Burning Down the Haystack to Find the Needle: Security Analytics in Action

Your network is already compromised, but do you know how and by whom? Can you find them, remove them, and prevent them from getting back in again? In this presentation, we will examine actual attacks and indicators of compromise and show how, using some basic network flow pattern analysis, we can detect and prevent contemporary malware, advanced persistent threats (APTs), zero-day exploits and more. In addition, we will discuss how to feed this data into a security analytics program to create a new, broader perspective on the threats that your organization faces.

Over the past four years at National Instruments, we have been collecting tools to work cohesively as part of a larger security analytics platform. The goal of this presentation is to provide the attendee with the basic information that they need in order to build a security analytics program of their own. We will begin by talking about the problem of a lack of visibility within the enterprise environment. From there, we will talk about the traits that characterize a tool as being good for security analytics. Next, we will talk about the types of data that exist in the different tool sets and what types of questions they are good at answering. From there, we will talk about what it means to create patterns and analyze your data to find those specific patterns. Then, we will look at some specific analytics that are useful to run on a regular basis to find malware, misconfigured systems, APTs, and more. Lastly, we will talk about actionable (and even automated) next steps once we discover the patterns that we are looking for.

This talk will encourage audience participation by encouraging them to share what they are doing to perform security analytics and is appropriate for both novice and experienced security professionals.

  1. Security Analytics in Action
     Josh Sokol & Walter Johnson

  2. Josh Sokol
     - OWASP Foundation Global Board Member
     - Creator of SimpleRisk (simplerisk.org)
     - Information Security Program Owner, National Instruments
     Twitter: @joshsokol
     Blog: http://www.webadminblog.com

  3. Walter Johnson
     - Security Analyst, National Instruments
     - LASCON Graphics Guy
     - Likes long walks on the beach and candlelight dinners
     - Former Yakuza Assassin
     Twitter: @sirmodok

  4. Visibility (or lack thereof)
     - Am I under attack?
     - Which systems are they attacking?
     - What kind of attacks are they using?
     - Who is attacking me?
     - Were they successful?

  5. - We need to create an ecosystem of security tools that work together to answer these questions and more.
     - We need tools that are able to talk to each other in order to leverage siloed data for mutual gain.
     - We need a platform to enable the analysis of and reporting on threats in our environment in near real-time.
     We need Security Analytics!

  6. Firewall, IPS, NAC, Malware Analysis, Vulnerability Mgmt
     - Tools Working in Silos
     - Proprietary Protocols
     - "Greedy" Platforms
     - Duplication of Functionality

  7. - Open API
     - Open DB
     - Data Export

  8. - Events
     - Alerts
     - SNMP
     - Syslog

  9. Exploitation - Parasitism. The leech gains food and nutrients, but the host gains nothing from having a leech suck its blood.

  10. You can assemble an arsenal of best-in-breed tools that work together. Even smaller purchases can have a large impact.

  11. Question                                          Data
      Do I trust the source?                            Reputation Data
      How am I being attacked?                          Attack Data
      What attacks are my systems vulnerable to?        Vulnerability Data
      What versions of O/S and software am I running?   Asset Data
      Who is using my systems?                          Identity Data
      Who should have access to what?                   Data Classification
      Who do I trust and who trusts me?                 Trust Hierarchy
      Do I have access?                                 Authentication Data
      What can I access?                                Authorization Data
      What has been tested?                             QA Data
      Is data crossing between two trust levels?        Trust Boundaries

  12. - Common feature for modern routers and switches.
      - Provides a lot of data for a reasonable amount of storage.
      - Data can help make many security decisions easier.

  13. - "Security Flaws in Universal Plug and Play" whitepaper by HD Moore
      - Over 23 million IPs are vulnerable to remote code execution through a single UDP packet.
      - Affects Simple Service Discovery Protocol (SSDP), which runs on UDP/1900.
      Question: Are people actively scanning my network in order to exploit this flaw?

  14. - Source address is external to my network.
      - Destination address is on my network.
      - Connection uses UDP (protocol 17) on port 1900.

  15. - A pattern search of our NetFlow data over the past 24 hours returned 539 results in 1 minute and 38 seconds.

  16. - Source address is on my network.
      - Destination address is external to my network.
      - The destination IP is listed on the Malware Domain List.

  17. - Most of the pattern matches returned showed one MDL IP with multiple internal hosts connecting to it.
      - Then there was this…

  18. - Source address is on my network.
      - Destination address is external to my network.
      - Destination is associated with a malware event from one of our Malware Prevention appliances (scoped to 1 hr).

  19. - A pattern search of our NetFlow and MPS data over the past hour returned 134 results in 2 minutes and 4 seconds.

  20. - Create a list of unused IP addresses on your network.
      - Look for the internal systems making the most connections to those IPs.

  21. - Source address is on my network.
      - Destination address is external to my network.
      - Connection is UDP port 53.
      - Count the connections to destination IP addresses.

  22. - Source address is on my network.
      - Destination address is external to my network.
      - Sum up the number of bytes sent and get the top 25.

  23. - Source address is on my network.
      - Destination address is on my network.
      - Get the count of connections any IP makes to any other IP addresses.

  24. - Source address is specified at runtime.
      - Destination address is any IP.
      - Show all ports and bytes of data sent to each.

  25. - What is connecting to that IP address?
      - What is that IP address connecting to?
      - Do I have any alerts associated with that IP address?
      - Is there any significant amount of data loss from that system?

  26. - What is connecting to that IP address?

  27. Dewan Communications, Facebook

  28. - What is that IP address connecting to?

  29. AWS, hosted-by.ihc.ru, Feral Hosting?, softlayer.com, Dewan Communications

  30. - Do I have any alerts associated with that IP address?

  31. - Is there any significant amount of data loss from that system?

  32. https://code.google.com/p/collective-intelligence-framework/

  33. - Are there alerts associated with this host on my IPS or other monitoring devices? No.
      - WAFSEC reputation data…
      - McAfee Threat Intelligence data…
      - This looks like a false positive to me.

  34. - Should I accept packets from random IP X?
        - Reputation Data
        - Attack Data
        - Vulnerability Data
        - Asset Data
        - Trust Boundaries
      - Should I allow random person X to download a file Y?
        - Data Classification
        - Reputation Data
        - Authentication Data
        - Authorization Data
        - Trust Boundaries

  35. - Block an IP address with a Firewall or IPS system.
      - Create WAF rules based on attack data.
      - Ban a system from communicating on your network.
      - Require additional authentication.
      - Attack back? (Greg Hoglund, Founder and Former CEO of HBGary, from CNBC, "Companies Battle Cyberattacks Using 'Hack Back'", 6/4/2013)

  36. - Many companies suffer from a lack of visibility into critical security threats.
      - Security analytics allow us to see and react to threats.
      - Ideal tools are those with both provider and consumer capabilities.
      - Combining tool data together gives us the context that we can use to make informed decisions.
      - Network flow data is the "glue" that ties the events together and helps to illustrate the attack progression.

  37. Josh Sokol
      Twitter: @joshsokol
      Blog: http://www.webadminblog.com
      Walter Johnson
      Twitter: @sirmodok
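The flow patterns on slides 14, 16-17 and 22 (inbound SSDP probes, internal hosts reaching Malware Domain List IPs, top outbound talkers) as runnable searches over flow records. This is an added example, not code from the talk or from National Instruments; it assumes "my network" is 10.0.0.0/8, that a flow record carries source, destination, protocol number, destination port and byte count, and the sample flows and MDL entry are constructed with TEST-NET addresses.

```python
# Added example: NetFlow-style pattern searches from the slides over
# constructed flow records. Assumed internal range: 10.0.0.0/8.
from collections import Counter, defaultdict, namedtuple
from ipaddress import ip_address, ip_network

MY_NET = ip_network("10.0.0.0/8")  # assumption: "my network"
Flow = namedtuple("Flow", "src dst proto dport nbytes")  # proto 17 = UDP

def internal(ip):
    return ip_address(ip) in MY_NET

def ssdp_scans(flows):
    # Slide 14: external source, internal destination, UDP (17) on port 1900.
    return [f for f in flows if not internal(f.src) and internal(f.dst)
            and f.proto == 17 and f.dport == 1900]

def mdl_contacts(flows, mdl):
    # Slides 16-17: internal hosts reaching Malware Domain List IPs, grouped
    # per listed IP so one MDL IP with many internal hosts stands out.
    hits = defaultdict(set)
    for f in flows:
        if internal(f.src) and not internal(f.dst) and f.dst in mdl:
            hits[f.dst].add(f.src)
    return {dst: sorted(hosts) for dst, hosts in hits.items()}

def top_talkers(flows, n=25):
    # Slide 22: sum bytes sent from internal to external per source, top n.
    totals = Counter()
    for f in flows:
        if internal(f.src) and not internal(f.dst):
            totals[f.src] += f.nbytes
    return totals.most_common(n)

# Constructed sample flows (documentation/TEST-NET addresses, not real traffic).
SAMPLE = [
    Flow("203.0.113.9", "10.1.1.5", 17, 1900, 300),   # inbound SSDP probe
    Flow("203.0.113.9", "10.1.1.6", 17, 1900, 300),   # same scanner, 2nd host
    Flow("10.1.1.5", "198.51.100.7", 6, 80, 5000),    # to an MDL-listed IP
    Flow("10.1.1.8", "198.51.100.7", 6, 80, 7000),    # second host, same IP
    Flow("10.1.1.8", "192.0.2.53", 17, 53, 120),      # outbound DNS
    Flow("10.1.1.9", "10.1.1.10", 6, 445, 900),       # internal only: skipped
]
MDL = {"198.51.100.7"}  # constructed Malware Domain List entry
```

Running the three searches on SAMPLE yields two SSDP probe flows, one MDL IP contacted by two internal hosts, and 10.1.1.8 as the top outbound talker.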