8/17/2019 Esw06 Boman
Network Security Monitoring – Theory and Practice
Michael Boman
IT Security Researcher and Developer
proxy11a.nu (http://proxy11a.nu)
About Me
● Born in Sweden, been working in Singapore for the last * years
● Spent the last 5 years specializing in IT Security
● Currently working for KPMG Singapore
Agenda
● Network Security Monitoring (NSM) Theory
● Network Security Monitoring (NSM) Practice
Assumptions
● Some intruders are smarter than you
● Intruders are unpredictable
● Prevention eventually fails
Limitations of Alert Based Approach
1) IDS generates an alert when a packet is matched
2) Analyst's interface displays the offending packet
3) Analyst tries to decide whether the event is a false positive or whether the incident response team needs to be informed
4) Usually no other information is easily available to the analyst to make a more informed judgement (if any was collected in the first place)
History of NSM
● 1980 – “Computer Security Threat Monitoring and Surveillance” (James P. Anderson)
● 1990 – “A Network Security Monitor” (L. Todd Heberlein et al.)
● 2 – “the collection, analysis and escalation of indications and warnings (I&W) to detect and respond to intrusions”
What is NSM
● Collection
● Analysis
● Escalation
NSM Data Types
● Alert data
● Statistical
● Session
● Full content
(Figure: storage requirement grows from less to more down the list, from alert data to full content)
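The two slides above (the limitations of an alert-only console and the four NSM data types) are easiest to appreciate side by side in code. The following is an added example, not code from the slides or from Sguil: it builds session records and per-service statistics from a small constructed packet capture, raises an alert from a hypothetical signature, and then shows what the alert-only console cannot show the analyst, namely the whole session the alerting packet belongs to and how the server actually responded. The packet records, the signature and the IP addresses are all constructed for the example.

```python
"""Added example (not from the slides): the four NSM data types as context
for an analyst. Every packet below is constructed; the signature is hypothetical."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds (constructed values)
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes   # full content, as a sensor with full capture would keep it


# Constructed capture: a normal request/response, a request that trips the
# hypothetical rule (and the server's 404 to it), and an unrelated SSH banner.
CAPTURE = [
    Packet(100.0, "203.0.113.7", "192.0.2.10", 40000, 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet(100.1, "192.0.2.10", "203.0.113.7", 80, 40000, "tcp",
           b"HTTP/1.1 200 OK\r\nContent-Length: 13\r\n\r\nHello, world!"),
    Packet(101.0, "203.0.113.7", "192.0.2.10", 40002, 80, "tcp",
           b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet(101.1, "192.0.2.10", "203.0.113.7", 80, 40002, "tcp",
           b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    Packet(102.0, "198.51.100.4", "192.0.2.10", 51000, 22, "tcp",
           b"SSH-2.0-OpenSSH_9.0\r\n"),
]


@dataclass
class Session:
    """Session data: one record per connection, both directions together."""
    client: str
    server: str
    server_port: int
    first_seen: float
    last_seen: float
    packets: list = field(default_factory=list)   # full content, in order

    @property
    def bytes_total(self) -> int:
        return sum(len(p.payload) for p in self.packets)


def session_key(p: Packet):
    """Normalise both directions of a connection to one key. Heuristic: the side
    using the lower port is the server (true for this capture; a real sensor
    would track TCP state instead)."""
    if p.sport < p.dport:                       # server -> client
        return (p.dst, p.dport, p.src, p.sport, p.proto)
    return (p.src, p.sport, p.dst, p.dport, p.proto)


def build_sessions(packets):
    sessions = {}
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        key = session_key(p)
        s = sessions.get(key)
        if s is None:
            s = Session(client=key[0], server=key[2], server_port=key[3],
                        first_seen=p.ts, last_seen=p.ts)
            sessions[key] = s
        s.last_seen = p.ts
        s.packets.append(p)
    return sessions


def bytes_per_service(sessions):
    """Statistical data: volume per server port, collected regardless of alerts."""
    totals = defaultdict(int)
    for s in sessions.values():
        totals[s.server_port] += s.bytes_total
    return dict(totals)


@dataclass(frozen=True)
class Alert:
    ts: float
    src: str
    dst: str
    msg: str


def traversal_rule(p: Packet) -> bool:
    """Hypothetical signature: an HTTP request line containing a '../' sequence."""
    return p.dport == 80 and p.payload.startswith(b"GET ") and b"../" in p.payload


def generate_alerts(packets, rule=traversal_rule):
    """Alert data: the only thing the alert-based console shows (step 1 and 2)."""
    return [Alert(p.ts, p.src, p.dst, "WEB path traversal attempt")
            for p in packets if rule(p)]


def enrich(alert: Alert, packets):
    """Step 4 answered: find the session the alerting packet belongs to, so the
    analyst sees the server's reply, not just the offending request."""
    for s in build_sessions(packets).values():
        if (s.client == alert.src and s.server == alert.dst
                and any(p.ts == alert.ts for p in s.packets)):
            return s
    return None


def server_response_status(session: Session):
    """First HTTP status line the server sent in the session, or None."""
    for p in session.packets:
        if p.src == session.server and p.payload.startswith(b"HTTP/"):
            return p.payload.split(b"\r\n", 1)[0].decode()
    return None


if __name__ == "__main__":
    for a in generate_alerts(CAPTURE):
        s = enrich(a, CAPTURE)
        print(a.msg, a.src, "->", a.dst, "| server replied:", server_response_status(s))
    print("bytes per service:", bytes_per_service(build_sessions(CAPTURE)))
```

With session and full-content data on hand, the analyst can see that the traversal attempt got a 404 and needs no escalation; with alert data alone, step 3 on the slide is a guess. The statistical layer costs the least to store and is useful even when no rule fired, which is why the storage axis on the slide runs the way it does.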
Data Collection
● Collect as much data as you legally and technically can
Data Collection
● Sometimes you can't collect everything, but consider this:
– Data sampling is better than nothing
– Traffic analysis is better than nothing
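The slide's two fallbacks can be shown working together. The following is an added example, not code from the slides or from Sguil: it runs traffic analysis over constructed flow records that carry no payload at all (timestamps, endpoints, port and byte count only), flags connection pairs whose timing and size are machine-regular, and applies sampling by hashing the flow key, so that when storage forces you to keep only a fraction of the data, every record of a kept pair survives and the per-pair analysis still works. The flow records, addresses and thresholds are constructed for the example.

```python
"""Added example (not from the slides): traffic analysis on header-only,
sampled flow records. All records below are constructed."""
import hashlib
import statistics
from collections import defaultdict

# Constructed flow records: (timestamp, src, dst, dst_port, bytes). No content
# was kept, which is the situation the slide describes.
FLOWS = []
# One workstation contacting the same external host every ~300 s with
# near-identical sizes: a regular, machine-like pattern (constructed).
for i in range(12):
    FLOWS.append((1000.0 + 300 * i + (i % 3) * 0.5,
                  "10.0.0.5", "203.0.113.50", 443, 512 + (i % 2) * 8))
# Ordinary browsing by another host: irregular timing and sizes (constructed).
for ts, size in [(1000.0, 2300), (1003.0, 18000), (1190.0, 900),
                 (1195.5, 44000), (2400.0, 1200), (2401.0, 700), (3000.0, 30000)]:
    FLOWS.append((ts, "10.0.0.7", "198.51.100.20", 443, size))


def flow_key(rec):
    """(src, dst, dst_port): the pair the analysis works on."""
    return (rec[1], rec[2], rec[3])


def flow_key_counts(flows):
    counts = defaultdict(int)
    for rec in flows:
        counts[flow_key(rec)] += 1
    return dict(counts)


def sample_by_flow_key(flows, n: int):
    """Keep roughly 1 in n flow keys, and every record of each kept key.
    Hashing the key (instead of sampling records independently) preserves
    the timing pattern of whatever pairs are kept."""
    kept = []
    for rec in flows:
        digest = hashlib.sha256("|".join(map(str, flow_key(rec))).encode()).hexdigest()
        if int(digest, 16) % n == 0:
            kept.append(rec)
    return kept


def regularity(flows, min_count=6):
    """Per flow key: coefficient of variation (stdev / mean) of inter-arrival
    times and of byte counts. Small values mean the traffic is very regular."""
    by_key = defaultdict(list)
    for rec in flows:
        by_key[flow_key(rec)].append((rec[0], rec[4]))
    result = {}
    for key, recs in by_key.items():
        if len(recs) < min_count:
            continue                      # too few records to judge regularity
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [size for _, size in recs]
        result[key] = (statistics.pstdev(gaps) / statistics.mean(gaps),
                       statistics.pstdev(sizes) / statistics.mean(sizes))
    return result


def beacon_candidates(flows, max_cv=0.1, min_count=6):
    """Flow keys worth an analyst's attention: regular timing and regular size.
    The 0.1 threshold is a constructed choice for this example."""
    return sorted(key for key, (gap_cv, size_cv) in regularity(flows, min_count).items()
                  if gap_cv <= max_cv and size_cv <= max_cv)


if __name__ == "__main__":
    print("from all records:", beacon_candidates(FLOWS))
    sampled = sample_by_flow_key(FLOWS, 2)
    print("kept", len(sampled), "of", len(FLOWS), "records; from sample:",
          beacon_candidates(sampled))
```

Which keys a given sampling rate keeps depends on the hash, so a sampled data set can only ever miss a pattern, never invent one; what it cannot do is tell you anything about the pairs it dropped, which is the trade-off the slide is pointing at.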
NSM's role in Incident Response
● What else did the intruder potentially compromise
● What tools did he download
● Who else do we need to inform
NSM in practice - Sguil
● Sguil is an open source project whose tag line is “For Analysts - By Analysts”
● Written in TCL/TK by Bamm Visscher, with many contributors (including myself)
● Sensor / Server / Client architecture
History of Sguil
● SPREG – Proprietary in-house ancestor of Sguil developed in Perl/TK, around 2
Sguil Analyst Console
Future of Sguil
● PADS (Passive Asset Detection System) Integration
● SnortSAM Integration
● Snort rule management
NSM in the Real World
● Who is using it
– Fortune 5
NSM in the Real World
● Real life success stories
– Charles Tomlin used Sguil to track down a recent compromise
● http://www.ecs.soton.ac.uk/cet/2
NSM in the Real World
● NSM Products / Projects
– Apparently Sguil is the only publicly available product / project that utilizes NSM methodology
What NSM is Not
● NSM Is Not Device Management
● NSM Is Not Security Event Management
● NSM Is Not Network-Based Forensics
● NSM Is Not Intrusion Prevention
Books
● The Tao of Network Security Monitoring: Beyond Intrusion Detection
– By Richard Bejtlich
– Publisher: Addison-Wesley; ISBN:
Thank You
Questions
There is no secure end-state – only eternal vigilance
My Website is at http://proxy11a.nu
Sguil can be downloaded at http://www.sguil.net