changing network detection
play

Changing Network Detection Using Bro and Distributed Computing - PowerPoint PPT Presentation

Mar 06, 2024 •375 likes •665 views

Changing Network Detection Using Bro and Distributed Computing Concepts Mike Reeves @TOoSmOotH Who are you and why are you talking to me? 16 years in InfoSec, 19 years total IT Work at FireEye Huge Bro fan Lots of

  1. Changing Network Detection Using Bro and Distributed Computing Concepts Mike Reeves @TOoSmOotH

  2. “Who are you and why are you talking to me?” • 16 years in InfoSec, 19 years total IT • Work at FireEye • Huge Bro fan • Lots of experience in large sensor deployments • Heavily into RC stuff.. FPV, Autonomous flight etc • Security Onion contributor - Onion Salt

  3. Story Time

  4. Pyramid of Pain *TM David Bianco

  5. In Your Base Interwebs 3rd Outbound Lateral VPN DMZ Access Movement Party

  6. They know you better than you know yourself • You will always have critical data at the edge • They know the typical value prop of network detection/prevention is to centralize • So you will get hit where you are the weakest

  7. Network Detection is Awesome • Packets don’t lie for the most part • You can snag malware pre-detonation • Quick way to get some sort of detection to hosts on your network with minimal disruption • Host based stuff only works on things you have it installed on

  8. Big Trouble in Little China • Asynchronous Routing • Encryption • The “bad guys” are smart and will avoid you • MPLS • WAN Optimization • Network Detection and the evolution of networking are in direct conflict

  9. A”stink”ronous Routing • Thanks BGP! • The reality is you are going to hit this no matter what you do • You should be doing asynchronous routing to improve network performance - just sucks for people trying to do detection

  10. Encryption • You are screwed for the most part • Use SSL termination devices and put your sensors behind those • There are commercial MITM products you can get some stuff out of • Still screwed though

  11. MPLS • Network teams want to use MPLS the right way • There is a lot of “hub and spoke” configurations still to centralize traffic for detection needs • This ends up costing more money Site 1 Site 2 Site 3

  12. WAN Optimization • Cool concept and can save money • Jacks up your detection capabilities since it only sends part of the traffic once its been accelerated • Requires a sensor on the unoptimized side

  13. I have told you everything that sucks. What should we do? Time to flip detection on its head!

  14. No more whiz bangery • Choke points and the evolution of networking are in direct conflict • If indicators are good enough for your sensors its good enough for everything • Flexibility is the most important part of an effective detection strategy • There is no “shiny and chrome” fix

  15. How do we fix this? • Go where the users are.. That is what the bad guys do • Networks are distributed - so should your detection • This means lots of Bro devices in lots of places • Let’s steal some concepts from distributed computing

  16. Introducing the double decker couch • We use sensors for their resources.. like worker nodes in a HPC • Workers can be rebuilt within minutes • Should be able to run on whatever hardware is around • The entire grid should be managed as a single device

  17. How do we do this? By making our Bro sensors dumb! • Pull off as much as possible • No more atomic indicators on sensors • Sensors are there to provide data to the backend • Use low power devices

  18. Master Minion Architecture Master of Github Masters Minion Minion Minion Master Master Master Minion Minion Minion Minion Minion Minion Minion Minion Minion

  19. Minions work for their Masters • Minions check in on a predetermined timeframe to ensure all things are like they are supposed to be • This allows us to have a single config for thousands of devices

  20. Demo Time

  21. That’s neat.. But how do I detect stuff • Break things into a service based architecture • This makes scaling these services possible • Forces data to be centralized instead of devices • Puts the horsepower to detect lots of evil where its easy to scale vs sensors have finite resources • Still need “deep packet inspection” to run on the sensors

  22. Pub-sub to the rescue + • Ship bro logs from the sensors into some sort of Pub-Sub architecture. ex. REDIS, RabbitMQ • Make subscribers process the log files looking for your indicators • Expensive rules mean more work not lost packets

  23. Sample Architecture Rules Log Rabbit Index Database Ingest MQ Archive Fanout

  24. You mean I can use logs too? • Atomic indicators work great on all kinds of different logs • IP Adresses: bro_conn, firewall logs, proxy logs, webserver logs,host logs • URI/URL: bro_http, proxy logs, web server logs • Domains: bro_dns, dns logs, proxy logs, host logs

  25. ESM Enterprise Security Monitoring • David Bianco BSides Augusta 2013 • https://www.youtube.com/watch?v=gA65N- RSWQ0 • @DavidJBianco

  26. What did we improve? • MPLS can be used as intended. No more hub and spoke • Asynchronous routing is no longer as much of an issue since we are closer to the users • Ability to get traffic before it is optimized • Gives you more eyes in more places to detect lateral movement

  27. Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Changing Cold Regions Network: Sub-theme B3 Diagnosis of Local Past Changes

The Changing Cold Regions Network: Sub-theme B3 Diagnosis of Local Past Changes

The Changing Cold Regions Network: Sub-theme B3 Diagnosis of Local Past Changes www.usask.ca/water www.ccrnetwork.ca | Detection and diagnosis of change Attribution of the causes of Earth system change, and understanding the interaction

201 views • 17 slides
Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection Systems Signature Based IDS Monitor packets on the network Compare them against database of signatures/attributes from known threats

476 views • 26 slides
Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
Making Object Detection Work in Medical Imaging Idan Bassuk Segmentation Detection

Making Object Detection Work in Medical Imaging Idan Bassuk Segmentation Detection

Making Object Detection Work in Medical Imaging Idan Bassuk Segmentation Detection Classification 4 5 Mature technology 6 Mature, Accurate and Fast 7 Changing the world, one killer app at a time 8 Changing the world, one killer app at

570 views • 39 slides
Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk Network intrusion detection Network intrusion detection systems are provided to detect the presence of various security

260 views • 12 slides
2020 NETWORK CHANGE AD VAN C IN G TOWAR D IN TEGR ATED C AR E WHY IS THE NETWORK CHANGING? We

2020 NETWORK CHANGE AD VAN C IN G TOWAR D IN TEGR ATED C AR E WHY IS THE NETWORK CHANGING? We

2020 NETWORK CHANGE AD VAN C IN G TOWAR D IN TEGR ATED C AR E WHY IS THE NETWORK CHANGING? We are committed to providing affordable health care coverage that will promote better health outcomes for The Ohio State University faculty, staff, and

541 views • 5 slides
Criminal Network Formation and Optimal Detection Policy: The Role of Cascade of Detection Liuchun

Criminal Network Formation and Optimal Detection Policy: The Role of Cascade of Detection Liuchun

Criminal Network Formation and Optimal Detection Policy: The Role of Cascade of Detection Liuchun Deng 1 and Yufeng Sun 2 Johns Hopkins University Chinese University of Hong Kong Deng & Sun (JHU & CUHK) Criminal Network 2/27/2016 1 /

633 views • 30 slides
Global Network Interference Detection over the RIPE Atlas Network Adventures in Pervasive

Global Network Interference Detection over the RIPE Atlas Network Adventures in Pervasive

Global Network Interference Detection over the RIPE Atlas Network Adventures in Pervasive Measurement Collin Anderson, Philipp Winter and Roya USENIX FOCI, August 2014 Once Upon a Time Starting from the Dark Ages For Now We See Through

488 views • 31 slides
Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

432 views • 32 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Community Detection in Social Networks Lei Tang Properties of Complex Network Power Law

Community Detection in Social Networks Lei Tang Properties of Complex Network Power Law

Community Detection in Social Networks Lei Tang Properties of Complex Network Power Law Community Structure Small World Why Community Detection? Communities in a citation network might represent related papers on a single topic;

288 views • 24 slides
Tra ffi c anomaly detection using a distributed measurement network Razvan Oprea Supervisor:

Tra ffi c anomaly detection using a distributed measurement network Razvan Oprea Supervisor:

Tra ffi c anomaly detection using a distributed measurement network Razvan Oprea Supervisor: Emile Aben (RIPE NCC) System and Network Engineering February 8, 2012 Razvan Oprea Tra ffi c anomaly detection - distributed measurement network

698 views • 20 slides
Detection & Eradication About RedIRIS Spanish Academic & Research Network

Detection & Eradication About RedIRIS Spanish Academic & Research Network

Detection & Eradication About RedIRIS Spanish Academic & Research Network Interconnect 250 Universities & Research centers Part of goverment company, red.es IRIS-CERT, CSIRT inside RedIRIS Botnet Detection 1. By

716 views • 48 slides
Changing Places/Changing Faces 1 Running Head: CHANGING PLACES/CHANGES FACES Changing

Changing Places/Changing Faces 1 Running Head: CHANGING PLACES/CHANGES FACES Changing

Changing Places/Changing Faces 1 Running Head: CHANGING PLACES/CHANGES FACES Changing Places/Changing Faces: Immigrant Youth and Identity Development Elham Bagheri & Jay M. Greenfeld, M.A. University of Iowa Changing Places/Changing

401 views • 11 slides
Spectral Methods for Network Community Detection and Graph Partitioning M. E. J. Newman

Spectral Methods for Network Community Detection and Graph Partitioning M. E. J. Newman

Spectral Methods for Network Community Detection and Graph Partitioning M. E. J. Newman Department of Physics, University of Michigan Presenters: Yunqi Guo Xueyin Yu Yuanqi Li 1 Outline: Community Detection Modularity Maximization

1.04k views • 56 slides
Problems and methods for attribute detection of social network users Anton Korshunov Institute

Problems and methods for attribute detection of social network users Anton Korshunov Institute

Problems and methods for attribute detection of social network users Anton Korshunov Institute for System Programming of Russian Academy of Sciences RCDL-2013 Contents Network Level: User Community Detection 1 User Level: Demographic

628 views • 41 slides
BenchCouncil AIBench --- A Datacenter AI Benchmark Suite Wanling Gao, Fei Tang, Jianfeng Zhan

BenchCouncil AIBench --- A Datacenter AI Benchmark Suite Wanling Gao, Fei Tang, Jianfeng Zhan

BenchCouncil AIBench --- A Datacenter AI Benchmark Suite Wanling Gao, Fei Tang, Jianfeng Zhan http://www.benchcouncil.org/AIBench/index.html INSTITUTE O BenchCouncil OF C Bench19, Denver, Colorado, USA COMPUTING T TECHNOLOGY Why

1k views • 61 slides
New opportunities in optical testing given by photochromic materials Giorgio Pariani, Martino

New opportunities in optical testing given by photochromic materials Giorgio Pariani, Martino

New opportunities in optical testing given by photochromic materials Giorgio Pariani, Martino Quintavalla, Rossella Castagna, Letizia Colella, Chiara Bertarelli, Frederic Zamkotsian, Andrea Bianco Photochromic materials F Change of: F 3 -

832 views • 17 slides
Scientific Programming: Part B Lecture 2 Luca Bianco - Academic Year 2019-20

Scientific Programming: Part B Lecture 2 Luca Bianco - Academic Year 2019-20

Scientific Programming: Part B Lecture 2 Luca Bianco - Academic Year 2019-20 luca.bianco@fmach.it [credits: thanks to Prof. Alberto Montresor] Introduction Complexity The complexity of an algorithm can be defined as a function mapping the

884 views • 45 slides
Scientific Programming Lecture A05 - Designing programs Andrea Passerini Universit degli Studi

Scientific Programming Lecture A05 - Designing programs Andrea Passerini Universit degli Studi

Scientific Programming Lecture A05 - Designing programs Andrea Passerini Universit degli Studi di Trento 2019/10/22 Acknowledgments: Alberto Montresor, Stefano Teso This work is licensed under a Creative Commons Attribution-ShareAlike 4.0

554 views • 36 slides
Chart 1 U.S. Personal Saving Rate and Household Debt (consumer plus mortgage) as a % of

Chart 1 U.S. Personal Saving Rate and Household Debt (consumer plus mortgage) as a % of

Chart 1 U.S. Personal Saving Rate and Household Debt (consumer plus mortgage) as a % of Disposable Personal Income Last Points 4Q 2015- Saving Rate, 5.4%; HH Debt, 104.7% 16% 140% 130% 14% 120% 12% 110% 10% 100% 90% 8% 80% 6% 70%

769 views • 48 slides
STELLA: A Domain Specific Language for Stencil Computations Carlos Osuna, Center for Climate

STELLA: A Domain Specific Language for Stencil Computations Carlos Osuna, Center for Climate

STELLA: A Domain Specific Language for Stencil Computations Carlos Osuna, Center for Climate Systems Modeling, ETH Zurich Tobias Gysi, Department of Computer Science, ETH Zurich Oliver Fuhrer, Federal Office of Meteorology and Climatology,

609 views • 45 slides
Women on Boards in Italy Magda Bianco, Angela Ciavarella, Rossella Signoretti Banca dItalia,

Women on Boards in Italy Magda Bianco, Angela Ciavarella, Rossella Signoretti Banca dItalia,

Women on Boards in Italy Magda Bianco, Angela Ciavarella, Rossella Signoretti Banca dItalia, Consob Workshop on Diversity in Boards De Nederlandsche Bank Amsterdam, 19 December 2013 Outline 1. Literature and motivation 2. Women and the

475 views • 25 slides
On Model Checking Techniques for Randomized Distributed Systems Christel Baier Technische

On Model Checking Techniques for Randomized Distributed Systems Christel Baier Technische

On Model Checking Techniques for Randomized Distributed Systems Christel Baier Technische Universit at Dresden joint work with Nathalie Bertrand Frank Ciesinski Marcus Gr oer 1 / 161 Probability elsewhere int-01 randomized

1.65k views • 161 slides

More recommend