
Hacklu2011 tricaud

Slides of my hack.lu talk

Published in: Technology

  1. How Visualization Makes IT Possible?
     Sebastien Tricaud, Picviz Labs CTO, Honeynet Project
  2. About Me
     • Founder & CTO of Picviz Labs (www.picviz.com)
     • Honeynet Project CTO
     • Twitter @tricaud
     • 15 years of various IDS implementations
     • Contributor to Prelude IDS, OSSEC, Sancp, Linux PAM, …
  3. CURRENT SITUATION
  4. Securing a classical infrastructure
     • Anti-virus
     • Web Application Firewall (blocking, of course, non-trivial JS tricks)
     • Intrusion Detection (& Prevention) Systems
     • Firewall
     • Security Information Event Manager (SIEM)
  5. Results from this security
     • Known stuff is (maybe) blocked
  6. Conclusion
     • Securing this infrastructure has not laid off security teams
     • Worse, some media entertainment companies had to hire a CSO
  7. Practical Security of a Hundred Machines
     • Is your NTP really synchronized?
     • Logs are sent to a centralized database
     Log eater
  8. AmazingDatabase! Log eater
  9. AmazingDatabase!
  10. AmazingDatabase!
  11. EASY FIX: AmazingDatabase! START YOUR CERT!
  12. Facebook amazing infrastructure!
      2010: > 60 000 web servers
      About 10% of Internet traffic is for them
  13. Our Current Problem
      • (buzzword) APT: Advanced Persistent Threats
      • Unknown attacks remain unknown until they are known
      • Slow Response Time
      • Limited Metrics (is a top 10 enough to handle a thousand machines?)
      • We have found only one way to handle the signal/noise ratio (signatures)
  14. FIND ATTACKS
  15. (some of the) Tools Used
      • Bandwidth trigger
      • OSSEC
      • Netflow
      • Wireshark
      • Honeypot
      • Grep (ahah)
      • …
  16. Google Summer of Code: Wireviz
  17. Google Summer of Code: WireBrowse
  18. Google Summer of Code: WireShnork
  19. Google Summer of Code
      • The Wireshark improvements were amazing.
      • Thank you Jakub Zawadzki & Guillaume Arcas!
      • It is one among 12 other great projects (http://honeynet.org/gsoc/slots)
      • Thank you Google!
  20. Tools issues
      • They hardly interact with each other
      • They are often limited
      • At least they work well, so they are used
      • No one does better
  21. Scenario: we want the .ru TLD from our proxy logs
      • Easy: $ grep ".ru" squid.log
  22. Scenario: we want the .ru TLD from our proxy logs
      • Easy: $ grep ".ru" squid.log
        [...] "[28/Feb/2011:00:13:02 +0100]" XXXX GET http://pixel.quantserve.com/pixel;r=1869975797;fpan=0;fpa=P0-1991180462-1298650127845;ns=1;url=http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F3346%2F3 [...]
        [...] "[28/Feb/2011:00:14:32 +0100]" xgbj352 GET http://eco.rue89.com/2011/02/25/oui-les-militaires-meritent-leur-reduction-de-75-a-la-sncf-192164?page=0 HTTP/1.1 5001120 500 505 TCP_NC_MISS 567 12 1103 10.33.37. […]
  23. Scenario: we want the .ru TLD from our proxy logs
      • Solution: grep -e with regex: http(s)?://[a-zA-Z0-9-:.]+.(ru)/
        [...] "[28/Aug/2011:02:13:50 +0100]" XXXX GET http://www.ritb.ru/XXXX [...]
        [...] "[28/Aug/2011:02:13:50 +0100]" XXXX GET http://nx.ritb.ru/XXXX [...]
        [...] "[28/Aug/2011:02:13:49 +0100]" XXXX GET http://tas.mb.ran.ru/XXXX [...]
  24. Scenario: we want the .ru TLD from our proxy logs
      • Solution? NO
      • It will still mess up
        [...] "[28/Feb/2011:02:02:08 +0100]" XXXX GET http://www.facebook.com/plugins/like.php?href=http://slon.ru/articles/XXXX […]
  25. Scenario: we want the .ru TLD from our proxy logs
  26. Pie Charts
  27. Histograms
  28. Treemaps
  29. SIEM
  30. Log Management
  31. SERIOUS VISUALIZATION
  32. Serious Visualization
      • Handling large-scale incidents
      • Gets you close to your data
      • As many events as logs may have
      • As many dimensions as logs may have
  33. There is only Parallel Coordinates
  34. From a log to a picture
  35. Adding a new input
      • Demo time: input SQUID logs
  36. Find attacks on your Apache logs
      • Demo time (again!)
  37. Find behaviors
      • Demo time
  38. Find OpenVPN tunnels
      • Demo time! yeah!
  39. Conclusion
      • Usual Visualization is often a failure when it comes to practice
      • There is still hard work to do
      • Parallel Coordinates enable large-scale analysis
      • The goal of finding the unknown is reached
      • The better you know your logs, the easier it will be
  40. Questions?
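
One way to avoid the false positives shown on slides 22 and 24 is to parse the request URL and compare only the destination host against the TLD. This is an added example, not code from the talk: the log field layout, the `sample_log` and `tld_hits` names, and the sample lines are assumptions constructed from the hosts on the slides, and it goes slightly beyond the slides by also handling `CONNECT` lines and upper-case hosts.

```shell
#!/bin/sh
# Constructed log lines modelled on the slides' proxy log excerpts
# (field layout and paths are assumptions; hosts are the ones on the slides).
sample_log() {
cat <<'EOF'
"[28/Feb/2011:00:13:02 +0100]" XXXX GET http://pixel.quantserve.com/pixel;url=http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa HTTP/1.1 200
"[28/Feb/2011:00:14:32 +0100]" XXXX GET http://eco.rue89.com/2011/02/25/page HTTP/1.1 200
"[28/Aug/2011:02:13:50 +0100]" XXXX GET http://www.ritb.ru/XXXX HTTP/1.1 200
"[28/Aug/2011:02:13:50 +0100]" XXXX GET https://NX.RITB.RU:8443/XXXX HTTP/1.1 200
"[28/Feb/2011:02:02:08 +0100]" XXXX GET http://www.facebook.com/plugins/like.php?href=http://slon.ru/articles/XXXX HTTP/1.1 200
"[28/Aug/2011:02:13:49 +0100]" XXXX CONNECT tas.mb.ran.ru:443 HTTP/1.1 200
EOF
}

# tld_hits TLD: read log lines on stdin, print the destination host of each
# request whose host (not its path or query string) ends in ".TLD".
tld_hits() {
  awk -v tld="$1" '
  {
    url = ""
    for (i = 1; i < NF; i++)               # the URL is the field after the method
      if ($i ~ /^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT)$/) { url = $(i + 1); break }
    if (url == "") next
    host = url
    sub("^[a-zA-Z][a-zA-Z0-9+.-]*://", "", host)   # strip scheme
    sub("[/?#].*$", "", host)                      # strip path, query, fragment
    sub("^.*@", "", host)                          # strip userinfo
    sub(":[0-9]*$", "", host)                      # strip port
    host = tolower(host)
    sub("[.]$", "", host)                          # strip trailing root dot
    suffix = "." tolower(tld)
    n = length(host) - length(suffix)
    if (n > 0 && substr(host, n + 1) == suffix) print host
  }'
}

sample_log | tld_hits ru
```

On the sample, `grep ".ru"` matches five of the six lines (including rubiconproject, rue89 and the facebook.com request carrying slon.ru in its query string) and misses the upper-case host, while `tld_hits ru` reports only the three requests actually sent to .ru hosts.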
