Originally presented at BSides Ottawa on 06-Sep-2014, this talk lays out the challenges faced by today's defender (for context), identifies the gap in our current defensive strategies (what we'll address), and explains how to start a basic behavioural analysis practice with minimal investment.
Remember this is a BSides presentation so there may be some language which causes a double-take ;-)
Open with caution.
Is That Normal? Behaviour Modelling On The Cheap
1. Is That Normal?
Behaviour modelling on the cheap
Mark Nunnikhoven, bunch of letters
@marknca
Just like you probably can’t see this, I can’t see the backchannel
Tweet me now @marknca, I’ll reply after the talk…
23. What to look for
Malicious patterns
You might want to consider buying something here or at least Martin’s solution
However, if you don’t have a strong process for handling alerts don’t bother!
24. What to look for
Odd access patterns
You can buy products that help here but we can get good ROI with DIY
If you already have a SIEM, put this effort into tuning its rules & alerts
26. The Goal
Provide actionable information
to your team
You’re never going to get 100% automated here
BUT you can reduce your team’s workload
27. In order of importance
Access
Transactions
Authentication
<< fancy circles for no particular reason
28. And then?
Dump it all in a database
Yes, an old school relational database
29. Dump it?
Well no…that’ll cause problems*
* Only if you want to do anything with the data.
If you want a(nother) shelfware project, go ahead
The #1 problem with RDBMS is that few people consider
what they want to get _out_ of them
30. Hardware: Table Structure
Desktop: Hour
Bigger: Day
Biggest: Week
Bigger-est: Month
Ridiculous: This talk has “on the Cheap” in the title. Stop showing off
It’s amazing what an old school DB can do when structured properly
There is a reason why we’ve stuck with the tech for 40+ years
31. Anything else?
Add metadata on ingestion*
* You’re trying to save computation later on. And
it’s easier to line up usernames or groups now
rather than later. You can do fun things with
caching too
I felt like using the term “metadata” would add more credibility
and a nice NSA-esque feeling here
32. Indices?
Store the timestamp as
YYYY-MM-DD-HH-MM-SS*
* No wiggle room. It’s easier to do
computations on this way
First person to say “what about seconds since the epoch?” gets a free gift
It’s not a good gift. You don’t want it. Trust me on this
33. Hardware: Query Breadth (in tables)
Desktop: 1
Bigger: 2-3
Biggest: 3-5
Bigger-est: 3-5
Ridiculous: Didn’t you get the message 2 slides ago?
How you structure your query has a major impact on performance
That should be obvious. If not, it is now
34. Hardware: Query Size (in dimensions)
More dimensions == slower performance but potentially more useful answers
Use your judgement here
Desktop: 2-3
Bigger: 3-5
Biggest: 5-7
Bigger-est: 5-7
Ridiculous: Seriously, WTF?
35. How do I frame questions for the data?
Based on the average of X,
what are the outliers?
* select min(thing_I_want) from (group_of_things_I_want)
select max(thing_I_want) from (group_of_things_I_want)
Not the Malcolm Gladwell Outliers, actual math-y type ones
36. Questions you should ask your data?
<Timeline for logins>
<Period of access for user>
<Size of transaction>
<Number of domains per day>
* These four will net a lot of interesting info
Start simple, build up the questions you ask based on success
“If it isn’t actionable, get rid of it”, Rob Edwards < awesome guy
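The slides describe the pipeline but never show it end to end, so here is an added example (mine, not from the talk) that covers slides 28-32 (dump into a plain relational DB, one table per day as in the “Bigger” row, add metadata at ingestion, store timestamps as YYYY-MM-DD-HH-MM-SS) and slides 35-36 (the “based on the average of X, what are the outliers?” question and the MIN/MAX “period of access” question). Everything is assumed: the log format, the users, the user-to-group map and the log lines are constructed for the demo; the database is SQLite so it runs offline. The baseline (two day tables) is kept separate from the day being checked so an anomaly cannot inflate its own average, which is a refinement the slide does not spell out.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample log for this example (not real data). Hypothetical format:
#   <ISO timestamp> <user> <action> <value>
# action is "login" (value "-") or "xfer" (value = bytes moved).
RAW_LOG = """\
2014-09-01T02:00:05 svc-backup login -
2014-09-01T02:03:19 svc-backup xfer 20000
2014-09-01T08:02:11 alice login -
2014-09-01T08:40:03 alice xfer 1200
2014-09-01T09:01:27 bob login -
2014-09-01T11:15:44 bob xfer 3000
2014-09-01T16:20:30 alice xfer 900
2014-09-02T02:00:07 svc-backup login -
2014-09-02T02:02:58 svc-backup xfer 20000
2014-09-02T08:11:52 alice login -
2014-09-02T10:03:39 bob login -
2014-09-02T10:22:08 alice xfer 1500
2014-09-02T14:48:12 bob xfer 2500
2014-09-02T15:05:41 alice xfer 1300
2014-09-03T02:00:04 svc-backup login -
2014-09-03T02:03:41 svc-backup xfer 20000
2014-09-03T03:07:55 alice login -
2014-09-03T03:10:00 alice xfer 48000
2014-09-03T09:12:31 bob login -
2014-09-03T09:30:20 bob xfer 2800
"""

# Metadata lined up at ingestion (slide 31). Hypothetical directory lookup.
USER_GROUPS = {"alice": "finance", "bob": "engineering", "svc-backup": "service"}

# Table names are generated from dates, never from log content; this guard keeps it that way.
TABLE_RE = re.compile(r"^events_\d{8}$")


def ts_key(iso: str) -> tuple[str, datetime]:
    """Normalise to the slide-32 form YYYY-MM-DD-HH-MM-SS (sorts and slices as plain text)."""
    dt = datetime.strptime(iso, "%Y-%m-%dT%H:%M:%S")
    return dt.strftime("%Y-%m-%d-%H-%M-%S"), dt


def table_for(dt: datetime) -> str:
    """One table per day: the 'Bigger' row of the slide-30 structure."""
    return "events_" + dt.strftime("%Y%m%d")


def ingest(conn: sqlite3.Connection, raw: str) -> list[str]:
    """Parse each line, attach group/hour/weekday metadata, and write to the day table."""
    seen: set[str] = set()
    for line in raw.splitlines():
        iso, user, action, value = line.split()
        key, dt = ts_key(iso)
        table = table_for(dt)
        assert TABLE_RE.match(table)
        if table not in seen:
            conn.execute(f"CREATE TABLE IF NOT EXISTS {table} (ts TEXT, user TEXT, grp TEXT, "
                         "hour INTEGER, dow INTEGER, action TEXT, value TEXT)")
            seen.add(table)
        conn.execute(f"INSERT INTO {table} VALUES (?, ?, ?, ?, ?, ?, ?)",
                     (key, user, USER_GROUPS.get(user, "unknown"), dt.hour, dt.weekday(), action, value))
    conn.commit()
    return sorted(seen)


def _union(tables: list[str]) -> str:
    """Query breadth (slide 33): stitch together only the day tables a question needs."""
    assert tables and all(TABLE_RE.match(t) for t in tables)
    return " UNION ALL ".join(f"SELECT * FROM {t}" for t in tables)


def transfer_outliers(conn, baseline, check, factor=3.0):
    """Slide 35/36: transaction sizes more than `factor` times the group's baseline average."""
    sql = f"""
        WITH base AS (SELECT grp, AVG(CAST(value AS INTEGER)) AS avg_bytes
                      FROM ({_union(baseline)}) WHERE action = 'xfer' GROUP BY grp),
             chk AS (SELECT ts, user, grp, CAST(value AS INTEGER) AS bytes
                     FROM ({_union(check)}) WHERE action = 'xfer')
        SELECT c.ts, c.user, c.grp, c.bytes, ROUND(c.bytes / b.avg_bytes, 1) AS ratio
        FROM chk c JOIN base b USING (grp)
        WHERE c.bytes > ? * b.avg_bytes
        ORDER BY c.ts"""
    return conn.execute(sql, (factor,)).fetchall()


def login_hour_outliers(conn, baseline, check):
    """Slide 36 'period of access for user': logins outside the user's baseline MIN..MAX hour."""
    sql = f"""
        WITH win AS (SELECT user, MIN(hour) AS lo, MAX(hour) AS hi
                     FROM ({_union(baseline)}) WHERE action = 'login' GROUP BY user),
             chk AS (SELECT ts, user, hour FROM ({_union(check)}) WHERE action = 'login')
        SELECT c.ts, c.user, c.hour, w.lo, w.hi
        FROM chk c JOIN win w USING (user)
        WHERE c.hour < w.lo OR c.hour > w.hi
        ORDER BY c.ts"""
    return conn.execute(sql).fetchall()


def demo():
    """Ingest the sample, use the first two days as baseline and check the third (3 tables total)."""
    conn = sqlite3.connect(":memory:")
    tables = ingest(conn, RAW_LOG)
    baseline, check = tables[:-1], tables[-1:]
    return transfer_outliers(conn, baseline, check), login_hour_outliers(conn, baseline, check)


if __name__ == "__main__":
    xfers, logins = demo()
    for row in xfers + logins:
        print(row)
```

Two things to notice: the 20000-byte backup transfers never fire because the average is taken per group, which is exactly why the group lookup belongs at ingestion and not in the query; and the 03:00 login only fires because the baseline window is computed from days the account behaved normally. Both answers are short, specific rows a human can act on, which is the bar slide 36 sets.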
37. Use your logs
Reduce work for your team
Start small, build