Transcript
Page 1: Burning Down the Haystack to Find the Needle:  Security Analytics in Action

Security Analytics in Action

Josh Sokol & Walter Johnson

Page 2

Josh Sokol
- OWASP Foundation Global Board Member
- Creator of SimpleRisk (simplerisk.org)
- Information Security Program Owner, National Instruments

Twitter: @joshsokol  Blog: http://www.webadminblog.com

Page 3

Walter Johnson
- Security Analyst, National Instruments
- LASCON Graphics Guy
- Likes long walks on the beach and candlelight dinners
- Former Yakuza Assassin

Twitter: @sirmodok

Page 4

Visibility (or lack thereof)
- Am I under attack?
- Which systems are they attacking?
- What kind of attacks are they using?
- Who is attacking me?
- Were they successful?

Page 5

- We need to create an ecosystem of security tools that work together to answer these questions and more.
- We need tools that are able to talk to each other in order to leverage siloed data for mutual gain.
- We need a platform to enable the analysis of and reporting on threats in our environment in near real-time.

We need Security Analytics!

Page 6

[Diagram of isolated tools: Firewall, IPS, NAC, Malware Analysis, Vulnerability Management]

- Tools Working in Silos
- Proprietary Protocols
- "Greedy" Platforms
- Duplication of Functionality

Page 7

- Open API
- Open DB
- Data Export

Page 8

- Events
- Alerts
- SNMP
- Syslog

Page 9

Exploitation: Parasitism. The leech gains food and nutrients, but the host gains nothing from having a leech suck its blood.

Page 10

You can assemble an arsenal of best-in-breed tools that work together. Even smaller purchases can have a large impact.

Page 11

Question                                          | Data
--------------------------------------------------|---------------------
Do I trust the source?                            | Reputation Data
How am I being attacked?                          | Attack Data
What attacks are my systems vulnerable to?        | Vulnerability Data
What versions of O/S and software am I running?   | Asset Data
Who is using my systems?                          | Identity Data
Who should have access to what?                   | Data Classification
Who do I trust and who trusts me?                 | Trust Hierarchy
Do I have access?                                 | Authentication Data
What can I access?                                | Authorization Data
What has been tested?                             | QA Data
Is data crossing between two trust levels?        | Trust Boundaries

Page 12

- Common feature of modern routers and switches.
- Provides a lot of data for a reasonable amount of storage.
- Data can help make many security decisions easier.

Page 13

- "Security Flaws in Universal Plug and Play" whitepaper by HD Moore
- Over 23 million IPs are vulnerable to remote code execution through a single UDP packet.
- Affects Simple Service Discovery Protocol (SSDP), which runs on UDP/1900.

Question: Are people actively scanning my network in order to exploit this flaw?

Page 14

- Source address is external to my network.
- Destination address is on my network.
- Connection uses UDP (protocol 17) on port 1900.

Page 15

- A pattern search of our NetFlow data over the past 24 hours returned 539 results in 1 minute and 38 seconds.

Page 17

- Source address is on my network.
- Destination address is external to my network.
- The destination IP is listed on the Malware Domain List.

Page 18

- Most of the pattern matches returned showed one MDL IP with multiple internal hosts connecting to it.
- Then there was this...

Page 19

- Source address is on my network.
- Destination address is external to my network.
- Destination is associated with a malware event from one of our Malware Prevention appliances (scoped to 1 hr).

Page 20

- A pattern search of our NetFlow and MPS data over the past hour returned 134 results in 2 minutes and 4 seconds.
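The three NetFlow pattern searches from pages 14, 17 and 19 (external-to-internal UDP/1900, internal hosts reaching a Malware Domain List IP, and internal hosts reaching an IP tied to a malware-prevention event inside a one-hour window), plus the page 18 grouping of MDL hits by listed IP, written out as an added Python example. This is not the presenters' code and not any product's query language; the internal address ranges, the flow records, the reputation list and the MPS event are all constructed for the example, using documentation-range addresses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the organisation's internal address space (constructed for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of our internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Flow:
    """One NetFlow record, reduced to the fields the searches use."""
    ts: datetime
    src: str
    dst: str
    proto: int      # IANA protocol number: 6 = TCP, 17 = UDP
    dport: int
    octets: int     # bytes sent from src to dst


# Constructed sample flows (documentation-range addresses, not real traffic).
FLOWS = [
    Flow(datetime(2013, 10, 24, 9, 0), "203.0.113.7", "10.1.2.3", 17, 1900, 120),   # external -> internal SSDP probe
    Flow(datetime(2013, 10, 24, 9, 1), "203.0.113.7", "10.1.2.4", 17, 1900, 120),   # same scanner, next host
    Flow(datetime(2013, 10, 24, 9, 2), "10.1.2.3", "203.0.113.7", 17, 1900, 400),   # reply: wrong direction, not a hit
    Flow(datetime(2013, 10, 24, 9, 3), "10.1.5.9", "198.51.100.20", 6, 80, 5000),   # internal -> MDL-listed IP
    Flow(datetime(2013, 10, 24, 9, 4), "10.1.5.10", "198.51.100.20", 6, 80, 3000),  # second internal host, same MDL IP
    Flow(datetime(2013, 10, 24, 9, 5), "10.1.7.2", "192.0.2.44", 6, 443, 900),      # internal -> IP from an MPS event, 5 min later
    Flow(datetime(2013, 10, 24, 12, 0), "10.1.7.3", "192.0.2.44", 6, 443, 900),     # same IP, 3 h later: outside the window
    Flow(datetime(2013, 10, 24, 9, 6), "10.1.2.3", "10.1.2.9", 6, 445, 700),        # internal -> internal, ignored here
]

# Constructed stand-in for the Malware Domain List (IPs only).
MALWARE_DOMAIN_LIST = {"198.51.100.20"}

# Constructed malware-prevention (MPS) events: (event time, external IP involved).
MPS_EVENTS = [(datetime(2013, 10, 24, 9, 0), "192.0.2.44")]


def ssdp_scans(flows):
    """Page 14: external source, internal destination, UDP (17) to port 1900."""
    return [f for f in flows
            if not is_internal(f.src) and is_internal(f.dst)
            and f.proto == 17 and f.dport == 1900]


def mdl_callouts(flows, mdl=MALWARE_DOMAIN_LIST):
    """Page 17: internal source, external destination that is on the Malware Domain List."""
    return [f for f in flows
            if is_internal(f.src) and not is_internal(f.dst) and f.dst in mdl]


def internal_hosts_per_mdl_ip(flows, mdl=MALWARE_DOMAIN_LIST):
    """Page 18: group the MDL hits by listed IP to see how many internal hosts talk to each."""
    groups = {}
    for f in mdl_callouts(flows, mdl):
        groups.setdefault(f.dst, set()).add(f.src)
    return groups


def mps_correlated(flows, events=MPS_EVENTS, window=timedelta(hours=1)):
    """Page 19: internal -> external flow whose destination appears in an MPS event within the window."""
    hits = []
    for f in flows:
        if not (is_internal(f.src) and not is_internal(f.dst)):
            continue
        if any(f.dst == ev_ip and abs(f.ts - ev_ts) <= window for ev_ts, ev_ip in events):
            hits.append(f)
    return hits


if __name__ == "__main__":
    print("SSDP scan sources:", sorted({f.src for f in ssdp_scans(FLOWS)}))
    print("MDL hits per listed IP:", internal_hosts_per_mdl_ip(FLOWS))
    print("Flows correlated with MPS events:", [(f.src, f.dst) for f in mps_correlated(FLOWS)])
```

The direction check matters: the reply flow from 10.1.2.3 back to the scanner is also UDP/1900 but is internal-to-external, so it is not counted as a probe. Likewise the 12:00 flow to the MPS-event IP falls outside the one-hour scope the slide uses and is dropped, which is the trade-off of time-boxing a correlation.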

Page 23

- Create a list of unused IP addresses on your network.
- Look for the internal systems making the most connections to those IPs.

Page 24

- Source address is on my network.
- Destination address is external to my network.
- Connection is UDP port 53.
- Count the connections to destination IP addresses.

Page 25

- Source address is on my network.
- Destination address is external to my network.
- Sum up the number of bytes sent and get the top 25.

Page 26

- Source address is on my network.
- Destination address is on my network.
- Get the count of connections any IP makes to any other IP address.

Page 27

- Source address is specified at runtime.
- Destination address is any IP.
- Show all ports and bytes of data sent to each.
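The aggregation searches on pages 23 through 27 (connections to unused addresses, DNS destinations counted, top senders by bytes, internal-to-internal connection counts, and the per-source port breakdown), with one extra lookup for the "what is connecting to that IP?" pivot of pages 32 and 33, as an added Python example. This is not the presenters' code; the internal range, the list of unused addresses and the flow records are constructed for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumption: a single internal range (constructed for this example).
INTERNAL_NET = ip_network("10.0.0.0/8")


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL_NET


# Constructed sample flows: (src, dst, proto, dport, bytes). Documentation-range addresses only.
FLOWS = [
    ("10.1.2.3", "192.0.2.53", 17, 53, 80),
    ("10.1.2.3", "192.0.2.53", 17, 53, 90),
    ("10.1.2.4", "198.51.100.53", 17, 53, 70),
    ("10.1.2.3", "198.51.100.53", 17, 53, 70),
    ("10.1.9.9", "198.51.100.5", 6, 443, 5_000_000),   # one host sending far more than the rest
    ("10.1.2.3", "198.51.100.6", 6, 80, 1000),
    ("10.1.2.3", "10.1.2.9", 6, 445, 500),
    ("10.1.2.3", "10.1.2.9", 6, 445, 500),
    ("10.1.2.4", "10.1.2.9", 6, 22, 200),
    ("10.1.2.3", "10.0.99.1", 6, 445, 60),   # connections to addresses nothing should use
    ("10.1.2.3", "10.0.99.2", 6, 445, 60),
    ("10.1.2.4", "10.0.99.1", 6, 22, 60),
]

# Constructed list of unused addresses on the network (page 23).
UNUSED_IPS = {"10.0.99.1", "10.0.99.2"}


def darknet_talkers(flows, unused=UNUSED_IPS):
    """Page 23: internal sources ranked by how many connections they make to unused IPs."""
    return Counter(src for src, dst, *_ in flows if is_internal(src) and dst in unused)


def dns_destination_counts(flows):
    """Page 24: internal -> external UDP/53, counted per destination IP."""
    return Counter(dst for src, dst, proto, dport, _ in flows
                   if is_internal(src) and not is_internal(dst) and proto == 17 and dport == 53)


def top_senders(flows, n=25):
    """Page 25: internal -> external bytes summed per source, top n."""
    totals = Counter()
    for src, dst, _, _, octets in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += octets
    return totals.most_common(n)


def internal_pair_counts(flows):
    """Page 26: connection count for every internal (src, dst) pair."""
    return Counter((src, dst) for src, dst, *_ in flows if is_internal(src) and is_internal(dst))


def ports_for_source(flows, source):
    """Page 27: for one source chosen at runtime, bytes sent to each (destination, port)."""
    out = defaultdict(int)
    for src, dst, _, dport, octets in flows:
        if src == source:
            out[(dst, dport)] += octets
    return dict(out)


def connections_to(flows, target):
    """Pages 32-33 pivot: which sources connect to a given IP, and how often."""
    return Counter(src for src, dst, *_ in flows if dst == target)


if __name__ == "__main__":
    print("Top talkers to unused IPs:", darknet_talkers(FLOWS).most_common(3))
    print("DNS destinations:", dns_destination_counts(FLOWS).most_common())
    print("Top senders:", top_senders(FLOWS, 5))
    print("Internal pairs:", internal_pair_counts(FLOWS).most_common())
    print("Ports for 10.1.2.3:", ports_for_source(FLOWS, "10.1.2.3"))
```

Each function keeps the slide's direction filter (source on my network, destination external or internal) separate from the aggregation, so the same filters can be reused with a different grouping; on real NetFlow the records would be streamed from the collector rather than held in a list.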

Page 32

- What is connecting to that IP address?
- What is that IP address connecting to?
- Do I have any alerts associated with that IP address?
- Is there any significant amount of data loss from that system?

Page 33

- What is connecting to that IP address?

Page 38

[Screenshot labels: Dewan Communications; Facebook]

Page 39

- What is that IP address connecting to?

Page 42

[Screenshot labels: AWS; hosted-by.ihc.ru; Feral Hosting?; softlayer.com; Dewan Communications]

Page 43

- Do I have any alerts associated with that IP address?

Page 45

- Is there any significant amount of data loss from that system?

Page 48

https://code.google.com/p/collective-intelligence-framework/

Page 49

- Are there alerts associated with this host on my IPS or other monitoring devices? No.
- WAFSEC reputation data...
- McAfee Threat Intelligence data...
- This looks like a false positive to me.

Page 50

- Should I accept packets from random IP X?
  - Reputation Data
  - Attack Data
  - Vulnerability Data
  - Asset Data
  - Trust Boundaries

- Should I allow random person X to download a file Y?
  - Data Classification
  - Reputation Data
  - Authentication Data
  - Authorization Data
  - Trust Boundaries

Page 51

- Block an IP address with a Firewall or IPS system.
- Create WAF rules based on attack data.
- Ban a system from communicating on your network.
- Require additional authentication.
- Attack back?

-- Greg Hoglund, Founder and Former CEO of HBGary, from CNBC, "Companies Battle Cyberattacks Using 'Hack Back'", 6/4/2013

Page 52

- Many companies suffer from a lack of visibility into critical security threats.
- Security analytics allow us to see and react to threats.
- Ideal tools are those with both provider and consumer capabilities.
- Combining tool data together gives us the context that we can use to make informed decisions.
- Network flow data is the "glue" that ties the events together and helps to illustrate the attack progression.

Page 53

Josh Sokol  Twitter: @joshsokol  Blog: http://www.webadminblog.com
Walter Johnson  Twitter: @sirmodok