DevEX - reference for building teams, processes, and platforms
Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf 2014
1. Managing Network Security with
Puppet
1
Presented by:
Mike Pananen – Vigilant LLC.
Chris Nyhuis – Vigilant LLC.
9/26/2014
Puppet Conf
Sept 24th, 2014
Know More. Secure More
2. 2
Mike Pananen
mpananen@vigilantnow.com
Twitter: @panaman13
• Master of Puppets at
Vigilant
• Worked with Puppet since
2011
• Built Global NSM Sensor
grids 500+ Sensors.
Know More. Secure More
3. 3
Chris Nyhuis
cnyhuis@vigilantnow.com
Twitter: @vigilance_one
• Owner of Vigilant Technology Solutions
an IT Cyber Security Firm based in
Cincinnati.
• In Security and IT Industry 17 Years
• Cyber Security Instructor at Advanced
Technical Intelligence Center (Dayton)
• Passionate about Orphan Care
Know More. Secure More
4. 4
Agenda • Understanding the Problem
• How attacks have changed and the
Security industry hasn’t
• Why NSM is important
• Lower your Security Operations
Costs with Puppet
Know More. Secure More
5. 5
Understanding the Problem:
The Compliance and Security Myth
Compliance
• PCI
• HIPPAA
• IRS Regulations
• Controls
• Policy
• Visibility
• Process Security
to learn from
attacks
• Ability to adapt defenses
• Real-Time action
required
Know More. Secure More
6. 6
Understanding the Problem
The Compliance and Security Myth
Compliance
• Vulnerability
• PCI/HIPPAA
• IRS Regulations
• Controls
• Policy
Security
• Visibility
• Process to learn from
attacks
• Ability to adapt defenses
• Real-Time action
required
Know More. Secure More
7. 7
What do these companies have in common?
Neiman Marcus HealthNet
Know More. Secure More
8. 130,000,000
8
What do these companies have in common?
They were all compliant…
HealthNet Heartland
52,000,000
145,000,000
70,000,000
94,000,000
1,500,000
92,000,000
3,900,000
24,000,000
Know More. Secure More
9. 9
Ponemon’s Cost of Data Breach Study:
Global Study, sponsored by IBM.
Studied 314 companies spanning 10
countries..
• Average total cost of a Data Breach increased
by 15%
• Average of $3.5 million
• Cost per record is $145.00
• Your Reputation is priceless
Know More. Secure More
10. 10
Take Away #1
Security is not the same as Compliance – Security is a
balance of Control and Visibility
Know More. Secure More
11. 11
Understanding the Problem:
The threats have changed
Before
• Random Small Attacks
• Attackers were more
randomly skilled
• I’m too small - Big
targets were the focus
Today
• Highly designed organized
attacks
• Attackers are skilled - APT
• Attacks are coming through
supply chain
Know More. Secure More
12. 12
Take Away #2
SMB is the new gateway – Protect your reputation you may
be the path
Know More. Secure More
13. 13
Understanding the Problem:
Threat protection has changed
Before
• Signatures - The
Herd Mentality
Protection
Today
• Attacks are more
targeted
Know More. Secure More
14. That is why… • 54% of malware typically evades anti-virus detection
• Less than 2% of breaches are detected in the first 24
14
hours, less than 46% in the first 30 days
• 60% of breaches have data exfiltrated in first 24 hours
• A Trustwave study considered 450 global data breach
investigations, as well as thousands of penetration
tests and scans. It found that the average time
between an initial breach and detection was 210 days.
In 2011 it was 90 Days.
• Over 92% of breaches are discovered by a third party
or customer
Know More. Secure More
15. 15
And because of
that…
Symantec's senior vice president Brian Dye
declared last quarter to the Wall Street Journal
that antivirus "is dead."
Know More. Secure More
16. 16
Understanding the Problem:
The threat protection has changed
Before
• Signatures - The Herd
Mentality Protection
• Automated Alerting
• UTM / Trad Firewalls on
perimeter 100% Secure
Today
• Attacks are more targeted
• Combination of Automation
and People
• Anomaly Detection -They
are in, find them quick
Know More. Secure More
17. 17
Take Away #3
Signature Based Detection is a layer, it should be a layer of your
protection just not your only one.
Know More. Secure More
18. 18
NSM vs IDS
IDS - “Possible Bad thing Detected – 10.0.9.5”
NSM – “Possible Bad thing Detected – 10.0.9.5” ->
Intel hit – badguydomain.com ->
HTTP – 10.0.9.5 visited http://badguydomain.com/badstuff on port 80 ->
Session tracked 10.0.9.5 using FTP on IP 58.14.0.69 ->
Packet capture – Detailed Map of incident including files ->
Trace what else that IP talked to on your network ->
Analyze badguy files ->
Create new signatures/intelligence if needed to detect actor
Know More. Secure More
20. 20
Take Away #4
NSM Gives you the full picture
Know More. Secure More
21. 21
Lower Your Costs - Use tools to
Catch them early
Know More. Secure More
22. 22
NSM tools
OPEN SOURCE TECHNOLOGY
IDS
FLOW
HTTP
PCAP
Know More. Secure More
23. 23
NSM - IDS Tools
Snort
http://www.snort.org
Suricata
http://suricata-ids.org
Bro
http://www.bro.org
Know More. Secure More
24. 24
Rules
Write your own, download free or purchased rules
Emerging Threats
http://www.emergingthreats.org
ETOpen, ETPro
Snort Community Rules
https://www.snort.org/downloads
Vulnerability Research Team
https://www.snort.org/vrt
Know More. Secure More
26. 26
BRO
Swiss army knife in your NSM tool box
Notice Framework - Network anomaly and and scripted alerts
Intel Framework - Network Intelligence detection, ip, domain, email, etc
conn.log
1410156004.036451 C3SZcg4BiqLox95C6f 172.16.30.90 56978 10.10.20.60 8140 tcp ssl0.287418 4045
6226 SF T 0 ShADadfF 13 4729 13 6910 (empty) - -
http.log
1410576714.203766 CcyC7F3M9pCMaEauR 10.0.20.3 50495 192.0.72.2 80 1 GET thechive.files.wordpress.com
/2012/10/porn-stars-before-makeup-after-with-without-13.jpg?w=500&h=326 - Mozilla/4.0 (compatible;) 0 0 304 Not
Modified - - - (empty) - - - - - - - - - FQY9eR3W1hezAV1yRhtext/plain
smtp.log
1411473791.484895 C5Ulst3pXPGQ9Twt8h 10.0.4.5 57378 21.8.8411925 1 yaawfquh5.visime.eu
<WonderHose@visime.eu> <billgates@microsoft.com> Tue, 23 Sep 2014 05:03:10 -0700 "Wonder
<57691741739649757694320462663@yaawfquh5.visime.eu> - This hose contracts when the water stops!
Other logs: dns, smtp, dhcp, dpd, intel, notice, ssl, ssh, software ……….
Know More. Secure More
27. 27
Free Intel Sources
(atomic indicators)
http://www.malwaredomains.com
Bad Domain Names
https://zeustracker.abuse.ch
IP List and Domain Names
http://www.emergingthreats.com
IP List
Know More. Secure More
28. 28
Deploy Bro with Puppet
https://forge.puppetlabs.com/panaman/bro
class { 'bro':
int => 'bond0',
}
Know More. Secure More
29. 29
PCAP
FULL PACKET CAPTURE
netsniff-ng
http://netsniff-ng.org
daemonlogger
http://sourceforge.net/projects/daemonlogger/
tcpdump
http://www.tcpdump.org
Know More. Secure More
31. 31
Take Away #5
Puppet can deploy new configs, signatures and inteligence
to your sensors quickly. Speed is important in NSM
Know More. Secure More
32. 32
Network Tap
http://www.networkinstruments.com/products/ntaps/index.php
http://dual-comm.com
http://www.netoptics.com/products/network-taps
http://www.gigamon.com/network-tap
Know More. Secure More
33. Tap Placement - True source and true destination.
Know More. Secure More 33
34. 34
Take Away #6
Correct TAP Placement is as important and the right tools.
Know More. Secure More
35. 35
Log Management
ElasticSearch
http://www.elasticsearch.org
Splunk
http://www.splunk.com
Elsa
https://code.google.com/p/enterprise-log-search-and-archive/
Know More. Secure More
38. 38
Six Take Aways
1. Security is not the same as Compliance
2. SMB is the new gateway – Protect your reputation you
may be the path
3. Signature Based Detection is a layer, it should be a layer
of your protection just not your only one.
4. NSM Gives you the full picture
5. Speed is key - Deploy Rules immediately with Puppet.
6. Correct TAP Placement is as important and the right tools.
Know More. Secure More
39. 39
Puppet Conf 2014 - Questions
Mike Pananen
mpananen@vigilantnow.com
Twitter @panaman13
Chris Nyhuis
cnyhuis@vigilantnow.com
Twitter @vigilance_one
Know More. Secure More