to trigger alerts for potential incidents. Whether you're looking for artifacts in network traffic, file structures, or endpoint logs, it's easy to create new detection rules so your analysts are aware when something suspicious rears its head.
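The abstract above describes the detection engineering loop in one sentence: take indicators from a bulletin or an incident, and turn them into a repeatable check over the logs you already collect. The following is an added example illustrating that loop, not code from the talk or from Security Onion (which expresses such detections in its own rule languages: Suricata for network traffic, YARA for files, Sigma for endpoint logs). It assumes Zeek-style JSON records with a `_path` field naming the log (conn, dns, ssl); the indicator values and log lines are constructed, using documentation address ranges and the reserved `.example` TLD, and the JA3 hash is hypothetical.

```python
import json
from dataclasses import dataclass

# Constructed indicators in the shape an ISAC bulletin might provide.
# Addresses come from the TEST-NET documentation ranges and the domain uses
# the reserved .example TLD; the JA3 value is hypothetical. None is real
# threat infrastructure.
INDICATORS = {
    "c2_ips": {"203.0.113.45", "198.51.100.7"},
    "c2_domains": {"update-check.example"},
    "ja3": {"e7d705a3286e19ea42f587b344ee6865"},
}

# Each rule names the Zeek log it applies to, the field to inspect, and how to
# compare it. "suffix" lets one domain indicator also catch its subdomains.
RULES = [
    {"name": "Bulletin C2 IP contacted", "log": "conn", "field": "id.resp_h",
     "match": "exact", "values": INDICATORS["c2_ips"], "severity": "high"},
    {"name": "Bulletin C2 domain resolved", "log": "dns", "field": "query",
     "match": "suffix", "values": INDICATORS["c2_domains"], "severity": "high"},
    {"name": "Bulletin JA3 fingerprint", "log": "ssl", "field": "ja3",
     "match": "exact", "values": INDICATORS["ja3"], "severity": "medium"},
]

# Constructed Zeek-style JSON lines, one record per line; "_path" says which
# log the record came from. The last line is deliberately malformed.
SAMPLE_LOGS = """
{"_path":"conn","ts":1718960000.1,"id.orig_h":"10.0.0.15","id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp"}
{"_path":"conn","ts":1718960001.4,"id.orig_h":"10.0.0.15","id.resp_h":"203.0.113.45","id.resp_p":443,"proto":"tcp"}
{"_path":"conn","ts":1718960002.0,"id.orig_h":"10.0.0.15","id.resp_h":"203.0.113.45","id.resp_p":443,"proto":"tcp"}
{"_path":"dns","ts":1718960003.2,"id.orig_h":"10.0.0.22","query":"cdn.update-check.example","qtype_name":"A"}
{"_path":"dns","ts":1718960004.0,"id.orig_h":"10.0.0.22","query":"www.example.org","qtype_name":"A"}
{"_path":"ssl","ts":1718960005.5,"id.orig_h":"10.0.0.31","id.resp_h":"192.0.2.9","ja3":"e7d705a3286e19ea42f587b344ee6865"}
not json at all
""".strip().splitlines()


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    source: str
    value: str


def _matches(rule, value):
    """Compare one field value against a rule's indicator set."""
    if value is None:
        return False
    v = str(value).lower()
    if rule["match"] == "exact":
        return v in rule["values"]
    # suffix: "update-check.example" hits the apex and any subdomain, but not
    # "update-check.example.com", which only shares a prefix
    return any(v == d or v.endswith("." + d) for d in rule["values"])


def evaluate(record):
    """Run every rule against one parsed log record; return the alerts it raises."""
    return [
        Alert(r["name"], r["severity"], record.get("id.orig_h", "?"), str(record[r["field"]]))
        for r in RULES
        if record.get("_path") == r["log"]
        and r["field"] in record
        and _matches(r, record[r["field"]])
    ]


def run_detection(lines):
    """Parse JSON log lines, skip unparseable ones, and suppress duplicate alerts.

    The second conn record to the same C2 address from the same host would
    otherwise page the analyst twice for one fact; deduplicating on the Alert
    tuple keeps the output repeatable, which is what makes a detection reliable.
    """
    seen = set()
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a detection must never crash on a malformed line
        for alert in evaluate(record):
            if alert not in seen:
                seen.add(alert)
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detection(SAMPLE_LOGS):
        print(f"[{a.severity}] {a.rule}: {a.source} -> {a.value}")
```

Run over the constructed lines, this raises three alerts: one for the C2 address (the repeated connection is collapsed), one for the subdomain of the bulletin's domain, and one for the JA3 fingerprint; the unrelated records and the malformed line produce nothing. The two properties worth carrying into any real rule language are visible here: the match semantics are explicit per indicator type (exact versus suffix), and the same input always yields the same alert set.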

Matthew Gracie is a defensive security specialist with fifteen years of Blue Team experience in higher education, manufacturing, financial services, and healthcare. He is currently a Senior Engineer on the professional services team at Security Onion Solutions, as well as an adjunct professor of Cybersecurity in the graduate school at Canisius University. Matt is also the lead organizer of Infosec 716, a monthly meetup for security enthusiasts in Western New York, and the BSides Buffalo technology conference. He enjoys good beer, mountain bikes, open source security tools, and college hockey, and can be found on Bluesky as @InfosecGoon.