Slides of my hack.lu talk
How Visualization Makes IT Possible?
Sebastien Tricaud
Picviz Labs CTO
Honeynet Project
About Me
• Founder & CTO of Picviz Labs (www.picviz.com)
• Honeynet Project CTO
• Twitter @tricaud
• 15 years of various IDS implementations
• Contributor of Prelude IDS, OSSEC, Sancp, Linux PAM, …
CURRENT SITUATION
Securing a classical infrastructure
• Anti-virus
• Web Application Firewall (blocking of course non-trivial JS tricks)
• Intrusion Detection (& Prevention) Systems
• Firewall
• Security Information Event Manager (SIEM)
Results from this security
• Known stuff is (maybe) blocked
Conclusion
• Securing this infrastructure has not laid off security teams
• Worse, some media entertainment companies had to hire a CSO
Practical Security of Hundreds of Machines
• Is your NTP really synchronized?
• Logs are sent to a centralized database
Log eater
Amazing Database !
EASY FIX: START YOUR CERT !
Facebook amazing infrastructure!
• 2010: > 60 000 web servers
• About 10% of Internet traffic is for them
Our Current Problem
• (buzzword) APT: Advanced Persistent Threats
• Unknown attacks remain unknown until they are known
• Slow Response Time
• Limited metrics (is a top 10 enough to handle a thousand machines?)
• We have found only one way to handle the signal/noise ratio (signatures)
FIND ATTACKS
(some of the) Tools Used
• Bandwidth trigger
• OSSEC
• Netflow
• Wireshark
• Honeypot
• Grep (ahah)
• …
Google Summer of Code: Wireviz
Google Summer of Code: WireBrowse
Google Summer of Code: WireShnork
Google Summer of Code
• The Wireshark improvements were amazing.
• Thank you Jakub Zawadzki & Guillaume Arcas!
• It is one among 12 other great projects (http://honeynet.org/gsoc/slots)
• Thank you Google!
Tools issues
• They hardly interact with each other
• They are often limited
• At least they work well, so they are used
• No one does better
Scenario: we want the .ru TLD from our proxy logs
• Easy:
$ grep "\.ru" squid.log
Scenario: we want the .ru TLD from our proxy logs
• Easy:
$ grep "\.ru" squid.log
[...] "[28/Feb/2011:00:13:02 +0100]" XXXX GET http://pixel.quantserve.com/pixel;r=1869975797;fpan=0;fpa=P0-1991180462-1298650127845;ns=1;url=http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F3346%2F3 [...]
[...] "[28/Feb/2011:00:14:32 +0100]" xgbj352 GET http://eco.rue89.com/2011/02/25/oui-les-militaires-meritent-leur-reduction-de-75-a-la-sncf-192164?page=0 HTTP/1.1 500 1120 500 505 TCP_NC_MISS 567 12 1103 10.33.37. […]
Scenario: we want the .ru TLD from our proxy logs
• Solution:
grep -E with a regex:
$ grep -E 'http(s)?://[a-zA-Z0-9:.-]+\.(ru)/' squid.log
[...] "[28/Aug/2011:02:13:50 +0100]" XXXX GET http://www.ritb.ru/XXXX [...]
[...] "[28/Aug/2011:02:13:50 +0100]" XXXX GET http://nx.ritb.ru/XXXX [...]
[...] "[28/Aug/2011:02:13:49 +0100]" XXXX GET http://tas.mb.ran.ru/XXXX [...]
Scenario: we want the .ru TLD from our proxy logs
• Solution? NO
• It will still mess up
[...] "[28/Feb/2011:02:02:08 +0100]" XXXX GET http://www.facebook.com/plugins/like.php?href=http://slon.ru/articles/XXXX […]
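The failure the slides walk through (a substring match picks up rue89.com and rubiconproject.com, and even the URL regex still fires on a facebook.com request that merely carries a .ru link in its query string) goes away once the request host is parsed out of the line before the TLD is compared. The following is an added example, not code from the talk or from Picviz; it assumes the slide's log layout ("[timestamp]" user METHOD url ...), and the log lines in it are constructed to mirror the ones shown (hosts and values are made up).

```python
"""Pick proxy-log requests whose host is under a given TLD.

Added example (not from the talk or Picviz): compares a grep-style search over
the whole line, the slide's URL regex, and a match on the parsed request host.
The log lines are constructed to mirror the slide's layout:
"[timestamp]" user METHOD url ...  (hosts and values are made up).
"""
import re
from urllib.parse import urlsplit

# Constructed sample log (shapes mirror the slide; hosts and values are made up)
SAMPLE_LOG = """\
[...] "[28/Feb/2011:00:13:02 +0100]" XXXX GET http://pixel.quantserve.com/pixel;r=1869975797;url=http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F3346%2F3 [...]
[...] "[28/Feb/2011:00:14:32 +0100]" xgbj352 GET http://eco.rue89.com/2011/02/25/article?page=0 HTTP/1.1 500
[...] "[28/Aug/2011:02:13:50 +0100]" XXXX GET http://www.ritb.ru/XXXX [...]
[...] "[28/Aug/2011:02:13:49 +0100]" XXXX GET http://tas.mb.ran.ru/XXXX [...]
[...] "[28/Feb/2011:02:02:08 +0100]" XXXX GET http://www.facebook.com/plugins/like.php?href=http://slon.ru/articles/XXXX [...]
[...] "[28/Feb/2011:02:05:11 +0100]" XXXX CONNECT mail.example.ru:443 [...]
"""

# "[timestamp]" user METHOD url : the quoted, bracketed timestamp anchors the match
LINE_RE = re.compile(
    r'"\[(?P<ts>[^\]]+)\]"\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)'
)


def request_host(method, url):
    """Host the proxy actually connected to, taken from the request URL only.
    CONNECT requests carry host:port instead of a full URL."""
    if method == "CONNECT" or "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_line(line):
    """Return a dict with ts, user, method, url and host, or None if the line
    does not carry a request."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = request_host(rec["method"], rec["url"])
    return rec


def hosts_matching_regex(log_text, pattern):
    """Hosts of the lines a grep-style search over the whole line would return."""
    rx = re.compile(pattern)
    return [rec["host"] for line in log_text.splitlines()
            if rx.search(line) and (rec := parse_line(line))]


def hosts_under_tld(log_text, tld):
    """Hosts whose last label equals the TLD, decided on the parsed host."""
    tld = tld.lower().lstrip(".")
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"].rstrip(".").rsplit(".", 1)[-1] == tld:
            out.append(rec["host"])
    return out


if __name__ == "__main__":
    print("grep '\\.ru'    :", hosts_matching_regex(SAMPLE_LOG, r"\.ru"))
    print("slide's regex  :", hosts_matching_regex(
        SAMPLE_LOG, r"http(s)?://[a-zA-Z0-9:.-]+\.(ru)/"))
    print("parsed host TLD:", hosts_under_tld(SAMPLE_LOG, "ru"))
```

On the constructed sample the substring search returns all six hosts, the slide's regex returns the two real .ru hosts plus www.facebook.com, and the host-based check returns the two .ru GETs plus the CONNECT to a .ru host that neither grep variant can see because it carries no "http://" at all.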
Scenario: we want the .ru TLD from our proxy logs
Pie Charts
Histograms
Treemaps
SIEM
Log Management
SERIOUS VISUALIZATION
Serious Visualization
• Handling large scale incidents
• Make you close to your data
• As many events as logs may have
• As many dimensions as logs may have
There is only Parallel Coordinates
From a log to a picture
Adding a new input
• Demo time: input SQUID logs
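The "from a log to a picture" step is mechanical once the log is parsed: each field becomes a vertical axis, each event a polyline across them, and a request that behaves differently from the bulk shows up as a line crossing the axes at unusual places. The following is an added example, not code from the talk or from Picviz; it works on constructed, already-parsed squid-style events (the parsing itself is not shown here) and writes a plain SVG so it needs no plotting library.

```python
"""Render parsed proxy-log events as a parallel-coordinates picture (SVG).

Added example (not from the talk or Picviz). Events are constructed,
already-parsed records; numeric axes are scaled linearly to [0, 1],
text axes by sorted rank, and the result is a self-contained SVG string.
"""
from numbers import Number

AXES = ("hour", "host", "status", "bytes")

# Constructed events (shapes borrowed from the talk's squid example)
EVENTS = [
    {"hour": 0, "host": "pixel.quantserve.com", "status": 200, "bytes": 4300},
    {"hour": 0, "host": "eco.rue89.com", "status": 500, "bytes": 1120},
    {"hour": 2, "host": "www.ritb.ru", "status": 200, "bytes": 13000},
    {"hour": 2, "host": "tas.mb.ran.ru", "status": 200, "bytes": 960},
    {"hour": 2, "host": "www.facebook.com", "status": 200, "bytes": 2200},
    {"hour": 3, "host": "www.ritb.ru", "status": 404, "bytes": 310},
]


def axis_scale(events, axis):
    """Map every value seen on one axis to [0, 1]: linear for numbers, rank for text."""
    values = [e[axis] for e in events]
    if all(isinstance(v, Number) for v in values):
        lo, hi = min(values), max(values)
        span = (hi - lo) or 1          # a constant axis collapses to 0
        return {v: (v - lo) / span for v in set(values)}
    cats = sorted(set(values))
    steps = max(len(cats) - 1, 1)
    return {c: i / steps for i, c in enumerate(cats)}


def to_polylines(events, axes=AXES):
    """One list of (axis_index, y) points per event, y already in [0, 1]."""
    scales = {a: axis_scale(events, a) for a in axes}
    return [[(i, scales[a][e[a]]) for i, a in enumerate(axes)] for e in events]


def render_svg(events, axes=AXES, width=640, height=320, margin=40):
    """Build an SVG with one labelled vertical axis per field and one polyline per event."""
    step = (width - 2 * margin) / (len(axes) - 1)

    def px(i, y):                      # axis index and [0,1] value -> pixel x, y
        return margin + i * step, height - margin - y * (height - 2 * margin)

    parts = [f'<svg xmlns="http://www.w3.org/2000/svg" width="{width}" height="{height}">']
    for i, name in enumerate(axes):
        x, _ = px(i, 0)
        parts.append(f'<line x1="{x:.1f}" y1="{margin}" x2="{x:.1f}" '
                     f'y2="{height - margin}" stroke="black"/>')
        parts.append(f'<text x="{x:.1f}" y="{height - margin + 16}" '
                     f'text-anchor="middle" font-size="12">{name}</text>')
    for line in to_polylines(events, axes):
        pts = " ".join("%.1f,%.1f" % px(i, y) for i, y in line)
        parts.append(f'<polyline points="{pts}" fill="none" '
                     f'stroke="steelblue" stroke-opacity="0.6"/>')
    parts.append("</svg>")
    return "\n".join(parts)


if __name__ == "__main__":
    with open("proxy_pcoords.svg", "w") as fh:
        fh.write(render_svg(EVENTS))
```

Rank scaling for text axes is the simplest choice; for a real log the order of the host axis (by frequency, by first-seen time, or by a learned baseline) is what decides whether the rare host stands out, so that is the first knob to revisit.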
Find attacks on your Apache logs
• Demo time (again!)
Find behaviors
• Demo time
Find OpenVPN tunnels
• Demo time! yeah!
Conclusion
• Usual visualization often fails when it comes to practice
• There is still hard work to do
• Parallel Coordinates enable large-scale analysis
• The goal of finding the unknown is reached
• The better you know your logs, the easier it will be
Questions?