CAIS Sensor: Distributed Sensors Network in Brazilian NREN LACSEC - - PowerPoint PPT Presentation

cais sensor distributed sensors network in brazilian nren
SMART_READER_LITE
LIVE PREVIEW

CAIS Sensor: Distributed Sensors Network in Brazilian NREN LACSEC - - PowerPoint PPT Presentation

Dec 17, 2023 242 likes •472 views

CAIS Sensor: Distributed Sensors Network in Brazilian NREN LACSEC LACNIC27 Regarding RNP Brazilian National Research and Education Network (RNP). Created in 1989. Implementing the first Latin American fiber network in 2005.

slide-1
SLIDE 1

CAIS Sensor: Distributed Sensors Network in Brazilian NREN

LACSEC

LACNIC27

slide-2
SLIDE 2

Regarding RNP

  • Brazilian National Research

and Education Network (RNP).

  • Created in 1989.
  • Implementing the first Latin

American fiber network in 2005.

slide-3
SLIDE 3

Regarding CAIS

  • Coordination CSIRT of Brazilian

research and education network since 1997.

  • CAIS works in detection, resolution and

prevention of network security incidents.

Security Vulnerability Management Security Incident Handling

CSIRT Development

Security Awareness

slide-4
SLIDE 4

Rede Ipê, Brazilian academic network

  • backbone. Built-in capacity of 347 Gbps

* dados de 2015

Interconnects 1.911 units of RNP's Customers (Universities, Federal Institutes, Research Organizations). Highly diversified environment, regarding networks, technologies and maturity of customers’ security teams. Difficulties for efficient detection.

Motivations to create a CAIS Sensor network

slide-5
SLIDE 5

CAIS Sensor Requirements

slide-6
SLIDE 6

What is the CAIS Sensor?

slide-7
SLIDE 7

How does CAIS Sensor analyze traffic?

slide-8
SLIDE 8

How does CAIS Sensor work?

Sensor (Suricata)

Master Server Engine (Suricata) Engine (Suricata) Engine (Suricata) + + Query

slide-9
SLIDE 9

What does Master Server do?

  • Sensor’s system updates

management

  • Sensor management
  • Statistics of malicious

activities detected

  • Information about sensor’s

“health”

  • System general

administration Master

Engines(Suricata)

slide-10
SLIDE 10

Regarding Engines(Suricata)

  • Friendly user interface
  • Plug and play
  • Less technical knowledge required
  • Low maintenance and support
  • Send detections by email
  • Send statistics and status data
  • Update requests

Engines(Suricata)

slide-11
SLIDE 11

The CAIS Sensor(Screenshots)

Main menu Quick access tasks Quick Information dashboard

slide-12
SLIDE 12

The CAIS Sensor(Screenshots)

slide-13
SLIDE 13

Engine(Screenshots) – Installation Menu

  • Restart Services.
  • Network interface configuration.
  • Select network pickup interface.
  • Use license configuration.
slide-14
SLIDE 14

27 RNP Points of Presence 17 Customers 44 Sensors Installed

CAIS Sensor Implementation

slide-15
SLIDE 15

Statistics – Average Analyzed Traffic

slide-16
SLIDE 16

Statistics

91% 9% Incoming Outgoing

Malicious activity flow Most attacked ports

slide-17
SLIDE 17

Statistics - Main types of malicious activity detected

DDoS Attempts(protocol xdmcp) 702.345 DDoS Attack (protocol NTP) 535.204 Malwares 236.985 DDoS Attack (protocol SNMP) 102.478

slide-18
SLIDE 18

Statistics – Types of detected events

slide-19
SLIDE 19

Statistics - Botnets

nicaze.net Zeus XcodeGhost Feodo DealPly PCRat/Gh0st Palevo Bladabindi/njrat Beacon Kelihos

slide-20
SLIDE 20

Next Steps

  • Optimize reports
  • Integrate with other sources (URLs blacklist,

IPs blacklist, others)

  • Increase number of sensors in educational institutions

and RNP customers

  • Finalize and expand the partnership model
slide-21
SLIDE 21

Questions ?

slide-22
SLIDE 22

Thanks!

RNP – Brazilian Educational and Research Network

CAIS – RNP Incident Security Response Team

Yuri Alexandro

Security Analyst yuri.ferreira@rnp.br

Rildo Souza

Security Analyst rildo.souza@rnp.br