Network Security Monitoring: Beyond Intrusion Detection
By: rewtninja
Agenda
- Overview of NSM
- Benefits of NSM
- NSM vs IDS
- Limitations of NSM
- Free solutions for implementing NSM
- DEMO
Whoami?
- Security enthusiast
- SecOps for an int'l software/cloud company. We are hiring!
- <Insert Certifications Here>
Disclaimer? The standard blah blah blah
Why Monitor? NSM Principle 1: Some intruders are smarter than you are
Why Monitor? NSM Principle 2: Intruders are unpredictable
Why Monitor? NSM Principle 3: Prevention eventually fails
Cute Bears! But what is NSM?
- Collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.
- NSM is a way to find intruders on your network and do something about them before they damage your enterprise.
- It is more than just waiting for an alert to trigger. Successful NSM operations are always collecting multiple forms of NSM data, using some of it for matching activities (via IDS and related systems) and some for hunting activities (via human review of NSM data).
More info / Credits:
- The Practice of Network Security Monitoring, R. Bejtlich
- http://taosecurity.blogspot.com
- Mandiant CSO blog
- http://www.securityonion.net
Benefits of NSM
- Improve detection of the following:
  - Potential network intrusions
  - Network resource abuse
  - Malware
  - Data exfiltration/leakage
- Improve Incident Response
- Improve Evidence Collection (law enforcement, legal)
- Improve security visibility into the network
- Additional tool against Advanced Persistent Threats (APT)
- Retrospective Security Analysis: checking your old #NSM data for Indicators of Compromise that you didn't know were applicable at the time the intruder acted
I have an IDS, what makes NSM better?
- NSM takes IDS to a whole new level: better data for analysis, validation, escalation
- Alert Data - Pointer to the data that triggers an anomaly. Usually produced by a tool such as an IDS.
- Transaction Data - Focuses on understanding the requests and replies exchanged between two network devices (e.g. HTTP, FTP, SMTP).
- Session Data - Conversation flow. Network connections to and from a device.
- Full Content Data - Full accounting for every data packet transmitted between two endpoints.
- Statistical Data - Descriptive information that characterizes network activity, like counts of various aspects of conversations.
- Log Data - e.g. syslog, OS/firewall/router logs
NSM vs IDS: Data Comparison

  Data               Description                                                           NSM  IDS
  Alert Data         Pointer to the data that triggers an anomaly; usually from an IDS     YES  YES
  Transaction Data   Requests and replies exchanged between two devices (HTTP, FTP, SMTP)  YES  NO
  Session Data       Conversation flow: network connections to and from a device           YES  NO
  Full Content Data  Full accounting for every packet transmitted between two endpoints    YES  NO
  Statistical Data   Descriptive information characterizing network activity (counts)      YES  NO
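As an added example (not from the slides or from any of the tools named on them), the Python script below shows how the data types above relate to each other: constructed packet records stand in for full content data, session records are built from them, statistical data is computed from the sessions, and the retained sessions are then searched retrospectively for an indicator learned after the fact (the retrospective analysis benefit listed earlier). An alert-only IDS keeps none of this, which is the point of the comparison. All hosts, ports, sizes and the indicator list are constructed sample values.

```python
"""Derive session and statistical data from packet records and run a
retrospective indicator search over the retained sessions.
Added example; every packet, host and indicator below is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since epoch
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int      # bytes on the wire


# Constructed packet records (stand-in for full content data captured by a sensor)
PACKETS = [
    Packet(1000.0, "10.0.0.5", 51000, "93.184.216.34", 80, "tcp", 74),
    Packet(1000.1, "93.184.216.34", 80, "10.0.0.5", 51000, "tcp", 74),
    Packet(1000.2, "10.0.0.5", 51000, "93.184.216.34", 80, "tcp", 512),
    Packet(1000.4, "93.184.216.34", 80, "10.0.0.5", 51000, "tcp", 1500),
    Packet(1001.0, "10.0.0.5", 51001, "198.51.100.7", 443, "tcp", 74),
    Packet(1001.1, "198.51.100.7", 443, "10.0.0.5", 51001, "tcp", 74),
    Packet(1001.2, "10.0.0.5", 51001, "198.51.100.7", 443, "tcp", 517),
    Packet(1001.3, "198.51.100.7", 443, "10.0.0.5", 51001, "tcp", 1400),
    Packet(1002.0, "10.0.0.9", 40000, "203.0.113.77", 6667, "tcp", 60),
    Packet(1002.5, "10.0.0.9", 40000, "203.0.113.77", 6667, "tcp", 400),
    Packet(1003.0, "203.0.113.77", 6667, "10.0.0.9", 40000, "tcp", 120),
]

# Constructed indicator list, e.g. received from a report days after the traffic was seen
IOCS = {"ips": {"203.0.113.77"}, "ports": set()}


@dataclass
class Session:
    """Session data: one record per conversation, direction relative to the initiator."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    start: float
    end: float
    pkts_out: int = 0
    bytes_out: int = 0
    pkts_in: int = 0
    bytes_in: int = 0

    def duration(self) -> float:
        return self.end - self.start


def build_sessions(packets):
    """Group packets into sessions keyed by 5-tuple; the first packet seen is the initiator."""
    sessions = {}
    for p in sorted(packets, key=lambda p: p.ts):
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in sessions:
            s = sessions[fwd]
            s.pkts_out += 1
            s.bytes_out += p.length
        elif rev in sessions:
            s = sessions[rev]
            s.pkts_in += 1
            s.bytes_in += p.length
        else:
            s = Session(*fwd, start=p.ts, end=p.ts, pkts_out=1, bytes_out=p.length)
            sessions[fwd] = s
        s.end = max(s.end, p.ts)
    return list(sessions.values())


def statistics(sessions):
    """Statistical data: counts and byte totals that characterize the traffic as a whole."""
    bytes_by_dport = defaultdict(int)
    for s in sessions:
        bytes_by_dport[s.dport] += s.bytes_out + s.bytes_in
    return {
        "sessions": len(sessions),
        "total_bytes": sum(bytes_by_dport.values()),
        "bytes_by_dport": dict(bytes_by_dport),
        "sessions_per_src": Counter(s.src for s in sessions),
    }


def retrospective_search(sessions, iocs):
    """Re-check stored session data against indicators that were unknown when the traffic occurred."""
    hits = []
    for s in sessions:
        if s.src in iocs["ips"] or s.dst in iocs["ips"]:
            hits.append((s, "ip"))
        elif s.dport in iocs["ports"]:
            hits.append((s, "port"))
    return hits


if __name__ == "__main__":
    sess = build_sessions(PACKETS)
    for s in sess:
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} {s.proto} "
              f"out={s.pkts_out}p/{s.bytes_out}B in={s.pkts_in}p/{s.bytes_in}B dur={s.duration():.1f}s")
    print(statistics(sess))
    for s, reason in retrospective_search(sess, IOCS):
        print(f"retrospective hit ({reason}): {s.src} -> {s.dst}:{s.dport} at {s.start}")
```

The session records are a few dozen bytes each, so they can be retained for far longer than the packets they summarize; that retention window is what makes the retrospective search possible once an indicator arrives.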
NSM vs IDS: Workflow comparison [diagram: IDS workflow vs NSM workflow]
NSM vs IDS
- All these NSM data types make it easier for an analyst to validate alerts and make decisions or escalations.
- In the case of IDS, when an analyst does not have enough information on a particular alert, they tend to just ignore it.
OK.. But what are NSM Limitations?
- Blind to Encrypted Traffic
  - Commercial web filtering solutions have the capability to decrypt SSL and offload the decrypted SSL traffic onto a port where you can connect the NSM solution
  - SSL Gateway
  - SSLSniff / ViewSSLD?
  - Considerations when inspecting SSL traffic:
    - Mobile platforms
    - Privacy / Legal - prohibited by laws in other countries
    - Compliance - SOX/PCI
- Extreme traffic volume may overwhelm NSM platforms
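The "blind to encrypted traffic" limitation applies to the payload, not to the handshake: the TLS ClientHello is sent in the clear and carries the Server Name Indication (SNI), offered protocol version and cipher suites, which is why sensors such as Bro can log a server name for an SSL connection without any decryption. The following Python script is an added example, not code from the slides or from Security Onion: it constructs a minimal ClientHello record (constructed test data, not a capture) and parses the cleartext fields out of it, returning nothing for an encrypted application-data record and for a truncated record. The extension layout follows RFC 5246 and RFC 6066; SNI stays in the clear through TLS 1.3 unless Encrypted Client Hello is in use.

```python
"""Extract the cleartext metadata (SNI, version, cipher suites) from a TLS
ClientHello record.  Added example with constructed test data; the builder
exists only so the parser can be exercised offline."""
import struct

TLS_HANDSHAKE = 0x16          # record content type for handshake messages
HS_CLIENT_HELLO = 0x01        # handshake message type
EXT_SERVER_NAME = 0x0000      # RFC 6066 server_name extension


def build_client_hello(server_name: str, cipher_suites) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test data, fixed zero random)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x00" * 32                                # random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class Cursor:
    """Bounds-checked reader; raises ValueError instead of reading past the record."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def remaining(self) -> int:
        return len(self.data) - self.pos

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError("truncated or malformed record")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")


def parse_client_hello(record: bytes):
    """Return cleartext ClientHello fields, or None if the record is not a ClientHello.
    Raises ValueError when the record is truncated."""
    rec = Cursor(record)
    if rec.u8() != TLS_HANDSHAKE:
        return None                      # alert / application data: nothing readable here
    record_version = rec.u16()
    hs = Cursor(rec.take(rec.u16()))
    if hs.u8() != HS_CLIENT_HELLO:
        return None
    body = Cursor(hs.take(hs.u24()))
    version = body.u16()
    body.take(32)                        # random
    body.take(body.u8())                 # session_id
    raw = body.take(body.u16())          # cipher_suites
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, len(raw), 2)]
    body.take(body.u8())                 # compression_methods
    sni = None
    if body.remaining():
        exts = Cursor(body.take(body.u16()))
        while exts.remaining():
            ext_type = exts.u16()
            ext = Cursor(exts.take(exts.u16()))
            if ext_type == EXT_SERVER_NAME and sni is None:
                ext.u16()                # server_name_list length
                name_type = ext.u8()
                name = ext.take(ext.u16())
                if name_type == 0:
                    sni = name.decode("ascii", errors="replace")
    return {"record_version": record_version, "version": version,
            "cipher_suites": suites, "sni": sni}


def sni_from_record(record: bytes):
    """What a sensor would log for this record: the server name, or None if unavailable."""
    try:
        info = parse_client_hello(record)
    except ValueError:
        return None
    return info["sni"] if info else None


if __name__ == "__main__":
    hello = build_client_hello("example.com", [0x1301, 0xC02F])
    print(parse_client_hello(hello))
    print("application data ->", sni_from_record(b"\x17\x03\x03\x00\x03abc"))
```

This is transaction data about the encrypted connection, not its content: enough to attribute a session to a destination name and to spot unusual cipher or version choices, but the decrypt-and-offload options listed on the slide are still needed if the payload itself has to be inspected.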
What NSM Solutions are freely available out there?
- Security Onion - www.securityonion.net
  - Ubuntu Linux OS
  - Open Source - free, GNU GPL v2.0
  - Leverages mature open source security products: Snort/Suricata, Bro, OSSEC, ELSA, Snorby, Squert, Sguil, Netsniff-ng, Argus, etc.
  - Actively maintained
  - Developer is the Deputy CSO of Mandiant (APT report)
Basic SecOnion Architecture [diagram: Standalone vs Distributed]
NSM Deployment Considerations
- Network traffic
- HD Space (lots of)
- SPAN vs Inline
DEMO! Enough of the boring stuff! :-D Let's see the thing
Credits / References / Add'l Reading
- Richard Bejtlich - www.taosecurity.blogspot.com
- Doug Burks - www.securityonion.net
- Security Onion Mailing List
- The Practice of Network Security Monitoring
- Applied Security Monitoring
Questions?