Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf 2014
Download as PPTX, PDF5 likes2,610 views
The presentation discusses the evolution of network security threats and the limitations of compliance as a measure of security. It emphasizes the importance of advanced network security monitoring (NSM) over traditional methods and highlights six key takeaways, including the need for rapid deployment of updates and the significance of proper tool placement. The speakers, Mike Pananen and Chris Nyhuis, from Vigilant LLC, provide insights into leveraging Puppet for efficient security management.
![25
package { ‘snort’:
ensure => present,
}->
file { ‘/etc/snort/rules:
ensure => directory,
owner => ‘snort’,
group => ‘snort’,
mode => '0660',
recurse => true,
purge => true,
force => true,
show_diff => false,
source => ‘puppet:///modules/snort/rules',
notify => Service[‘snort’],
}->
file { ‘/etc/snort/snort.conf’:
ensure => present,
owner => ‘snort’,
group => ‘snort’,
mode => ‘0660’,
source => ‘puppet:///modules/snort/snort.conf',
notify => Service[‘snort’],
}->
service { ‘snort’:
ensure => running
enable => true,
}
Deploy
Snort
with
Puppet
Know More. Secure More](https://image.slidesharecdn.com/managingnetworksecuritymonitoringatlargescalewithpuppet-michaelpananenchrisnyhuisvigilanttechnologys-140925200304-phpapp01/85/Managing-Network-Security-Monitoring-at-Large-Scale-with-Puppet-PuppetConf-2014-25-320.jpg)
Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf 2014
- 1. Managing Network Security with Puppet 1 Presented by: Mike Pananen – Vigilant LLC. Chris Nyhuis – Vigilant LLC. 9/26/2014 Puppet Conf Sept 24th, 2014 Know More. Secure More
- 2. 2 Mike Pananen mpananen@vigilantnow.com Twitter: @panaman13 • Master of Puppets at Vigilant • Worked with Puppet since 2011 • Built Global NSM Sensor grids 500+ Sensors. Know More. Secure More
- 3. 3 Chris Nyhuis cnyhuis@vigilantnow.com Twitter: @vigilance_one • Owner of Vigilant Technology Solutions an IT Cyber Security Firm based in Cincinnati. • In Security and IT Industry 17 Years • Cyber Security Instructor at Advanced Technical Intelligence Center (Dayton) • Passionate about Orphan Care Know More. Secure More
- 4. 4 Agenda • Understanding the Problem • How attacks have changed and the Security industry hasn’t • Why NSM is important • Lower your Security Operations Costs with Puppet Know More. Secure More
- 5. 5 Understanding the Problem: The Compliance and Security Myth Compliance • PCI • HIPPAA • IRS Regulations • Controls • Policy • Visibility • Process Security to learn from attacks • Ability to adapt defenses • Real-Time action required Know More. Secure More
- 6. 6 Understanding the Problem The Compliance and Security Myth Compliance • Vulnerability • PCI/HIPPAA • IRS Regulations • Controls • Policy Security • Visibility • Process to learn from attacks • Ability to adapt defenses • Real-Time action required Know More. Secure More
- 7. 7 What do these companies have in common? Neiman Marcus HealthNet Know More. Secure More
- 8. 130,000,000 8 What do these companies have in common? They were all compliant… HealthNet Heartland 52,000,000 145,000,000 70,000,000 94,000,000 1,500,000 92,000,000 3,900,000 24,000,000 Know More. Secure More
- 9. 9 Ponemon’s Cost of Data Breach Study: Global Study, sponsored by IBM. Studied 314 companies spanning 10 countries.. • Average total cost of a Data Breach increased by 15% • Average of $3.5 million • Cost per record is $145.00 • Your Reputation is priceless Know More. Secure More
- 10. 10 Take Away #1 Security is not the same as Compliance – Security is a balance of Control and Visibility Know More. Secure More
- 11. 11 Understanding the Problem: The threats have changed Before • Random Small Attacks • Attackers were more randomly skilled • I’m too small - Big targets were the focus Today • Highly designed organized attacks • Attackers are skilled - APT • Attacks are coming through supply chain Know More. Secure More
- 12. 12 Take Away #2 SMB is the new gateway – Protect your reputation you may be the path Know More. Secure More
- 13. 13 Understanding the Problem: Threat protection has changed Before • Signatures - The Herd Mentality Protection Today • Attacks are more targeted Know More. Secure More
- 14. That is why… • 54% of malware typically evades anti-virus detection • Less than 2% of breaches are detected in the first 24 14 hours, less than 46% in the first 30 days • 60% of breaches have data exfiltrated in first 24 hours • A Trustwave study considered 450 global data breach investigations, as well as thousands of penetration tests and scans. It found that the average time between an initial breach and detection was 210 days. In 2011 it was 90 Days. • Over 92% of breaches are discovered by a third party or customer Know More. Secure More
- 15. 15 And because of that… Symantec's senior vice president Brian Dye declared last quarter to the Wall Street Journal that antivirus "is dead." Know More. Secure More
- 16. 16 Understanding the Problem: The threat protection has changed Before • Signatures - The Herd Mentality Protection • Automated Alerting • UTM / Trad Firewalls on perimeter 100% Secure Today • Attacks are more targeted • Combination of Automation and People • Anomaly Detection -They are in, find them quick Know More. Secure More
- 17. 17 Take Away #3 Signature Based Detection is a layer, it should be a layer of your protection just not your only one. Know More. Secure More
- 18. 18 NSM vs IDS IDS - “Possible Bad thing Detected – 10.0.9.5” NSM – “Possible Bad thing Detected – 10.0.9.5” -> Intel hit – badguydomain.com -> HTTP – 10.0.9.5 visited http://badguydomain.com/badstuff on port 80 -> Session tracked 10.0.9.5 using FTP on IP 58.14.0.69 -> Packet capture – Detailed Map of incident including files -> Trace what else that IP talked to on your network -> Analyze badguy files -> Create new signatures/intelligence if needed to detect actor Know More. Secure More
- 19. 19 Advanced Network Security Monitoring Know More. Secure More
- 20. 20 Take Away #4 NSM Gives you the full picture Know More. Secure More
- 21. 21 Lower Your Costs - Use tools to Catch them early Know More. Secure More
- 22. 22 NSM tools OPEN SOURCE TECHNOLOGY IDS FLOW HTTP PCAP Know More. Secure More
- 23. 23 NSM - IDS Tools Snort http://www.snort.org Suricata http://suricata-ids.org Bro http://www.bro.org Know More. Secure More
- 24. 24 Rules Write your own, download free or purchased rules Emerging Threats http://www.emergingthreats.org ETOpen, ETPro Snort Community Rules https://www.snort.org/downloads Vulnerability Research Team https://www.snort.org/vrt Know More. Secure More
- 25. 25 package { ‘snort’: ensure => present, }-> file { ‘/etc/snort/rules: ensure => directory, owner => ‘snort’, group => ‘snort’, mode => '0660', recurse => true, purge => true, force => true, show_diff => false, source => ‘puppet:///modules/snort/rules', notify => Service[‘snort’], }-> file { ‘/etc/snort/snort.conf’: ensure => present, owner => ‘snort’, group => ‘snort’, mode => ‘0660’, source => ‘puppet:///modules/snort/snort.conf', notify => Service[‘snort’], }-> service { ‘snort’: ensure => running enable => true, } Deploy Snort with Puppet Know More. Secure More
- 26. 26 BRO Swiss army knife in your NSM tool box Notice Framework - Network anomaly and and scripted alerts Intel Framework - Network Intelligence detection, ip, domain, email, etc conn.log 1410156004.036451 C3SZcg4BiqLox95C6f 172.16.30.90 56978 10.10.20.60 8140 tcp ssl0.287418 4045 6226 SF T 0 ShADadfF 13 4729 13 6910 (empty) - - http.log 1410576714.203766 CcyC7F3M9pCMaEauR 10.0.20.3 50495 192.0.72.2 80 1 GET thechive.files.wordpress.com /2012/10/porn-stars-before-makeup-after-with-without-13.jpg?w=500&h=326 - Mozilla/4.0 (compatible;) 0 0 304 Not Modified - - - (empty) - - - - - - - - - FQY9eR3W1hezAV1yRhtext/plain smtp.log 1411473791.484895 C5Ulst3pXPGQ9Twt8h 10.0.4.5 57378 21.8.8411925 1 yaawfquh5.visime.eu <WonderHose@visime.eu> <billgates@microsoft.com> Tue, 23 Sep 2014 05:03:10 -0700 "Wonder <57691741739649757694320462663@yaawfquh5.visime.eu> - This hose contracts when the water stops! Other logs: dns, smtp, dhcp, dpd, intel, notice, ssl, ssh, software ………. Know More. Secure More
- 27. 27 Free Intel Sources (atomic indicators) http://www.malwaredomains.com Bad Domain Names https://zeustracker.abuse.ch IP List and Domain Names http://www.emergingthreats.com IP List Know More. Secure More
- 28. 28 Deploy Bro with Puppet https://forge.puppetlabs.com/panaman/bro class { 'bro': int => 'bond0', } Know More. Secure More
- 29. 29 PCAP FULL PACKET CAPTURE netsniff-ng http://netsniff-ng.org daemonlogger http://sourceforge.net/projects/daemonlogger/ tcpdump http://www.tcpdump.org Know More. Secure More
- 30. 30 /usr/sbin/netsniff-ng -i bond0 -s -J -F 500MiB -o /nsm/pcap/$(date "+%Y-%m-%d") Know More. Secure More
- 31. 31 Take Away #5 Puppet can deploy new configs, signatures and inteligence to your sensors quickly. Speed is important in NSM Know More. Secure More
- 32. 32 Network Tap http://www.networkinstruments.com/products/ntaps/index.php http://dual-comm.com http://www.netoptics.com/products/network-taps http://www.gigamon.com/network-tap Know More. Secure More
- 33. Tap Placement - True source and true destination. Know More. Secure More 33
- 34. 34 Take Away #6 Correct TAP Placement is as important and the right tools. Know More. Secure More
- 35. 35 Log Management ElasticSearch http://www.elasticsearch.org Splunk http://www.splunk.com Elsa https://code.google.com/p/enterprise-log-search-and-archive/ Know More. Secure More
- 36. Know More. Secure More 36
- 37. Know More. Secure More 37
- 38. 38 Six Take Aways 1. Security is not the same as Compliance 2. SMB is the new gateway – Protect your reputation you may be the path 3. Signature Based Detection is a layer, it should be a layer of your protection just not your only one. 4. NSM Gives you the full picture 5. Speed is key - Deploy Rules immediately with Puppet. 6. Correct TAP Placement is as important and the right tools. Know More. Secure More
- 39. 39 Puppet Conf 2014 - Questions Mike Pananen mpananen@vigilantnow.com Twitter @panaman13 Chris Nyhuis cnyhuis@vigilantnow.com Twitter @vigilance_one Know More. Secure More