Using Layer 7 Metadata to Augment Flow Analysis - Tim Ray, Security Analyst (PowerPoint PPT presentation)



SLIDE 1

Using Layer 7 Metadata to Augment Flow Analysis

Tim Ray, Security Analyst

SLIDE 2

Overview

  • Who are we?
  • What are we doing?
  • What can you get out of this?
  • Questions and Answers

SLIDE 3

21CT

  • 12-year-old firm headquartered in Austin, TX with offices in Washington D.C. and San Antonio, TX
  • Experienced DoD and military vendor
  • LYNXeon is our flagship product
  • Partner with CERT to use YAF in our products
  • We have a really nice break room.

SLIDE 4

Tim Ray

  • Began in the IT field in 1995
  • Security training and CISSP in 2007
  • Worked in financial sector, for an MSSP and the State of Texas, Department of Information Resources as a security analyst
  • Plays with cars

SLIDE 5

Where are we now?

  • Analyst logs into SIEM and starts to sort out false positive results.
  • Analyst finds actionable event from signature-based source.
  • Analyst investigates event and brings in flow and pcap.
  • Analyst validates alert and reports to stakeholders/fixers.

SLIDE 6

The Way it Ought To Be

  • Analyst initiates proactive analysis using flow + layer 7.
  • Analyst finds suspicious traffic.
  • Analyst validates the event using flow and other sources.
  • Analyst calls in the alert to stakeholders/fixers.

SLIDE 7

PCAP, Flow and Goldilocks

  • PCAP is widely understood and trusted
  • Flow is less understood and less utilized
  • Both have advantages and disadvantages
  • There is a happy medium which is Just Right!
  • But I’m much more comfortable with cars, so…

SLIDE 8

Full Packet Capture

  • Versatile and complete
  • Widely available
  • Bulky = short search horizon
  • Hard to search

SLIDE 9

Custom Flow Analysis Toolset

  • Every install is unique
  • Easy to store
  • Minimalist
  • Often open source

SLIDE 10

Flow+Layer 7 Metadata

  • Versatile
  • Easy to store
  • Customizable (which apps do you want)
  • Fast to search

SLIDE 11

Layer 7 Metadata

  • YAF inspects but does not store the payload.
  • The metadata collected is different for each application.
  • DNS
    – Query Response
    – Qname
    – Qrtype
    – TTL
  • HTTP
    – Referrer
    – Host
    – Browser
  • Enough to enrich the flow experience without slowing down the system.

SLIDE 12

Why is it worth doing?

  • More detail than in pure flows
  • The right amount of data: http://www.peopleofwalmart.com is enough information
  • You get an additional axis of analysis

SLIDE 13

Examples

  • Visiting a URL that is blacklisted
  • Apps running on wrong port
  • Visiting a fast-flux domain (check TTL)
  • DNS requests for odd URLs
  • New application active on a known IP address
  • False positive elimination
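The following Python is an added illustration, not code from the deck, from 21CT or from YAF. It takes a handful of constructed flow records carrying the DNS fields (query response flag, qname, qrtype, TTL) and HTTP fields (referrer, host, browser) listed on the Layer 7 Metadata slide and runs each use case on this slide over them. The record field names, the blocklist, the expected-port table, the 300-second TTL threshold, the entropy threshold for "odd" names and the per-IP application baseline are all assumptions made for the example; they are not YAF's export schema or any product's defaults.

```python
"""Toy flow + Layer 7 metadata triage (constructed example, not YAF code).

Each record is a flow enriched with per-application fields. The field
names below (app, dns_qname, dns_ttl, http_host, ...) are assumptions
loosely modelled on YAF's deep packet inspection output, not YAF's
real export schema.
"""
import math
from collections import Counter

# Constructed sample records (RFC 5737 addresses and example.* names only).
FLOWS = [
    {"id": 1, "src": "10.0.0.5", "dst": "93.184.216.34", "dport": 80, "app": "http",
     "http_host": "www.peopleofwalmart.com", "http_referrer": "", "http_browser": "Mozilla/5.0"},
    {"id": 2, "src": "10.0.0.5", "dst": "198.51.100.7", "dport": 80, "app": "http",
     "http_host": "bad.example", "http_referrer": "", "http_browser": "Mozilla/5.0"},
    {"id": 3, "src": "10.0.0.9", "dst": "198.51.100.9", "dport": 22, "app": "http",
     "http_host": "update.example", "http_referrer": "", "http_browser": "curl/8.0"},
    {"id": 4, "src": "10.0.0.5", "dst": "10.0.0.53", "dport": 53, "app": "dns",
     "dns_response": True, "dns_qname": "cdn.example", "dns_qrtype": 1, "dns_ttl": 60},
    {"id": 5, "src": "10.0.0.9", "dst": "10.0.0.53", "dport": 53, "app": "dns",
     "dns_response": True, "dns_qname": "x7q9zk2ple0vbw3t.example", "dns_qrtype": 1, "dns_ttl": 30},
    {"id": 6, "src": "10.0.0.5", "dst": "10.0.0.53", "dport": 53, "app": "dns",
     "dns_response": True, "dns_qname": "www.example.org", "dns_qrtype": 1, "dns_ttl": 3600},
    {"id": 7, "src": "10.0.0.5", "dst": "10.0.0.53", "dport": 22, "app": "ssh"},
]

# Constructed reference data an analyst would maintain beside the flows.
BLOCKLIST = {"bad.example"}                     # "visiting a URL that is blacklisted"
KNOWN_GOOD_HOSTS = {"www.peopleofwalmart.com"}  # hosts a signature alert may be closed on
EXPECTED_PORTS = {"http": {80, 8080}, "https": {443}, "dns": {53}, "ssh": {22}}
FAST_FLUX_TTL = 300                             # seconds; assumed threshold for "check TTL"
BASELINE_APPS = {"93.184.216.34": {"http"}, "10.0.0.53": {"dns"}}  # apps seen per known IP


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def check_flow(flow, baseline):
    """Return the findings the Layer 7 fields raise for one flow, in a fixed order."""
    findings = []
    app = flow["app"]
    host = flow.get("http_host")
    if host in BLOCKLIST:
        findings.append(f"blacklisted host: {host}")
    expected = EXPECTED_PORTS.get(app)
    if expected and flow["dport"] not in expected:
        findings.append(f"{app} on unexpected port {flow['dport']}")
    if app == "dns" and flow.get("dns_response"):
        ttl = flow["dns_ttl"]
        if ttl < FAST_FLUX_TTL:
            # Indicator only: CDNs and load balancers also use short TTLs, so
            # this is what the analyst validates against flow and other sources.
            findings.append(f"low TTL {ttl}s (fast-flux indicator)")
        label = flow["dns_qname"].split(".")[0]
        if len(label) >= 12 and shannon_entropy(label) > 3.5:
            findings.append(f"odd DNS name: {flow['dns_qname']}")
    seen = baseline.get(flow["dst"])
    if seen is not None and app not in seen:
        findings.append(f"new application {app} on known IP {flow['dst']}")
    return findings


def analyze(flows, baseline):
    """Map flow id -> findings for every flow."""
    return {f["id"]: check_flow(f, baseline) for f in flows}


def triage_alert(alert, flows, baseline):
    """False positive elimination: a signature alert on a flow whose HTTP host is
    known good and whose metadata raises nothing is closed without a pcap pull."""
    flow = next(f for f in flows if f["id"] == alert["flow_id"])
    if flow.get("http_host") in KNOWN_GOOD_HOSTS and not check_flow(flow, baseline):
        return "false positive"
    return "escalate"


if __name__ == "__main__":
    for flow_id, findings in analyze(FLOWS, BASELINE_APPS).items():
        print(flow_id, findings or "clean")
    print(triage_alert({"flow_id": 1, "signature": "generic HTTP rule"}, FLOWS, BASELINE_APPS))
```

Two things the run shows that the bullet list alone does not. Record 4 (cdn.example, TTL 60) trips the fast-flux check as well as record 5, which is why the TTL is an indicator the analyst validates against flow and other sources, as the earlier "The Way it Ought To Be" slide describes, rather than an alert in itself. And triage_alert closes a signature hit on record 1 using only the HTTP host and the absence of other metadata findings, while the same alert on record 2 escalates: the metadata gives the analyst enough to decide without storing or pulling the payload.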

SLIDE 14

Why Do We Need This?

  • If analysts continue to depend on signature-based systems, we lose the long fight
  • If analysts continue to use JUST flow, it’s not enough
  • We need a lightweight but extensible way of looking at network traffic

SLIDE 15

Questions?


tray@21technologies.com Twitter: securitytim