the modern cybersecurity stack
play

The Modern Cybersecurity Stack Data-Driven Network Monitoring with - PowerPoint PPT Presentation

Feb 20, 2023 •150 likes •565 views

The Modern Cybersecurity Stack Data-Driven Network Monitoring with Bro Robin Sommer Corelight, Inc. / International Computer Science Institute / Lawrence Berkeley National Lab robin@icsi.berkeley.edu https://www.icir.org/robin Network

  1. The Modern Cybersecurity Stack Data-Driven Network Monitoring with Bro Robin Sommer Corelight, Inc. / International Computer Science Institute / Lawrence Berkeley National Lab robin@icsi.berkeley.edu https://www.icir.org/robin

  2. Network Security Monitoring with Bro Internet Border gateway Passive tap Bro Local Network 2

  3. The Bro Platform Open Source BSD License Analysis Traffic Intrusion Vulnerabilit. Traffic Compliance File Analysis Measure- Detection Mgmt Control Monitoring ment Platform Programming Language Standard Library Packet Processing Tap Network 3

  4. Bro’s been around for a while … It took two decades for Bro to become one of the most popular open-source network security tools. 1995 2016 1998 2006 Vern writes first line of code. Best Paper Award at USENIX Security 1st Bro Workshop, SC in Tampa, FL BroCon ’16, TACC, Austin, TX 4

  5. Bro Today “The best-kept secret in security” Tremendous deployment base Bro skills in high demand Amazon, Facebook, GE, Mozilla, Salesforce, Target. PepsiCo, Booz Allen Hamilton, Radian, USAA, John Hopkins, BAE, Yahoo, Department of Energy, Department of Defense, White House. GDIT, Raytheon. Most National Labs, many EDUs, many HPC facilities. (Source: monster.com) Industry funding Community $350,000 in 2016 180 attendees at BroCon‘16 Recognition 100 organizations at BroCon ‘16 6,500 Twitter followers InfoWorld Bossie Award 1,200 mailing list subscribers GitHub Security Showcase 1,800 stars on GitHub Mozilla Open-Source Award Downloads from 150 countries NSF Highlight to Congress 2016 5

  6. Why has Bro become popular? The legacy cyber security stack The modern cyber security stack Opaque, proprietary, Open-source, based on science, fueled by fear fueled by data & analytics 6

  7. Creating Visibility Rich, structured, real-time data for incident response, forensics, & analytics. Network Raw Log streams Traffic Bro Enterprise Analytics (Splunk, Kafka, Hadoop) This data is what draws people to using Bro. They have the analytics tools already, but they need high-quality input. 7

  8. Connection Logs conn.log Timestamp ts 1393099415.790834 Unique ID uid CSoqsg12YRTsWjYbZc Originator IP id.orig_h 2004:b9e5:6596:9876:[…] Originator Port id.orig_p 59258 Responder IP id.resp_h 2b02:178:2fde:bff:[…] Responder Port id.resp_p 80 IP Protocol proto tcp App-layer Protocol service http Duration duration 2.105488 Bytes by Originator orig_bytes 416 Bytes by Responder resp_bytes 858 TCP state conn_state SF Local Originator? local_orig F Gaps missed_bytes 0 State History history ShADafF Outer Tunnel Connection tunnel_parents Cneap78AnVWoA1yml 8

  9. Understand Your Network (1) Border Traffic Lawrence Berkeley National Lab (Today) 10GE upstream, 4,000 user, 12,000 hosts Total connections Successful connections Attempted connections 9

  10. HTTP http.log ts 1393099291.589208 uid CKFUW73bIADw0r9pl id.orig_h 2a07:f2c0:90:402:41e:c13:6cb:99c id.orig_p 54352 id.resp_h 2406:fe60:f47::aaeb:98c id.resp_p 80 method POST host com-services.pandonetworks.com uri /soapservices/services/SessionStart referrer - user_agent Mozilla/4.0 (Windows; U) Pando/2.6.0.8 status_code 200 username anonymous password - orig_mime_types application/xml resp_mime_types application/xml 10

  11. Understand Your Network (2) Top HTTP servers by IP addresses vs host headers a198-189-255-200.deploy.akamaitechnolgies.com ad.doubleclick.net a198-189-255-216.deploy.akamaitechnolgies.com ad.yieldmanager.com a198-189-255-217.deploy.akamaitechnolgies.com b.scorecardresearch.com a198-189-255-230.deploy.akamaitechnolgies.com clients1.google.com a198-189-255-225.deploy.akamaitechnolgies.com googleads.g.doubleclick.net a198-189-255-206.deploy.akamaitechnolgies.com graphics8.nytimes.com a198-189-255-201.deploy.akamaitechnolgies.com l.yimg.com a198-189-255-223.deploy.akamaitechnolgies.com liveupdate.symantecliveupdate.com 72.21.91.19 mt0.google.com a198-189-255-208.deploy.akamaitechnolgies.com pixel.quantserve.com a198-189-255-207.deploy.akamaitechnolgies.com platform.twitter.com nuq04s07-in-f27.1e100.net profile.ak.fbcdn.net a184-28-157-55.deploy.akamaitechnologies.com s0.2mdn.net a198-189-255-224.deploy.akamaitechnolgies.com safebrowsing-cache.google.com a198-189-255-209.deploy.akamaitechnolgies.com static.ak.fbcdn.net a198-189-255-222.deploy.akamaitechnolgies.com swcdn.apple.com a198-189-255-214.deploy.akamaitechnolgies.com upload.wikimedia.org nuq04s06-in-f27.1e100.net www.facebook.com upload-lb.pmtpa.wikimedia.org www.google-analytics.com nuq04s08-in-f27.1e100.net www.google.com 11

  12. Software software.log ts 1392796839.675867 host 10.209.100.2 host_p - software_type HTTP::BROWSER name DropboxDesktopClient version.major 2 version.minor 4 version.minor2 11 version.minor3 - version.addl Windows DropboxDesktopClient/2.4.11 unparsed_version (Windows; 8; i32; en_US; Trooper 5694-2047-1832-6291-8315) 12

  13. Understand Your Network (3) Top Software by Number of Hosts CaptiveNetworkSupport Firefox MSIE Safari DropboxDesktopClient ocspd GoogleUpdate Chrome Windows-Update-Agent Microsoft-CryptoAPI 13

  14. Files files.log ts 1392797643.447056 fuid FnungQ3TI19GahPJP2 tx_hosts 191.168.187.33 rx_hosts 10.1.29.110 conn_uids CbDgik2fjeKL5qzn55 source SMTP analyzers SHA1,MD5 mime_type application/x-dosexec filename Letter.exe duration 5.320822 local_orig T seen_bytes 39508 md5 93f7f5e7a2096927e06e[…]1085bfcfb sha1 daed94a5662a920041be[…]a433e501646ef6a03 14

  15. Understand your Malware http://www.team-cymru.org/MHR.html # cat files.log | bro-cut mime_type sha1 | awk '$1 ~ /x-dosexec/‘ application/x-dosexec 5fd2f37735953427e2f6c593d6ec7ae882c9ab54 application/x-dosexec 00c69013d34601c2174b72c9249a0063959da93a application/x-dosexec 0d801726d49377bfe989dcca7753a62549f1ddda […] # dig +short 733a48a9cb4[…]2a91e8d00.malware.hash.cymru.com TXT "1221154281 53" 15

  16. SSL & X.509 ssl.log ts 1392805957.927087 uid CEA05l2D7k0BD9Dda2 id.orig_h 2a07:f2c0:90:402:41e:c13:6cb:99c id.orig_p 40475 id.resp_h 2406:fe60:f47::aaeb:98c id.resp_p 443 version TLSv10 cipher TLS_DHE_RSA_WITH_AES_256_CBC_SHA server_name www.netflix.com CN=www.netflix.com,OU=Operations, subject O=Netflix, Inc.,L=Los Gatos, ST=CALIFORNIA,C=US CN=VeriSign Class 3 Secure Server CA, issuer_subject OU=VeriSign Trust Network,O=VeriSign, C=US not_valid_before 1389859200.000000 not_valid_after 1452931199.000000 client_subject - client_issuer_subject - cert_hash 197cab7c6c92a0b9ac5f37cfb0699268 validation_status ok 16

  17. Understand the (SSL) World The ICSI Certificate Notary Four years of passive data: 14M SSL certificates, 240B sessions https://notary.icsi.berkeley.edu 17

  18. All This Data is Invaluable For Incident Response If you’re compromised, you want to know: What happened? How did it happen? Is anybody else affected? Has it happened before?

  19. How did a bunch of academics get there? 19

  20. Bro History 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 About 20 academic publications presenting Bro-related research. Initial Bro versions are Basic research at ICSI addressing an operational drives continuous innovation need at LBNL Feedback loop crucial for both sides Operational deployment Operational deployment in large-scale open-science networks Example: Processing performance

  21. Back in the days … Munich Scientific Network (2005) Total bytes 3 major universities, 1 GE upstream 80 Incoming bytes ~100,000 Users ~50,000 Hosts Total upstream bytes Incoming bytes 60 TBytes/month 40 20 0 1997 1998 1999 2000 2001 2002 2003 2004 2005 Data: Leibniz-Rechenzentrum, München 21

  22. And in 2014 … Munich Scientific Network (Today) (2014) Total bytes 3 major universities, 2x10GE upstream Incoming bytes ~100,000 Users 1500 ~65,000 Hosts Total upstream bytes Incoming bytes TBytes/month 1000 500 Oct 2005 0 1996 1998 2000 2002 2004 2006 2008 2010 2012 Data: Leibniz-Rechenzentrum, München 22

  23. LBNL in 2006 Internet 10G Border Gateway Bro Bro Conn Bro HTTP LAN Bro Scans Bro Other 23

  24. Bro Cluster Internet 10G Border Gateway 10G Load-balancer 1G 1G 1G 1G LAN Bro Bro Bro Bro Node Node Node Node Bro Cluster 24

  25. Bro Cluster Internet 10G Border Gateway 10G Load-balancer 1G 1G 1G 1G LAN NIC NIC NIC NIC Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Node Node Node Node Bro Cluster 25

  26. A Production Load-Balancer cFlow: 10GE line-rate, stand-alone load-balancer 10G Load-balancer 1G 1G 1G 1G 10 Gb/s in/out Web & CLI Filtering capabilities 26 26

  27. Today: 100G Bro Cluster at LBNL http://go.lbl.gov/100g 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

79 views • 7 slides
Designing stack agnostic, modern, secure architectures Eugene Pilyankevich, Chief Technical

Designing stack agnostic, modern, secure architectures Eugene Pilyankevich, Chief Technical

Designing stack agnostic, modern, secure architectures Eugene Pilyankevich, Chief Technical Officer, Cossack Labs #whoami / Speaker intro Infosec since mid-90s. Designed, supervised development of banking data processing, risk

1.43k views • 117 slides
Designing a Modern Swift Network Stack Philly CocoaHeads January 10, 2019 Hello My Client

Designing a Modern Swift Network Stack Philly CocoaHeads January 10, 2019 Hello My Client

Designing a Modern Swift Network Stack Philly CocoaHeads January 10, 2019 Hello My Client Story Core Data Company API App APIClient + MapModelManager 2000 lines each Problems Cumbersome to Add and Refactor Code Lack of

932 views • 69 slides
MEAN Stack Jay Urbain, PhD h6p://expressjs.com/

MEAN Stack Jay Urbain, PhD h6p://expressjs.com/

MEAN Stack Jay Urbain, PhD h6p://expressjs.com/ Requirements for a modern web app Low latency, fast response Ime Minimize page reloads

518 views • 30 slides
The Role of Cybersecurity in Modern Societies Prof. Mario Marchese DITEN University of Genoa

The Role of Cybersecurity in Modern Societies Prof. Mario Marchese DITEN University of Genoa

The Role of Cybersecurity in Modern Societies Prof. Mario Marchese DITEN University of Genoa mario.marchese@unige.it mario.marchese@unige.it 1 The Need of Security and Resilience Physical security Cybersecurity Fault

597 views • 21 slides
Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping etc. Implementations of stacks using array linked list The Stack ADT A stack is a list with the restriction that insertions and

566 views • 44 slides
MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise and purify our thoughts like a strain picture, or a passage from the grander poets. It always does one good. 5 MODERN 6 MODERN 7 MODERN 8

524 views • 24 slides
Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives: Define Cybersecurity & why its important Provide information about Dept. Homeland Security Cybersecurity Campaigns: National

328 views • 22 slides
The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer science. The stack is an abstract data type that has two main operations. These are push which adds an element to the top of the stack and pop which

754 views • 8 slides
Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types Bag List Stack 3 Stack 34 A data structure representing a stack of things Objects can be pushed onto the stack or popped from the stack

1.62k views • 116 slides
1 Array-based Stack (2.1.1) Algorithm pop (): if isEmpty () then A simple way of throw

1 Array-based Stack (2.1.1) Algorithm pop (): if isEmpty () then A simple way of throw

Elementary Data Structures Stacks, Queues, Vectors, Lists & Sequences Trees The Stack ADT (2.1.1) The Stack ADT stores arbitrary objects Insertions and deletions Auxiliary stack follow the last-in first-out operations: scheme

473 views • 13 slides
ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF THE STACK Add, remove rock and book from the top, or else 3 Stack at logical level A stack is an ADT in which elements add added and

1.06k views • 37 slides
ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF THE STACK Add, remove rock and book from the top, or else 3 Stack at logical level A stack is an ADT in which elements add added and

679 views • 19 slides
Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland Chapter Contents Cybersecurity and risk management 1 Cybersecurity and the regulatory 2 environment Cybersecurity and the audit 3 4 Appendix

685 views • 37 slides
Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call

Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call

Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call Stack higher %rsp holds lowest stack address addresses (address of "top" element) Topics stack grows Procedures toward lower

76 views • 5 slides
Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate

Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate

Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate strings of entries of any (arbitrary) type in LIFO (last-in-first-out) order A kind of dual to Queue Remember, "first" and

450 views • 33 slides
Day 4 Google Analytics Goals Google Webmaster Tools Microsoft Webmaster Tools Goals

Day 4 Google Analytics Goals Google Webmaster Tools Microsoft Webmaster Tools Goals

Day 4 Google Analytics Goals Google Webmaster Tools Microsoft Webmaster Tools Goals help track how many visit a specific page how many stay on your site for a minimum amount of time how many have triggered an event

685 views • 24 slides
Cloud Computing Jay Urbain, Ph.D. Credits: Michael Ambrust, et. al., Above the Clouds: A Berkley

Cloud Computing Jay Urbain, Ph.D. Credits: Michael Ambrust, et. al., Above the Clouds: A Berkley

Cloud Computing Jay Urbain, Ph.D. Credits: Michael Ambrust, et. al., Above the Clouds: A Berkley View of Cloud Computing . Hamilton, J. Cost of Power in Large-Scale Data Centers. November, 2008.

1.09k views • 47 slides
Prototyping Vinay Dabholkar Warm-up quiz What is a stable need as Bezos says?

Prototyping Vinay Dabholkar Warm-up quiz What is a stable need as Bezos says?

Prototyping Vinay Dabholkar Warm-up quiz What is a stable need as Bezos says? Whats the use of a metaphor in a challenge? What was the metaphor in GE CT scan machine enhancement? Whose problem Elon Musk is solving in

309 views • 20 slides
rt ttt

rt ttt

rt ttt Prt ss rts

587 views • 48 slides
Mahdi Roozbahani Lecturer, Computational Science & Engineering, Georgia Tech Founder of

Mahdi Roozbahani Lecturer, Computational Science & Engineering, Georgia Tech Founder of

http://poloclub.gatech.edu/cse6242 CSE6242: Data & Visual Analytics Text Analytics (Text Mining) Duen Horng (Polo) Chau Associate Professor, College of Computing Associate Director, MS Analytics Georgia Tech Mahdi Roozbahani Lecturer,

818 views • 52 slides
CSE 258 Lecture 9 Web Mining and Recommender Systems T ext Mining Administrivia Midterms

CSE 258 Lecture 9 Web Mining and Recommender Systems T ext Mining Administrivia Midterms

CSE 258 Lecture 9 Web Mining and Recommender Systems T ext Mining Administrivia Midterms will be in class next Wednesday Well do prep on Monday Prediction tasks involving text What kind of quantities can we model, and what

908 views • 51 slides
Introduction to Machine Learning: Classification and The Noisy Channel Model CMSC 473/673 UMBC

Introduction to Machine Learning: Classification and The Noisy Channel Model CMSC 473/673 UMBC

Introduction to Machine Learning: Classification and The Noisy Channel Model CMSC 473/673 UMBC Some slides adapted from 3SLP Outline Classification Why incorporate uncertainty Classification with Bayes Rule Example: Email Classifier

1.68k views • 89 slides
Russia vs. Telegram technical notes on the battle Leonid Evdokimov 35c3, Leipzig, 29 Dec 2018

Russia vs. Telegram technical notes on the battle Leonid Evdokimov 35c3, Leipzig, 29 Dec 2018

Russia vs. Telegram technical notes on the battle Leonid Evdokimov 35c3, Leipzig, 29 Dec 2018 darkk.net.ru/35c3 $ whoami Internet measurement fanatic NOT a Telegram team member One of the millions of Telegram users 2007 May 23: court order

822 views • 48 slides

More recommend