soaring into netsec
play

SOARing into Netsec With Carl Bolterstein Name | Title | Date - PowerPoint PPT Presentation

May 16, 2023 •253 likes •524 views

SOARing into Netsec With Carl Bolterstein Name | Title | Date Objectives - Introduction to Bricata - Current methodologies of Network Hunting and Traffic Analysis - Shortfalls of the current methods - Introduction to SOAR - Completing

  1. SOARing into Netsec With Carl Bolterstein Name | Title | Date

  2. Objectives - Introduction to Bricata - Current methodologies of Network Hunting and Traffic Analysis - Shortfalls of the current methods - Introduction to SOAR - Completing the loop on automated response – The Auto-Tagger - Data Enrichment and what it means in your environment | 2 | Enhancing Network Security through Automation and Enrichment

  3. The Bricata Solution Post-Detection Actions Unparalleled Full-Spectrum True Threat Hunting Threat Detection Network Visibility Bricata optimizes detection Bricata empowers you to Bricata stops threats on the Bricata lets you see and minimizes false positives thoroughly investigate network and generates everything that transpires on by employing multiple threat detected threats and to required inputs to your your network via high-fidelity detection engines hunt unknown threats that downstream remediation metadata and SmartPCAP concurrently didn’t generate an alert tools 3 | Enhancing Network Security through 3 Automation and Enrichment

  4. Current Methods of Analyzing Network Traffic • In enterprise environments, the ground truth of the environment is in the data. • Whether this data has come in the form of logs to network flows to full packet capture, it can provide value for security analysts. • We will focus on the network flow and full packet capture data in our workflows today. | 4 | Enhancing Network Security through Automation and Enrichment

  5. Alert and Data Sources Where does it all come from? | 5 | Enhancing Network Security through Automation and Enrichment

  6. Signature Driven Alerts • Signature based detection systems have been with us for many many years • They provide detection for threats based on criteria matching in the traffic | 6 | Enhancing Network Security through Automation and Enrichment

  7. Anomaly-based IDS • Rather than relying on known-bad indicators of compromise such as signatures, heuristics search for potentially bad behaviors in the environment based on the data present. • This allows the environment to baseline known-good traffic and attempt to find deviations from the baseline. | 7 | Enhancing Network Security through Automation and Enrichment

  8. Network Metadata Collection • Network Metadata was built on the concept that more information needed to be present for effective analysis beyond standard 5-tuple flow information • Efficient, at scale collection and inspection of traffic is essential to this concept to provide the most value to security tools attempting to search for bad behaviors in a network | 8 | Enhancing Network Security through Automation and Enrichment

  9. Packet Capture • Full or selective packet capture enables security organizations to dig into the traffic on the network as deep as possible • Enables the ability to search payload information in traffic compared to just collecting metadata information | 9 | Enhancing Network Security through Automation and Enrichment

  10. Shortfalls • With every detection or collection method, there are unavoidable shortfalls | 10 | Enhancing Network Security through Automation and Enrichment

  11. Shortfall of Signatures • Requires the signature to match exactly to a behavior that is previously known or found in the data manually • Limited detection capability of traffic that has encrypted payloads • Signatures are easily defeated by mutating or obfuscating malware | 11 | Enhancing Network Security through Automation and Enrichment

  12. Shortfalls of Heuristics • Prone to false positives out of the box due to the nature of determining a baseline against data the model is not aware of • Computationally intensive workflow to build meaningful detections against the data • Speed of detecting anomalous behavior is typically much slower than signature or deterministic detection methods as more data is required to be collected first | 12 | Enhancing Network Security through Automation and Enrichment

  13. Network Metadata Shortfalls • Volume of network metadata can quickly reach such a high level; it may start to diminish in value due to storage and computational costs • Not all analytics take advantage of all metadata fields available • The double-edged effect that while analysts have more data available, the human time needed to analyze or hunt inside this data grows too • As networks grow in complexity and size, metadata systems are required to grow along with them in order to provide seamless visibility which can be easily overlooked due to cost | 13 | Enhancing Network Security through Automation and Enrichment

  14. Packet Capture Shortfalls • Storing vast quantities of packet capture on ever-growing network sizes can quickly spiral into a costly endeavor • Pure cloud or hybrid cloud environments are not typically architected with traffic flowing in a concentrated manor through the edge of the network which can leads to gaps or no coverage of certain traffic • Requires storing everything regardless of value on most typical packet capture systems • Human analysis of raw PCAP consumes vast amounts of time due to the volumes present | 14 | Enhancing Network Security through Automation and Enrichment

  15. Analyzing all the Things • Whether you are working from an alert in your system or hunting through metadata.. The thought process is the same; • You want to determine if the behavior observed is bad or not, and what to do about it | 15 | Enhancing Network Security through Automation and Enrichment

  16. Alert Triage • Analyzing alerts that come into your environment are usually handled by a workflow • This workflow may include items such as; • Hostname lookup in an IPAM or directory system • IP whois, reverse dns lookup • Endpoint interrogation with tools such as OSQuery • Log analysis from endpoints such as AV or EVTX output • Restrict access • System Isolation • Malicious file removed or quarantined | 16 | Enhancing Network Security through Automation and Enrichment

  17. Data Enrichment in Cyber Security • Data enrichment is an important key process in cyber security to help in providing the best value out of your environment • These enrichments not only allow your analysts to make better decisions, but they can be leveraged in SOAR playbooks • This can take many forms such as; • IP and Domain intelligence • Hostname resolution • DHCP mapping • Tactics, Techniques and Procedures (TTP) matching • MD5 lookup | 17 | Enhancing Network Security through Automation and Enrichment

  18. Expanding the Hunt in Metadata • After reacting to an individual system you can pivot out further to check for similar behaviors on the network • This may include searching for destination IP addresses or DNS requests on a wider scope than the original endpoint • Allows an analyst to build an enhanced picture of the activities surrounding an alert, rather than just reacting to the alert details | 18 | Enhancing Network Security through Automation and Enrichment

  19. Bringing us into the future • But how you ask do we bring ourselves into the future? • I follow a simple mantra; automate everything I must do more than once • This not only has the effect of making me more efficient, but allows for me to move past error prone manual workflows and concentrate on making my system do more by itself in an accurate, repeatable fashion • Leveraging this in the security space brings us to Security Orchestration, Automation and Response | 19 | Enhancing Network Security through Automation and Enrichment

  20. Security Orchestration, Automation and Response • The concept of SOAR is new to the cyber security space, but it brings with it many welcomed ideas to help with the shortfalls plaguing security teams everywhere • With the ability to automate tasks typically carried out manually this brings not only speed and efficiency, but wider integration with typically disparate systems to provide the best outcome from triaging alerts | 20 | Enhancing Network Security through Automation and Enrichment

  21. Automation Use Case: The Auto-Tagger • Starting with a simple premise, I decided to build out a playbook in Phantom to provide me with further context around alerts by tagging various ip addresses back in my Bricata system • This not only is a task that I didn’t want to do manually, but provided me with the ability to lookup this IP address during the execution to change the tag if it matched a threat list • This lookup traditionally was done manually through different lists spread across a wide number of different systems containing piles of IPs | 21 | Enhancing Network Security through Automation and Enrichment

  22. Auto-Tagger Playbook • Flow of my playbook Tag 1 Bricata Splunk IP Tag Splunk Tag 2 Alert Phantom Lookup Alert Phantom Syslog Phantom API Get API Post App Output Playbook Request Tag 3 Python IF/Then Logic | 22 | Enhancing Network Security through Automation and Enrichment

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Packet Analysis UB NetSec - Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by an Alumni:

Packet Analysis UB NetSec - Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by an Alumni:

Packet Analysis UB NetSec - Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by an Alumni: Chris Crawford - he does a lot of Packet Analysis stuff - really smart! - @bashasaurusrex is TA Taught Differently SCRUM - five meetings

876 views • 29 slides
Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by:

Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by:

Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by: Chris Crawford (DoD) - @zachtenenbaum and @srini are TAs What is Packet Analysis? - Packet Analysis is the capture and interpretation of the

814 views • 22 slides
2018 SGC Awards Banquet The Seattle Glider Council, local soaring clubs, pilots and soaring

2018 SGC Awards Banquet The Seattle Glider Council, local soaring clubs, pilots and soaring

2018 SGC Awards Banquet The Seattle Glider Council, local soaring clubs, pilots and soaring enthusiasts hereby salute as an expression of appreciation for the dedication and effort given to our sport . Ron Clark Issued to: 2018 OLC Champion for

488 views • 22 slides
Technical Soaring , the International Journal of OSTIV (International Scientific and Technical

Technical Soaring , the International Journal of OSTIV (International Scientific and Technical

Technical Soaring , the International Journal of OSTIV (International Scientific and Technical Organization for Soaring) Prof. Emeritus Dr. Edward (Ward) Hindman, Editor The City College of New York, City of New York, NY USA

402 views • 36 slides
On the Minimum Induced Drag of Wings Albion H. Bowers NASA Dryden Flight Research Center Soaring

On the Minimum Induced Drag of Wings Albion H. Bowers NASA Dryden Flight Research Center Soaring

On the Minimum Induced Drag of Wings Albion H. Bowers NASA Dryden Flight Research Center Soaring Society of America Antelope Valley Soaring Club Victorville, CA January 21, 2006 Introduction The History of Spanload

557 views • 28 slides
ChicagoLand Glider Council Soaring Weather and Data Analysis Soaring Weather and Data Analysis

ChicagoLand Glider Council Soaring Weather and Data Analysis Soaring Weather and Data Analysis

ChicagoLand Glider Council Soaring Weather and Data Analysis Soaring Weather and Data Analysis Greg Chisholm Greg Chisholm December 19, 2000 December 19, 2000 ChicagoLand Glider Council Al McDonald Photo Weather Data and Analysis 1

312 views • 29 slides
CUSD428 Cyber Security CUSD428 NetSec Team Ben Bayle Ben Yochem Marco Robles CTO System

CUSD428 Cyber Security CUSD428 NetSec Team Ben Bayle Ben Yochem Marco Robles CTO System

CUSD428 Cyber Security CUSD428 NetSec Team Ben Bayle Ben Yochem Marco Robles CTO System Analyst System Analyst We have combined 40+ years of experience in the field with certifications in Security, Network, Server, Storage, and

162 views • 15 slides
Limits to Open Class Performance? Al Bowers Experimental Soaring Assoc 02 Sep 07 Dedicated to

Limits to Open Class Performance? Al Bowers Experimental Soaring Assoc 02 Sep 07 Dedicated to

https://ntrs.nasa.gov/search.jsp?R=20070035868 2018-04-22T15:14:46+00:00Z Limits to Open Class Performance? Al Bowers Experimental Soaring Assoc 02 Sep 07 Dedicated to the memory of Dr Paul MacCready It seems that perfection is attained Not

264 views • 22 slides
The Fab 5 that Sent Graduation Rates Soaring ! East Greenbush Central School District James

The Fab 5 that Sent Graduation Rates Soaring ! East Greenbush Central School District James

The Fab 5 that Sent Graduation Rates Soaring ! East Greenbush Central School District James McHugh, Assistant Superintendent Helen Squillace, Principal ESSA Accountability Accountability Determinations Schools in Good Standing

579 views • 31 slides
Skyline Soaring Club Discus CS Assembly 18 Nov 2017 Discus CS Assembly Checklist Attach

Skyline Soaring Club Discus CS Assembly 18 Nov 2017 Discus CS Assembly Checklist Attach

Skyline Soaring Club Discus CS Assembly 18 Nov 2017 Discus CS Assembly Checklist Attach Horizontal Stabilizer Setup Prep Clean and lubricate all fittings Trailer in location where assembly will not block other aircraft Insert aft

383 views • 11 slides
Group revenues of MNOK 2,360 in Q1 2012 Slide: 2 Seasonally slow Q1 affected by soaring oil

Group revenues of MNOK 2,360 in Q1 2012 Slide: 2 Seasonally slow Q1 affected by soaring oil

Double digit revenue growth in Q1 Group revenues of MNOK 2,360 in Q1 2012 Slide: 2 Seasonally slow Q1 affected by soaring oil price EBITDAR MNOK - 252 (-230) EBITDA MNOK - 497 (-430) EBIT MNOK - 575 (-495) .

408 views • 9 slides
Benefits of Active Classrooms Martha Harris, Fizika Cyrus Weinberger, Soaring Heights PK-8

Benefits of Active Classrooms Martha Harris, Fizika Cyrus Weinberger, Soaring Heights PK-8

Principals Perspectives on the Benefits of Active Classrooms Martha Harris, Fizika Cyrus Weinberger, Soaring Heights PK-8 Tuesday, January 7 12pm PT / 1pm MT / 2pm CT / 3pm ET Active Classrooms Webinar Series December 2019 February 2020

581 views • 36 slides
Dream Achievers Soaring Eagles GD Design Studio, LLC www.gdDesignStudio.com

Dream Achievers Soaring Eagles GD Design Studio, LLC www.gdDesignStudio.com

DESIGN STUDIO R GRAPHIC/WEB DESIGN & MARKETING Presentation Proposal for: Dream Achievers Soaring Eagles GD Design Studio, LLC www.gdDesignStudio.com info@gdDesignStudio.com 1.800.789.8732 Logo GD Design Studio,

509 views • 3 slides
Soaring economic growth for the sake of environmental degradation? Evidence using

Soaring economic growth for the sake of environmental degradation? Evidence using

Soaring economic growth for the sake of environmental degradation? Evidence using second-generation panel methods Lars Sorge and Anne Neumann Vienna, 05 September 2017 Lars Sorge and Anne Neumann Vienna, 05 September 2017 1 / 27 Motivation

378 views • 27 slides
Learning How to Soar Learning How to Soar Terrence Sejnowski Salk Institute UCSD Bird

Learning How to Soar Learning How to Soar Terrence Sejnowski Salk Institute UCSD Bird

Learning How to Soar Learning How to Soar Terrence Sejnowski Salk Institute UCSD Bird Migration Bird Migration Migration Ecology of Birds, Ian Newton Thermal Soaring Thermal Soaring Rayleigh-Bnard Convection Rayleigh-Bnard Convection

604 views • 33 slides
ACP CP Statement o of Ne Need (on b behalf o of the B BGA) A) Gl Gliding 22 UK gliding

ACP CP Statement o of Ne Need (on b behalf o of the B BGA) A) Gl Gliding 22 UK gliding

ACP CP Statement o of Ne Need (on b behalf o of the B BGA) A) Gl Gliding 22 UK gliding world champions since 1952, the most recent in 2017 While joyriding and local soaring are facets, a major aspect of clubs work is to

459 views • 11 slides
Natural Language Processing for historical language varieties Cristina S anchez Marco Gjvik

Natural Language Processing for historical language varieties Cristina S anchez Marco Gjvik

Natural Language Processing for historical language varieties Cristina S anchez Marco Gjvik University College MTL lectures April 3 2013 April 3 2013 C. S anchez Marco, GUC NLP for historical language varieties 1 / 28 NLP and its

446 views • 28 slides
Off to a Cold Start a few observations November 2013 Ralph Grishman New

Off to a Cold Start a few observations November 2013 Ralph Grishman New

cold start NYU Off to a Cold Start a few observations November 2013 Ralph Grishman New York University Cold Start > Slot Filling + EnEty Linking

156 views • 15 slides
Corpus Bootstrapping with NLTK by Jacob Perkins Jacob Perkins http://www.weotta.com

Corpus Bootstrapping with NLTK by Jacob Perkins Jacob Perkins http://www.weotta.com

Corpus Bootstrapping with NLTK by Jacob Perkins Jacob Perkins http://www.weotta.com http://streamhacker.com http://text-processing.com https://github.com/japerk/nltk-trainer @japerk Problem you want to do NLProc many proven supervised

901 views • 31 slides
Part-of-Speech Tagging Part-of-Speech Tagging Berlin Chen 2005 References: 1. Speech and

Part-of-Speech Tagging Part-of-Speech Tagging Berlin Chen 2005 References: 1. Speech and

Part-of-Speech Tagging Part-of-Speech Tagging Berlin Chen 2005 References: 1. Speech and Language Processing , chapter 8 2. Foundations of Statistical Natural Language Processing , chapter 10 NLP-Berlin Chen 1 Review Tagging

1k views • 54 slides
KYOTO: Open platform for mining facts Asian-European project funded by the EU, Taiwan and NICT

KYOTO: Open platform for mining facts Asian-European project funded by the EU, Taiwan and NICT

KYOTO: Open platform for mining facts Asian-European project funded by the EU, Taiwan and NICT (Japan) Piek Vossen, VU University Amsterdam 2 nd KYOTO Workshop, 25-28 th January 2011, Gifu 2 Project goals and target groups Open and free

435 views • 22 slides
Co Computat atio iona nal l Analy lysi sis s of f His istoric rical l Texts ts Rac

Co Computat atio iona nal l Analy lysi sis s of f His istoric rical l Texts ts Rac

Co Computat atio iona nal l Analy lysi sis s of f His istoric rical l Texts ts Rac achele ele Sprugn gnol oli sprugn ugnol oli@ i@fbk bk.eu .eu htt ttp:/ p://dh.fb /dh.fbk.e .eu https ps:// ://tw twitter itter.co

265 views • 10 slides
Machine T ranslation between Languages with Significant Word Reordering and Rich T arget-side

Machine T ranslation between Languages with Significant Word Reordering and Rich T arget-side

Machine T ranslation between Languages with Significant Word Reordering and Rich T arget-side Morphology Machine Translation between Languages with Significant Word Reordering and Rich T arget-side Morphology th Week of Doctoral Students,

461 views • 17 slides
Gangs in North Carolina North Carolina Gang Investigators Association www.ncgangcops.org

Gangs in North Carolina North Carolina Gang Investigators Association www.ncgangcops.org

Gangs in North Carolina North Carolina Gang Investigators Association www.ncgangcops.org DISCLAIMER Presentations are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and

626 views • 47 slides

More recommend