Network Security Monitoring Theory and Practice



Similar documents
Richard Bejtlich / taosecurity.blogspot.com BSDCan 14 May 04

The principle of Network Security Monitoring[NSM]

Open Source Network Security Monitoring With Sguil

Network Security Monitoring

You Don t Know What You Can t See: Network Security Monitoring in ICS Rob Caldwell

When prevention FAILS: Extending IR and Digital Forensics to the corporate network. Ismael Valenzuela

Peeling Back the Layers of the Network Security with Security Onion Gary Smith, Pacific Northwest National Laboratory

TheTao of Network Security Monitoring

Open Source Network Security Monitoring With Sguil

The SIEM Evaluator s Guide

Network Security Monitoring: Beyond Intrusion Detection. By: rewtninja

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Missing the Obvious: Network Security Monitoring for ICS

NETWORK SECURITY. 3 Key Elements

A Proposed Architecture of Intrusion Detection Systems for Internet Banking

Our Security. History of IDS Cont d In 1983, Dr. Dorothy Denning and SRI International began working on a government project.

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

Intrusion Detection Systems

Network Security Monitoring: Looking Beyond the Network

Traffic Monitoring : Experience

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Network Security Forensics

COUNTERSNIPE

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Network Intrusion Analysis (Hands-on)

Architecture Overview

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Network Security Monitoring

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Intrusion Detection Systems. Overview. Evolution of IDSs. Oussama El-Rawas. History and Concepts of IDSs

Network Security Monitoring

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

NETWORK SECURITY. Scott Hand. Melanie Rich-Wittrig. Enrique Jimenez

Analysis and Evaluation of Network-Based Intrusion Detection and Prevention System in an Enterprise Network Using Snort Freeware

The Need for Intelligent Network Security: Adapting IPS for today s Threats

Name. Description. Rationale

THE PRACTICE OF NETWORK SECURITY MONITORING

Marlicia J. Pollard East Carolina University ICTN 4040 SECTION 602 Mrs. Boahn Dr. Lunsford

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph I MCA

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Targeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge

Fail-Safe IPS Integration with Bypass Technology

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Intrusion Detection and Intrusion Prevention. Ed Sale VP of Security Pivot Group, LLC

Intrusion Detection for Mobile Ad Hoc Networks

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

BEGINNER S GUIDE to. Open Source Intrusion Detection Tools.

WHAT IS LOG CORRELATION? Understanding the most powerful feature of SIEM

The Truth about False Positives

Blacklist Example Configuration for StoneGate

Performance Evaluation of Intrusion Detection Systems

Tk20 Network Infrastructure

How To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)

MANAGED SECURITY SERVICES (MSS)

The Importance of Cybersecurity Monitoring for Utilities

WHITE PAPER. Network Traffic Port Aggregation: Improved Visibility, Security, and Efficiency

CLOUD GUARD UNIFIED ENTERPRISE

A solution for comprehensive network security

NETWORK SECURITY (W/LAB) Course Syllabus

Network Monitoring and Forensics

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

Intrusion Detections Systems

IDS / IPS. James E. Thiel S.W.A.T.

Security Event Management. February 7, 2007 (Revision 5)

Rashmi Knowles Chief Security Architect EMEA

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

GRC & Cyber Security Conference - Bringing the Silos Together ISACA Ireland 3 Oct 2014 Fahad Ehsan

Network- vs. Host-based Intrusion Detection

Open Source Software for Cyber Operations:

RAVEN, Network Security and Health for the Enterprise

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Introduction of Intrusion Detection Systems

Cisco IPS Tuning Overview

OpenWIPS-ng A modular and Open source WIPS. Thomas d Otreppe, Author of Aircrack-ng

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013

USE HONEYPOTS TO KNOW YOUR ENEMIES

MANAGED SECURITY SERVICES (MSS)

Audit Logging. Overall Goals

Security Monitoring and Architectures for Security Logging

BIG DATA. Shaun McLagan General Manager, RSA Australia and New Zealand CHANGING THE REALM OF POSSIBILITY IN SECURITY

WhatWorks in Detecting and Blocking Advanced Threats:

Network-Based and Host- Based Intrusion Detection. Harley Kozushko. Graduate Seminar

SearchSecurity. Implementing Network Security Monitoring with Open Source Tools By Richard Bejtlick. IT Briefing: An IT Briefing produced by

CYBER AND IT SECURITY: CLOUD SECURITY FINAL SESSION. Architecture Framework Advisory Committee November 4, 2014

Dynamic Rule Based Traffic Analysis in NIDS

Intrusion Detection in AlienVault

Transcription:

Network Security Monitoring Theory and Practice Michael Boman IT Security Researcher and Developer proxy@11a.nu http://proxy.11a.nu

About Me Born in Sweden, been working in Singapore for the last 6 years Spent the last 5 years specializing in IT Security Currently working for KPMG Singapore

Agenda Network Security Monitoring (NSM) Theory Network Security Monitoring (NSM) Practice

Assumptions Some intruders are smarter than you Intruders are unpredictable Prevention eventually fails

Limitations of Alert Based Approach 1)IDS generates an alert when a packet is matched 2)Analyst's interface displays the offending packet 3)Analyst trying to make decision regarding if the event is a false positive or if the incident response team needs to be informed 4)Usually no other information is easily available to the analyst to make a more informed judgement (if any was collected in the first place)

History of NSM 1980 Computer Security Threat Monitoring and Surveillance (James P. Anderson) 1990 A Network Security Monitor (L. Todd Heberlein et al.) 2002 Network Security Monitoring (Bamm Visscher & Richard Bejtlich) Defined NSM as the collection, analysis and escalation of indications and warnings (I&W) to detect and respond to intrusions

What is NSM? Collection Analysis Escalation

NSM Data Types Alert data Statistical Session Full content Less More Storage requirement

Data Collection Collect as much data you legally and technically can

Data Collection Sometimes you can't collect everything, but consider this: Data sampling is better than nothing Traffic analysis is better than nothing

NSM's role in Incident Response What else did the intruder potentially compromise? What tools did he download? Who else do we need to inform?

NSM in practice - Sguil Sguil is an open source project whose tag line is For Analysts - By Analysts Written in TCL/TK by Bamm Visscher, with many contributors (including myself) Sensor / Server / Client architecture

History of Sguil SPREG Proprietary in-house ancestor of Sguil developed in Perl/TK, around 2000-2001 Sguil development started late 2002 First public release was 0.2, May 2003 Current version is 0.6.1

Sguil Analyst Console

Sguil Framework Demo

Future of Sguil PADS (Passive Asset Detection System) Integration SnortSAM Integration Snort rule management

NSM in the Real World Who is using it Fortune 500 Companies US Government Labs Universities MSSPs

NSM in the Real World Real life success stories Charles Tomlin used Sguil to track down a recent compromise http://www.ecs.soton.ac.uk/~cet/2006-01-01.html

NSM in the Real World NSM Products / Projects Apparently Sguil is the only public available product / project that utilizes NSM methodology

What NSM is Not NSM Is Not Device Management NSM Is Not Security Event Management NSM Is Not Network-Based Forensics NSM Is Not Intrusion Prevention

Books The Tao of Network Security Monitoring: Beyond Intrusion Detection By Richard Bejtlich Publisher: Addison-Wesley; ISBN: 0321246772 Extrusion Detection: Security Monitoring for Internal Intrusions By Richard Bejtlich Publisher: Addison-Wesley; ISBN 0321349962

Thank You Questions? There is no secure end-state only eternal vigilance My Website is at http://proxy.11a.nu Sguil can be downloaded at http://www.sguil.net

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information