Practical Network Defense at Scale or: Protecting the “Eierlegende Wollmilchsau” by Travis...
Practical Network Defense at Scale
Or Defending the Eierlegende Wollmilchsau
whoami?
Name: Travis Carelock
Occupation: Engineer at
15+ years of experience in the IT and security fields… wow, I’m old…
Building Defense
What are we trying to Accomplish?
Stop the HACK4RS!!
not realistic
(Diagram: node, our servers)
/ˌaɪ̯ɐ.leːɡəndə ˈvɔl.mɪlç.zaʊ̯/ Eierlegende Wollmilchsau
Don’t Panic. Start Simple.
Goals
• Investigate Network Traffic
• Network Traffic Rules with Alerts
• Forensic evidence and long term analysis
IPs? Rx/Tx? Ports?
Investigate Network Traffic
Traffic Rules
Forensics and Analysis
What are the Sources of Truth?
• How Consistent?
• How Independent?
• Ease of Corruption?
• Confidence Score?
• Retention Policy?
Data Integrity
Normalize Logs
• timestamp
• data transfer
Tag Logs
• “src_ip”
• “dst_ip”
Type Logs
• Integer
• IP
What is in the toolbox?
Shoulders of Giants.
(Diagram: me standing on the shoulders of Elasticsearch)
Your hands will get dirty. Write!!
What is the target?
What connects?
To what?
SD
Dependency
Automate
10.0.0.50:23463 -> 10.1.1.255:3306
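The Normalize / Tag / Type Logs slides above and the flow notation on this slide, worked through as an added Python example (not code from the talk or from any tool it mentions): constructed raw connection-log lines in the talk's src_ip:port -> dst_ip:port notation are turned into records with a normalized UTC timestamp and integer byte counts (normalize), src_ip/dst_ip fields (tag) and IP- and Integer-typed values (type), and anything that fails validation is rejected rather than indexed. The field layout around the flow, the unit suffixes and all sample values are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Matches the talk's "src_ip:port -> dst_ip:port" notation with a timestamp in front
# and tx/rx counts behind (that layout is constructed). IPv4 only: ':' splits IP and port.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src_ip>[^\s:]+):(?P<src_port>\d+)\s*->\s*"
    r"(?P<dst_ip>[^\s:]+):(?P<dst_port>\d+)\s+tx=(?P<tx>\S+)\s+rx=(?P<rx>\S+)$"
)
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def normalize_timestamp(raw: str) -> str:
    """Normalize: accept epoch seconds or ISO 8601 (any offset), emit UTC ISO 8601."""
    if raw.isdigit():
        ts = datetime.fromtimestamp(int(raw), tz=timezone.utc)
    else:
        ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if ts.tzinfo is None:  # naive stamps are assumed to be UTC
            ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def normalize_bytes(raw: str) -> int:
    """Normalize data transfer: '512', '1.5KB' or '2MB' become integer bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)B?", raw.upper())
    if not m:
        raise ValueError(f"bad byte count: {raw}")
    return int(float(m.group(1)) * UNITS[m.group(2)])

def normalize_line(line: str) -> "dict | None":
    """Tag and type one raw line; return None for anything that fails validation."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    try:
        src_port, dst_port = int(m["src_port"]), int(m["dst_port"])
        if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
            return None
        return {
            "@timestamp": normalize_timestamp(m["ts"]),
            "src_ip": str(ipaddress.ip_address(m["src_ip"])),  # typed as IP, not string
            "src_port": src_port,                               # typed as Integer
            "dst_ip": str(ipaddress.ip_address(m["dst_ip"])),
            "dst_port": dst_port,
            "tx_bytes": normalize_bytes(m["tx"]),
            "rx_bytes": normalize_bytes(m["rx"]),
        }
    except ValueError:  # unparsable timestamp, byte count or IP address
        return None
```

Because every record carries the same field names and types, a rule such as "dst_port == 3306 and dst_ip is a broadcast address" can be written once and run across all sources.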
Current View of the World
False Positives
• Better Query Design
• Blocking
• Policy and Guidelines
• Additional Services
Not all anomalies are created equal
What about Alert: Actions?
Create Feedback Cycle
Query External Services
ALERT!
Fatigue!
User Interface?
Query Tools
Alert Management & History
Search Help
Dashboard Generation
…but how well is it working??
Automated Tests
System Security
Network and Dependency Investigations
Questions
What goals am I trying to accomplish?
What are the sources of truth?
What tools would work best?
What is an anomaly?
Am I correlating the alerts?
What about user experience?
Is the system robust and secure?
What else can I do with all the data?
you!
Keep Fighting!!!
Name: Travis Carelock
Twitter: @l3d
Email: [email protected]
PGP: 463E B548 F3B1 F879 4589 6505 E417 7480 D1A4 A990
Private: [email protected]
PGP: 4CFC 8E69 4A07 59F2 4508 8A39 0AFA 9CC3 2D65 031E
OTR: [email protected]: 40FCAFD7 FAA097B6 29BE95CE 6740E37E 0790E295
is hiring!
Web: http://soundcloud.com/jobs
Email: [email protected]
Thank You!
Special Thank You to Code Blue and the Organisers!