
Security Log Visualization with a Correlation Engine: Chris Kubecka Security-evangelist.eu All are welcome in the House of Bytes English Language Presentation.


1 Security Log Visualization with a Correlation Engine: Chris Kubecka Security-evangelist.eu All are welcome in the House of Bytes English Language Presentation

2 Questions for 28C3
- Have you ever been a network engineer, analyst, or administrator?
- Have you ever read network, application or security logs?
- Have you ever monitored a network or investigated security incidents?
- Are you familiar with a correlation engine?
- Have you ever wanted to know what a compromise or attack looks like?

3 Network Security Challenges
- Too many logs from too many different types of sources
- Too many different security consoles to monitor and learn
- Too time consuming, or impossible, to correlate
- End point and network protection is limited against 0-day/newer malware or polymorphic malicious code

4 Logs and Consoles
- Firewall
- Web proxy server
- DNS server
- Host intrusion detection/prevention
- Network intrusion detection/prevention
- Server security or application log
- Web server
- Email server
- End point anti-virus
- Badge entries and exits with identification
- and many more...

5 Challenge solved!
- Can be used to investigate and monitor multiple security controls in one location, in a readable format and console.
- Normalizes network, application or security logs into one format and location.
- Categorizes logs of multiple types by severity, event count, access type, violation type, asset type, etc.
- Can view the correlation of logged events from multiple sources.

6 Unusual DNS Activity
- Attempting to contact old DNS root servers
- Attempting to contact a suspicious, untrusted external DNS IP address

7 Unusual DNS Activity
- The external IP had advisories for a Trojan/keylogger
- Had port 139 open as a DMZ DNS server
- Attempting to contact a bogon/unallocated IP network
- Trying to communicate outbound using a suspect port combination
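The normalize-then-correlate idea of slide 5, applied to the DNS anomalies of slides 6 and 7, as an added example that is not from the talk or from any of the products it names. The log lines, the trusted-resolver list and the bogon ranges are constructed for illustration; a real deployment would feed in its own sensor formats and a current bogon list.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in two different sensor formats (not real traffic).
FIREWALL_LOGS = [
    "fw1 ACCEPT src=10.1.1.5 dst=8.8.8.8 proto=udp dport=53",
    "fw1 ACCEPT src=10.1.1.5 dst=198.51.100.77 proto=udp dport=53",
    "fw1 ACCEPT src=10.1.1.9 dst=192.0.2.10 proto=tcp dport=443",
    "fw1 ACCEPT src=10.1.1.5 dst=240.0.0.1 proto=tcp dport=139",
]
DNS_LOGS = [
    "dns1 query client 10.1.1.5 name evil.example type A forwarded-to 198.51.100.77",
    "dns1 query client 10.1.1.7 name intranet.local type A forwarded-to 10.1.1.53",
]

# Hypothetical policy: resolvers the site allows, and ranges it treats as bogon/unallocated.
TRUSTED_RESOLVERS = {"10.1.1.53", "8.8.8.8"}
BOGON_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "240.0.0.0/4", "192.0.2.0/24")]

FW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")
DNS_RE = re.compile(r"client (\S+) .*forwarded-to (\S+)")

def normalize(line):
    """Map either raw format onto one common event schema (the SIEM 'normalize' step)."""
    if m := FW_RE.search(line):
        return {"src": m[1], "dst": m[2], "proto": m[3], "dport": int(m[4]), "sensor": "firewall"}
    if m := DNS_RE.search(line):
        return {"src": m[1], "dst": m[2], "proto": "udp", "dport": 53, "sensor": "dns"}
    return None  # unknown format: dropped rather than guessed at

def is_bogon(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)

def correlate(lines):
    """Run the same rules over every normalized event, whichever sensor produced it."""
    alerts = []
    for ev in filter(None, map(normalize, lines)):
        if ev["dport"] == 53 and ev["dst"] not in TRUSTED_RESOLVERS:
            alerts.append((ev["src"], "dns-to-untrusted-resolver", ev["dst"], ev["sensor"]))
        if is_bogon(ev["dst"]):
            alerts.append((ev["src"], "bogon-destination", ev["dst"], ev["sensor"]))
    return alerts

def hosts_by_alert_count(alerts):
    """Rank internal hosts by how many rules they tripped, across all sensors."""
    return Counter(src for src, *_ in alerts).most_common()

def corroborated(alerts):
    """Hosts flagged independently by more than one sensor type: the correlation payoff."""
    sensors = {}
    for src, _rule, _dst, sensor in alerts:
        sensors.setdefault(src, set()).add(sensor)
    return {src for src, seen in sensors.items() if len(seen) > 1}
```

With the constructed data, 10.1.1.5 is flagged by both the firewall and the DNS server for the same untrusted resolver, which is the kind of cross-source view a single console cannot give.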

8 Bypassing Deep Packet Inspection via Encryption
- If traffic is encrypted, only the basic routing information (packet header) can be monitored and processed by an IPS or an application firewall, unless the encryption is broken
- Only the end host and the destination have the key to the encrypted session.
- If the encrypted packet contains advanced routing, neither an IPS nor an application firewall can effectively monitor the traffic

9 Encrypted covert communications channel
- Clear-text outbound traffic was detected and blocked by the web proxy, web application firewall and network intrusion prevention security controls via deep packet inspection
- Once the outbound packets were encrypted, the communications were able to traverse the network

10 DDoS South Korea July/August 2009
- Targeted
- Planned
- Estimates range from 1100 to 166,000 computers taking part in the attack globally
- Controlled bot armies via W32.Dozer and other malicious code
- Used high-bandwidth networks

11 DDoS South Korea 2009
- The client was an EU financial institution significantly owned by a European government
- Filtered the traffic by the target IP addresses
- Monitored traffic included all perimeter firewalls and network and host intrusion systems
- About 200 of the end point assets participated in the attack

12 Correlation Engines
- ArcSight SIEM
- Tenable Log Correlation Engine 3.6
- RSA
- NitroView ACE
- Alien Vault OSSIM, which can be used for ANY type of log and sensor data

13 Closing
- One centralized location for security logs, in real time, can enable faster detection, monitoring and investigations
- All information in a readable, standardized format allows detection rules to apply across the entire network, dependent not on vendors or versions but on the type of technology
- Can be used to test network security: whether an attack or exploit can be detected, and what logs, if any, will be produced

14 Questions?

15 Websites/Organizations
- Abuse.ch
- SRI Malware Center - http://mtc.sri.com/
- VirusTotal - http://www.virustotal.com/
- Robtex - http://www.robtex.com/
- Hurricane Electric - http://www.he.net
- CleanMX - http://www.clean-mx.de/
- EmergingThreats.net - Snort
- Alien Vault OSSIM - alienvault.com/community
- Symantec
- McAfee

16 Tools Used
- ArcSight SIEM/Logger
- Fiddler 2
- WireShark
- VirusTotal API
- Nmap
