Esw06 Boman


8/17/2019 Esw06 Boman

1/22

Network Security Monitoring – Theory and Practice

Michael Boman, IT Security Researcher and Developer, proxy11a.nu (http://proxy11a.nu)

2/22

About Me

● Born in Sweden, been working in Singapore for the last * years

● Spent the last + years specializing in IT Security

● Currently working for KPMG Singapore

3/22

Agenda

● Network Security Monitoring (NSM) Theory

● Network Security Monitoring (NSM) Practice

4/22

Assumptions

● Some intruders are smarter than you

● Intruders are unpredictable

● Prevention eventually fails

5/22

Limitations of Alert Based Approach

1) IDS generates an alert when a packet is matched

2) Analyst's interface displays the offending packet

3) Analyst trying to make a decision regarding if the event is a false positive or if the incident response team needs to be informed

4) Usually no other information is easily available to the analyst to make a more informed judgement (if any was collected in the first place)

6/22

History of NSM

● 1980 - “Computer Security Threat Monitoring and Surveillance” (James P. Anderson)

● 1990 - “A Network Security Monitor” (L. Todd Heberlein et al.)

● 2 “the collection, analysis and escalation of indications and warnings (I&W) to detect and respond to intrusions”

7/22

What is NSM

● Collection

● Analysis

● Escalation

8/22

NSM Data Types

● Alert data

● Statistical

● Session

● Full content

Storage requirement: Less (alert data) → More (full content)

9/22

Data Collection

● Collect as much data as you legally and technically can

10/22

Data Collection

● Sometimes you can't collect everything, but consider this:

 – Data sampling is better than nothing

 – Traffic analysis is better than nothing
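The four data types from the NSM Data Types slide, the missing-context problem from the Limitations of Alert Based Approach slide, and the sampling point just above can be shown in one piece of code. The Python below is an added example, not code from Michael Boman's slides or from Sguil: the packet records, the IDS alert, the addresses and the per-record storage sizes are all constructed for illustration, and the 1-in-N sampling estimate is one simple way to approximate session counts when full capture is not possible.

```python
"""Added example (not from the slides or Sguil): deriving session and
statistical data from full content, pricing each data type, and giving an
IDS alert the context an alert-only workflow lacks.

All packets, addresses, the alert and the record sizes are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One captured packet: the 'full content' data type (constructed)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


# Constructed capture: a refused request to an internal web server, a larger
# download by the same client from an outside host, and an unrelated DNS query.
PACKETS = [
    Packet(1.0, "10.0.0.5", 40001, "10.0.0.80", 80, "tcp", b"GET /admin HTTP/1.1\r\n"),
    Packet(1.1, "10.0.0.80", 80, "10.0.0.5", 40001, "tcp", b"HTTP/1.1 403 Forbidden\r\n"),
    Packet(2.0, "10.0.0.5", 40002, "203.0.113.7", 80, "tcp", b"GET /tool.tgz HTTP/1.1\r\n"),
    Packet(2.1, "203.0.113.7", 80, "10.0.0.5", 40002, "tcp", b"\x1f\x8b" + b"\x00" * 1400),
    Packet(2.2, "203.0.113.7", 80, "10.0.0.5", 40002, "tcp", b"\x00" * 1400),
    Packet(3.0, "10.0.0.9", 5353, "10.0.0.1", 53, "udp", b"\x12\x34\x01\x00example"),
]

# Constructed IDS alert: all that the alert-based approach hands the analyst.
ALERT = {"sid": 1000001, "msg": "WEB admin path request", "ts": 1.0,
         "src": "10.0.0.5", "sport": 40001, "dst": "10.0.0.80", "dport": 80}


def flow_key(p):
    """Direction-independent 5-tuple so both halves of a conversation join."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def build_sessions(packets):
    """Session data: one record per flow with start/end and packet/byte counts."""
    sessions = defaultdict(lambda: {"start": None, "end": None, "pkts": 0, "bytes": 0})
    for p in sorted(packets, key=lambda p: p.ts):
        s = sessions[flow_key(p)]
        s["start"] = p.ts if s["start"] is None else s["start"]
        s["end"] = p.ts
        s["pkts"] += 1
        s["bytes"] += len(p.payload)
    return dict(sessions)


def statistics(sessions):
    """Statistical data: bytes per (proto, service port), the cheapest summary."""
    per_port = Counter()
    for (proto, _ip1, port1, _ip2, port2), s in sessions.items():
        per_port[(proto, min(port1, port2))] += s["bytes"]
    return per_port


def storage_bytes(packets, sessions, stats):
    """Rough on-disk cost of each type, using assumed fixed record sizes."""
    return {
        "full_content": sum(len(p.payload) + 40 for p in packets),  # payload + headers
        "session": len(sessions) * 48,      # assumed size of one flow record
        "statistical": len(stats) * 40,     # assumed size of one counter record
        "alert": 64,                        # assumed size of the single alert
    }


def sessions_for_host(sessions, host):
    """Every flow the host took part in: the context an alert alone lacks."""
    return {k: v for k, v in sessions.items() if host in (k[1], k[3])}


def enrich_alert(alert, sessions):
    """Attach session context so the analyst can judge the alert, not guess."""
    related = sessions_for_host(sessions, alert["src"])
    peers = {k[3] if k[1] == alert["src"] else k[1] for k in related}
    return {**alert, "related_sessions": len(related),
            "other_peers": sorted(peers - {alert["dst"]})}


def sample_sessions(packets, every_n):
    """Sampling: keep 1 in N packets and scale the counts back up (an estimate)."""
    est = build_sessions(packets[::every_n])
    for s in est.values():
        s["pkts"] *= every_n
        s["bytes"] *= every_n
    return est


if __name__ == "__main__":
    sessions = build_sessions(PACKETS)
    stats = statistics(sessions)
    print(storage_bytes(PACKETS, sessions, stats))
    print(enrich_alert(ALERT, sessions))
    print(sample_sessions(PACKETS, 2))
```

Run as a script, the storage figures come out in the slide's order (full content, then session, statistical and alert data), the enriched alert reveals that the alerting host also pulled a file from an outside address that the alert itself never mentions, and the 1-in-2 sample still recovers the large download while losing the single-packet DNS flow entirely, which is the trade-off behind "sampling is better than nothing".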

11/22

NSM's role in Incident Response

● What else did the intruder potentially compromise

● What tools did he download

● Who else do we need to inform

12/22

NSM in practice - Sguil

● Sguil is an open source project whose tag line is “For Analysts - By Analysts”

● Written in TCL/TK by Bamm Visscher, with many contributors (including myself)

● Sensor / Server / Client architecture

13/22

History of Sguil

● SPREG - Proprietary in-house ancestor of Sguil developed in Perl/TK, around 2

14/22

Sguil Analyst Console

15/22

16/22

Future of Sguil

● PADS (Passive Asset Detection System) Integration

● SnortSAM Integration

● Snort rule management

17/22

NSM in the Real World

● Who is using it

 – Fortune +

18/22

NSM in the Real World

● Real life success stories

 – Charles Tomlin used Sguil to track down a recent compromise

● http://www.ecs.soton.ac.uk/cet/2

19/22

NSM in the Real World

● NSM Products / Projects

 – Apparently Sguil is the only publicly available product / project that utilizes NSM methodology

20/22

What NSM is Not

● NSM Is Not Device Management

● NSM Is Not Security Event Management

● NSM Is Not Network-Based Forensics

● NSM Is Not Intrusion Prevention

21/22

Books

● The Tao of Network Security Monitoring: Beyond Intrusion Detection

 – By Richard Bejtlich

 – Publisher: Addison-Wesley; ISBN:

22/22

Thank You

Questions?

There is no secure end-state

 – only eternal vigilance

My Website is at http://proxy11a.nu

Sguil can be downloaded at http://www.sguil.net