Security Log Visualization with a Correlation Engine: Chris Kubecka Security-evangelist.eu All are welcome in the House of Bytes English Language Presentation.


Questions for 28C3
- Have you ever been a network engineer, analyst, or administrator?
- Have you ever read network, application or security logs?
- Have you ever monitored a network or investigated security incidents?
- Are you familiar with a correlation engine?
- Have you ever wanted to know what a compromise or attack looks like?

Network Security Challenges
- Too many logs from too many different types of sources
- Too many different security consoles to monitor and learn
- Too time-consuming or impossible to correlate
- Endpoint and network protection is limited against 0day/newer malware or polymorphic malicious code

Logs and Consoles
- Firewall
- Web proxy server
- DNS server
- Host intrusion detection/prevention
- Network intrusion detection/prevention
- Server security or application log
- Web server
- server
- Endpoint anti-virus
- Badge entries and exits with identification
- & many more.....

Challenge solved!
- Can be used to investigate and monitor multiple security controls in one location, in a readable format and a single console.
- Normalizes network, application and security logs into one format and one location.
- Categorizes the logs by severity, event count, access type, violation type, asset type, etc., across multiple types of logs.
- Can view the correlation of logged events from multiple sources.

Unusual DNS Activity
- Attempting to contact old DNS root servers
- Attempting to contact a suspicious, untrusted external DNS IP address

Unusual DNS Activity
- The external IP had advisories for a Trojan/keylogger
- Had port 139 open as a DMZ DNS server
- Attempting to contact a bogon/unallocated IP network
- Trying to communicate outbound using a suspect port combination

Bypassing Deep Packet Inspection via Encryption
- If traffic is encrypted, only the basic routing information (packet header) can be monitored and processed by an IPS or an application firewall, unless the encryption is broken.
- Only the end host and the destination have the key to the encrypted session.
- If the encrypted packet contains advanced routing, neither an IPS nor an application firewall can effectively monitor the traffic.

Encrypted covert communications channel
- Clear-text outbound traffic was detected and blocked by the web proxy, web application firewall and network intrusion prevention controls via deep packet inspection.
- Once the outbound packets were encrypted, the communications were able to traverse the network.
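To make the point on the two slides above concrete, here is an added illustration (not code from the talk) of what a header-level inspection point still sees once a session is encrypted. A clear-text HTTP request exposes its full request line to a DPI signature; a TLS ClientHello exposes only the fact that it is TLS and, at most, the server name indication (SNI) the client asks for. The ClientHello builder, the classifier and the sample payloads are all constructed for this example; the hostnames are placeholders.

```python
"""Constructed illustration: what header-level inspection can and cannot see.

build_client_hello() assembles a minimal, structurally valid TLS 1.2
ClientHello carrying an SNI extension (placeholder hostname).  classify_flow()
plays the role of a DPI engine looking at the first bytes of a flow.
"""


def build_client_hello(hostname: str) -> bytes:
    """Assemble a minimal ClientHello (record + handshake headers, one cipher suite, SNI)."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + len(name).to_bytes(2, "big") + name          # name_type=host_name
    sni_ext = (b"\x00\x00"                                                 # extension type 0 = server_name
               + (len(server_name) + 2).to_bytes(2, "big")                # extension length
               + len(server_name).to_bytes(2, "big") + server_name)       # ServerNameList
    body = (b"\x03\x03"                 # client_version TLS 1.2
            + b"\x11" * 32              # client random (constant placeholder, fine for a parser test)
            + b"\x00"                   # empty session id
            + b"\x00\x02\x13\x01"       # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"               # compression methods: null
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # ContentType handshake


def extract_sni(record: bytes):
    """Walk the ClientHello and return the SNI host name, or None if absent."""
    p = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    p += 1 + record[p]                      # session id
    p += 2 + int.from_bytes(record[p:p + 2], "big")   # cipher suites
    p += 1 + record[p]                      # compression methods
    if p + 2 > len(record):
        return None                         # no extensions block at all
    end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        ext_type = int.from_bytes(record[p:p + 2], "big")
        ext_len = int.from_bytes(record[p + 2:p + 4], "big")
        p += 4
        if ext_type == 0:                   # server_name: list length(2), type(1), name length(2), name
            q = p + 2
            if record[q] == 0:
                n = int.from_bytes(record[q + 1:q + 3], "big")
                return record[q + 3:q + 3 + n].decode("ascii", errors="replace")
        p += ext_len
    return None


def classify_flow(payload: bytes):
    """Return (kind, what_dpi_can_see) for the first bytes of a flow."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        # Clear text: the whole request line (and body) is available to signatures.
        return "cleartext-http", payload.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        # TLS handshake: only the handshake metadata is visible, the application data will not be.
        return "tls-clienthello", extract_sni(payload)
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample flows (placeholder host names).
    print(classify_flow(b"GET /index.html HTTP/1.1\r\nHost: example.net\r\n\r\n"))
    print(classify_flow(build_client_hello("example.net")))
```

The practical consequence for the talk's scenario: once the channel is TLS, the inspection point is reduced to header and handshake metadata (destination, port, SNI, certificate), so the detection has to move to those fields, to flow behaviour, or to a point where the traffic is decrypted (the proxy or the endpoint).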

DDoS South Korea July/August 2009
- Targeted
- Planned
- Estimates are from ,000 computers took part in the attack globally
- Controlled bot armies via W32.Dozer and other malicious code
- Used high-bandwidth networks

DDoS South Korea 2009
- The client was an EU financial institution significantly owned by a European government
- Filtered the traffic by the target IP addresses
- Monitored traffic included all perimeter firewalls and network and host intrusion systems
- About 200 of the endpoint assets participated in the attack
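The "Challenge solved!", "Unusual DNS Activity" and DDoS slides above describe three things a correlation engine does: normalize differently formatted logs into one schema, apply per-event rules (contact with a retired root server, a bogon/unallocated destination, a DNS server talking out on a suspect port), and aggregate across sensors (how many internal assets hit one target IP). The following is an added toy engine written for this page, not code from the talk or from any of the products listed later. The two log formats, the sensor names, the IP addresses, the threshold and the "legacy root server" address are all constructed placeholders; the bogon list uses real reserved ranges but is deliberately incomplete, and 203.0.113.0/24 (TEST-NET-3) is left out of it so that it can stand in for allocated public address space in the sample.

```python
"""Constructed toy correlation engine: normalize two log formats, run rules, aggregate."""
import ipaddress
import re
from collections import defaultdict

# --- constructed reference data (placeholders, not from the talk) ---------------------
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DNS_SERVERS = {"10.0.0.53"}
LEGACY_ROOT_IPS = {"192.0.2.13"}            # stand-in for a retired root-server address
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "224.0.0.0/3")]
DDOS_THRESHOLD = 3   # distinct internal sources per external target; sized for the sample

# Two constructed raw formats: a firewall connection log and a host IDS outbound log.
FW_RE = re.compile(r"^(?P<sensor>\S+) (?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
                   r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
HIDS_RE = re.compile(r"^(?P<sensor>\S+) (?P<ts>\S+) host=(?P<src>[\d.]+) outbound "
                     r"(?P<proto>TCP|UDP) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")


def normalize(line):
    """Map one raw line from either source into the common event schema (None if unparsable)."""
    for kind, rx in (("firewall", FW_RE), ("hids", HIDS_RE)):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            return {"type": kind, "sensor": d["sensor"], "ts": d["ts"], "proto": d["proto"],
                    "src": d["src"], "dst": d["dst"], "dport": int(d["dport"]),
                    "action": d.get("action", "ACCEPT")}
    return None


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def is_bogon(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGONS)


def per_event_rules(ev):
    """Rules that need only the single normalized event; returns the names that fire."""
    hits = []
    if is_internal(ev["src"]) and not is_internal(ev["dst"]):      # outbound only
        if is_bogon(ev["dst"]):
            hits.append("bogon_destination")
        if ev["dst"] in LEGACY_ROOT_IPS and ev["dport"] == 53:
            hits.append("legacy_root_contact")
        if ev["src"] in DNS_SERVERS and ev["dport"] != 53:
            hits.append("dns_server_odd_port")
    return hits


def correlate(lines):
    """Normalize, run per-event rules, then aggregate outbound targets across all sensors."""
    events = [e for e in map(normalize, lines) if e]
    alerts = []
    targets = defaultdict(set)          # external dst -> internal sources seen by any sensor
    for ev in events:
        for rule in per_event_rules(ev):
            alerts.append({"rule": rule, "sensor": ev["sensor"], "src": ev["src"],
                           "dst": ev["dst"], "dport": ev["dport"]})
        if is_internal(ev["src"]) and not is_internal(ev["dst"]):
            targets[ev["dst"]].add(ev["src"])
    for dst, srcs in targets.items():   # the DDoS-participation view: filter by target IP
        if len(srcs) >= DDOS_THRESHOLD:
            alerts.append({"rule": "ddos_participation", "sensor": "*", "dst": dst,
                           "participants": len(srcs)})
    return events, alerts


# Constructed sample log lines (the timestamps, sensors and addresses are invented).
SAMPLE_LOGS = [
    "fw-perimeter 2009-07-07T10:00:01 ACCEPT TCP 10.1.1.5:51234 -> 203.0.113.7:80",
    "fw-perimeter 2009-07-07T10:00:02 ACCEPT TCP 10.1.1.6:51235 -> 203.0.113.7:80",
    "hids-ws07 2009-07-07T10:00:03 host=10.1.1.7 outbound TCP dst=203.0.113.7 dport=80",
    "fw-dmz 2009-07-07T10:00:04 ACCEPT UDP 10.0.0.53:53 -> 192.0.2.13:53",
    "fw-dmz 2009-07-07T10:00:05 ACCEPT TCP 10.0.0.53:40001 -> 203.0.113.9:139",
    "fw-perimeter 2009-07-07T10:00:06 ACCEPT TCP 10.1.1.5:51236 -> 203.0.113.80:443",
    "fw-perimeter 2009-07-07T10:00:07 DROP UDP 10.1.1.8:5353 -> 100.64.1.2:53",
    "not a log line at all",
]

if __name__ == "__main__":
    _, found = correlate(SAMPLE_LOGS)
    for a in found:
        print(a)
```

The aggregation step is what makes the DDoS case visible: no single firewall or HIDS line is suspicious on its own, but once every sensor's events share one schema, "how many distinct internal hosts are talking to this one target" is a single query rather than a per-console exercise.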

Correlation Engines
- ArcSight SIEM
- Tenable Log Correlation Engine 3.6
- RSA
- NitroView ACE
- Alien Vault OSSIM, which can be used for ANY type of log and sensor data

Closing
- One centralized location for security logs in real time can enable faster detection, monitoring and investigations
- All information in a readable, standardized format allows detection rules to apply across the entire network, dependent not on vendors or versions but on the type of technology
- Can be used to test network security: whether an attack or exploit can be detected, and what logs, if any, will be produced

Questions?

Websites/Organizations
- Abuse.ch
- SRI Malware Center
- VirusTotal
- Robtex
- Hurricane Electric
- CleanMX
- EmergingThreats.net-Snort
- Alien Vault OSSIM alienvault.com/community
- Symantec
- McAfee

Tools Used
- ArcSight SIEM/Logger
- Fiddler 2
- WireShark
- VirusTotal API
- Nmap