This document summarizes research into security vulnerabilities in industrial robot controllers. The researchers analyzed the attack surface and potential robot-specific attacks against an industrial robot controller. They identified 5 robot-specific attacks, including control loop alteration, tampering with calibration parameters, and tampering with production logic. As a case study, the researchers analyzed vulnerabilities in a particular controller running Windows CE and were able to fully exploit it to demonstrate proof-of-concept attacks violating accuracy, safety, and integrity requirements. The document concludes that future challenges include securing collaborative robots and addressing vulnerabilities introduced by increased connectivity and programmability in Industry 4.0 trends.
This document discusses physical security considerations for protecting computing facilities and information assets. It covers key physical access controls like walls, fences, locks, ID badges, alarms and electronic monitoring. Critical environment factors are also addressed, such as fire safety and ensuring proper temperature, humidity and power. The roles of general management, IT and information security professionals in implementing physical security measures are defined. Maintaining secure computer rooms and wiring closets is emphasized, as logical access controls can be easily defeated without strong accompanying physical security.
This document discusses the design of security architecture and contingency planning. It covers spheres of security and levels of controls that make up a security framework. Defense in depth through multiple layers of controls is described. The importance of security education, training, and awareness programs is emphasized to reduce accidental breaches and build security knowledge. Contingency plans like incident response, disaster recovery, and business continuity plans aim to restore operations during and after incidents. The contingency planning process involves impact analysis, preventive controls, recovery strategies, plan development, testing and more.
This document discusses intrusion detection and prevention systems (IDPS). It defines the key concepts of intrusion detection, prevention, reaction, and correction. There are two main types of IDPS: network-based systems which monitor network traffic for attacks, and host-based systems which monitor activity on individual hosts. The document outlines the advantages and disadvantages of both approaches. It also describes different models of network-based IDPS including wireless and network behavior analysis systems.
This document discusses intrusion detection and prevention systems (IDPS), honeypots, and security scanning and analysis tools. It describes how IDPS effectiveness is measured, different types of IDPS, and how honeypots, honeynets, and padded cell systems work. Finally, it outlines various scanning and analysis tools like port scanners, firewall analyzers, OS detectors, vulnerability scanners, packet sniffers, and wireless security tools that can be used both by attackers and defenders.
Ise viii-information and network security [10 is835]-solution (Vivek Maurya)
This document contains the question paper solution from VTU for the course Information and Network Security 10IS835. It discusses various topics in system security policies, including:
- How managerial guidelines and technical specifications can be used in system-specific security policies.
- Who is responsible for policy management and how policies are managed.
- The different approaches for creating and managing issue-specific security policies.
- The major steps and components of contingency planning, including the business impact analysis.
- Pipkin's three categories of incident indicators and the ISO/IEC 27000-series standards for information security management.
- The importance of incident response planning and testing security response plans.
- The
The document discusses recovering from a malware attack that has affected an organization's IT and OT networks. It outlines key aspects of recovery including recovery planning, communications, and technical functionality restoration. Recovery planning requires having a detailed plan for various scenarios. Communications involve informing internal stakeholders, customers, and media. Technical recovery prioritizes restoration of critical systems and services while ensuring the threat is addressed. The recovery process is complex and requires coordination across teams.
The document discusses principles of information security including legal, ethical and professional issues. It covers major national laws affecting information security practice, deterring unethical behavior, codes of ethics from professional organizations like ACM, (ISC)2, SANS, ISACA and ISSA. It also discusses key US federal agencies that deal with cybersecurity and their roles, including DHS, Secret Service, FBI and NSA.
The document discusses the implementation phase of a security project life cycle. It explains that an organization's security blueprint must be translated into a detailed project plan that addresses leadership, budget, timelines, staffing needs, and organizational considerations. An effective project plan uses a work breakdown structure and considers financial, priority, scheduling, procurement, and change management factors. The project manager plays a key role in planning, supervising, and wrapping up the project successfully.
The document provides an overview of presentations for chapters in a security guidebook. It states that the presentations cover the chapter objectives and list all objectives at the beginning. The presentations can be customized for class needs and include some figures from the chapters. It then provides an excerpt from Chapter 1 which discusses the challenges of securing information, defines key security concepts, and identifies common types of attackers and basic steps of an attack. It also outlines the five principles of defense: layering, limiting access, diversity, obscurity, and simplicity.
Information Security Aspects of the Public Safety Data Interoperability Network (Blaz Ivanc)
Major security incidents require cross-border cooperation with the national security authorities and other public safety agencies. The purpose of the REDIRNET (Emergency Responder Data Interoperability Network) consortium was to provide true Europe-wide interoperability that does not depend on a specific technology or proprietary system. In a technical sense, REDIRNET provides a communication solution for the exchange and sharing of information via voice, data, images, video, CCTV and remote sensors. In order to develop such capacity, it is necessary to ensure adequate security of the system and data protection.
The document summarizes the key topics from a presentation on understanding technology stakeholders' progress and challenges with cyber security. It discusses the historical context of internet development and the increasing cyber threats facing both private industry and national security. It outlines recommendations from a cyber security commission to establish comprehensive strategies through public-private partnerships and supply chain risk management. Longer-term, it calls for redesigning the internet and fundamentally changing the software industry model to prioritize reliability and security over creativity in order to better protect critical infrastructure and the economy.
All about Cyber Security - From the perspective of a MS student (Apurv Singh Gautam)
This seminar was delivered for Cyber Security certification students of Symbiosis Institute of Technology. It covers why cybersecurity is important, how to make your profile stronger for an MS, how to stand out from the crowd by doing projects, etc.
Enabling effective hunt teaming and incident response (jeffmcjunkin)
This document provides an overview of enabling effective hunt teaming and incident response with limited resources. It defines hunt teaming as proactively assuming compromise, finding compromised hosts, determining how they were compromised through forensics, and implementing preventative and detective controls. Incident response is defined as reactively noticing an incident, stopping any active threats, and learning from the incident to implement improved controls. The document discusses how most attacks actually occur based on data from breaches, and provides examples of low-cost tools and techniques that can be used for persistence and program execution tracking, centralized logging, and data exfiltration detection.
Modern SOCs face expanding attack surfaces, security talent shortages, and too many alerts from numerous tools. A modern SOC organizes teams by skills rather than levels, structures processes around threats instead of alerts, performs threat hunting, uses multiple visibility tools including logs and network data, and automates tasks through SOAR. It consumes and creates threat intelligence, uses third-party services judiciously, and does not treat incidents as rare or center itself around a single tool like a SIEM. The recommendations are to handle alerts while recognizing that this is not the entire role, to have analysts and engineers collaborate, to hire for skills over levels, to automate routines, and to keep fuzzy tasks for humans while using third parties for some tasks.
The extent and impact of recent security breaches is showing that current security approaches are just not working. But what can we do to protect our business? We have been advocating monitoring for a long time as a way to detect subtle, advanced attacks that are still making it through our defenses. However, products have failed to deliver on this promise.
Current solutions don't scale in both data volume and analytical insights. In this presentation we will explore what security monitoring is. Specifically, we are going to explore the question of how to visualize a billion log records. A number of security visualization examples will illustrate some of the challenges with big data visualization. They will also help illustrate how data mining and user experience design help us get a handle on the security visualization challenges - enabling us to gain deep insight for a number of security use-cases.
All Hope is Not Lost: Network Forensics Exposes Today's Advanced Security Thr... (Savvius, Inc)
Do you think it requires an advanced degree to initiate an advanced security attack? Think again. Tool kits are readily available for immediate download that guide those with even just basic computer skills through the steps to initiate complex network attacks. But all hope is not lost. One of the best defenses is readily available in the market today – network recorders with network forensics – and when combined with the appropriate visibility fabric architecture, these solutions defend against attacks on even the fastest networks available today.
Join WildPackets and Gigamon as we explore the current state of network attacks, network vulnerabilities, and the solutions available to combat the most aggressive, and the most subtle, attacks.
Network monitoring and SIEM solutions are critical for cybersecurity. Network monitoring provides administrators real-time visibility into network performance and health. It helps identify issues early, optimize efficiency, and detect security threats faster. SIEM solutions take this further by collecting and analyzing log data from all digital assets in one place. This gives insights to investigate suspicious activity and strengthen security. Key SIEM tools include Splunk, IBM QRadar, and LogRhythm, each with its own pros and cons for threat detection, response, and management capabilities.
Enterprise Security Monitoring, And Log Management (Boni Yeamin)
In today's presentation, we'll explore Security Onion, a powerful open-source platform designed to fortify your network security. Security Onion, much like its namesake vegetable, peels back the layers of your network traffic, enabling you to identify and address potential threats. We'll delve into its functionalities, core components, and the advantages it brings to your cybersecurity posture.
Network security monitoring with open source tools (terriert)
The document discusses implementing network security monitoring using open source tools. It begins with an introduction to network security monitoring (NSM) and its goal of collecting and analyzing different types of network data to detect and respond to intrusions. It then discusses recommended platforms and operating systems for NSM, such as various free/open BSD systems. Next, it covers ways to capture network traffic, including using hubs, taps, inline devices, or SPAN ports. It proceeds to describe the four types of data collected in NSM - full content, session, event, and statistical data. For each, it provides examples of open source tools and compares them to commercial options. Finally, it discusses the open source tool Sguil, which implements
This document provides an overview of network security for a course, including discussing cryptography algorithms and protocols, network security applications and tools, system security issues, and standards for internet security. The course will cover topics such as encryption, digital signatures, key exchange, and network security protocols and applications. Students will complete homework assignments, projects implementing cryptography and a secure messaging system, and exams.
Security Analytics for Data Discovery - Closing the SIEM Gap (Eric Johansen, CISSP)
This document discusses security analytics and hunting maturity. It defines hunting as a proactive approach to identifying incidents by actively looking for patterns, intelligence or hunches, rather than waiting for notifications. It describes the "SIEM gap" where SIEM tools are designed for known threats and lack the tools and flexibility for human analysis and hunting of unknown threats. It outlines techniques used in security analytics like event clustering, association analysis, and visualization to help analyze large datasets and discover unknown threats. The document argues security analytics provides the data access, analysis techniques and workflows to help close the SIEM gap and improve an organization's hunting maturity over time.
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM (Jim Gilsinn)
This document discusses network reliability monitoring as a complement to network security monitoring (NSM) and security information and event management (SIEM) for industrial control systems. It notes that while NSM works well for monitoring traffic crossing between zones in ICS networks, it is less effective in lower level zones where most traffic remains internal. Network reliability monitoring provides an alternative by developing profiles of normal network traffic and scanning for deviations that could indicate issues. While complex algorithms are not needed, it requires strong protocol knowledge and root cause analysis can be difficult. Examples are given showing network reliability metrics and how man-in-the-middle attacks did not significantly impact traffic.
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends (Anton Chuvakin)
Dr. Anton Chuvakin discusses how security operations centers (SOCs) have evolved and modernized. He outlines three forces driving the need for modern SOCs: expanding attack surfaces, security talent shortages, and an overload of alerts. Key aspects of a modern SOC include organizing teams by skills rather than levels, structuring processes around threats instead of alerts, conducting threat hunting, using multiple data sources for visibility beyond just logs, and leveraging automation and third-party services. Modern SOCs also focus on detection engineering through content versioning, quality assurance of detections, reuse of detection content, and metrics to improve coverage. Chuvakin recommends that SOCs handle alerts but not focus solely on them, automate routines to free
John Walker gave a presentation at the Global APT Defense Summit in New York on responding to and surviving malware activity and network attacks. He discussed 11 key points for an effective security incident response, including indicating anomalies, using cyber intelligence to discover unknown threats, acquiring forensic artifacts, making timely decisions to mitigate impacts, following standards and guidelines, clear communications, maintaining tools and training, dealing with external stakeholders, conducting a post-incident review, and learning lessons. The presentation emphasized the importance of an evolved security operations capability and cross-team coordination to effectively engage security incidents.
The tops for collecting network based evidence you think that your.pdf (noelbuddy)
The tops for collecting network based evidence:
You think that your organization's system has been attacked, or maybe an insider is emailing your organization's trade secrets to a friend at a rival corporation. What should you do? The single most helpful network-based incident response activity is to deploy computer systems that do nothing but intercept or collect network communications. Capturing network communications is a critical and necessary step when investigating alleged crimes or abuses.

In this chapter, we will demonstrate how to capture network traffic the ugly and bare-metal way, with software such as tcpdump and WinDump. We will discuss how to assemble a robust, secure network-monitoring system and conduct full-content monitoring of network traffic. Catching the traffic is only a portion of the work; extracting meaningful results is the other challenge. After you have collected the raw data that composes your network-based evidence, you must analyze that data. The analysis of network-based evidence includes reconstructing the network activity, performing low-level protocol analysis, and interpreting the network activity. We will introduce the tools that you can use to analyze the data.

If a law enforcement officer suspects an individual of a crime such as minor drug dealing, the suspect is usually placed under surveillance to confirm suspicions, accumulate evidence, and identify co-conspirators. The same approach works with suspected crimes against computer networks. Network monitoring is not intended to prevent attacks. Instead, it allows investigators to accomplish a number of tasks.

Network monitoring can include several different types of data collection: event monitoring, trap-and-trace monitoring, and full-content monitoring. When responding to computer security incidents, you will likely rely on collecting full-content data with tools such as tcpdump. However, there may be occasions when you will intercept solely the transactional data with a trap-and-trace.

Event monitoring is based on rules or thresholds employed on the network-monitoring platform. Events are simply alerts that something occurred on your network. Traditional events are generated by a network IDS, but events can also be created by network health monitoring software like MRTG (Multi Router Traffic Grapher) or NTOP.

Noncontent monitoring records the session or transaction data summarizing the network activity. Law enforcement refers to such noncontent monitoring as a pen register or a trap-and-trace. It typically includes the protocol, IP addresses, and ports used by a network communication. Additional data may include flags seen during the conversation (if TCP is used), counts of bytes of information sent by each side, and counts of packets sent by each side. Session data does not care about the content of a conversation. Here is a sample of session data, generated by tcptrace.

Full-content monitoring yields data that includes the raw packets collected fr.
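The tcptrace sample the chapter refers to is not reproduced on this page. As an added illustration that is not part of the original chapter, the following Python script builds a small pcap from constructed packets (the addresses, ports, timestamps and payload sizes are made up) and reduces it to exactly the kind of noncontent record described above: protocol, endpoints, TCP flags seen, and per-side packet and byte counts. It then layers one threshold rule on top of those records, which is the event-monitoring idea from the same passage. It uses only the Python standard library, so it runs offline, and every function name in it is this example's own rather than anything from tcpdump or tcptrace.

```python
import struct

# Added example (not from the original chapter). Sample traffic below is
# constructed: addresses, ports, timestamps and payload sizes are made up.
PCAP_MAGIC = 0xA1B2C3D4                 # little-endian, microsecond-resolution pcap
LINKTYPE_ETHERNET = 1
FLAG_BITS = (("S", 0x02), ("A", 0x10), ("P", 0x08), ("F", 0x01), ("R", 0x04))

def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_tcp_frame(src, sport, dst, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame; checksums are left zero, which the parser ignores."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames, t0=1700000000):
    """Wrap frames in a classic pcap byte stream, timestamps one second apart."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)

def sample_pcap():
    """Two constructed TCP conversations from one internal host."""
    a, b, c = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    return build_pcap([
        build_tcp_frame(a, 40000, b, 443, 0x02),                # SYN
        build_tcp_frame(b, 443, a, 40000, 0x12),                # SYN/ACK
        build_tcp_frame(a, 40000, b, 443, 0x10),                # ACK
        build_tcp_frame(a, 40000, b, 443, 0x18, b"x" * 1200),   # PSH/ACK, client sends data
        build_tcp_frame(b, 443, a, 40000, 0x18, b"y" * 300),    # PSH/ACK, server replies
        build_tcp_frame(a, 40000, b, 443, 0x11),                # FIN/ACK
        build_tcp_frame(a, 40001, c, 22, 0x02),                 # SYN to a closed port
        build_tcp_frame(c, 22, a, 40001, 0x14),                 # RST/ACK
    ])

def iter_pcap(data):
    """Yield (ts_sec, frame) for each record of a classic little-endian pcap."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def session_table(pcap_bytes):
    """Reduce full-content packets to per-conversation noncontent records.
    Key is (src, sport, dst, dport) of the first packet seen; side "a" is that
    initiator and side "b" the responder."""
    sessions = {}
    for ts, frame in iter_pcap(pcap_bytes):
        if frame[12:14] != b"\x08\x00":
            continue                                    # not IPv4
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue                                    # TCP only in this example
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]                         # drops any Ethernet padding
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_len = len(tcp) - (tcp[12] >> 4) * 4        # application payload only
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key, side = (rev, "b") if rev in sessions else (fwd, "a")
        s = sessions.setdefault(key, {"proto": "tcp", "first": ts, "last": ts, "flags": set(),
                                      "a_pkts": 0, "a_bytes": 0, "b_pkts": 0, "b_bytes": 0})
        s["last"] = ts
        s[side + "_pkts"] += 1
        s[side + "_bytes"] += data_len
        s["flags"].update(name for name, bit in FLAG_BITS if tcp[13] & bit)
    return sessions

def flag_string(flags):
    return "".join(name for name, _ in FLAG_BITS if name in flags)

def format_sessions(sessions):
    """One summary line per conversation, in the spirit of tcptrace's output."""
    return [f"{s['proto']} {k[0]}:{k[1]} -> {k[2]}:{k[3]} flags={flag_string(s['flags'])} "
            f"pkts={s['a_pkts']}/{s['b_pkts']} bytes={s['a_bytes']}/{s['b_bytes']} "
            f"dur={s['last'] - s['first']}s" for k, s in sessions.items()]

def threshold_events(sessions, max_out_bytes):
    """Event monitoring layered on session data: flag large initiator-to-responder transfers."""
    return [f"{k[0]}:{k[1]} sent {s['a_bytes']} bytes to {k[2]}:{k[3]} (> {max_out_bytes})"
            for k, s in sessions.items() if s["a_bytes"] > max_out_bytes]

if __name__ == "__main__":
    table = session_table(sample_pcap())
    print("\n".join(format_sessions(table) + threshold_events(table, 1000)))
```

Run it directly and it prints one summary line per conversation plus any threshold event. Byte counts are application payload only, per side, so a SYN/RST exchange shows as two packets and zero bytes. To point it at real evidence, pass `session_table` the bytes of a capture written by tcpdump with the Ethernet link type; the magic-number check is deliberate, because big-endian or nanosecond-resolution captures have a different header and should fail loudly rather than be misparsed. The full-content capture remains the evidence of record; this script only shows what is kept, and what is thrown away, when an investigator works from session data alone.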
The document discusses principles of information security including legal, ethical and professional issues. It covers major national laws affecting information security practice, deterring unethical behavior, codes of ethics from professional organizations like ACM, (ISC)2, SANS, ISACA and ISSA. It also discusses key US federal agencies that deal with cybersecurity and their roles, including DHS, Secret Service, FBI and NSA.
The document discusses the implementation phase of a security project life cycle. It explains that an organization's security blueprint must be translated into a detailed project plan that addresses leadership, budget, timelines, staffing needs, and organizational considerations. An effective project plan uses a work breakdown structure and considers financial, priority, scheduling, procurement, and change management factors. The project manager plays a key role in planning, supervising, and wrapping up the project successfully.
The document provides an overview of presentations for chapters in a security guidebook. It states that the presentations cover the chapter objectives and list all objectives at the beginning. The presentations can be customized for class needs and include some figures from the chapters. It then provides an excerpt from Chapter 1 which discusses the challenges of securing information, defines key security concepts, and identifies common types of attackers and basic steps of an attack. It also outlines the five principles of defense: layering, limiting access, diversity, obscurity, and simplicity.
Information Security Aspects of the Public Safety Data Interoperability NetworkBlaz Ivanc
Major security incidents require cross-border cooperation with the national security authorities and other public safety agencies. The purpose of the REDIRNET (Emergency Responder Data Interoperability Network) consortium was to provide a true Europe-wide interoperability that is non-reliant on specific technology or proprietorial system. In a technical sense, the REDIRNET provides a communication solution for the exchange and sharing of information via voice, data, images, video, CCTV and remote sensors. In order to develop such capacity, it is necessary to ensure adequate security of the system and data protection.
The document summarizes the key topics from a presentation on understanding technology stakeholders' progress and challenges with cyber security. It discusses the historical context of internet development and the increasing cyber threats facing both private industry and national security. It outlines recommendations from a cyber security commission to establish comprehensive strategies through public-private partnerships and supply chain risk management. Longer-term, it calls for redesigning the internet and fundamentally changing the software industry model to prioritize reliability and security over creativity in order to better protect critical infrastructure and the economy.
All about Cyber Security - From the perspective of a MS studentApurv Singh Gautam
This seminar was delivered for Cyber Security certification students of Symbiosis Insitute of Technology. This includes why cybersecurity is important, how to make your profile stronger for MS, howto stand out from the crowd by doing rpojects, etc.
Enabling effective hunt teaming and incident responsejeffmcjunkin
This document provides an overview of enabling effective hunt teaming and incident response with limited resources. It defines hunt teaming as proactively assuming compromise, finding compromised hosts, determining how they were compromised through forensics, and implementing preventative and detective controls. Incident response is defined as reactively noticing an incident, stopping any active threats, and learning from the incident to implement improved controls. The document discusses how most attacks actually occur based on data from breaches, and provides examples of low-cost tools and techniques that can be used for persistence and program execution tracking, centralized logging, and data exfiltration detection.
Modern SOCs face expanding attack surfaces, security talent shortages, and too many alerts from numerous tools. A modern SOC organizes teams by skills rather than levels, structures processes around threats instead of alerts, performs threat hunting, uses multiple visibility tools including logs and network data, and automates tasks through SOAR. It consumes and creates threat intelligence, elegantly uses third-party services, and does not treat incidents as rare or center itself around a single tool like a SIEM. A modern SOC recommends handling alerts but recognizing that is not the entire role, making analysts and engineers collaborate, hiring skills over levels, automating routines, and keeping fuzzy tasks for humans while using third parties for some tasks.
The extent and impact of recent security breaches is showing that current security approaches are just not working. But what can we do to protect our business? We have been advocating monitoring for a long time as a way to detect subtle, advanced attacks that are still making it through our defenses. However, products have failed to deliver on this promise.
Current solutions don't scale in both data volume and analytical insights. In this presentation we will explore what security monitoring is. Specifically, we are going to explore the question of how to visualize a billion log records. A number of security visualization examples will illustrate some of the challenges with big data visualization. They will also help illustrate how data mining and user experience design help us get a handle on the security visualization challenges - enabling us to gain deep insight for a number of security use-cases.
All Hope is Not LostNetwork Forensics Exposes Today's Advanced Security Thr...Savvius, Inc
Do you think it requires an advanced degree to initiate an advanced security attack? Think again. Tool kits are readily available for immediate download that guide those with even just basic computer skills through the steps to initiate complex network attacks. But all hope is not lost. One of the best defenses is readily available in the market today – network recorders with network forensics – and when combined with the appropriate visibility fabric architecture, these solutions defend against attacks on even the fastest networks available today.
Join WildPackets and Gigamon as we explore the current state of network attacks, network vulnerabilities, and the solutions available to combat the most aggressive, and the most subtle, attacks.
Network monitoring and SIEM solutions are critical for cybersecurity. Network monitoring provides administrators real-time visibility into network performance and health. It helps identify issues early, optimize efficiency, and detect security threats faster. SIEM solutions take this further by collecting and analyzing log data from all digital assets in one place. This gives insights to investigate suspicious activity and strengthen security. Key SIEM tools include Splunk, IBM QRadar, and LogRhythm, with each having their own pros and cons for threat detection, response, and management capabilities.
Enterprise Security Monitoring, and Log Management (Boni Yeamin)
In today's presentation, we'll explore Security Onion, a powerful open-source platform designed to fortify your network security. Security Onion, much like its namesake vegetable, peels back the layers of your network traffic, enabling you to identify and address potential threats. We'll delve into its functionalities, core components, and the advantages it brings to your cybersecurity posture.
Network security monitoring with open source tools (terriert)
The document discusses implementing network security monitoring using open source tools. It begins with an introduction to network security monitoring (NSM) and its goal of collecting and analyzing different types of network data to detect and respond to intrusions. It then discusses recommended platforms and operating systems for NSM, such as various free/open BSD systems. Next, it covers ways to capture network traffic, including using hubs, taps, inline devices, or SPAN ports. It proceeds to describe the four types of data collected in NSM - full content, session, event, and statistical data. For each, it provides examples of open source tools and compares them to commercial options. Finally, it discusses the open source tool Sguil, which implements
This document provides an overview of network security for a course, including discussing cryptography algorithms and protocols, network security applications and tools, system security issues, and standards for internet security. The course will cover topics such as encryption, digital signatures, key exchange, and network security protocols and applications. Students will complete homework assignments, projects implementing cryptography and a secure messaging system, and exams.
Security Analytics for Data Discovery - Closing the SIEM Gap (Eric Johansen, CISSP)
This document discusses security analytics and hunting maturity. It defines hunting as a proactive approach to identifying incidents by actively looking for patterns, intelligence or hunches, rather than waiting for notifications. It describes the "SIEM gap" where SIEM tools are designed for known threats and lack the tools and flexibility for human analysis and hunting of unknown threats. It outlines techniques used in security analytics like event clustering, association analysis, and visualization to help analyze large datasets and discover unknown threats. The document argues security analytics provides the data access, analysis techniques and workflows to help close the SIEM gap and improve an organization's hunting maturity over time.
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM (Jim Gilsinn)
This document discusses network reliability monitoring as a complement to network security monitoring (NSM) and security information and event management (SIEM) for industrial control systems. It notes that while NSM works well for monitoring traffic crossing between zones in ICS networks, it is less effective in lower level zones where most traffic remains internal. Network reliability monitoring provides an alternative by developing profiles of normal network traffic and scanning for deviations that could indicate issues. While complex algorithms are not needed, it requires strong protocol knowledge and root cause analysis can be difficult. Examples are given showing network reliability metrics and how man-in-the-middle attacks did not significantly impact traffic.
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends (Anton Chuvakin)
Dr. Anton Chuvakin discusses how security operations centers (SOCs) have evolved and modernized. He outlines three forces driving the need for modern SOCs: expanding attack surfaces, security talent shortages, and an overload of alerts. Key aspects of a modern SOC include organizing teams by skills rather than levels, structuring processes around threats instead of alerts, conducting threat hunting, using multiple data sources for visibility beyond just logs, and leveraging automation and third-party services. Modern SOCs also focus on detection engineering through content versioning, quality assurance of detections, reuse of detection content, and metrics to improve coverage. Chuvakin recommends that SOCs handle alerts but not focus solely on them, automate routines to free
John Walker gave a presentation at the Global APT Defense Summit in New York on responding to and surviving malware activity and network attacks. He discussed 11 key points for an effective security incident response, including indicating anomalies, using cyber intelligence to discover unknown threats, acquiring forensic artifacts, making timely decisions to mitigate impacts, following standards and guidelines, clear communications, maintaining tools and training, dealing with external stakeholders, conducting a post-incident review, and learning lessons. The presentation emphasized the importance of an evolved security operations capability and cross-team coordination to effectively engage security incidents.
The tops for collecting network based evidenceyou think that your.pdf (noelbuddy)
The tops for collecting network based evidence:
You think that your organization's system has been attacked, or maybe an insider is emailing your organization's trade secrets to a friend at a rival corporation. What should you do? The single most helpful network-based incident response activity is to deploy computer systems that do nothing but intercept or collect network communications. Capturing network communications is a critical and necessary step when investigating alleged crimes or abuses.
In this chapter, we will demonstrate how to capture network traffic the ugly and bare-metal way, with software such as tcpdump and WinDump. We will discuss how to assemble a robust, secure, network-monitoring system and conduct full-content monitoring of network traffic.
Catching the traffic is only a portion of the work; extracting meaningful results is the other challenge. After you have collected the raw data that composes your network-based evidence, you must analyze that data. The analysis of network-based evidence includes reconstructing the network activity, performing low-level protocol analysis, and interpreting the network activity. We will introduce the tools that you can use to analyze the data.
If a law enforcement officer suspects an individual of a crime such as minor drug dealing, the suspect is usually placed under surveillance to confirm suspicions, accumulate evidence, and identify co-conspirators. The same approach works with suspected crimes against computer networks. Network monitoring is not intended to prevent attacks. Instead, it allows investigators to accomplish a number of tasks.
Network monitoring can include several different types of data collection: event monitoring, trap-and-trace monitoring, and full-content monitoring. When responding to computer security incidents, you will likely rely on collecting full-content data with tools such as tcpdump. However, there may be occasions when you will intercept solely the transactional data with a trap-and-trace. Event monitoring is based on rules or thresholds employed on the network-monitoring platform. Events are simply alerts that something occurred on your network. Traditional events are generated by a network IDS, but events can also be created by network health monitoring software like MRTG (Multi Router Traffic Grapher) or NTOP.
Noncontent monitoring records the session or transaction data summarizing the network activity. Law enforcement refers to such noncontent monitoring as a pen register or a trap-and-trace. It typically includes the protocol, IP addresses, and ports used by a network communication. Additional data may include flags seen during the conversation (if TCP is used), counts of bytes of information sent by each side, and counts of packets sent by each side.
Session data does not care about the content of a conversation. Here is a sample of session data, generated by tcptrace.
Full-content monitoring yields data that includes the raw packets collected fr.
Security Onion includes best-of-breed free and open tools including Suricata, Zeek, Wazuh, the Elastic Stack and many others. We created and maintain Security
Enterprise Security and User Behavior Analytics (Splunk)
Splunk Enterprise Security 4.5 provides security information and event management (SIEM) and a security intelligence platform. It includes features like adaptive response to extend analytics-driven decisions and automation, and glass tables to enhance visual analytics. Glass tables allow security teams to create custom visualizations that reflect their workflows and gain visibility across their security ecosystem. The update also includes improvements to detection, investigation, and response times through automation and correlation searches.
Splunk for Enterprise Security featuring User Behavior Analytics (Splunk)
This session will review Splunk’s two premium solutions - Splunk Enterprise Security (ES) is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams.
This talk by Stefan Streichsbier, Co-Founder of GuardRails.io, provides a brief history of how development, operations and security testing have become highly complex. It continues to outline the key problems with traditional security solutions and why in 2020 companies around the world are still figuring out a good way to manage security as part of rapid development cycles. Specifically, the big challenge of introducing and fixing new security issues versus tackling the existing security debt of existing applications.
To quote Bishop Desmond Tutu, “There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in.”
After setting the stage, the remainder of the talk will focus on the paradigm shift that security solutions have to incorporate in order to solve the problem of sustainably secure applications on all layers. This will explore how the elements of Speed, Just in time training, and Data science have to be leveraged to empower development teams around the globe to get ahead for once and finally become able to move fast and be safe at the same time.
The 3 core takeaways for the audience are:
1.) Where security practices have gone wrong so far.
2.) What new technologies will cause a paradigm shift in how security is applied at scale.
3.) What security will look like in 5-10 years.
Big Data Analytics to Enhance Security คุณอนพัทย์ พิพัฒน์กิติบดี Technical Ma... (BAINIDA)
This document discusses using big data analytics to enhance security. It begins by defining big data analytics and describing security trends like the evolution from intrusion detection systems to security information and event management (SIEM) to next-generation SIEM using big data analytics. An example of an advanced persistent threat is provided. The document then discusses integrating security analytics with open source tools like SQRRL and Prelert. Finally, it covers how to apply these concepts by determining what security-related data can be collected and two options for implementing big data analytics in a security program.
Similar to Network Security Monitoring - Theory and Practice (20)
This document discusses techniques that malware authors use to frustrate malware analysts, including inserting breakpoints, manipulating timing functions, exploiting Windows internals like debug flags and objects, anti-dumping methods, VM detection, and debugger-specific tricks. The author also announces a public malware repository and API called VXCage for sharing samples.
Indicators of compromise: From malware analysis to eradication (Michael Boman)
This document discusses detecting and analyzing indicators of compromise from a malware infection. It describes collecting data from firewalls, IDS/IPS, proxies, DNS logs, and system logs to detect suspicious activity. Once a potential malware sample is acquired, static and dynamic analysis techniques are used to analyze its behavior and identify indicators that can be used to detect infected machines, like created files, registry keys, and network traffic. These indicators are expressed using tools like Yara rules and Snort signatures to enable detection of the compromise across an environment.
44CON 2014: Using hadoop for malware, network, forensics and log analysis (Michael Boman)
The number of new malware samples is over a hundred thousand a day, network speeds are measured in multiples of ten gigabits per second, computer systems have terabytes of storage and the log files are just piling up. By using Hadoop you can tackle these problems in a whole different way, and “Too Much Data to Process” will be a thing of the past.
DEEPSEC 2013: Malware Datamining And Attribution (Michael Boman)
Greg Hoglund explained at BlackHat 2010 that the development environments that malware authors use leave traces in the code which can be used to attribute malware to an individual or a group of individuals: not with the precision of name, date of birth and address, but with evidence that an arrested suspect's computer can be analysed and compared with the "tool marks" on the collected malware sample.
44CON 2013 - Controlling a PC using Arduino (Michael Boman)
Slides from the workshop "Controlling a PC using Arduino" conducted at 44CON 2013 in London. It goes through the hardware and software used to remotely control a PC (power/reset). Future developments will include telnet/RS-232 support and environment variables.
Malware Analysis on a Shoestring Budget (Michael Boman)
How can you build an infrastructure using mainly free and open source software to analyze potentially malicious code? How can you leverage free public services together with in-house systems to compete against expensive commercial solutions whose price makes them cost-prohibitive for many researchers?
Malware analysis as a hobby (Owasp Göteborg) (Michael Boman)
This document discusses Michael Boman's hobby of analyzing malware samples. It describes how he initially analyzed samples manually in a virtual environment but found it time consuming. He then created the Malware Analysis Research Toolkit (MART) project to automate the process. MART uses tools like Cuckoo Sandbox to analyze samples in virtual machines. It also includes components for sample acquisition, analysis, reporting, and data mining. The document discusses challenges with virtual machine analysis and ways to iterate the automation, such as doing brief static analysis on samples. It provides an overview of the hardware used in Boman's malware lab and discusses next steps for the project.
The document notes that manually analyzing malware can be time consuming and boring. MART was created to automate parts of the process such as sample acquisition, analysis using tools like Cuckoo Sandbox, and reporting. This reduces the time spent by malware analysts and allows them to focus on more complex samples. The system also aims to address limitations of virtual machine-based analysis by integrating additional techniques. Overall, MART streamlines malware analysis as a hobby while cutting costs compared to paying for commercial solutions.
Malware analysis as a hobby - the short story (lightning talk) (Michael Boman)
Michael Boman created the Malware Analyst Research Toolkit (MART) project to automate malware analysis as a hobby. MART uses public and private malware collections, Cuckoo Sandbox for analysis, and VirusTotal for additional results. It stores findings in MongoDB and provides a GUI for analysts. The initial investment was around €1,320 for a computer and license, but ongoing costs after the first year are only around €590 as the system automates most of the workflow. Future goals include expanding automated analysis to additional platforms like Android, OSX, and iOS.
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W... (Michael Boman)
This short workshop will teach attendees how to easily and quickly find vulnerabilities in Windows applications by using some easy-to-use tools. I will detail step by step some simple techniques that can be used by experts and non-experts. While the techniques are simple, the results can be great. Learning these easy and fast techniques will allow attendees to do quick audits on Windows applications to determine how secure they are. I will show how to spot vulnerabilities with just a couple of clicks or with very simple and short debugging sessions. The techniques I will be showing are the same that allowed me to find dozens of vulnerabilities in Windows applications; I'm sure that after the workshop attendees will be able to do the same.
OWASP AppSec Research 2010 - The State of SSL in the World (Michael Boman)
The document discusses the results of a large scale scan of HTTPS servers to analyze SSL/TLS configuration trends. Over 500,000 servers were scanned, including the Alexa Top 10,000 and Fortune 500 domains. Key findings included that Fortune 500 domains were more likely to enable HTTPS and use secure configurations compared to popular domains. Factors like industry sector did not strongly correlate with security level, but domains providing internet-facing services tended to use HTTPS more securely. Further investigation of the Swedish market was planned.
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08 (Michael Boman)
This document summarizes threats to privacy when using wireless networks and provides technical solutions for keeping private data secure. It discusses attacks like data interception and man-in-the-middle attacks that can be used by individuals, corporations, and governments. The document recommends using SSL-enabled websites, VPN tunnels, and TOR networks to protect data and privacy. It also suggests using personal firewalls, antivirus software, and anti-spyware programs.
This document discusses threats to privacy when using wireless networks, such as data interception and man-in-the-middle attacks. It recommends using SSL-enabled websites, VPN tunnels, and TOR networks to protect private data from individuals, corporations, and governments. Basic protections like personal firewalls, antivirus software, and anti-spyware are also advised. The presentation covers technical solutions for keeping wireless data private and maintaining anonymity online.
This document provides an introduction to Linux security. It covers turning off unnecessary servers and services, limiting access to needed servers using IPTables, updating the system regularly, and reading Linux log files. The document recommends keeping daemons and services disabled or bound to localhost when possible, using tools like netstat, IPTables, and log checking utilities to monitor open ports and system activity. It concludes with a question and answer section and recommends additional security resources.
Monitoring and Managing Anomaly Detection on OpenShift.pdf (Tosin Akinosho)
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors (DianaGray10)
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
• Creating a compelling user experience for any software, without the limitations of APIs.
• Accelerating the app creation process, saving time and effort.
• Enjoying high-performance CRUD (create, read, update, delete) operations, for seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
Fueling AI with Great Data with Airbyte Webinar (Zilliz)
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Introduction of Cybersecurity with OSS at Code Europe 2024 (Hiroshi SHIBATA)
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Discover top-tier mobile app development services, offering innovative solutions for iOS and Android. Enhance your business with custom, user-friendly mobile applications.
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an... (Jason Yip)
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and the licenses under the CCB and CCX model have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer, you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new type of licensing works and what benefits it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that and want to help you with it!
We explain how to resolve common configuration problems that can cause more users to be counted than necessary, and how to identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary expenses, e.g. when a Person document is used instead of a Mail-In for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and the know-how to keep an overview. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future.
Topics covered
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how best to use it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement immediately
What is an RPA CoE? Session 1 – CoE Vision (DianaGray10)
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/how-axelera-ai-uses-digital-compute-in-memory-to-deliver-fast-and-energy-efficient-computer-vision-a-presentation-from-axelera-ai/
Bram Verhoef, Head of Machine Learning at Axelera AI, presents the “How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-efficient Computer Vision” tutorial at the May 2024 Embedded Vision Summit.
As artificial intelligence inference transitions from cloud environments to edge locations, computer vision applications achieve heightened responsiveness, reliability and privacy. This migration, however, introduces the challenge of operating within the stringent confines of resource constraints typical at the edge, including small form factors, low energy budgets and diminished memory and computational capacities. Axelera AI addresses these challenges through an innovative approach of performing digital computations within memory itself. This technique facilitates the realization of high-performance, energy-efficient and cost-effective computer vision capabilities at the thin and thick edge, extending the frontier of what is achievable with current technologies.
In this presentation, Verhoef unveils his company’s pioneering chip technology and demonstrates its capacity to deliver exceptional frames-per-second performance across a range of standard computer vision networks typical of applications in security, surveillance and the industrial sector. This shows that advanced computer vision can be accessible and efficient, even at the very edge of our technological ecosystem.
Essentials of Automations: Exploring Attributes & Automation Parameters (Safe Software)
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application... (Alex Pruden)
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
1. Network Security Monitoring – Theory and Practice
Michael Boman
IT Security Researcher and Developer
proxy@11a.nu | http://proxy.11a.nu
2. About Me
● Born in Sweden, been working in Singapore for the last 6 years
● Spent the last 5 years specializing in IT Security
● Currently working for KPMG Singapore
3. Agenda
● Network Security Monitoring (NSM) Theory
● Network Security Monitoring (NSM) Practice
4. Assumptions
● Some intruders are smarter than you
● Intruders are unpredictable
● Prevention eventually fails
5. Limitations of the Alert-Based Approach
1) The IDS generates an alert when a packet matches a signature
2) The analyst's interface displays the offending packet
3) The analyst tries to decide whether the event is a false positive or whether the incident response team needs to be informed
4) Usually no other information is readily available to the analyst to support a more informed judgement (if any was collected in the first place)
6. History of NSM
● 1980 – “Computer Security Threat Monitoring and Surveillance” (James P. Anderson)
● 1990 – “A Network Security Monitor” (L. Todd Heberlein et al.)
● 2002 – “Network Security Monitoring” (Bamm Visscher & Richard Bejtlich)
– Defined NSM as “the collection, analysis and escalation of indications and warnings (I&W) to detect and respond to intrusions”
8. NSM Data Types
● Alert data
● Statistical
● Session
● Full content
Storage requirement grows down the list: alert data needs the least, full content the most.
9. Data Collection
● Collect as much data as you legally and technically can
10. Data Collection
● Sometimes you can't collect everything, but consider this:
– Data sampling is better than nothing
– Traffic analysis is better than nothing
11. NSM's role in Incident Response
● What else did the intruder potentially compromise?
● What tools did the intruder download?
● Who else do we need to inform?
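The three slides above (the alert-only console of slide 5, the data types of slide 8, and the incident-response questions of slide 11) come together in the following added example. It is not code from the slides or from Sguil. It builds session and statistical data from a small set of constructed packet summaries (addresses from the RFC 5737 documentation ranges), then pivots from a single constructed alert into the session data to answer "what else did the intruder touch" and "what did they download", which an alert on its own cannot. The record sizes in `storage_estimate` are assumptions used only to make the storage ordering of slide 8 visible.

```python
"""Session and statistical NSM data built from packets, plus a pivot from
one IDS alert into that data. Added example, not code from the slides or
from Sguil: packets, addresses (RFC 5737 ranges) and the alert are
constructed sample data, and the record sizes in storage_estimate are
assumptions used only to illustrate the slide's storage ordering."""
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport proto length")
INTERNAL_PREFIX = "10.0.0."

# Constructed traffic: an external host exploits SMB on 10.0.0.5, the victim
# then fetches a file over HTTP from the same host and probes two internal
# hosts; 10.0.0.22's HTTPS session is unrelated background traffic.
PACKETS = [
    Packet(100.0, "203.0.113.7", 40001, "10.0.0.5", 445, "tcp", 60),
    Packet(100.1, "10.0.0.5", 445, "203.0.113.7", 40001, "tcp", 60),
    Packet(100.2, "203.0.113.7", 40001, "10.0.0.5", 445, "tcp", 1200),
    Packet(105.0, "10.0.0.5", 50123, "203.0.113.7", 80, "tcp", 60),
    Packet(105.1, "203.0.113.7", 80, "10.0.0.5", 50123, "tcp", 1500),
    Packet(105.2, "203.0.113.7", 80, "10.0.0.5", 50123, "tcp", 1500),
    Packet(110.0, "10.0.0.5", 50124, "10.0.0.9", 445, "tcp", 60),
    Packet(110.1, "10.0.0.9", 445, "10.0.0.5", 50124, "tcp", 60),
    Packet(111.0, "10.0.0.5", 50125, "10.0.0.12", 22, "tcp", 60),
    Packet(112.0, "10.0.0.22", 51000, "198.51.100.3", 443, "tcp", 700),
]
# Constructed alert: all an alert-only console would show the analyst.
ALERT = {"ts": 100.2, "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 445,
         "msg": "SMB exploit attempt (constructed)"}


def build_sessions(packets):
    """Session data: one record per bidirectional flow, no payload kept.
    Flows are keyed on the unordered endpoint pair; the source of the
    first packet seen is taken as the client."""
    sessions = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.proto, tuple(sorted([(p.src, p.sport), (p.dst, p.dport)])))
        s = sessions.get(key)
        if s is None:
            s = dict(start=p.ts, end=p.ts, client=p.src, cport=p.sport,
                     server=p.dst, sport=p.dport, proto=p.proto,
                     to_server=0, to_client=0)
            sessions[key] = s
        s["end"] = p.ts
        if (p.src, p.sport) == (s["client"], s["cport"]):
            s["to_server"] += p.length
        else:
            s["to_client"] += p.length
    return list(sessions.values())


def statistics(sessions):
    """Statistical data: total bytes per (proto, server port) and per host."""
    by_port, by_host = defaultdict(int), defaultdict(int)
    for s in sessions:
        total = s["to_server"] + s["to_client"]
        by_port[(s["proto"], s["sport"])] += total
        by_host[s["client"]] += total
        by_host[s["server"]] += total
    return dict(by_port), dict(by_host)


def pivot_from_alert(alert, sessions, window=60.0):
    """Slide 11's questions answered from session data: the attacking host's
    session count, internal hosts the victim contacted within `window`
    seconds after the alert, and victim sessions that look like downloads."""
    attacker, victim, ts = alert["src"], alert["dst"], alert["ts"]
    attacker_sessions = [s for s in sessions
                         if attacker in (s["client"], s["server"])]
    victim_outbound = [s for s in sessions
                       if s["client"] == victim and ts <= s["start"] <= ts + window]
    lateral = sorted({s["server"] for s in victim_outbound
                      if s["server"].startswith(INTERNAL_PREFIX)},
                     key=lambda ip: tuple(map(int, ip.split("."))))
    downloads = [(s["server"], s["sport"], s["to_client"])
                 for s in victim_outbound if s["to_client"] > s["to_server"]]
    return {"attacker_sessions": len(attacker_sessions),
            "lateral_targets": lateral, "downloads": downloads}


def storage_estimate(packets, sessions, alerts):
    """Rough bytes per NSM data type for the same traffic. Assumed record
    sizes: 16-byte capture header per packet, 64 bytes per session,
    16 bytes per counter, 128 bytes per alert."""
    by_port, by_host = statistics(sessions)
    return {"alert": 128 * len(alerts),
            "statistical": 16 * (len(by_port) + len(by_host)),
            "session": 64 * len(sessions),
            "full_content": sum(p.length + 16 for p in packets)}


if __name__ == "__main__":
    sessions = build_sessions(PACKETS)
    print(pivot_from_alert(ALERT, sessions))
    print(storage_estimate(PACKETS, sessions, [ALERT]))
```

Run as a script, the pivot reports two sessions with the attacking host, two internal hosts (10.0.0.9 and 10.0.0.12) contacted by the victim within a minute of the alert, and one inbound-heavy session to port 80 on the attacker, which is the download the alert alone would never have revealed. The storage figures come out in the slide's order (alert, statistical, session, full content), and a real deployment would see the same ordering at a far larger scale, which is why session data is the cheapest way to keep the context the alert-based approach lacks.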
12. NSM in practice - Sguil
● Sguil is an open source project whose tag line is “For Analysts - By Analysts”
● Written in Tcl/Tk by Bamm Visscher, with many contributors (including myself)
● Sensor / Server / Client architecture
13. History of Sguil
● SPREG – Proprietary in-house ancestor of Sguil, developed in Perl/Tk around 2000-2001
● Sguil development started late 2002
● First public release was 0.2, May 2003
● Current version is 0.6.1
16. Future of Sguil
● PADS (Passive Asset Detection System) integration
● SnortSAM integration
● Snort rule management
17. NSM in the Real World
● Who is using it
– Fortune 500 Companies
– US Government Labs
– Universities
– MSSPs
18. NSM in the Real World
● Real life success stories
– Charles Tomlin used Sguil to track down a recent compromise
● http://www.ecs.soton.ac.uk/~cet/2006-01-01.html
19. NSM in the Real World
● NSM Products / Projects
– Apparently Sguil is the only publicly available product / project that applies the NSM methodology
20. What NSM is Not
● NSM Is Not Device Management
● NSM Is Not Security Event Management
● NSM Is Not Network-Based Forensics
● NSM Is Not Intrusion Prevention
21. Books
● The Tao of Network Security Monitoring: Beyond Intrusion Detection
– By Richard Bejtlich
– Publisher: Addison-Wesley; ISBN: 0321246772
● Extrusion Detection: Security Monitoring for Internal Intrusions
– By Richard Bejtlich
– Publisher: Addison-Wesley; ISBN: 0321349962
22. Thank You
Questions?
There is no secure end-state – only eternal vigilance
My Website is at http://proxy.11a.nu
Sguil can be downloaded at http://www.sguil.net