SlideShare a Scribd company logo

Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf 2014

Download as PPTX, PDF
Puppet
Puppet

Managing Network Security Monitoring at Large Scale with Puppet - Michael Pananen & Chris Nyhuis, Vigilant Technology Services

Technology
1 of 39
Managing Network Security with Puppet 1 Presented by: Mike Pananen – Vigilant LLC. Chris Nyhuis – Vigilant LLC. 9/26/2014 Puppet Conf Sept 24th, 2014 Know More. Secure More
2 Mike Pananen mpananen@vigilantnow.com Twitter: @panaman13 • Master of Puppets at Vigilant • Worked with Puppet since 2011 • Built Global NSM Sensor grids 500+ Sensors. Know More. Secure More
3 Chris Nyhuis cnyhuis@vigilantnow.com Twitter: @vigilance_one • Owner of Vigilant Technology Solutions an IT Cyber Security Firm based in Cincinnati. • In Security and IT Industry 17 Years • Cyber Security Instructor at Advanced Technical Intelligence Center (Dayton) • Passionate about Orphan Care Know More. Secure More
4 Agenda • Understanding the Problem • How attacks have changed and the Security industry hasn’t • Why NSM is important • Lower your Security Operations Costs with Puppet Know More. Secure More
5 Understanding the Problem: The Compliance and Security Myth Compliance • PCI • HIPPAA • IRS Regulations • Controls • Policy • Visibility • Process Security to learn from attacks • Ability to adapt defenses • Real-Time action required Know More. Secure More
6 Understanding the Problem The Compliance and Security Myth Compliance • Vulnerability • PCI/HIPPAA • IRS Regulations • Controls • Policy Security • Visibility • Process to learn from attacks • Ability to adapt defenses • Real-Time action required Know More. Secure More
7 What do these companies have in common? Neiman Marcus HealthNet Know More. Secure More
130,000,000 8 What do these companies have in common? They were all compliant… HealthNet Heartland 52,000,000 145,000,000 70,000,000 94,000,000 1,500,000 92,000,000 3,900,000 24,000,000 Know More. Secure More
9 Ponemon’s Cost of Data Breach Study: Global Study, sponsored by IBM. Studied 314 companies spanning 10 countries.. • Average total cost of a Data Breach increased by 15% • Average of $3.5 million • Cost per record is $145.00 • Your Reputation is priceless Know More. Secure More
10 Take Away #1 Security is not the same as Compliance – Security is a balance of Control and Visibility Know More. Secure More
11 Understanding the Problem: The threats have changed Before • Random Small Attacks • Attackers were more randomly skilled • I’m too small - Big targets were the focus Today • Highly designed organized attacks • Attackers are skilled - APT • Attacks are coming through supply chain Know More. Secure More
12 Take Away #2 SMB is the new gateway – Protect your reputation you may be the path Know More. Secure More
13 Understanding the Problem: Threat protection has changed Before • Signatures - The Herd Mentality Protection Today • Attacks are more targeted Know More. Secure More
That is why… • 54% of malware typically evades anti-virus detection • Less than 2% of breaches are detected in the first 24 14 hours, less than 46% in the first 30 days • 60% of breaches have data exfiltrated in first 24 hours • A Trustwave study considered 450 global data breach investigations, as well as thousands of penetration tests and scans. It found that the average time between an initial breach and detection was 210 days. In 2011 it was 90 Days. • Over 92% of breaches are discovered by a third party or customer Know More. Secure More
15 And because of that… Symantec's senior vice president Brian Dye declared last quarter to the Wall Street Journal that antivirus "is dead." Know More. Secure More
16 Understanding the Problem: The threat protection has changed Before • Signatures - The Herd Mentality Protection • Automated Alerting • UTM / Trad Firewalls on perimeter 100% Secure Today • Attacks are more targeted • Combination of Automation and People • Anomaly Detection -They are in, find them quick Know More. Secure More
17 Take Away #3 Signature Based Detection is a layer, it should be a layer of your protection just not your only one. Know More. Secure More
18 NSM vs IDS IDS - “Possible Bad thing Detected – 10.0.9.5” NSM – “Possible Bad thing Detected – 10.0.9.5” -> Intel hit – badguydomain.com -> HTTP – 10.0.9.5 visited http://badguydomain.com/badstuff on port 80 -> Session tracked 10.0.9.5 using FTP on IP 58.14.0.69 -> Packet capture – Detailed Map of incident including files -> Trace what else that IP talked to on your network -> Analyze badguy files -> Create new signatures/intelligence if needed to detect actor Know More. Secure More
19 Advanced Network Security Monitoring Know More. Secure More
20 Take Away #4 NSM Gives you the full picture Know More. Secure More
21 Lower Your Costs - Use tools to Catch them early Know More. Secure More
22 NSM tools OPEN SOURCE TECHNOLOGY IDS FLOW HTTP PCAP Know More. Secure More
23 NSM - IDS Tools Snort http://www.snort.org Suricata http://suricata-ids.org Bro http://www.bro.org Know More. Secure More
24 Rules Write your own, download free or purchased rules Emerging Threats http://www.emergingthreats.org ETOpen, ETPro Snort Community Rules https://www.snort.org/downloads Vulnerability Research Team https://www.snort.org/vrt Know More. Secure More
25 package { ‘snort’: ensure => present, }-> file { ‘/etc/snort/rules: ensure => directory, owner => ‘snort’, group => ‘snort’, mode => '0660', recurse => true, purge => true, force => true, show_diff => false, source => ‘puppet:///modules/snort/rules', notify => Service[‘snort’], }-> file { ‘/etc/snort/snort.conf’: ensure => present, owner => ‘snort’, group => ‘snort’, mode => ‘0660’, source => ‘puppet:///modules/snort/snort.conf', notify => Service[‘snort’], }-> service { ‘snort’: ensure => running enable => true, } Deploy Snort with Puppet Know More. Secure More
26 BRO Swiss army knife in your NSM tool box Notice Framework - Network anomaly and and scripted alerts Intel Framework - Network Intelligence detection, ip, domain, email, etc conn.log 1410156004.036451 C3SZcg4BiqLox95C6f 172.16.30.90 56978 10.10.20.60 8140 tcp ssl0.287418 4045 6226 SF T 0 ShADadfF 13 4729 13 6910 (empty) - - http.log 1410576714.203766 CcyC7F3M9pCMaEauR 10.0.20.3 50495 192.0.72.2 80 1 GET thechive.files.wordpress.com /2012/10/porn-stars-before-makeup-after-with-without-13.jpg?w=500&h=326 - Mozilla/4.0 (compatible;) 0 0 304 Not Modified - - - (empty) - - - - - - - - - FQY9eR3W1hezAV1yRhtext/plain smtp.log 1411473791.484895 C5Ulst3pXPGQ9Twt8h 10.0.4.5 57378 21.8.8411925 1 yaawfquh5.visime.eu <WonderHose@visime.eu> <billgates@microsoft.com> Tue, 23 Sep 2014 05:03:10 -0700 "Wonder <57691741739649757694320462663@yaawfquh5.visime.eu> - This hose contracts when the water stops! Other logs: dns, smtp, dhcp, dpd, intel, notice, ssl, ssh, software ………. Know More. Secure More
27 Free Intel Sources (atomic indicators) http://www.malwaredomains.com Bad Domain Names https://zeustracker.abuse.ch IP List and Domain Names http://www.emergingthreats.com IP List Know More. Secure More
28 Deploy Bro with Puppet https://forge.puppetlabs.com/panaman/bro class { 'bro': int => 'bond0', } Know More. Secure More
29 PCAP FULL PACKET CAPTURE netsniff-ng http://netsniff-ng.org daemonlogger http://sourceforge.net/projects/daemonlogger/ tcpdump http://www.tcpdump.org Know More. Secure More
30 /usr/sbin/netsniff-ng -i bond0 -s -J -F 500MiB -o /nsm/pcap/$(date "+%Y-%m-%d") Know More. Secure More
31 Take Away #5 Puppet can deploy new configs, signatures and inteligence to your sensors quickly. Speed is important in NSM Know More. Secure More
32 Network Tap http://www.networkinstruments.com/products/ntaps/index.php http://dual-comm.com http://www.netoptics.com/products/network-taps http://www.gigamon.com/network-tap Know More. Secure More
Tap Placement - True source and true destination. Know More. Secure More 33
34 Take Away #6 Correct TAP Placement is as important and the right tools. Know More. Secure More
35 Log Management ElasticSearch http://www.elasticsearch.org Splunk http://www.splunk.com Elsa https://code.google.com/p/enterprise-log-search-and-archive/ Know More. Secure More
Know More. Secure More 36
Know More. Secure More 37
38 Six Take Aways 1. Security is not the same as Compliance 2. SMB is the new gateway – Protect your reputation you may be the path 3. Signature Based Detection is a layer, it should be a layer of your protection just not your only one. 4. NSM Gives you the full picture 5. Speed is key - Deploy Rules immediately with Puppet. 6. Correct TAP Placement is as important and the right tools. Know More. Secure More
39 Puppet Conf 2014 - Questions Mike Pananen mpananen@vigilantnow.com Twitter @panaman13 Chris Nyhuis cnyhuis@vigilantnow.com Twitter @vigilance_one Know More. Secure More

Recommended

Network seurity
Network seurityNetwork seurity
Network seurityNaqash Rasheed
 
Honeypots for Active Defense
Honeypots for Active DefenseHoneypots for Active Defense
Honeypots for Active DefenseGreg Foss
 
SecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture TrainingSecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture TrainingGreg Foss
 
DerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseDerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseGreg Foss
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 
Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Greg Foss
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
 

Recommended

Network seurity
Network seurityNetwork seurity
Network seurityNaqash Rasheed
 
Honeypots for Active Defense
Honeypots for Active DefenseHoneypots for Active Defense
Honeypots for Active DefenseGreg Foss
 
SecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture TrainingSecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture TrainingGreg Foss
 
DerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseDerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseGreg Foss
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 
Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Greg Foss
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
stackArmor MicroSummit - Niksun Network Monitoring - DPI
stackArmor MicroSummit - Niksun Network Monitoring - DPIstackArmor MicroSummit - Niksun Network Monitoring - DPI
stackArmor MicroSummit - Niksun Network Monitoring - DPIGaurav "GP" Pal
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
Global ransomware attacks_2017_final msw_g2_sg
Global ransomware attacks_2017_final msw_g2_sgGlobal ransomware attacks_2017_final msw_g2_sg
Global ransomware attacks_2017_final msw_g2_sgChristopher R. Ward
 
Global Ransomware Client Alert
Global Ransomware Client AlertGlobal Ransomware Client Alert
Global Ransomware Client AlertRobyn Melnyk
 
Threat detection with 0 cost
Threat detection with 0 costThreat detection with 0 cost
Threat detection with 0 costSecurity Bootcamp
 
Keeping web servers safe and profitable with Imunify360
Keeping web servers safe and profitable with Imunify360Keeping web servers safe and profitable with Imunify360
Keeping web servers safe and profitable with Imunify360CloudLinux
 
Global Ransomware Attacks
Global Ransomware AttacksGlobal Ransomware Attacks
Global Ransomware AttacksEmily Brown
 
Elastix securing, preventing, monitoring
Elastix securing, preventing, monitoringElastix securing, preventing, monitoring
Elastix securing, preventing, monitoringPaloSanto Solutions
 
Shamoon
ShamoonShamoon
ShamoonShakacon
 
Getting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionJoe McCray
 
Offensive Security basics part 1
Offensive Security basics part 1Offensive Security basics part 1
Offensive Security basics part 1wharpreet
 
Threat intelligence platform explained
Threat intelligence platform explainedThreat intelligence platform explained
Threat intelligence platform explainedMindy Kam
 
Offensive Security basics part 2
Offensive Security basics part 2Offensive Security basics part 2
Offensive Security basics part 2wharpreet
 
Honeypot Project
Honeypot ProjectHoneypot Project
Honeypot ProjectManikyala Rao
 
Intelligence-Led Security: Powering the Future of Cyber Defense
Intelligence-Led Security: Powering the Future of Cyber DefenseIntelligence-Led Security: Powering the Future of Cyber Defense
Intelligence-Led Security: Powering the Future of Cyber DefensePriyanka Aash
 
HONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesHONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesamit kumar
 
e-Extortion Trends and Defense
e-Extortion Trends and Defensee-Extortion Trends and Defense
e-Extortion Trends and DefenseErik Iker
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cnsmmubashirkhan
 
NetworkWorld-SafeBreach
NetworkWorld-SafeBreachNetworkWorld-SafeBreach
NetworkWorld-SafeBreachDan Kunkel
 
Wie Sie Ransomware aufspüren und was Sie dagegen machen können
Wie Sie Ransomware aufspüren und was Sie dagegen machen könnenWie Sie Ransomware aufspüren und was Sie dagegen machen können
Wie Sie Ransomware aufspüren und was Sie dagegen machen könnenSplunk
 
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...Savvius, Inc
 

More Related Content

What's hot

Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
stackArmor MicroSummit - Niksun Network Monitoring - DPI
stackArmor MicroSummit - Niksun Network Monitoring - DPIstackArmor MicroSummit - Niksun Network Monitoring - DPI
stackArmor MicroSummit - Niksun Network Monitoring - DPIGaurav "GP" Pal
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
Global ransomware attacks_2017_final msw_g2_sg
Global ransomware attacks_2017_final msw_g2_sgGlobal ransomware attacks_2017_final msw_g2_sg
Global ransomware attacks_2017_final msw_g2_sgChristopher R. Ward
 
Global Ransomware Client Alert
Global Ransomware Client AlertGlobal Ransomware Client Alert
Global Ransomware Client AlertRobyn Melnyk
 
Threat detection with 0 cost
Threat detection with 0 costThreat detection with 0 cost
Threat detection with 0 costSecurity Bootcamp
 
Keeping web servers safe and profitable with Imunify360
Keeping web servers safe and profitable with Imunify360Keeping web servers safe and profitable with Imunify360
Keeping web servers safe and profitable with Imunify360CloudLinux
 
Global Ransomware Attacks
Global Ransomware AttacksGlobal Ransomware Attacks
Global Ransomware AttacksEmily Brown
 
Elastix securing, preventing, monitoring
Elastix securing, preventing, monitoringElastix securing, preventing, monitoring
Elastix securing, preventing, monitoringPaloSanto Solutions
 
Getting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionJoe McCray
 
Offensive Security basics part 1
Offensive Security basics part 1Offensive Security basics part 1
Offensive Security basics part 1wharpreet
 
Threat intelligence platform explained
Threat intelligence platform explainedThreat intelligence platform explained
Threat intelligence platform explainedMindy Kam
 
Offensive Security basics part 2
Offensive Security basics part 2Offensive Security basics part 2
Offensive Security basics part 2wharpreet
 
Intelligence-Led Security: Powering the Future of Cyber Defense
Intelligence-Led Security: Powering the Future of Cyber DefenseIntelligence-Led Security: Powering the Future of Cyber Defense
Intelligence-Led Security: Powering the Future of Cyber DefensePriyanka Aash
 
HONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesHONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesamit kumar
 
e-Extortion Trends and Defense
e-Extortion Trends and Defensee-Extortion Trends and Defense
e-Extortion Trends and DefenseErik Iker
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cnsmmubashirkhan
 
NetworkWorld-SafeBreach
NetworkWorld-SafeBreachNetworkWorld-SafeBreach
NetworkWorld-SafeBreachDan Kunkel
 

What's hot (20)

Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
 
stackArmor MicroSummit - Niksun Network Monitoring - DPI
stackArmor MicroSummit - Niksun Network Monitoring - DPIstackArmor MicroSummit - Niksun Network Monitoring - DPI
stackArmor MicroSummit - Niksun Network Monitoring - DPI
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
Global ransomware attacks_2017_final msw_g2_sg
Global ransomware attacks_2017_final msw_g2_sgGlobal ransomware attacks_2017_final msw_g2_sg
Global ransomware attacks_2017_final msw_g2_sg
 
Global Ransomware Client Alert
Global Ransomware Client AlertGlobal Ransomware Client Alert
Global Ransomware Client Alert
 
Threat detection with 0 cost
Threat detection with 0 costThreat detection with 0 cost
Threat detection with 0 cost
 
Keeping web servers safe and profitable with Imunify360
Keeping web servers safe and profitable with Imunify360Keeping web servers safe and profitable with Imunify360
Keeping web servers safe and profitable with Imunify360
 
Global Ransomware Attacks
Global Ransomware AttacksGlobal Ransomware Attacks
Global Ransomware Attacks
 
Elastix securing, preventing, monitoring
Elastix securing, preventing, monitoringElastix securing, preventing, monitoring
Elastix securing, preventing, monitoring
 
Shamoon
ShamoonShamoon
Shamoon
 
Getting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking Competition
 
Offensive Security basics part 1
Offensive Security basics part 1Offensive Security basics part 1
Offensive Security basics part 1
 
Threat intelligence platform explained
Threat intelligence platform explainedThreat intelligence platform explained
Threat intelligence platform explained
 
Offensive Security basics part 2
Offensive Security basics part 2Offensive Security basics part 2
Offensive Security basics part 2
 
Honeypot Project
Honeypot ProjectHoneypot Project
Honeypot Project
 
Intelligence-Led Security: Powering the Future of Cyber Defense
Intelligence-Led Security: Powering the Future of Cyber DefenseIntelligence-Led Security: Powering the Future of Cyber Defense
Intelligence-Led Security: Powering the Future of Cyber Defense
 
HONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesHONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantages
 
e-Extortion Trends and Defense
e-Extortion Trends and Defensee-Extortion Trends and Defense
e-Extortion Trends and Defense
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cns
 
NetworkWorld-SafeBreach
NetworkWorld-SafeBreachNetworkWorld-SafeBreach
NetworkWorld-SafeBreach
 

Similar to Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf 2014

Wie Sie Ransomware aufspüren und was Sie dagegen machen können
Wie Sie Ransomware aufspüren und was Sie dagegen machen könnenWie Sie Ransomware aufspüren und was Sie dagegen machen können
Wie Sie Ransomware aufspüren und was Sie dagegen machen könnenSplunk
 
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...Savvius, Inc
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applicationswebhostingguy
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session Splunk
 
WatchGuard - Security event juni 2016
WatchGuard - Security event juni 2016WatchGuard - Security event juni 2016
WatchGuard - Security event juni 2016Marketing Team
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementRedZone Technologies
 
Behind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsBehind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsCisco Canada
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunk
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofAdrian Sanabria
 
Mnx solutions cybersecurity presentation monroe mi
Mnx solutions cybersecurity presentation monroe miMnx solutions cybersecurity presentation monroe mi
Mnx solutions cybersecurity presentation monroe minwilkens
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Stackfield Cloud Security 101
Stackfield Cloud Security 101Stackfield Cloud Security 101
Stackfield Cloud Security 101Stackfield
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)Digital Bond
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDebra Baker, CISSP CSSP
 
Check-Computer-Networks-to-Ensure-Safe-Operation-Johua-2nd.pptx
Check-Computer-Networks-to-Ensure-Safe-Operation-Johua-2nd.pptxCheck-Computer-Networks-to-Ensure-Safe-Operation-Johua-2nd.pptx
Check-Computer-Networks-to-Ensure-Safe-Operation-Johua-2nd.pptxkris harden
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoTWSO2
 
Security protection On banking systems using ethical hacking.
Security protection On banking systems using ethical hacking.Security protection On banking systems using ethical hacking.
Security protection On banking systems using ethical hacking.Rishabh Gupta
 

Similar to Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf 2014 (20)

Wie Sie Ransomware aufspüren und was Sie dagegen machen können
Wie Sie Ransomware aufspüren und was Sie dagegen machen könnenWie Sie Ransomware aufspüren und was Sie dagegen machen können
Wie Sie Ransomware aufspüren und was Sie dagegen machen können
 
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applications
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session
 
WatchGuard - Security event juni 2016
WatchGuard - Security event juni 2016WatchGuard - Security event juni 2016
WatchGuard - Security event juni 2016
 
Cybersecurity Concerns You Should be Thinking About
Cybersecurity Concerns You Should be Thinking AboutCybersecurity Concerns You Should be Thinking About
Cybersecurity Concerns You Should be Thinking About
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat Management
 
Behind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsBehind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced Threats
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based security
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
Mnx solutions cybersecurity presentation monroe mi
Mnx solutions cybersecurity presentation monroe miMnx solutions cybersecurity presentation monroe mi
Mnx solutions cybersecurity presentation monroe mi
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Stackfield Cloud Security 101
Stackfield Cloud Security 101Stackfield Cloud Security 101
Stackfield Cloud Security 101
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
 
Network Security
Network SecurityNetwork Security
Network Security
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
Check-Computer-Networks-to-Ensure-Safe-Operation-Johua-2nd.pptx
Check-Computer-Networks-to-Ensure-Safe-Operation-Johua-2nd.pptxCheck-Computer-Networks-to-Ensure-Safe-Operation-Johua-2nd.pptx
Check-Computer-Networks-to-Ensure-Safe-Operation-Johua-2nd.pptx
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoT
 
Security protection On banking systems using ethical hacking.
Security protection On banking systems using ethical hacking.Security protection On banking systems using ethical hacking.
Security protection On banking systems using ethical hacking.
 

More from Puppet

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyamlPuppet
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)Puppet
 
Puppet camp vscode
Puppet camp vscodePuppet camp vscode
Puppet camp vscodePuppet
 
Modules of the twenties
Modules of the twentiesModules of the twenties
Modules of the twentiesPuppet
 
Applying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codeApplying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codePuppet
 
KGI compliance as-code approach
KGI compliance as-code approachKGI compliance as-code approach
KGI compliance as-code approachPuppet
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationPuppet
 
Keynote: Puppet camp compliance
Keynote: Puppet camp complianceKeynote: Puppet camp compliance
Keynote: Puppet camp compliancePuppet
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowPuppet
 
Puppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Puppet
 
Accelerating azure adoption with puppet
Accelerating azure adoption with puppetAccelerating azure adoption with puppet
Accelerating azure adoption with puppetPuppet
 
Puppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkPuppet
 
Take control of your dev ops dumping ground
Take control of your dev ops dumping groundTake control of your dev ops dumping ground
Take control of your dev ops dumping groundPuppet
 
100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy SoftwarePuppet
 
Puppet User Group
Puppet User GroupPuppet User Group
Puppet User GroupPuppet
 
Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsPuppet
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyPuppet
 

More from Puppet (20)

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepo
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyaml
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)
 
Puppet camp vscode
Puppet camp vscodePuppet camp vscode
Puppet camp vscode
 
Modules of the twenties
Modules of the twentiesModules of the twenties
Modules of the twenties
 
Applying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codeApplying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance code
 
KGI compliance as-code approach
KGI compliance as-code approachKGI compliance as-code approach
KGI compliance as-code approach
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
 
Keynote: Puppet camp compliance
Keynote: Puppet camp complianceKeynote: Puppet camp compliance
Keynote: Puppet camp compliance
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNow
 
Puppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet: The best way to harden Windows
Puppet: The best way to harden Windows
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020
 
Accelerating azure adoption with puppet
Accelerating azure adoption with puppetAccelerating azure adoption with puppet
Accelerating azure adoption with puppet
 
Puppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael Pinson
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin Reeuwijk
 
Take control of your dev ops dumping ground
Take control of your dev ops dumping groundTake control of your dev ops dumping ground
Take control of your dev ops dumping ground
 
100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software
 
Puppet User Group
Puppet User GroupPuppet User Group
Puppet User Group
 
Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOps
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
 

Recently uploaded

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 

Recently uploaded (20)

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 

Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf 2014

  • 1. Managing Network Security with Puppet 1 Presented by: Mike Pananen – Vigilant LLC. Chris Nyhuis – Vigilant LLC. 9/26/2014 Puppet Conf Sept 24th, 2014 Know More. Secure More
  • 2. 2 Mike Pananen mpananen@vigilantnow.com Twitter: @panaman13 • Master of Puppets at Vigilant • Worked with Puppet since 2011 • Built Global NSM Sensor grids 500+ Sensors. Know More. Secure More
  • 3. 3 Chris Nyhuis cnyhuis@vigilantnow.com Twitter: @vigilance_one • Owner of Vigilant Technology Solutions an IT Cyber Security Firm based in Cincinnati. • In Security and IT Industry 17 Years • Cyber Security Instructor at Advanced Technical Intelligence Center (Dayton) • Passionate about Orphan Care Know More. Secure More
  • 4. 4 Agenda • Understanding the Problem • How attacks have changed and the Security industry hasn’t • Why NSM is important • Lower your Security Operations Costs with Puppet Know More. Secure More
  • 5. 5 Understanding the Problem: The Compliance and Security Myth Compliance • PCI • HIPPAA • IRS Regulations • Controls • Policy • Visibility • Process Security to learn from attacks • Ability to adapt defenses • Real-Time action required Know More. Secure More
  • 6. 6 Understanding the Problem The Compliance and Security Myth Compliance • Vulnerability • PCI/HIPPAA • IRS Regulations • Controls • Policy Security • Visibility • Process to learn from attacks • Ability to adapt defenses • Real-Time action required Know More. Secure More
  • 7. 7 What do these companies have in common? Neiman Marcus HealthNet Know More. Secure More
  • 8. 130,000,000 8 What do these companies have in common? They were all compliant… HealthNet Heartland 52,000,000 145,000,000 70,000,000 94,000,000 1,500,000 92,000,000 3,900,000 24,000,000 Know More. Secure More
  • 9. 9 Ponemon’s Cost of Data Breach Study: Global Study, sponsored by IBM. Studied 314 companies spanning 10 countries.. • Average total cost of a Data Breach increased by 15% • Average of $3.5 million • Cost per record is $145.00 • Your Reputation is priceless Know More. Secure More
  • 10. 10 Take Away #1 Security is not the same as Compliance – Security is a balance of Control and Visibility Know More. Secure More
  • 11. 11 Understanding the Problem: The threats have changed Before • Random Small Attacks • Attackers were more randomly skilled • I’m too small - Big targets were the focus Today • Highly designed organized attacks • Attackers are skilled - APT • Attacks are coming through supply chain Know More. Secure More
  • 12. 12 Take Away #2 SMB is the new gateway – Protect your reputation you may be the path Know More. Secure More
  • 13. 13 Understanding the Problem: Threat protection has changed Before • Signatures - The Herd Mentality Protection Today • Attacks are more targeted Know More. Secure More
  • 14. That is why… • 54% of malware typically evades anti-virus detection • Less than 2% of breaches are detected in the first 24 14 hours, less than 46% in the first 30 days • 60% of breaches have data exfiltrated in first 24 hours • A Trustwave study considered 450 global data breach investigations, as well as thousands of penetration tests and scans. It found that the average time between an initial breach and detection was 210 days. In 2011 it was 90 Days. • Over 92% of breaches are discovered by a third party or customer Know More. Secure More
  • 15. 15 And because of that… Symantec's senior vice president Brian Dye declared last quarter to the Wall Street Journal that antivirus "is dead." Know More. Secure More
  • 16. 16 Understanding the Problem: The threat protection has changed Before • Signatures - The Herd Mentality Protection • Automated Alerting • UTM / Trad Firewalls on perimeter 100% Secure Today • Attacks are more targeted • Combination of Automation and People • Anomaly Detection -They are in, find them quick Know More. Secure More
  • 17. 17 Take Away #3 Signature Based Detection is a layer, it should be a layer of your protection just not your only one. Know More. Secure More
  • 18. 18 NSM vs IDS IDS - “Possible Bad thing Detected – 10.0.9.5” NSM – “Possible Bad thing Detected – 10.0.9.5” -> Intel hit – badguydomain.com -> HTTP – 10.0.9.5 visited http://badguydomain.com/badstuff on port 80 -> Session tracked 10.0.9.5 using FTP on IP 58.14.0.69 -> Packet capture – Detailed Map of incident including files -> Trace what else that IP talked to on your network -> Analyze badguy files -> Create new signatures/intelligence if needed to detect actor Know More. Secure More
  • 19. 19 Advanced Network Security Monitoring Know More. Secure More
  • 20. 20 Take Away #4 NSM Gives you the full picture Know More. Secure More
  • 21. 21 Lower Your Costs - Use tools to Catch them early Know More. Secure More
  • 22. 22 NSM tools OPEN SOURCE TECHNOLOGY IDS FLOW HTTP PCAP Know More. Secure More
  • 23. 23 NSM - IDS Tools Snort http://www.snort.org Suricata http://suricata-ids.org Bro http://www.bro.org Know More. Secure More
  • 24. 24 Rules Write your own, download free or purchased rules Emerging Threats http://www.emergingthreats.org ETOpen, ETPro Snort Community Rules https://www.snort.org/downloads Vulnerability Research Team https://www.snort.org/vrt Know More. Secure More
  • 25. 25 package { ‘snort’: ensure => present, }-> file { ‘/etc/snort/rules: ensure => directory, owner => ‘snort’, group => ‘snort’, mode => '0660', recurse => true, purge => true, force => true, show_diff => false, source => ‘puppet:///modules/snort/rules', notify => Service[‘snort’], }-> file { ‘/etc/snort/snort.conf’: ensure => present, owner => ‘snort’, group => ‘snort’, mode => ‘0660’, source => ‘puppet:///modules/snort/snort.conf', notify => Service[‘snort’], }-> service { ‘snort’: ensure => running enable => true, } Deploy Snort with Puppet Know More. Secure More
  • 26. 26 BRO Swiss army knife in your NSM tool box Notice Framework - Network anomaly and and scripted alerts Intel Framework - Network Intelligence detection, ip, domain, email, etc conn.log 1410156004.036451 C3SZcg4BiqLox95C6f 172.16.30.90 56978 10.10.20.60 8140 tcp ssl0.287418 4045 6226 SF T 0 ShADadfF 13 4729 13 6910 (empty) - - http.log 1410576714.203766 CcyC7F3M9pCMaEauR 10.0.20.3 50495 192.0.72.2 80 1 GET thechive.files.wordpress.com /2012/10/porn-stars-before-makeup-after-with-without-13.jpg?w=500&h=326 - Mozilla/4.0 (compatible;) 0 0 304 Not Modified - - - (empty) - - - - - - - - - FQY9eR3W1hezAV1yRhtext/plain smtp.log 1411473791.484895 C5Ulst3pXPGQ9Twt8h 10.0.4.5 57378 21.8.8411925 1 yaawfquh5.visime.eu <WonderHose@visime.eu> <billgates@microsoft.com> Tue, 23 Sep 2014 05:03:10 -0700 "Wonder <57691741739649757694320462663@yaawfquh5.visime.eu> - This hose contracts when the water stops! Other logs: dns, smtp, dhcp, dpd, intel, notice, ssl, ssh, software ………. Know More. Secure More
  • 27. 27 Free Intel Sources (atomic indicators) http://www.malwaredomains.com Bad Domain Names https://zeustracker.abuse.ch IP List and Domain Names http://www.emergingthreats.com IP List Know More. Secure More
  • 28. 28 Deploy Bro with Puppet https://forge.puppetlabs.com/panaman/bro class { 'bro': int => 'bond0', } Know More. Secure More
  • 29. 29 PCAP FULL PACKET CAPTURE netsniff-ng http://netsniff-ng.org daemonlogger http://sourceforge.net/projects/daemonlogger/ tcpdump http://www.tcpdump.org Know More. Secure More
  • 30. 30 /usr/sbin/netsniff-ng -i bond0 -s -J -F 500MiB -o /nsm/pcap/$(date "+%Y-%m-%d") Know More. Secure More
  • 31. 31 Take Away #5 Puppet can deploy new configs, signatures and inteligence to your sensors quickly. Speed is important in NSM Know More. Secure More
  • 32. 32 Network Tap http://www.networkinstruments.com/products/ntaps/index.php http://dual-comm.com http://www.netoptics.com/products/network-taps http://www.gigamon.com/network-tap Know More. Secure More
  • 33. Tap Placement - True source and true destination. Know More. Secure More 33
  • 34. 34 Take Away #6 Correct TAP Placement is as important and the right tools. Know More. Secure More
  • 35. 35 Log Management ElasticSearch http://www.elasticsearch.org Splunk http://www.splunk.com Elsa https://code.google.com/p/enterprise-log-search-and-archive/ Know More. Secure More
  • 36. Know More. Secure More 36
  • 37. Know More. Secure More 37
  • 38. 38 Six Take Aways 1. Security is not the same as Compliance 2. SMB is the new gateway – Protect your reputation you may be the path 3. Signature Based Detection is a layer, it should be a layer of your protection just not your only one. 4. NSM Gives you the full picture 5. Speed is key - Deploy Rules immediately with Puppet. 6. Correct TAP Placement is as important and the right tools. Know More. Secure More
  • 39. 39 Puppet Conf 2014 - Questions Mike Pananen mpananen@vigilantnow.com Twitter @panaman13 Chris Nyhuis cnyhuis@vigilantnow.com Twitter @vigilance_one Know More. Secure More