s a v a n t
play

S A V A N T Security Analytics & Visualisation for Advanced - PowerPoint PPT Presentation

Jun 23, 2023 •562 likes •1.17k views

S A V A N T Security Analytics & Visualisation for Advanced Network Threats Paul D. Hood & Kristian Kocher OxCERT OxCERT Paul D. Hood Security Operations Lead Kristian Kocher UNIX Security Systems Administrator

  1. S A V A N T Security Analytics & Visualisation for Advanced Network Threats Paul D. Hood & Kristian Kocher OxCERT

  2. OxCERT Paul D. Hood Security Operations Lead Kristian Kocher UNIX Security Systems Administrator paul.hood@it.ox.ac.uk kristian.kocher@it.ox.ac.uk

  4. S A V A N T The ElasticSIEM

  5. SAVANT NSM Trends As network speeds increase, NSM data balloons to multi-GB per day 40Gbps 10Gbps 2.5Gbps 2018 (?) 2008 2002 We are at 40GB+ NetFlow per day

  6. SAVANT NSM Trends Traditional logging methods aggregate data into large compressed archive files Traditional search techniques rely on decompression on the CLI (ie, zgrep )

  7. SAVANT NSM Trends

  8. SAVANT NSM Trends This method scales very poorly as data size continues to increase

  9. SAVANT NSM Trends Individual analyses are taking longer Number of sources are expanding Analyst time is a precious resource We are losing this war

  10. SAVANT NSM Trends Aggregated and parallelised search has emerged as the only viable option

  11. Our solution

  12. SAVANT The Stack SAVANT is built on a stack of interlocking software components E lasticSearch L ogstash K ibana Each performs a vital function

  13. SAVANT The Stack ELASTICSEARCH is a high-speed indexing engine, able to store and retrieve data as JSON objects Anything can be indexed

  14. SAVANT The Stack LOGSTASH is a flexible log shipping and storage application. Logstash translates log entries from near-any source into a JSON object for storage in ElasticSearch

  15. SAVANT The Stack KIBANA is the front-end, forming the user interface and search functionality Kibana can visualize huge quantities of data at extreme speed, thanks to Python Lucene

  16. SAVANT The Stack The three components allow: • JSON data objects • Resilient storage • Search, retrieval, analytics

  17. SAVANT NetFlow nBox Logstash Elastic Elastic Elastic Kibana Search

  18. SAVANT NSM/logs/alerts NSM FileBeat Logstash Elastic Elastic Elastic Kibana Search

  19. SAVANT Protocols (DNS) PacketBeat Elastic Elastic Elastic Kibana Search

  20. Proof of Concept

  21. SAVANT PoC Hardware is required to handle each major functional stage; Tool Server / Appliance Data Node Replica Node Search Node

  22. SAVANT PoC

  23. SAVANT PoC

  24. SAVANT PoC Insights In general, when building a cluster of this magnitude it will require; • Data nodes: High I/O, multiple cores, 32GB+ of RAM , RAID-1 • Search nodes: maximum CPU and RAM, system on SSD storage • Replica nodes: can be practically anything, but better hardware contributes more to search metrics

  25. SAVANT PoC Insights There are a few ‘gotchas’ which persist when building these clusters: Each ElasticSearch node can have a maximum of 31GB RAM due to JVM pointer compression limitations BUT… Assigning the full 31GB causes huge ‘stop the world’ garbage collection

  26. SAVANT PoC Insights 0.3Tbit/sec NetFlow is a big ask… Build your own Logstash codec Snapshotting takes time and resource… Schedule for low-usage hours GeoIP is not terribly performant…. Only enable it for logs/alerts, not NetFlow…

  27. SAVANT Design Metrics Online, searchable data 30-60 days Snapshotted archives 6-12 months Search performance target <60 secs

  28. Scaling

  29. SAVANT Evolved Scaling 4 fibre taps 40Gb/s line rate ~320Gb/s total

  30. SAVANT Evolved Scaling Very few (FLOSS/cheap) analysis tools can handle 40G+ line rates The best we can do is ~10G … We have a theoretical 0.3TBit/sec to fully monitor and analyse… L

  31. SAVANT Evolved Scaling 40Gb + 40Gb + 40Gb + 40Gb 10Gbps output streams

  32. SAVANT Evolved Scaling 40Gb + 40Gb + 40Gb + 40Gb Tool Servers/Appliances

  33. SAVANT Evolved Scaling 40Gb + 40Gb + 40Gb + 40Gb NetFlow NSM Protocols

  34. SAVANT Evolved Scaling Effectively we can compartmentalise capability into ~10G units (Rx/Tx) A 40G-capable cluster is composed of the same fundamentals as a 10G Following this scaling principle, we can scale this tech to 100G line rates

  35. The SIEM

  37. SAVANT Aggregation

  38. SAVANT Aggregation…

  39. SAVANT The SIEM Single unified interface Fully aggregated Multi-TB index search capacity

  40. SAVANT The SIEM External intelligence Internal investigations Arbitrary IoC sources

  41. SAVANT The SIEM

  42. Case Studies

  43. Use Case 1 –Threat Hunting

  44. Use Case 1 –Threat Hunting

  45. Use Case 1 –Threat Hunting

  46. Use Case 1 –Threat Hunting

  47. Use Case 1 –Threat Hunting

  48. Use Case 1 –Threat Hunting Total Investigation time: 3 minutes

  49. Use Case 2 – Host Identification

  50. Use Case 2 – Host Identification

  51. Use Case 2 – Host Identification

  52. Use Case 3 – Strategic NSM

  53. Use Case 4 – Deep Analysis

  54. Use Case 4 – Deep Analysis

  55. Use Case 4 – Deep Analysis Total Investigation time: 2 minutes

  56. Use Case 5 – All of the above

  57. Thank Y ou!

  58. https://www.infosec.ox.ac.uk/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Some Problems in the Numerical Analysis of Elastic Waves Tom Hagstrom Southern Methodist

Some Problems in the Numerical Analysis of Elastic Waves Tom Hagstrom Southern Methodist

Some Problems in the Numerical Analysis of Elastic Waves Tom Hagstrom Southern Methodist University Collaborators: Daniel Appel o, University of Colorado Daniel Baffet, Basel Jeff Banks, RPI Jacobo Bielak, Carnegie Mellon Dan Givoli,

473 views • 24 slides
Curvature-Exploiting Acceleration of Elastic Net Computation Vien V. Mai and Mikael Johansson KTH

Curvature-Exploiting Acceleration of Elastic Net Computation Vien V. Mai and Mikael Johansson KTH

Curvature-Exploiting Acceleration of Elastic Net Computation Vien V. Mai and Mikael Johansson KTH - Royal Institute of Technology The elastic net problem Workhorse in ML and modern statistics 1 2 + 2 2 n Ax b 2 2 x

268 views • 8 slides
Importance sampling algorithms for first passage time probabilities in the infinite server queue

Importance sampling algorithms for first passage time probabilities in the infinite server queue

Importance sampling algorithms for first passage time probabilities in the infinite server queue Ad Ridder Department of Econometrics Vrije Universiteit Amsterdam aridder@feweb.vu.nl http://staff.feweb.vu.nl/aridder/ RESIM Rennes September

490 views • 25 slides
The Interplay of Information Theory, Probability, and Statistics Andrew Barron Yale University,

The Interplay of Information Theory, Probability, and Statistics Andrew Barron Yale University,

The Interplay of Information Theory, Probability, and Statistics Andrew Barron Yale University, Department of Statistics Presentation at Purdue University, February 26, 2007 Outline Information Theory Quantities and Tools * Entropy,

456 views • 45 slides
Monte Carlo simulations of a solenoid spectrometer for Project P2 D. Becker, K. Gerz, T.

Monte Carlo simulations of a solenoid spectrometer for Project P2 D. Becker, K. Gerz, T.

IEB-Workshop, June 17-19 2015, Ithaca, NY, USA Monte Carlo simulations of a solenoid spectrometer for Project P2 D. Becker, K. Gerz, T. Jennewein, S. Baunack, K. S. Kumar, F. E. Maas Institute for Nuclear Physics, JGU Mainz Outline

411 views • 38 slides
Elking your PostgreSQL Database Infrastructure Infrastructure at your Service. About me Arnaud

Elking your PostgreSQL Database Infrastructure Infrastructure at your Service. About me Arnaud

Infrastructure at your Service. Elking your PostgreSQL Database Infrastructure Infrastructure at your Service. About me Arnaud Berbier Senior Consultant +41 79 128 91 45 arnaud.berbier@dbi-services.com Page 2 Elking your PostgreSQL Database

411 views • 19 slides
ElastiCluster Automated provisioning of computational clusters in the cloud Riccardo Murri

ElastiCluster Automated provisioning of computational clusters in the cloud Riccardo Murri

ElastiCluster Automated provisioning of computational clusters in the cloud Riccardo Murri &lt;riccardo.murri@gmail.com&gt; (with contributions from Antonio Messina, Nicolas Br, Sergio Maffioletti, and Sigve Haug) HEPiX Spring 2017 What is

551 views • 21 slides
Know more about your Ceph Cluster with ELK Stack Cameron Seader Technology Strategist

Know more about your Ceph Cluster with ELK Stack Cameron Seader Technology Strategist

Know more about your Ceph Cluster with ELK Stack Cameron Seader Technology Strategist cs@suse.com 2 Ceph and Logging rsyslog, syslog-ng to forward logs to (Logstash / Fluentbit) Filebeat Ceph has Graylog (GELF) support store

758 views • 32 slides
Search and beyond with Elasticsearch Florian Loretan Wunder Group Horizons Track search

Search and beyond with Elasticsearch Florian Loretan Wunder Group Horizons Track search

Search and beyond with Elasticsearch Florian Loretan Wunder Group Horizons Track search Source: Flickr - Imad HADDAD Facets Frontend Search results Autocomplete Search queries Application Data manipulation Storage Indexing $ grep

890 views • 74 slides
Economics 2 Professor Christina Romer Spring 2017 Professor David Romer LECTURE 4 EXTENSIONS

Economics 2 Professor Christina Romer Spring 2017 Professor David Romer LECTURE 4 EXTENSIONS

Economics 2 Professor Christina Romer Spring 2017 Professor David Romer LECTURE 4 EXTENSIONS OF SUPPLY AND DEMAND ANALYSIS January 26, 2017 I. O VERVIEW II. R EVIEW OF THE S UPPLY AND D EMAND F RAMEWORK A. Two sides of the market (example:

418 views • 38 slides
Understanding Interstate Trade Patterns Hakan Yilmazkuday Journal of International Economics

Understanding Interstate Trade Patterns Hakan Yilmazkuday Journal of International Economics

Understanding Interstate Trade Patterns Hakan Yilmazkuday Journal of International Economics 2012; JIE Volume 86, Issue 1, 58166. Yilmazkuday (2012; JIE) Understanding Interstate Trade Patterns Volume 86, Issue 1, 58166. 1 / 4

183 views • 4 slides
Elasticity in Numerical Semigroup Rings and Power Series Rings Paul Baginski Fairfield

Elasticity in Numerical Semigroup Rings and Power Series Rings Paul Baginski Fairfield

Background Irreducibles K finite K infinite Elasticity in Numerical Semigroup Rings and Power Series Rings Paul Baginski Fairfield University INdAM International Meeting on Numerical Semigroups Cortona, Italy September 11, 2014 Paul

702 views • 44 slides
A Finite Volume Approach to Multiscale Elasticity Paul Delgado NSF Fellow (HRD-1139929)

A Finite Volume Approach to Multiscale Elasticity Paul Delgado NSF Fellow (HRD-1139929)

A Finite Volume Approach to Multiscale Elasticity Paul Delgado NSF Fellow (HRD-1139929) Doctoral Candidate - Computational Science University of Texas at El Paso November 1, 2014 A Finite Volume Approach to Multiscale Elasticity

737 views • 36 slides
d i E Elasticity of Demand a l l u d Dr. Abdulla Eid b A College of Science . r D

d i E Elasticity of Demand a l l u d Dr. Abdulla Eid b A College of Science . r D

Section 12.3 d i E Elasticity of Demand a l l u d Dr. Abdulla Eid b A College of Science . r D MATHS 104: Mathematics for Business II Dr. Abdulla Eid (University of Bahrain) Elasticity of Demand 1 / 11 Recall From Economics

402 views • 11 slides
ECO 317 Economics of Uncertainty Fall Term 2009 Notes for lectures 7. Consumption and

ECO 317 Economics of Uncertainty Fall Term 2009 Notes for lectures 7. Consumption and

ECO 317 Economics of Uncertainty Fall Term 2009 Notes for lectures 7. Consumption and Saving The Basic Two-Period Model Here we consider a risk-averse expected utility maximizer who has a two-period time- horizon, labeled Period 1 (this

677 views • 4 slides
Risk and Ambiguity in Models of Business Cycles Dave Backus, Axelle Ferriere, and Stan Zin

Risk and Ambiguity in Models of Business Cycles Dave Backus, Axelle Ferriere, and Stan Zin

Risk and Ambiguity in Models of Business Cycles Dave Backus, Axelle Ferriere, and Stan Zin Carnegie-Rochester-NYU Conference April 18, 2014 This version: April 20, 2014 Backus, Ferriere, &amp; Zin (NYU) Risk &amp; Ambiguity The Great

747 views • 37 slides
model with two types of agents and shift in behaviour Pasquale Commendatore (University of Naples

model with two types of agents and shift in behaviour Pasquale Commendatore (University of Naples

An overlapping generations model with two types of agents and shift in behaviour Pasquale Commendatore (University of Naples Federico II, Italy) Ingrid Kubin (Vienna University of Economics and BA, Austria) Iryna Sushko (NASU and Kyiv School

533 views • 38 slides
Law of Supply Bellringer Chapter 5 Lesson 1 What is Supply? Be Bell llrin inger According

Law of Supply Bellringer Chapter 5 Lesson 1 What is Supply? Be Bell llrin inger According

Lesson 1: The Chapter 5 Supply Law of Supply Bellringer Chapter 5 Lesson 1 What is Supply? Be Bell llrin inger According to the Law of Supply, is the relationship between price and quantity supplied direct or indirect? There is a

322 views • 19 slides
A Nonlinear Trust-Region Framework for PDE-Constrained Optimization Using Adaptive Model

A Nonlinear Trust-Region Framework for PDE-Constrained Optimization Using Adaptive Model

Introduction Optimization via Adaptive Model Reduction Large-Scale, Constrained Optimization Conclusion A Nonlinear Trust-Region Framework for PDE-Constrained Optimization Using Adaptive Model Reduction Matthew J. Zahr Institute for

336 views • 33 slides
Optimal trading strategies Optimal trading strategies with limit orders: with limit orders: a

Optimal trading strategies Optimal trading strategies with limit orders: with limit orders: a

Optimal trading strategies Optimal trading strategies with limit orders: with limit orders: a stochastic stochastic programming programming approach approach a Rossella Agliardi Agliardi Rossella University of of Bologna (Italy)

492 views • 30 slides
Exasc scale Scientifi fic c Co Computing The Road Ahead Kemal A. Delic Martin Antony

Exasc scale Scientifi fic c Co Computing The Road Ahead Kemal A. Delic Martin Antony

Exasc scale Scientifi fic c Co Computing The Road Ahead Kemal A. Delic Martin Antony Walker Advanced Analysis Academy 22. 27. Oktober 2017, Dagstuhl Seminar 17431 Performance Portability in Extreme Scale Computing: Metrics,

344 views • 7 slides
Cities and Climate Change UNU-WIDER Conference 2012 Climate Change and Development Policy

Cities and Climate Change UNU-WIDER Conference 2012 Climate Change and Development Policy

Cities and Climate Change UNU-WIDER Conference 2012 Climate Change and Development Policy Greening Cities in Developing Countries Marcus Lee Urban Development Unit, The World Bank www.worldbank.org/urban THE WORLD BANK Urbanization continues

738 views • 25 slides
A Discipline for Software A Discipline for Software Engineering Engineering (Humphrey, 1995)

A Discipline for Software A Discipline for Software Engineering Engineering (Humphrey, 1995)

A Discipline for Software A Discipline for Software Engineering Engineering (Humphrey, 1995) (Humphrey, 1995) Introduction AU INSY 560, Singapore 1997, Dan Turk Humphrey Preface - slide 1 Outline Outline I Software Development: Craft or

193 views • 15 slides
LEADING ONLINE MARKETPLACES IN EMERGING MARKETS ASX SMALL AND MID-CAP CONFERENCE 2020 | SEPTEMBER

LEADING ONLINE MARKETPLACES IN EMERGING MARKETS ASX SMALL AND MID-CAP CONFERENCE 2020 | SEPTEMBER

LEADING ONLINE MARKETPLACES IN EMERGING MARKETS ASX SMALL AND MID-CAP CONFERENCE 2020 | SEPTEMBER 2020 FDVS MISSION Become the leading global operator of online #1 property portal Pakistan Leading general marketplace #1 property portal

267 views • 16 slides

More recommend