Automating Security - QCon London · A 3rd party contacts the company because they notice something...

58
Automating Security @ Ryan Huber Twitter: @ryanhuber

Transcript of Automating Security - QCon London · A 3rd party contacts the company because they notice something...

Page 1: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Automating Security @

Ryan HuberTwitter: @ryanhuber

Page 2: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

whoami

Page 3: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)
Page 4: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Additional Information

Page 5: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Breaches

Page 6: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

How does a company know when it has been hacked?

Page 7: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

The company’s employees notice something strange

Page 8: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

A 3rd party contacts the company because they

notice something strange

(*Krebs)

Page 9: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Hacker(s) contact the company because they

want them to notice something strange

Page 10: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

They don’t

Page 11: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Time

Page 12: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

How did they get in?

Page 13: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Verizon DBIR

Page 14: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

“Pulling back from a single industry view, we find that most of the attacks make use

of stolen credentials, [...]”

“[...] 95% of these incidents involve harvesting creds from customer devices, then logging into web applications with

them.”

Page 15: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)
Page 16: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Overview

Page 17: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Collecting DataDetection

RulesAlerts

VerificationQ&A

Page 18: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Step 1: Collecting data

Page 19: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Our own AWS account

Page 20: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Set up a reliablelogging pipeline

Page 21: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

rsyslog (w/ RELP)

Page 22: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

streamstash(or logstash)

Page 23: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)
Page 24: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Elasticsearch

Page 25: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Data Sources

Page 26: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

auditd

Page 27: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

go-audit

Page 28: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)
Page 29: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

auth logs(ssh…)

Page 30: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

cloudtrail

Page 31: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

web logs

Page 32: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

everything, really...

Page 33: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Step 2: Detection

Page 34: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

The defender’s advantage

Page 35: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

ZERO DAYS ARE NOT INVISIBILITY CLOAKS

Page 36: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

The Hypothetical Malicious Insider

Page 37: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Off-the-shelf rulesets

Page 38: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Monitoring Tools

Page 39: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Elasticsearchor

$plunk

Page 40: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

ElastAlert

Page 41: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Rules

Page 42: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Time awake

Page 43: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Impossible GeoIP

Page 44: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

IP

Page 45: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)
Page 46: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Alerts

Page 47: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

AlertCenter

Page 48: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

SecurityBot

Page 49: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)
Page 50: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Don’t overwhelm everyone

Page 51: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Verification

Page 52: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Carbon Black, anectotally..

Page 53: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Canaries

Page 54: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Red team exercises

Page 55: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Bonus:

What if they got in anyway?

Page 56: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Forensic data is there

Page 57: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

Summary

Page 58: Automating Security - QCon London · A 3rd party contacts the company because they notice something strange (*Krebs)

https://goo.gl/ZAxCnH

@ryanhuber


Ciclo de Krebs Prof. Rodrigo Alves do Carmo. Ciclo de Krebs Descoberto por Hans Krebs, em 1937.

Ciclo de Krebs Prof. Rodrigo Alves do Carmo. Ciclo de Krebs Descoberto por Hans Krebs, em 1937.

QCON London 2013

QCON London 2013

1st4sport Level 3 Certificate in Supporting Physical Development …€¦ · QCON 1.1 Qualification workforce capacity and ratios QCON 1.2 Qualification administrator QCON 1.3 Qualification

1st4sport Level 3 Certificate in Supporting Physical Development …€¦ · QCON 1.1 Qualification workforce capacity and ratios QCON 1.2 Qualification administrator QCON 1.3 Qualification

Automating Netflix ML QCon SF 2017 | Eugen Cepoi, Davis ...Automating Netflix ML Pipelines With Meson? Goal Create a personalized experience to help members find content to watch and

Automating Netflix ML QCon SF 2017 | Eugen Cepoi, Davis ...Automating Netflix ML Pipelines With Meson? Goal Create a personalized experience to help members find content to watch and

Rainer Krebs

Rainer Krebs

Taobao practice-liyu-qcon

Taobao practice-liyu-qcon

Netflix keynote-adrian-qcon

Netflix keynote-adrian-qcon

Contigous improvement - QCon

Contigous improvement - QCon

Spring design-juergen-qcon

Spring design-juergen-qcon

Qcon 111122082620-phpapp02

Qcon 111122082620-phpapp02

Fofo Krebs

Fofo Krebs

Qcon SF 2013

Qcon SF 2013

DA W 6 Tools - Amazon S3€¦ · midiin2 (icon qcon ex v1.05) midiin3 (icon qcon ex v1.05) icon qcon ex v1.05 midiin4 (icon qcon ex v1.05) 17 18 15 16 14

DA W 6 Tools - Amazon S3€¦ · midiin2 (icon qcon ex v1.05) midiin3 (icon qcon ex v1.05) icon qcon ex v1.05 midiin4 (icon qcon ex v1.05) 17 18 15 16 14

F# Tutorial @ QCon

F# Tutorial @ QCon

Netflix web-adrian-qcon

Netflix web-adrian-qcon

Domainlang keynote-eric-qcon

Domainlang keynote-eric-qcon

Catalogo Krebs

Catalogo Krebs

Setup up for your QCON Pro & QCON EX controller section Note:

Setup up for your QCON Pro & QCON EX controller section Note:

Ciclul Krebs

Ciclul Krebs

Mobile Transformation - QCon

Mobile Transformation - QCon