Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf 2014

Managing Network Security Monitoring at Large Scale with Puppet - Michael Pananen & Chris Nyhuis, Vigilant Technology Services

1. Managing Network Security with Puppet
Presented by: Mike Pananen – Vigilant LLC. Chris Nyhuis – Vigilant LLC.
9/26/2014 – Puppet Conf, Sept 24th, 2014
Know More. Secure More

2. Mike Pananen
mpananen@vigilantnow.com
Twitter: @panaman13
• Master of Puppets at Vigilant
• Worked with Puppet since 2011
• Built global NSM sensor grids of 500+ sensors

3. Chris Nyhuis
cnyhuis@vigilantnow.com
Twitter: @vigilance_one
• Owner of Vigilant Technology Solutions, an IT cyber security firm based in Cincinnati
• In the security and IT industry for 17 years
• Cyber security instructor at the Advanced Technical Intelligence Center (Dayton)
• Passionate about orphan care

4. Agenda
• Understanding the problem
• How attacks have changed and the security industry hasn't
• Why NSM is important
• Lower your security operations costs with Puppet

5. Understanding the Problem: The Compliance and Security Myth
Compliance:
• PCI
• HIPAA
• IRS regulations
• Controls
• Policy
Security:
• Visibility
• Process to learn from attacks
• Ability to adapt defenses
• Real-time action required

6. Understanding the Problem: The Compliance and Security Myth
Compliance:
• Vulnerability
• PCI/HIPAA
• IRS regulations
• Controls
• Policy
Security:
• Visibility
• Process to learn from attacks
• Ability to adapt defenses
• Real-time action required

7. What do these companies have in common?
Neiman Marcus, HealthNet

8. What do these companies have in common? They were all compliant…
(Figure: company logos with record counts – HealthNet, Heartland; 130,000,000; 52,000,000; 145,000,000; 70,000,000; 94,000,000; 1,500,000; 92,000,000; 3,900,000; 24,000,000)

9. Ponemon's Cost of Data Breach Study: global study, sponsored by IBM. Studied 314 companies spanning 10 countries.
• Average total cost of a data breach increased by 15%
• Average of $3.5 million
• Cost per record is $145.00
• Your reputation is priceless

10. Take Away #1: Security is not the same as Compliance – Security is a balance of Control and Visibility

11. Understanding the Problem: The threats have changed
Before:
• Random, small attacks
• Attackers were of more random skill
• "I'm too small" – big targets were the focus
Today:
• Highly designed, organized attacks
• Attackers are skilled – APT
• Attacks are coming through the supply chain

12. Take Away #2: SMB is the new gateway – Protect your reputation; you may be the path

13. Understanding the Problem: Threat protection has changed
Before:
• Signatures – the "herd mentality" protection
Today:
• Attacks are more targeted

14. That is why…
• 54% of malware typically evades anti-virus detection
• Less than 2% of breaches are detected in the first 24 hours, less than 46% in the first 30 days
• 60% of breaches have data exfiltrated in the first 24 hours
• A Trustwave study considered 450 global data breach investigations, as well as thousands of penetration tests and scans. It found that the average time between an initial breach and detection was 210 days. In 2011 it was 90 days.
• Over 92% of breaches are discovered by a third party or customer

15. And because of that… Symantec's senior vice president Brian Dye declared last quarter to the Wall Street Journal that antivirus "is dead."

16. Understanding the Problem: Threat protection has changed
Before:
• Signatures – the "herd mentality" protection
• Automated alerting
• UTM / traditional firewalls on the perimeter = "100% secure"
Today:
• Attacks are more targeted
• Combination of automation and people
• Anomaly detection – they are in, find them quick

17. Take Away #3: Signature-based detection is a layer; it should be one layer of your protection, just not your only one.

18. NSM vs IDS
IDS: "Possible bad thing detected – 10.0.9.5"
NSM: "Possible bad thing detected – 10.0.9.5"
-> Intel hit – badguydomain.com
-> HTTP – 10.0.9.5 visited http://badguydomain.com/badstuff on port 80
-> Session tracked – 10.0.9.5 using FTP with IP 58.14.0.69
-> Packet capture – detailed map of the incident, including files
-> Trace what else that IP talked to on your network
-> Analyze the bad guy's files
-> Create new signatures/intelligence if needed to detect the actor

19. Advanced Network Security Monitoring

20. Take Away #4: NSM gives you the full picture

21. Lower your costs – use tools to catch them early

22. NSM tools – open source technology: IDS, Flow, HTTP, PCAP

23. NSM – IDS tools
Snort – http://www.snort.org
Suricata – http://suricata-ids.org
Bro – http://www.bro.org

24. Rules: write your own, or download free or purchased rules
Emerging Threats – http://www.emergingthreats.org (ETOpen, ETPro)
Snort Community Rules – https://www.snort.org/downloads
Vulnerability Research Team – https://www.snort.org/vrt

25. Deploy Snort with Puppet
    package { 'snort':
      ensure => present,
    }->
    file { '/etc/snort/rules':
      # Mirror the module's rules directory: purge/force drop anything Puppet
      # did not ship, show_diff keeps rule bodies out of the agent log. Puppet
      # adds the search bit to directories automatically when read is set.
      ensure    => directory,
      owner     => 'snort',
      group     => 'snort',
      mode      => '0660',
      recurse   => true,
      purge     => true,
      force     => true,
      show_diff => false,
      source    => 'puppet:///modules/snort/rules',
      notify    => Service['snort'],
    }->
    file { '/etc/snort/snort.conf':
      ensure => present,
      owner  => 'snort',
      group  => 'snort',
      mode   => '0660',
      source => 'puppet:///modules/snort/snort.conf',
      notify => Service['snort'],
    }->
    service { 'snort':
      # Any change to the rules or the config above restarts Snort (notify),
      # so a rule set that fails to load takes the sensor down.
      ensure => running,
      enable => true,
    }
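
The manifest above restarts Snort whenever a rule file changes, so a broken rule set pushed through Puppet restarts every sensor into a failed state at once. As an added example that is not part of the slides or of Snort's own tooling, the script below sanity-checks a rule set before it goes into the module's files directory: duplicate or missing sid, missing rev, unbalanced parentheses, unknown rule action. The rule file it checks is constructed for the example; `snort -T -c snort.conf` on a staging sensor remains the authoritative test.

```python
"""Pre-push sanity check for a Snort rule set (added example, not Snort's own
tooling). Catches the mistakes that make a rule file fail to load."""
import re

# Constructed rule file for the example: one good multi-line rule, one good
# single-line rule, then three rules with the mistakes the check is for.
RULES = """\
# constructed rule file
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP to known bad host"; \\
    content:"USER"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"badguydomain.com"; content:"badguydomain.com"; http_header; sid:1000002; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"duplicate sid"; content:"/badstuff"; http_uri; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"no sid here"; content:"x";)
alert udp any any -> any 53 (msg:"unbalanced"; content:"|00 01|"; sid:1000004; rev:1;
"""

ACTIONS = ('alert', 'log', 'pass', 'drop', 'reject', 'sdrop')
QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')


def logical_lines(text):
    """Yield (first_line_no, rule_text), joining backslash-continued lines."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith('\\'):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, ' '.join(buf).strip()
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, ' '.join(buf).strip()


def check_rules(text):
    """Return [(line_no, problem), ...]; an empty list means the set is sane."""
    problems, seen = [], {}
    for no, rule in logical_lines(text):
        if not rule or rule.startswith('#'):
            continue
        if rule.split(None, 1)[0] not in ACTIONS:
            problems.append((no, 'unknown action'))
            continue
        # Blank out quoted strings so a literal "(" or "sid:" inside a
        # content/msg string cannot fool the checks below.
        body = QUOTED.sub('""', rule)
        if body.count('(') != body.count(')') or not body.endswith(')'):
            problems.append((no, 'unbalanced parentheses'))
        m = SID_RE.search(body)
        if not m:
            problems.append((no, 'missing sid'))
            continue
        sid = int(m.group(1))
        if not REV_RE.search(body):
            problems.append((no, 'sid %d has no rev' % sid))
        if sid in seen:
            problems.append((no, 'duplicate sid %d (first at line %d)' % (sid, seen[sid])))
        else:
            seen[sid] = no
    return problems


if __name__ == '__main__':
    for line_no, problem in check_rules(RULES):
        print('line %d: %s' % (line_no, problem))
```

Run it over every file under the module's rules directory in the commit hook or CI job that feeds the Puppet master; a non-empty result blocks the push, so the notify/restart in the manifest only ever fires for a rule set that loads.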

26. Bro – Swiss army knife in your NSM tool box
Notice Framework – network anomaly and scripted alerts
Intel Framework – network intelligence detection: IP, domain, email, etc.
Sample log records (tab-separated, one record per line):
conn.log: 1410156004.036451 C3SZcg4BiqLox95C6f 172.16.30.90 56978 10.10.20.60 8140 tcp ssl 0.287418 4045 6226 SF T 0 ShADadfF 13 4729 13 6910 (empty) - -
http.log: 1410576714.203766 CcyC7F3M9pCMaEauR 10.0.20.3 50495 192.0.72.2 80 1 GET thechive.files.wordpress.com /2012/10/porn-stars-before-makeup-after-with-without-13.jpg?w=500&h=326 - Mozilla/4.0 (compatible;) 0 0 304 Not Modified - - - (empty) - - - - - - - - - FQY9eR3W1hezAV1yRh text/plain
smtp.log: 1411473791.484895 C5Ulst3pXPGQ9Twt8h 10.0.4.5 57378 21.8.8411925 1 yaawfquh5.visime.eu <WonderHose@visime.eu> <billgates@microsoft.com> Tue, 23 Sep 2014 05:03:10 -0700 "Wonder <57691741739649757694320462663@yaawfquh5.visime.eu> - This hose contracts when the water stops!
Other logs: dns, smtp, dhcp, dpd, intel, notice, ssl, ssh, software, …
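
The NSM chain on slide 18 (intel hit -> HTTP request -> session -> other hosts that reached the same peer) is a join across these Bro logs on the connection uid and the host address. The script below walks that chain over intel.log, http.log and conn.log. It is an added example, not part of the slides or of Bro; its three logs are constructed in Bro's tab-separated layout with abbreviated field lists, and the hosts, the domain and the FTP peer are the illustrative values from slide 18.

```python
"""Pivot from an intel alert through Bro logs, following the NSM chain on
slide 18. Added example; logs below are constructed, not real captures."""
from collections import defaultdict

# Constructed sample logs. Real Bro logs also carry #separator/#path/#open/
# #types/#close header lines; only #fields is needed to map the columns.
INTEL_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tseen.indicator\tseen.indicator_type\tseen.where\tsources
1411473790.100000\tCaaa1\t10.0.9.5\t50321\t203.0.113.7\t80\tbadguydomain.com\tIntel::DOMAIN\tHTTP::IN_HOST_HEADER\tmalwaredomains
"""
HTTP_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code
1411473790.100000\tCaaa1\t10.0.9.5\t50321\t203.0.113.7\t80\tGET\tbadguydomain.com\t/badstuff\t200
1411473795.000000\tCbbb2\t10.0.9.8\t50400\t192.0.2.10\t80\tGET\texample.com\t/\t200
"""
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1411473790.100000\tCaaa1\t10.0.9.5\t50321\t203.0.113.7\t80\ttcp\thttp\t0.5\t300\t4096\tSF
1411473801.000000\tCccc3\t10.0.9.5\t50322\t58.14.0.69\t21\ttcp\tftp\t42.0\t120000\t900\tSF
1411473900.000000\tCddd4\t10.0.9.12\t50900\t58.14.0.69\t21\ttcp\tftp\t10.0\t5000\t300\tSF
1411473950.000000\tCeee5\t10.0.9.8\t50401\t192.0.2.10\t80\ttcp\thttp\t0.2\t200\t1000\tSF
"""


def parse_bro_log(text):
    """Return the records of a Bro TSV log as dicts keyed by the #fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith('#fields'):
            fields = line.split('\t')[1:]
        elif line.startswith('#') or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split('\t'))))
    return rows


def pivot(alert_host, intel, http, conn):
    """Expand one alerted internal host into the chain an analyst would follow."""
    hits = [r for r in intel if r['id.orig_h'] == alert_host]
    # uid is Bro's join key: one connection carries the same uid in every log.
    hit_uids = {r['uid'] for r in hits}
    requests = [r for r in http if r['id.orig_h'] == alert_host]
    sessions = [r for r in conn if r['id.orig_h'] == alert_host]
    # Every external peer the host talked to, then every *other* internal host
    # that talked to the same peer ("trace what else that IP talked to").
    peers = {r['id.resp_h'] for r in sessions}
    others = defaultdict(set)
    for r in conn:
        if r['id.resp_h'] in peers and r['id.orig_h'] != alert_host:
            others[r['id.resp_h']].add(r['id.orig_h'])
    return {
        'intel': [(r['seen.indicator'], r['sources']) for r in hits],
        'hit_connections': [(r['id.resp_h'], r['service']) for r in conn if r['uid'] in hit_uids],
        'http': ['%s http://%s%s' % (r['method'], r['host'], r['uri']) for r in requests],
        'sessions': [(r['service'], r['id.resp_h'], r['id.resp_p']) for r in sessions],
        'also_talked_to': {ip: sorted(hosts) for ip, hosts in others.items()},
    }


if __name__ == '__main__':
    chain = pivot('10.0.9.5', parse_bro_log(INTEL_LOG),
                  parse_bro_log(HTTP_LOG), parse_bro_log(CONN_LOG))
    for step, items in chain.items():
        print(step, '->', items)
```

The same join keys carry into the next steps of the chain: the uid names the session to pull from the full-packet-capture store, and the peer list is what a new Intel::ADDR indicator or Snort rule gets written for.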

27. Free intel sources (atomic indicators)
http://www.malwaredomains.com – bad domain names
https://zeustracker.abuse.ch – IP list and domain names
http://www.emergingthreats.com – IP list
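
Bro's Intel Framework reads indicators like these from a tab-separated file, and that file is exactly the kind of thing Puppet pushes to every sensor as a file resource (Take Away #5). The script below turns raw feeds into that file, tolerating the comments, blank lines, duplicates and junk the free lists contain. It is an added example, not from the slides or from any feed's own tooling; the feed contents are constructed, and the intel path in the usage note is assumed.

```python
"""Build a Bro Intel Framework file from atomic-indicator feeds.
Added example; feed text below is constructed."""
import ipaddress

# Constructed feed snippets. Comments, blank lines, duplicates and junk lines
# are typical of the free lists and must not end up in the sensor's intel file.
DOMAIN_FEED = """\
# malicious domains (constructed sample)
badguydomain.com

 BadGuyDomain.com
evil.example.net   # trailing comment
"""
IP_FEED = """\
# C2 addresses (constructed sample)
58.14.0.69
198.51.100.23
not-an-ip-or-domain!
"""

# Column layout the Intel Framework reads; indicator, indicator_type and
# meta.source are required, the rest are optional metadata.
INTEL_FIELDS = ('indicator', 'indicator_type', 'meta.source', 'meta.desc', 'meta.do_notice')


def classify(indicator):
    """Return the Intel Framework type for a bare indicator, or None for junk."""
    try:
        ipaddress.ip_address(indicator)
        return 'Intel::ADDR'
    except ValueError:
        pass
    labels = indicator.split('.')
    if len(labels) >= 2 and all(
            label and all(c.isalnum() or c == '-' for c in label) for label in labels):
        return 'Intel::DOMAIN'
    return None


def feed_lines(text):
    """Strip comments and whitespace from a feed; yield the bare indicators."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            yield line


def build_intel(feeds, do_notice=True):
    """feeds: iterable of (source_name, feed_text). Return (rows, rejected)."""
    rows, rejected, seen = [], [], set()
    for source, text in feeds:
        for raw in feed_lines(text):
            indicator = raw.lower()
            kind = classify(indicator)
            if kind is None:
                rejected.append((source, raw))
                continue
            if (indicator, kind) in seen:   # listed twice, or in two feeds
                continue
            seen.add((indicator, kind))
            rows.append((indicator, kind, source, 'from ' + source, 'T' if do_notice else 'F'))
    return rows, rejected


def render_intel_file(rows):
    """Serialize rows in the Intel Framework's format (tabs, #fields header)."""
    lines = ['#fields\t' + '\t'.join(INTEL_FIELDS)]
    lines.extend('\t'.join(row) for row in rows)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    rows, rejected = build_intel([('malwaredomains', DOMAIN_FEED), ('zeustracker', IP_FEED)])
    print(render_intel_file(rows))
    print('rejected:', rejected)
```

On the sensor the file is picked up with `redef Intel::read_files += { "/opt/bro/share/bro/site/intel.dat" };` (path assumed) plus `@load frameworks/intel/seen`; with `@load frameworks/intel/do_notice` and meta.do_notice set to T, every match also raises a Notice, which is the "Intel hit" step of the chain on slide 18. The rejected list is worth logging: a feed that suddenly yields mostly junk usually means its format changed, not that the threat went away.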

28. Deploy Bro with Puppet – https://forge.puppetlabs.com/panaman/bro
    class { 'bro':
      int => 'bond0',
    }

29. PCAP – full packet capture
netsniff-ng – http://netsniff-ng.org
daemonlogger – http://sourceforge.net/projects/daemonlogger/
tcpdump – http://www.tcpdump.org

30. Capture with netsniff-ng:
    /usr/sbin/netsniff-ng -i bond0 -s -J -F 500MiB -o /nsm/pcap/$(date "+%Y-%m-%d")
(-i: capture interface; -s: silent, do not print packets; -J: jumbo-frame support; -F 500MiB: start a new pcap file every 500 MiB; -o: output directory. Two things to check before wrapping this in a service: the $(date ...) directory name is expanded once, when the command starts, so a capture that runs past midnight keeps writing under the start day's directory, and that directory has to exist before netsniff-ng is launched. Since it starts as root to open the interface, -u/-g let it drop to an unprivileged user and group once the socket is open.)

31. Take Away #5: Puppet can deploy new configs, signatures and intelligence to your sensors quickly. Speed is important in NSM.

32. Network taps
http://www.networkinstruments.com/products/ntaps/index.php
http://dual-comm.com
http://www.netoptics.com/products/network-taps
http://www.gigamon.com/network-tap

33. Tap placement – true source and true destination.

34. Take Away #6: Correct tap placement is as important as the right tools.

35. Log management
ElasticSearch – http://www.elasticsearch.org
Splunk – http://www.splunk.com
ELSA (Enterprise Log Search and Archive) – https://code.google.com/p/enterprise-log-search-and-archive/

38. Six Take Aways
  1. Security is not the same as Compliance
  2. SMB is the new gateway – Protect your reputation; you may be the path
  3. Signature-based detection is a layer; it should be one layer of your protection, just not your only one.
  4. NSM gives you the full picture
  5. Speed is key – deploy rules immediately with Puppet
  6. Correct tap placement is as important as the right tools.

39. Puppet Conf 2014 – Questions
Mike Pananen – mpananen@vigilantnow.com – Twitter @panaman13
Chris Nyhuis – cnyhuis@vigilantnow.com – Twitter @vigilance_one
