1. Security
Analytics
in
Action
Josh
Sokol
&
Walter
Johnson

2. Josh
Sokol
! OWASP
Foundation
Global
Board
Member
! Creator
of
SimpleRisk
(simplerisk.org)
! Information
Security
Program
Owner,
National
Instruments
Twitter:
@joshsokol
Blog:
http://www.webadminblog.com

3. Walter
Johnson
! Security
Analyst,
National
Instruments
! LASCON
Graphics
Guy
! Likes
long
walks
on
the
beach
and
candlelight
dinners
! Former
Yakuza
Assassin
Twitter:
@sirmodok

4. Visibility
(or
lack
thereof)
! Am
I
under
attack?
! Which
systems
are
they
attacking?
! What
kind
of
attacks
are
they
using?
! Who
is
attacking
me?
! Were
they
successful?

5. " We
need
to
create
an
ecosystem
of
security
tools
that
work
together
to
answer
these
questions
and
more.
" We
need
tools
that
are
able
to
talk
to
each
other
in
order
to
leverage
siloed
data
for
mutual
gain.
" We
need
a
platform
to
enable
the
analysis
of
and
reporting
on
threats
in
our
environment
in
near
real-­‐
time.
We
need
Security
Analytics!

6. Firewall
IPS
NAC
Malware
Analysis
Vulnerability
Mgmt
# Tools
Working
in
Silos
# Proprietary
Protocols
# “Greedy”
Platforms
# Duplication
of
Functionality

7. $ Open
API
$ Open
DB
$ Data
Export

8. $ Events
$ Alerts
$ SNMP
$ Syslog

9. Exploitation
–
Parasitism.
The
leech
gains
food
and
nutrients,
but
the
host
gains
nothing
from
having
a
leech
suck
its
blood.

10. You
can
assemble
an
arsenal
of
best-­‐
in-­‐breed
tools
that
work
together.
Even
smaller
purchases
can
have
a
large
impact.

11. Question
Data
Do
I
trust
the
source?
Reputation
Data
How
am
I
being
attacked?
Attack
Data
What
attacks
are
my
systems
vulnerable
to?
Vulnerability
Data
What
versions
of
O/S
and
software
am
I
running?
Asset
Data
Who
is
using
my
systems?
Identity
Data
Who
should
have
access
to
what?
Data
Classification
Who
do
I
trust
and
who
trusts
me?
Trust
Hierarchy
Do
I
have
access?
Authentication
Data
What
can
I
access?
Authorization
Data
What
has
been
tested?
QA
Data
Is
data
crossing
between
two
trust
levels?
Trust
Boundaries

12. ! Common
feature
for
modern
routers
and
switches.
! Provides
a
lot
of
data
for
a
reasonable
amount
of
storage.
! Data
can
help
make
many
security
decisions
easier.

13. ! “Security
Flaws
in
Universal
Plug
and
Play”
whitepaper
by
HD
Moore
! Over
23
million
IPs
are
vulnerable
to
remote
code
execution
through
a
single
UDP
packet.
! Affects
Simple
Service
Discovery
Protocol
(SSDP)
which
runs
on
UDP/1900.
Question:
Are
people
actively
scanning
my
network
in
order
to
exploit
this
flaw?

14. ! Source
address
is
external
to
my
network.
! Destination
address
is
on
my
network.
! Connection
uses
UDP
(protocol
17)
on
port
1900.

15. ! A
pattern
search
of
our
NetFlow
data
over
the
past
24
hours
returned
539
results
in
1
minute
and
38
seconds.

17. ! Source
address
is
on
my
network.
! Destination
address
is
external
to
my
network.
! The
destination
IP
is
listed
on
the
Malware
Domain
List.

18. ! Most
of
the
pattern
matches
returned
showed
one
MDL
IP
with
multiple
internal
hosts
connecting
to
it.
! Then
there
was
this…

19. ! Source
address
is
on
my
network.
! Destination
address
is
external
to
my
network.
! Destination
is
associated
with
a
malware
event
from
one
of
our
Malware
Prevention
appliances
(scoped
to
1hr).

20. ! A
pattern
search
of
our
NetFlow
and
MPS
data
over
the
past
hour
returned
134
results
in
2
minutes
and
4
seconds.

23. ! Create
a
list
of
unused
IP
addresses
on
your
network.
! Look
for
the
internal
systems
making
the
most
connections
to
those
IPs.

24. ! Source
address
is
on
my
network.
! Destination
address
is
external
to
my
network.
! Connection
is
UDP
port
53.
! Count
the
connections
to
destination
IP
addresses.

25. ! Source
address
is
on
my
network.
! Destination
address
is
external
to
my
network.
! Sum
up
the
number
of
bytes
sent
and
get
the
top
25.

26. ! Source
address
is
on
my
network.
! Destination
address
is
on
my
network.
! Get
the
count
of
connections
any
IP
makes
to
any
other
IP
addresses.

27. ! Source
address
is
specified
at
runtime.
! Destination
address
is
any
IP.
! Show
all
ports
and
bytes
of
data
sent
to
each.

32. ! What
is
connecting
to
that
IP
address?
! What
is
that
IP
address
connecting
to?
! Do
I
have
any
alerts
associated
with
that
IP
address?
! Is
there
any
significant
amount
of
data
loss
from
that
system?

33. ! What
is
connecting
to
that
IP
address?

38. Dewan
Communications
Facebook

39. ! What
is
that
IP
address
connecting
to?

42. AWS
hosted-­‐by.ihc.ru
Feral
Hosting?
softlayer.com
Dewan
Communications

43. ! Do
I
have
any
alerts
associated
with
that
IP
address?

45. ! Is
there
any
significant
amount
of
data
loss
from
that
system?

48. https://code.google.com/p/collective-­‐intelligence-­‐framework/

49. ! Are
there
alerts
associated
with
this
host
on
my
IPS
or
other
monitoring
devices?
No.
! WAFSEC
reputation
data…
! McAfee
Threat
Intelligence
data…
! This
looks
like
a
false
positive
to
me.

50. ! Should
I
accept
packets
from
random
IP
X?
$ Reputation
Data
$ Attack
Data
$ Vulnerability
Data
$ Asset
Data
$ Trust
Boundaries
! Should
I
allow
random
person
X
to
download
a
file
Y?
$ Data
Classification
$ Reputation
Data
$ Authentication
Data
$ Authorization
Data
$ Trust
Boundaries

51. ! Block
an
IP
address
with
a
Firewall
or
IPS
system.
! Create
WAF
rules
based
on
attack
data.
! Ban
a
system
from
communicating
on
your
network.
! Require
additional
authentication.
! Attack
back?
-­‐
Greg
Hoglund,
Founder
and
Former
CEO
of
HBGary
from
CNBC
“Companies
Battle
Cyberattacks
Using
‘Hack
Back’
6/4/2013

52. ! Many
companies
suffer
from
a
lack
of
visibility
into
critical
security
threats.
! Security
analytics
allow
us
to
see
and
react
to
threats.
! Ideal
tools
are
those
with
both
provider
and
consumer
capabilities.
! Combining
tool
data
together
gives
us
the
context
that
we
can
use
to
make
informed
decisions.
! Network
flow
data
is
the
“glue”
that
ties
the
events
together
and
helps
to
illustrate
the
attack
progression.

53. Josh
Sokol
Twitter:
@joshsokol
Blog:
http://www.webadminblog.com
Walter
Johnson
Twitter:
@sirmodok