
Practical network defense at scale Or: Protecting the “Eierlegende Wollmilchsau” by Travis Carelock - CODE BLUE 2015


The modern web-scale network is a pretty complicated place. Modern techniques in systems management have made it trivial to create, destroy and repurpose any number of instance types. These instances span the range from bare-metal machines sitting in a datacenter, to third-party virtual machines on demand, and now containers and microservices seem to be all the rage. Instances are cattle; they are no longer pets. All of this perpetual churn and flexibility is exactly what you want in a constantly changing, highly available, and efficient infrastructure. The ability to create or destroy nodes on demand, or to continuously and automatically scale up, scale down, and re-deploy applications as part of a continuous integration pipeline, has become a necessary and integral part of daily operations. However, these systems can generate terabytes of network logs a day. If your job is detecting, correlating, and alerting on the correct anomaly in all that data, the needle-in-a-haystack analogy really doesn’t do it justice; something closer would be finding a needle in a windstorm. How do you begin to collect, store, analyze, and alert on this much data without costing the company a small fortune? What practical steps can you take to reduce your overall risk and begin to gain more insight, visibility, and confidence into what is actually taking place on your network? This talk aims to give the attendee a solid understanding of the problem space, as well as recommendations and practical advice from someone who built their own ‘big data’ network and security monitor. It really is easier than it sounds.



  1. Practical Network Defense at Scale Or Defending the Eierlegende Wollmilchsau
  2. whoami? Name: Travis Carelock Occupation: Engineer at 15+ years experience in the IT and security fields… wow, I’m old……
  3. node
  4. Goals • Investigate Network Traffic • Network Traffic Rules with Alerts • Forensic evidence and long term analysis
  5. IPs? Rx/Tx? Ports?
  6. What are the Sources of Truth?
  7. • How Consistent? • How Independent? • Ease of Corruption? • Confidence Score? • Retention Policy?
  8. timestamp
  9. data transfer
  10. “src_ip”
  11. “dst_ip”
  12. Integer
  13. IP
  14. Shoulders of Giants • (image: me on the shoulders of ES) • me / elasticsearch
  15. write !!
  16. What is the target?
  17. What connects? To what?
  18. SD
  19. Automate
  20. ->
  21. Current View of the World
  22. False Positives • Better Query Design • Blocking Policy and Guidelines • Additional Services
  23. Not all anomalies are created equal
  24. What about Alert Actions?
  25. Create Feedback Cycle
  26. Query External Services
  27. Query Tools • History • Alert Management & Search • Help • Dashboard Generation
  28. …but how well is it working?
  29. Questions • What goals am I trying to accomplish? • What are the sources of truth? • What tools would work best? • What is an anomaly? • Am I correlating the alerts? • What about user experience? • Is the system robust and secure? • What else can I do with all the data?
  30. you!
  31. name: travis carelock • twitter: @l3d • email: • pgp: 463E B548 F3B1 F879 4589 6505 E417 7480 D1A4 A990 • private: pgp: 4CFC 8E69 4A07 59F2 4508 8A39 0AFA 9CC3 2D65 031E • otr fingerprint: 40FCAFD7 FAA097B6 29BE95CE 6740E37E 0790E295 • is hiring! Web: Email: • Thank You! Special Thank You to Code Blue and the Organisers!