Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o...
Transcript of Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o...
![Page 1: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/1.jpg)
By: rewtninja
Network Security Monitoring: Beyond Intrusion Detection
![Page 2: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/2.jpg)
Agenda
o Overview of NSMo Benefits of NSMo NSM vs IDSo Limitations of NSMo Free solutions for implementing NSMo DEMO
![Page 3: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/3.jpg)
Whoami?o Security enthusiasto SecOps for an int’l software/cloud company.
We are hiring!o <Insert Certifications Here>
![Page 4: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/4.jpg)
Disclaimer?o The standard … blah blah blah
![Page 5: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/5.jpg)
Why Monitor?NSM Principle 1: Some intruders are smarter than you are
![Page 6: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/6.jpg)
Why Monitor?NSM Principle 2: Intruders are unpredictable
![Page 7: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/7.jpg)
Why Monitor?NSM Principle 3: Prevention eventually fails
![Page 8: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/8.jpg)
Cute Bears! But what is NSM?o Collection, analysis, and escalation of indications and warnings to detect
and respond to intrusions. NSM is a way to find intruders on your network and do something about them before they damage your enterprise.
o It is more than just waiting for an alert to trigger, Successful NSM operations are always collecting multiple forms of NSM data, using some of it for matching activities (via IDS and related systems) and hunting activities (via human review of NSM data)
o More info / Credits
o “The practice of Network Security Monitoring” – R. Bejtlich
o http://taosecurity.blogspot.com – Mandiant CSO blog
o http://www.securityonion.net
![Page 9: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/9.jpg)
Benefits of NSMo Improve Detection of the following:
ü Potential network intrusions
ü Network resources abuse
ü Malware
ü Data exfiltration/leakage
o Improve Incident Response
o Improve Evidence Collection - Law enforcement, Legal
o Improve security visibility into network
o Additional tool against Advance Persistent Threats (APT)
“Retrospective Security Analysis: checking your old #NSM data for Indicators Of Compromise that you didn't know were applicable at the time the intruder acted”
![Page 10: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/10.jpg)
I have an IDS, what makes NSM better?o NSM takes IDS into a whole new level
o Better data for analysis, validation, escalation
o Alert Data - Pointer to the data that triggers an anomaly. Usually by a tool such as IDS
o Transaction Data - Focuses on understanding the requests and replies exchanged between two network devices.(e.g. HTTP,FTP,SMTP)
o Session Data - Conversation Flow. Network connections to and from a device
o Full Content Data - Full accounting for every data packet transmitted between two endpoints.
o Statistical data Descriptive information that characterizes network activity, like counts of various aspects of conversations
o Log data – eg. Syslog, OS/Firewall/Router logs
![Page 11: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/11.jpg)
NSM vs IDS Data ComparisonData NSM IDS
Alert Data – Pointer to the data that triggers an anomaly. Usually by a tool such as IDS
ü YES YES
Transaction Data - Focuses on under-standing the requests and replies exchanged between two network devices.(e.g. HTTP,FTP,SMTP)
ü YES NO
Session Data – Conversation Flow. Network connections to and from a device
ü YES NO
Full Content Data - Full accounting for every data packet transmitted between two endpoints.
ü YES NO
Statistical Data - Descriptive information that characterizes network activity, like counts of various aspects of conversations
ü YES NO
![Page 12: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/12.jpg)
NSM vs IDS Workflow comparisonIDS NSM
![Page 13: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/13.jpg)
NSM vs IDSo All these NSM data makes it easier for an analyst to
validate alerts and make decisions or escalations
o In the case of IDS, when an analyst does not have enough information on a particular alert, they tend to just ignore it.
![Page 14: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/14.jpg)
OK.. But what are NSM Limitations?o Blind to Encrypted Traffic
o Commercial web filtering solutions have the capability to decrypt SSL and offload decrypted SSL traffic into a port where you can connect the NSM solution
o SSL Gateway
o SSLSniff / ViewSSLD?
o Considerations when inspecting SSL traffic.
o Privacy / Legal – prohibited by laws from other countries
o Compliance - sox/pci.
o Mobile platforms
o Extreme traffic volume may overwhelm NSM platforms
![Page 15: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/15.jpg)
What NSM Solutions are freely available out there?
o SecurityOnion – www.securityonion.net
o Ubuntu Linux OS, Open Source - free – GNU GPL v2.0
o Leverages mature open source security productso Snort/Suricata, Bro, OSSECo Elsa, Snorby, Squerto Sguil, Netsniff-ng, Arguso Etc …
o Actively maintained o Developer is the Deputy CSO of Mandiant (APT report)
![Page 16: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/16.jpg)
Basic SecOnion Architectureo Standaloneo Distributed
![Page 17: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/17.jpg)
NSM Deployment Considerationso Network traffico HD Space (lots of)o Span vs Inline
![Page 18: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/18.jpg)
DEMO!o Enough of the boring stuff! :-Do Let’s see the thing
![Page 19: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/19.jpg)
Credits / References / Add’l Readingo Richard Bejtlich – www. taosecurity.blogspot.como Doug Bourks – www.securityonion.neto Securityonion Mailing Listo “The practice of Network Security Monitoring”o “Applied Security Monitoring”
![Page 20: Network Security Monitoring: Beyond Intrusion Detection 8/Talks/ROOTCON 8 - Network Sec… · o Collection, analysis, and escalation of indications and warnings to detect and respond](https://reader037.fdocuments.in/reader037/viewer/2022090606/605b5bf6289b31096b663842/html5/thumbnails/20.jpg)
Questions?