Safer Pass the salt 2020 Together. Open Source Collaborative Dynamic Security engine Crowd Sec VC deck v3.1 Rev : 28/11/2019
Why “Cyber defense collaboration is the space race of our generation.” Williams David
Not solved, for a reason Money APPS Cloud & Shadow Time IT 3
The next generation solution Decoupled Crowd intel Real Time detection & sharing remediation Reputation Behavior assessment assessment 4
Crowd is the remedy to large scale hacking We use this, because it’s free, real time, fed Our parents used this. by community and gives traffic insights. Our goal is to become, “the Waze of Firewalls” 5
Building the detection Network with Open Source
Crowdsec analyses behavior, not IP:port Internet 10.0.0.0/24 Legitimate traffic 12.33.42.155 Bruteforce 80/TCP Port scan 53/UDP Web crawlers 22/TCP Exploits 123.42.56.218 XSS/SQLi 21/TCP ... Firewall Crowdsec 7
Crowdsec is as simple as 1,2,3,4 Behavior scenarii Collect data React the way Share your where you detect hack you want, where sightings and get want... attempts you want informed BAD IP Block Captcha Yours Ours Logs Community BAD IP Limit rights SIEM Party 2FA/MFA Community or speed 2 3 4 1 8
DEMO TIME 9
Detecting & enforce Internet On Premise Cloudified, SaaS & Hosted Information System Logs Logs Logs BAD IP Runs wherever you need it: BAD IP 10
Blockers : Protection at any level - Relies on local DB fed by API - Reusable libraries for integration in most components. - Counter-measure is defined by plugin : ban, slow, captcha ... Simple design allows integration at any level of the stack. 11
Open Source licensing Open Source Free (to use, copy, modify) Free of charge Can be embedded No usage limit Must name author Core MIT License. Configurations Blockers stay their Core contributors stays their authors authors properties abandon rights properties 12
Crowdsec Non elitist security
Easy setup DevOPS in their Developers Sysadmins IT engineers on an deployment through a on servers infrastructure environment Library or direct API call Operational install in less Heavily assisted setup, no 14 14 than 5 minutes technical entry barrier
CrowdSec Up to date Inference bad IP list Engine Timestamp Offending IP Target type Attack type Logs & signals from daemons, softwares, Enrich Acquire Heuristics Upload signal frameworks, CrowdSec Aggregate Rulesets Apply action 3rd party languages, Normalize Analysis Store event Local data Cloudtrail, SIEMS, IDS, Firewall... 15 Coded in GO, runs on all major OS Engineered for Cloud, Kubs, VMs
Configuration Hub One place to find community scenarios. One click to enable them. 16
Visualisation One command to access reporting. Relying on metabase. 17
Technical takeaways : Crowdsec Written in golang, community driven Observability, for users and OPs Lightweight and declarative for versatile deployment 18
Crowd fed decisions Stronger together
One stone, ten birds ? Aggressive traffic is qualified, discarded & notified to our database 20
The secret sauce: Consensus Canaries Honeypot Predictive.Alg Crowd Crowd Crowd Sec Sec Sec TR1 TR1 TR1 TR1 TR2 TR2 TR2 21
You will generate False Positives We broadcast “canaries”, IP whitelists of trustable actors (ie so that you won’t ruin your SEO by banning Google by mistake) If a scenario (community or Crowdsec one) kicks a whitelisted IP, it is marked as potentially triggering FP. Those IP addresses are crowdsourced as well, on our Github project, and curated by our staff, to diversify sources If a previously trusted actor changes behavior, we’ll notice it by having reliable scenarii being triggered by those, now evil, canaries 22
Only the crowd can defeat mass scale hacking... Thank you Crowdsec.net github.com/crowdsecurity/crowdsec
Recommend
More recommend
