Presentation is loading. Please wait.

Presentation is loading. Please wait.

Correlated Security Enforcement

Published byΓλυκερία Θεοδωρίδης Modified over 6 years ago

Similar presentations

Presentation on theme: "Correlated Security Enforcement"— Presentation transcript:

1 Correlated Security Enforcement
Enriching security events using network traffic and event monitoring data Nick Buraglio Network Engineer, Network Planning Team Energy Sciences Network TNC 17 May 31, 2017

2 Correlated Security Enforcement
What does that actually mean? Utilize existing network data not typically used for security purposes Create a functional data repository able to store, and reference Execute actions based on variable data sources from across a given set of systems (e.g. a transit ASN) Analogous to SARNET “analyze”

3 Motivations Simplify or remove need for on-demand forensics during a given event Increase the detail and sensitivity of events being cross referenced Add diversity to the data sources used to take action Reduce false positives and negatives by corroborating events with data Understand where best to take action given the network topology Automation implies removing the need to perform a single repetitive task, orchestration implies the automation of an entire workflow - we want to start with the former and lead up to the latter. This aligns with the R&D we’re working on for the network as well. Seamless “undoing” - this would be our security orchestration

4 Motivations Significantly narrow margin for human error
Allows for extensive programmatic changes to complex elements Facilitate more seamless “undoing” of both manual and automated actions (e.g. Black Hole block scaling based on abuse level)* Make sure we’re not building wheels *Some networks do this now with black hole routing Automation implies removing the need to perform a single repetitive task, orchestration implies the automation of an entire workflow - we want to start with the former and lead up to the latter. This aligns with the R&D we’re working on for the network as well. Seamless “undoing” - this would be our security orchestration

5 Goals Leverage existing network data traditionally used for network triage and root cause analysis for network events Like a SIEM for the WAN Give it “all of the data” Index “all of the data” Allow for broad and flexible data inputs Provide mechanisms for extensive output actions Don’t build wheels

6 Goals Extend current offerings More granular filtering
Faster responses to events Software based checks and balances (whitelist, blacklist, intel feeds) Extend what we’re already doing to a wide area context Feed back into the system to create more specific and accurate triggers

7 Simple design Input Index / Correlation / Enhancement Actions

8 Input The usual [network] suspects Syslog data
Flow data (Sampled or not - at least 1:2000) DNS Query Logs Community Intel feeds Existing IDS Alerts The not-so-usual suspects SDN Controller data Routing topology Data sources we have been working with as a start - not limited to these. The IDS alerts and / or the Intel feeds are the key sources, they launch the execution of the corroboration and correlation software.

9 Input / Corroboration Initial searches were very slow
Time to completion was hours and not seconds Initial builds worked well (due to simplicity) NetFlow files take the longest to manually crunch In order to speed up processing added stretch goal of “Index all of the data” (that it is possible to index)

10 Correlated Security Enforcement - Correlation
Very simple Very modular Very lightweight Input Actions Index / Correlation

11 Correlation Concept code written in python
Built to handle everything from flat files (flow data, syslog) to APIs (packet design and Arbor) Ran in a mid-tier Ubuntu VM Inputs were diverse Output action was a stretch goal Bad actors are sourced from bro logs 3 bro systems in diverse geographical and topological locations Search all provided inputs for relevant data in bro alert Match relevant data (src/dst ip, ports) Build topological paths based on route table

12 Enter: Indexing “Traditional” Indexing tools ELK Stack Splunk
Cloud Tools Google BigQuery / Data Flow* *Under investigation In an indeal deployment the indexing is a catalyst for two things: faster searching of diverse data sets and a centralization mechanism. While the centralization isn’t required - coreflow is purposely written to support APIs - it aits in speed of query and centralization of data

13 Actions Actions are underway with future support for OpenFlow Flowmod
BGP Null Route BGP FlowSpec API Alarm via slack API calls to NCSA BHR instance Build intel base Eventually no alerts (only a report) - actions should be automatic* Actions are the simplest of the three modules. The basic action is a BGP null route since that’s the most common of the security mechanisms, and it plays into many pre-existing deployments. API calls are the best case - the NCSA BHR that we utilize is essentially an API call *

14 Workflow pool=20 Alerts Map flows to netflow Search queued flows
Nfdump Map flows to netflow Guess possible routes Search queued flows Process Alerts Nfdump Queue (id, flow_pair) Queue (id, netflow_data) Queue (id, routes) Queue (id, alert) Nfdump Extract Flow data Add netflow results Add potential routes Export Results

15 Correlated Security Enforcement

16 Correlated Security Enforcement

17 Correlated Security Enforcement - Workflow

18 Correlated Security Enforcement - Workflow

19 Correlated Security Enforcement - Workflow

20 Correlated Security Enforcement - Actions
This is the model that we are working on within ESnet. Highly dependent on the policy enforcement point, as flexible as the hardware allows and totally independent of the correlation engine.

21 Stretch Goals Leverage machine learning Automate and learn from events
Leverage high power, out of band resources to discover patterns and similarities not easily seen otherwise Add additional bro sensors across the WAN Monitor low speed infrastructure “in the wild” Integrate Layer 7 patterns Keep adding data sources Move processing to the cloud Integrate into NSF CICI project # (Secure SDX) Build on orchestration with machine learning. Lets us leverage very high powered out of band resources like compute clusters, etc., to compare and contrast many different data sources such as routing topology and DNBs query log data.

22 Correlated Security Enforcement - Analogs
Commercial options are few and far between Mostly enterprise focused Some WAN options - but mostly different or incomplete Components are plentiful Build it like Lego Apache Metron Kentik Arbor ?

23 “Code or it didn’t happen”
Code available at (private repository): As we expand development we will make this public. If you’d like to participate we can probably work something out.

24 Contact Contact Nick Buraglio (ESnet) buraglio@es.net
Ralph Koning (UvA)

Download ppt "Correlated Security Enforcement"

Similar presentations

Network II.5 simulator ..

Network II.5 simulator ..
TSpaces Services Suite: Automating the Development and Management of Web Services Presenter: Kevin McCurley IBM Almaden Research Center Contact: Marcus.

TSpaces Services Suite: Automating the Development and Management of Web Services Presenter: Kevin McCurley IBM Almaden Research Center Contact: Marcus.
Private and Confidential ThinkControl & ProLiant Essentials Rapid Deployment Pack.

Private and Confidential ThinkControl & ProLiant Essentials Rapid Deployment Pack.
Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:
1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.

1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.
Components and Architecture CS 543 – Data Warehousing.

Components and Architecture CS 543 – Data Warehousing.
1 Location-Based Services Using GSM Cell Information over Symbian OS Final Year Project LYU0301 Mok Ming Fai (mfmok1) Lee Kwok Chau (leekc1)

1 Location-Based Services Using GSM Cell Information over Symbian OS Final Year Project LYU0301 Mok Ming Fai (mfmok1) Lee Kwok Chau (leekc1)
Chapter 9: Moving to Design

Chapter 9: Moving to Design
Workflow API and workflow services A case study of biodiversity analysis using Windows Workflow Foundation Boris Milašinović Faculty of Electrical Engineering.

Workflow API and workflow services A case study of biodiversity analysis using Windows Workflow Foundation Boris Milašinović Faculty of Electrical Engineering.
A Brief Overview by Aditya Dutt March 18 th ’ 2014 1Aditya Inc.

A Brief Overview by Aditya Dutt March 18 th ’ Aditya Inc.
ArcGIS Workflow Manager An Introduction

ArcGIS Workflow Manager An Introduction
Cloud Computing for the Enterprise November 18th, 2011. This work is licensed under a Creative Commons.

Cloud Computing for the Enterprise November 18th, This work is licensed under a Creative Commons.
 Cloud computing  Workflow  Workflow lifecycle  Workflow design  Workflow tools : xcp, eucalyptus, open nebula.

 Cloud computing  Workflow  Workflow lifecycle  Workflow design  Workflow tools : xcp, eucalyptus, open nebula.
INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.

INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.
IT 456 Seminar 5 Dr Jeffrey A Robinson. Overview of Course Week 1 – Introduction Week 2 – Installation of SQL and management Tools Week 3 - Creating and.

IT 456 Seminar 5 Dr Jeffrey A Robinson. Overview of Course Week 1 – Introduction Week 2 – Installation of SQL and management Tools Week 3 - Creating and.
2007. Software Engineering Laboratory, School of Computer Science S E Web-Harvest Web-Harvest: Open Source Web Data Extraction tool 이재정 Software Engineering.

2007. Software Engineering Laboratory, School of Computer Science S E Web-Harvest Web-Harvest: Open Source Web Data Extraction tool 이재정 Software Engineering.
9 Systems Analysis and Design in a Changing World, Fourth Edition.

9 Systems Analysis and Design in a Changing World, Fourth Edition.
SOFTWARE DEFINED NETWORKING/OPENFLOW: A PATH TO PROGRAMMABLE NETWORKS April 23, 2012 © 2011-2012 Brocade Communications Systems, Inc.

SOFTWARE DEFINED NETWORKING/OPENFLOW: A PATH TO PROGRAMMABLE NETWORKS April 23, 2012 © Brocade Communications Systems, Inc.
CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t CERN Agile Infrastructure Monitoring Pedro Andrade CERN – IT/GT HEPiX Spring 2012.

CERN IT Department CH-1211 Genève 23 Switzerland t CERN Agile Infrastructure Monitoring Pedro Andrade CERN – IT/GT HEPiX Spring 2012.
Introduction to Avaya’s SDN Architecture February 2015.

Introduction to Avaya’s SDN Architecture February 2015.

Similar presentations

Ads by Google