SlideShare ist ein Scribd-Unternehmen logo

Network Security Monitoring - Theory and Practice

Michael Boman
Michael Boman

Network Security Monitoring: Theory and Practice presentation for EUSecWest '06 conference 2006/02/21

Technologie
1 von 22
Downloaden Sie, um offline zu lesen
Network Security Monitoring – Theory and Practice Network Security Monitoring Theory and Practice Michael Boman IT Security Researcher and Developer proxy@11a.nu | http://proxy.11a.nu
Network Security Monitoring – Theory and Practice About Me ● Born in Sweden, been working in Singapore for the last 6 years ● Spent the last 5 years specializing in IT Security ● Currently working for KPMG Singapore
Network Security Monitoring – Theory and Practice Agenda ● Network Security Monitoring (NSM) Theory ● Network Security Monitoring (NSM) Practice
Network Security Monitoring – Theory and Practice Assumptions ● Some intruders are smarter than you ● Intruders are unpredictable ● Prevention eventually fails
Network Security Monitoring – Theory and Practice Limitations of Alert Based Approach 1)IDS generates an alert when a packet is matched 2)Analyst's interface displays the offending packet 3)Analyst trying to make decision regarding if the event is a false positive or if the incident response team needs to be informed 4)Usually no other information is easily available to the analyst to make a more informed judgement (if any was collected in the first place)
Network Security Monitoring – Theory and Practice History of NSM ● 1980 – “Computer Security Threat Monitoring and Surveillance” (James P. Anderson) ● 1990 – “A Network Security Monitor” (L. Todd Heberlein et al.) ● 2002 – “Network Security Monitoring” (Bamm Visscher & Richard Bejtlich) – Defined NSM as “the collection, analysis and escalation of indications and warnings (I&W) to detect and respond to intrusions”
Network Security Monitoring – Theory and Practice What is NSM? ● Collection ● Analysis ● Escalation
Network Security Monitoring – Theory and Practice NSM Data Types ● Alert data ● Statistical ● Session ● Full content Less More Storage requirement
Network Security Monitoring – Theory and Practice Data Collection ● Collect as much data you legally and technically can
Network Security Monitoring – Theory and Practice Data Collection ● Sometimes you can't collect everything, but consider this: – Data sampling is better than nothing – Traffic analysis is better than nothing
Network Security Monitoring – Theory and Practice NSM's role in Incident Response ● What else did the intruder potentially compromise? ● What tools did he download? ● Who else do we need to inform?
Network Security Monitoring – Theory and Practice NSM in practice - Sguil ● Sguil is an open source project whose tag line is “For Analysts - By Analysts” ● Written in TCL/TK by Bamm Visscher, with many contributors (including myself) ● Sensor / Server / Client architecture
Network Security Monitoring – Theory and Practice History of Sguil ● SPREG – Proprietary in-house ancestor of Sguil developed in Perl/TK, around 2000-2001 ● Sguil development started late 2002 ● First public release was 0.2, May 2003 ● Current version is 0.6.1
Network Security Monitoring – Theory and Practice Sguil Analyst Console
Network Security Monitoring – Theory and Practice Sguil Framework Demo
Network Security Monitoring – Theory and Practice Future of Sguil ● PADS (Passive Asset Detection System) Integration ● SnortSAM Integration ● Snort rule management
Network Security Monitoring – Theory and Practice NSM in the Real World ● Who is using it – Fortune 500 Companies – US Government Labs – Universities – MSSPs
Network Security Monitoring – Theory and Practice NSM in the Real World ● Real life success stories – Charles Tomlin used Sguil to track down a recent compromise ● http://www.ecs.soton.ac.uk/~cet/2006-01-01.html
Network Security Monitoring – Theory and Practice NSM in the Real World ● NSM Products / Projects – Apparently Sguil is the only public available product / project that utilizes NSM methodology
Network Security Monitoring – Theory and Practice What NSM is Not ● NSM Is Not Device Management ● NSM Is Not Security Event Management ● NSM Is Not Network-Based Forensics ● NSM Is Not Intrusion Prevention
Network Security Monitoring – Theory and Practice Books ● The Tao of Network Security Monitoring: Beyond Intrusion Detection – By Richard Bejtlich – Publisher: Addison-Wesley; ISBN: 0321246772 ● Extrusion Detection: Security Monitoring for Internal Intrusions – By Richard Bejtlich – Publisher: Addison-Wesley; ISBN 0321349962
Network Security Monitoring – Theory and Practice Thank You Questions? There is no secure end-state – only eternal vigilance My Website is at http://proxy.11a.nu Sguil can be downloaded at http://www.sguil.net

Empfohlen

System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...
System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...
System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...NECST Lab @ Politecnico di Milano
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 
Lesson 3
Lesson 3Lesson 3
Lesson 3MLG College of Learning, Inc
 
Lesson 1- Intrusion Detection
Lesson 1- Intrusion DetectionLesson 1- Intrusion Detection
Lesson 1- Intrusion DetectionMLG College of Learning, Inc
 
Lesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSLesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSMLG College of Learning, Inc
 
Ise viii-information and network security [10 is835]-solution
Ise viii-information and network security [10 is835]-solutionIse viii-information and network security [10 is835]-solution
Ise viii-information and network security [10 is835]-solutionVivek Maurya
 
Cybersecurity Summit AHR20 Recover Tridium
Cybersecurity Summit AHR20 Recover TridiumCybersecurity Summit AHR20 Recover Tridium
Cybersecurity Summit AHR20 Recover TridiumCimetrics Inc
 
Fundamentals of threats and risk management course, cybersecurity
Fundamentals of threats and risk management course, cybersecurityFundamentals of threats and risk management course, cybersecurity
Fundamentals of threats and risk management course, cybersecurityTonex
 

Empfohlen

System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...
System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...
System Security @ NECSTLab and Breaking the Laws of Robotics: Attacking Indus...NECST Lab @ Politecnico di Milano
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 
Lesson 3
Lesson 3Lesson 3
Lesson 3MLG College of Learning, Inc
 
Lesson 1- Intrusion Detection
Lesson 1- Intrusion DetectionLesson 1- Intrusion Detection
Lesson 1- Intrusion DetectionMLG College of Learning, Inc
 
Lesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSLesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSMLG College of Learning, Inc
 
Ise viii-information and network security [10 is835]-solution
Ise viii-information and network security [10 is835]-solutionIse viii-information and network security [10 is835]-solution
Ise viii-information and network security [10 is835]-solutionVivek Maurya
 
Cybersecurity Summit AHR20 Recover Tridium
Cybersecurity Summit AHR20 Recover TridiumCybersecurity Summit AHR20 Recover Tridium
Cybersecurity Summit AHR20 Recover TridiumCimetrics Inc
 
Fundamentals of threats and risk management course, cybersecurity
Fundamentals of threats and risk management course, cybersecurityFundamentals of threats and risk management course, cybersecurity
Fundamentals of threats and risk management course, cybersecurityTonex
 
Lesson 3
Lesson 3Lesson 3
Lesson 3MLG College of Learning, Inc
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 
Chapter 1 Presentation
Chapter 1 PresentationChapter 1 Presentation
Chapter 1 PresentationAmy McMullin
 
Information Security Aspects of the Public Safety Data Interoperability Network
Information Security Aspects of the Public Safety Data Interoperability NetworkInformation Security Aspects of the Public Safety Data Interoperability Network
Information Security Aspects of the Public Safety Data Interoperability NetworkBlaz Ivanc
 
Understanding Technology Stakeholders
Understanding Technology StakeholdersUnderstanding Technology Stakeholders
Understanding Technology StakeholdersJohn Gilligan
 
All about Cyber Security - From the perspective of a MS student
All about Cyber Security - From the perspective of a MS studentAll about Cyber Security - From the perspective of a MS student
All about Cyber Security - From the perspective of a MS studentApurv Singh Gautam
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responsejeffmcjunkin
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020Anton Chuvakin
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big DataRaffael Marty
 
Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf ...
Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf ...Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf ...
Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf ...Puppet
 
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...Savvius, Inc
 
SIEM 1 solution .pptx
SIEM 1 solution .pptxSIEM 1 solution .pptx
SIEM 1 solution .pptxAbdulrahmanMuhammadB
 
Network security monitoring with open source tools
Network security monitoring with open source toolsNetwork security monitoring with open source tools
Network security monitoring with open source toolsterriert
 
Chapter 1.ppt
Chapter 1.pptChapter 1.ppt
Chapter 1.pptssuserec53e73
 
computer architecture.ppt
computer architecture.pptcomputer architecture.ppt
computer architecture.pptPandiya Rajan
 
Chapter 1.ppt
Chapter 1.pptChapter 1.ppt
Chapter 1.pptTamer Nadeem
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapEric Johansen, CISSP
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMJim Gilsinn
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsAnton Chuvakin
 
APT Event - New York
APT Event - New YorkAPT Event - New York
APT Event - New YorkProf John Walker FRSA Purveyor Dark Intelligence
 
The tops for collecting network based evidenceyou think that your.pdf
The tops for collecting network based evidenceyou think that your.pdfThe tops for collecting network based evidenceyou think that your.pdf
The tops for collecting network based evidenceyou think that your.pdfnoelbuddy
 
security onion
security onionsecurity onion
security onionBoni Yeamin
 

Weitere ähnliche Inhalte

Was ist angesagt?

Chapter 1 Presentation
Chapter 1 PresentationChapter 1 Presentation
Chapter 1 PresentationAmy McMullin
 
Information Security Aspects of the Public Safety Data Interoperability Network
Information Security Aspects of the Public Safety Data Interoperability NetworkInformation Security Aspects of the Public Safety Data Interoperability Network
Information Security Aspects of the Public Safety Data Interoperability NetworkBlaz Ivanc
 
Understanding Technology Stakeholders
Understanding Technology StakeholdersUnderstanding Technology Stakeholders
Understanding Technology StakeholdersJohn Gilligan
 
All about Cyber Security - From the perspective of a MS student
All about Cyber Security - From the perspective of a MS studentAll about Cyber Security - From the perspective of a MS student
All about Cyber Security - From the perspective of a MS studentApurv Singh Gautam
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responsejeffmcjunkin
 

Was ist angesagt? (7)

Lesson 3
Lesson 3Lesson 3
Lesson 3
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Chapter 1 Presentation
Chapter 1 PresentationChapter 1 Presentation
Chapter 1 Presentation
 
Information Security Aspects of the Public Safety Data Interoperability Network
Information Security Aspects of the Public Safety Data Interoperability NetworkInformation Security Aspects of the Public Safety Data Interoperability Network
Information Security Aspects of the Public Safety Data Interoperability Network
 
Understanding Technology Stakeholders
Understanding Technology StakeholdersUnderstanding Technology Stakeholders
Understanding Technology Stakeholders
 
All about Cyber Security - From the perspective of a MS student
All about Cyber Security - From the perspective of a MS studentAll about Cyber Security - From the perspective of a MS student
All about Cyber Security - From the perspective of a MS student
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident response
 

Ähnlich wie Network Security Monitoring - Theory and Practice

Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020Anton Chuvakin
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big DataRaffael Marty
 
Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf ...
Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf ...Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf ...
Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf ...Puppet
 
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...Savvius, Inc
 
Network security monitoring with open source tools
Network security monitoring with open source toolsNetwork security monitoring with open source tools
Network security monitoring with open source toolsterriert
 
computer architecture.ppt
computer architecture.pptcomputer architecture.ppt
computer architecture.pptPandiya Rajan
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapEric Johansen, CISSP
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMJim Gilsinn
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsAnton Chuvakin
 
The tops for collecting network based evidenceyou think that your.pdf
The tops for collecting network based evidenceyou think that your.pdfThe tops for collecting network based evidenceyou think that your.pdf
The tops for collecting network based evidenceyou think that your.pdfnoelbuddy
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk
 
Enterprise Security and User Behavior Analytics
Enterprise Security and User Behavior AnalyticsEnterprise Security and User Behavior Analytics
Enterprise Security and User Behavior AnalyticsSplunk
 
Big Data Analytics to Enhance Security คุณอนพัทย์ พิพัฒน์กิติบดี Technical Ma...
Big Data Analytics to Enhance Security คุณอนพัทย์ พิพัฒน์กิติบดี Technical Ma...Big Data Analytics to Enhance Security คุณอนพัทย์ พิพัฒน์กิติบดี Technical Ma...
Big Data Analytics to Enhance Security คุณอนพัทย์ พิพัฒน์กิติบดี Technical Ma...BAINIDA
 

Ähnlich wie Network Security Monitoring - Theory and Practice (20)

Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big Data
 
Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf ...
Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf ...Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf ...
Managing Network Security Monitoring at Large Scale with Puppet - PuppetConf ...
 
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
 
SIEM 1 solution .pptx
SIEM 1 solution .pptxSIEM 1 solution .pptx
SIEM 1 solution .pptx
 
Network security monitoring with open source tools
Network security monitoring with open source toolsNetwork security monitoring with open source tools
Network security monitoring with open source tools
 
Chapter 1.ppt
Chapter 1.pptChapter 1.ppt
Chapter 1.ppt
 
computer architecture.ppt
computer architecture.pptcomputer architecture.ppt
computer architecture.ppt
 
Chapter 1.ppt
Chapter 1.pptChapter 1.ppt
Chapter 1.ppt
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM Gap
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
 
APT Event - New York
APT Event - New YorkAPT Event - New York
APT Event - New York
 
The tops for collecting network based evidenceyou think that your.pdf
The tops for collecting network based evidenceyou think that your.pdfThe tops for collecting network based evidenceyou think that your.pdf
The tops for collecting network based evidenceyou think that your.pdf
 
security onion
security onionsecurity onion
security onion
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior Analytics
 
Enterprise Security and User Behavior Analytics
Enterprise Security and User Behavior AnalyticsEnterprise Security and User Behavior Analytics
Enterprise Security and User Behavior Analytics
 
The Future of DevSecOps
The Future of DevSecOpsThe Future of DevSecOps
The Future of DevSecOps
 
Big Data Analytics to Enhance Security คุณอนพัทย์ พิพัฒน์กิติบดี Technical Ma...
Big Data Analytics to Enhance Security คุณอนพัทย์ พิพัฒน์กิติบดี Technical Ma...Big Data Analytics to Enhance Security คุณอนพัทย์ พิพัฒน์กิติบดี Technical Ma...
Big Data Analytics to Enhance Security คุณอนพัทย์ พิพัฒน์กิติบดี Technical Ma...
 
CRYPTOGRAPHY & NETWORK SECURITY
CRYPTOGRAPHY & NETWORK SECURITYCRYPTOGRAPHY & NETWORK SECURITY
CRYPTOGRAPHY & NETWORK SECURITY
 

Mehr von Michael Boman

How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
 
44CON 2014: Using hadoop for malware, network, forensics and log analysis
44CON 2014: Using hadoop for malware, network, forensics and log analysis44CON 2014: Using hadoop for malware, network, forensics and log analysis
44CON 2014: Using hadoop for malware, network, forensics and log analysisMichael Boman
 
DEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionDEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionMichael Boman
 
44CON 2013 - Controlling a PC using Arduino
44CON 2013 - Controlling a PC using Arduino44CON 2013 - Controlling a PC using Arduino
44CON 2013 - Controlling a PC using ArduinoMichael Boman
 
Malware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMalware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMichael Boman
 
Malware analysis as a hobby (Owasp Göteborg)
Malware analysis as a hobby (Owasp Göteborg)Malware analysis as a hobby (Owasp Göteborg)
Malware analysis as a hobby (Owasp Göteborg)Michael Boman
 
Malware Analysis as a Hobby
Malware Analysis as a HobbyMalware Analysis as a Hobby
Malware Analysis as a HobbyMichael Boman
 
Malware analysis as a hobby - the short story (lightning talk)
Malware analysis as a hobby - the short story (lightning talk)Malware analysis as a hobby - the short story (lightning talk)
Malware analysis as a hobby - the short story (lightning talk)Michael Boman
 
Sans och vett på Internet
Sans och vett på InternetSans och vett på Internet
Sans och vett på InternetMichael Boman
 
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...Michael Boman
 
Hur man kan testa sin HTTPS-server
Hur man kan testa sin HTTPS-serverHur man kan testa sin HTTPS-server
Hur man kan testa sin HTTPS-serverMichael Boman
 
OWASP AppSec Research 2010 - The State of SSL in the World
OWASP AppSec Research 2010 - The State of SSL in the WorldOWASP AppSec Research 2010 - The State of SSL in the World
OWASP AppSec Research 2010 - The State of SSL in the WorldMichael Boman
 
Enkla hackerknep för testare
Enkla hackerknep för testareEnkla hackerknep för testare
Enkla hackerknep för testareMichael Boman
 
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08Michael Boman
 
USB (In)Security 2008-08-22
USB (In)Security 2008-08-22USB (In)Security 2008-08-22
USB (In)Security 2008-08-22Michael Boman
 
Automatic Malware Analysis 2008-09-19
Automatic Malware Analysis 2008-09-19Automatic Malware Analysis 2008-09-19
Automatic Malware Analysis 2008-09-19Michael Boman
 
Overcoming USB (In)Security
Overcoming USB (In)SecurityOvercoming USB (In)Security
Overcoming USB (In)SecurityMichael Boman
 
Privacy in Wireless Networks
Privacy in Wireless NetworksPrivacy in Wireless Networks
Privacy in Wireless NetworksMichael Boman
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux SecurityMichael Boman
 

Mehr von Michael Boman (20)

How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradication
 
44CON 2014: Using hadoop for malware, network, forensics and log analysis
44CON 2014: Using hadoop for malware, network, forensics and log analysis44CON 2014: Using hadoop for malware, network, forensics and log analysis
44CON 2014: Using hadoop for malware, network, forensics and log analysis
 
DEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And AttributionDEEPSEC 2013: Malware Datamining And Attribution
DEEPSEC 2013: Malware Datamining And Attribution
 
44CON 2013 - Controlling a PC using Arduino
44CON 2013 - Controlling a PC using Arduino44CON 2013 - Controlling a PC using Arduino
44CON 2013 - Controlling a PC using Arduino
 
Malware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring BudgetMalware Analysis on a Shoestring Budget
Malware Analysis on a Shoestring Budget
 
Malware analysis as a hobby (Owasp Göteborg)
Malware analysis as a hobby (Owasp Göteborg)Malware analysis as a hobby (Owasp Göteborg)
Malware analysis as a hobby (Owasp Göteborg)
 
Malware Analysis as a Hobby
Malware Analysis as a HobbyMalware Analysis as a Hobby
Malware Analysis as a Hobby
 
Malware analysis as a hobby - the short story (lightning talk)
Malware analysis as a hobby - the short story (lightning talk)Malware analysis as a hobby - the short story (lightning talk)
Malware analysis as a hobby - the short story (lightning talk)
 
Sans och vett på Internet
Sans och vett på InternetSans och vett på Internet
Sans och vett på Internet
 
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...
 
Hur man kan testa sin HTTPS-server
Hur man kan testa sin HTTPS-serverHur man kan testa sin HTTPS-server
Hur man kan testa sin HTTPS-server
 
OWASP AppSec Research 2010 - The State of SSL in the World
OWASP AppSec Research 2010 - The State of SSL in the WorldOWASP AppSec Research 2010 - The State of SSL in the World
OWASP AppSec Research 2010 - The State of SSL in the World
 
Enkla hackerknep för testare
Enkla hackerknep för testareEnkla hackerknep för testare
Enkla hackerknep för testare
 
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
 
USB (In)Security 2008-08-22
USB (In)Security 2008-08-22USB (In)Security 2008-08-22
USB (In)Security 2008-08-22
 
Automatic Malware Analysis 2008-09-19
Automatic Malware Analysis 2008-09-19Automatic Malware Analysis 2008-09-19
Automatic Malware Analysis 2008-09-19
 
Overcoming USB (In)Security
Overcoming USB (In)SecurityOvercoming USB (In)Security
Overcoming USB (In)Security
 
Privacy in Wireless Networks
Privacy in Wireless NetworksPrivacy in Wireless Networks
Privacy in Wireless Networks
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux Security
 

Kürzlich hochgeladen

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Kürzlich hochgeladen (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Network Security Monitoring - Theory and Practice

  • 1. Network Security Monitoring – Theory and Practice Network Security Monitoring Theory and Practice Michael Boman IT Security Researcher and Developer proxy@11a.nu | http://proxy.11a.nu
  • 2. Network Security Monitoring – Theory and Practice About Me ● Born in Sweden, been working in Singapore for the last 6 years ● Spent the last 5 years specializing in IT Security ● Currently working for KPMG Singapore
  • 3. Network Security Monitoring – Theory and Practice Agenda ● Network Security Monitoring (NSM) Theory ● Network Security Monitoring (NSM) Practice
  • 4. Network Security Monitoring – Theory and Practice Assumptions ● Some intruders are smarter than you ● Intruders are unpredictable ● Prevention eventually fails
  • 5. Network Security Monitoring – Theory and Practice Limitations of Alert Based Approach 1)IDS generates an alert when a packet is matched 2)Analyst's interface displays the offending packet 3)Analyst trying to make decision regarding if the event is a false positive or if the incident response team needs to be informed 4)Usually no other information is easily available to the analyst to make a more informed judgement (if any was collected in the first place)
  • 6. Network Security Monitoring – Theory and Practice History of NSM ● 1980 – “Computer Security Threat Monitoring and Surveillance” (James P. Anderson) ● 1990 – “A Network Security Monitor” (L. Todd Heberlein et al.) ● 2002 – “Network Security Monitoring” (Bamm Visscher & Richard Bejtlich) – Defined NSM as “the collection, analysis and escalation of indications and warnings (I&W) to detect and respond to intrusions”
  • 7. Network Security Monitoring – Theory and Practice What is NSM? ● Collection ● Analysis ● Escalation
  • 8. Network Security Monitoring – Theory and Practice NSM Data Types ● Alert data ● Statistical ● Session ● Full content Less More Storage requirement
  • 9. Network Security Monitoring – Theory and Practice Data Collection ● Collect as much data you legally and technically can
  • 10. Network Security Monitoring – Theory and Practice Data Collection ● Sometimes you can't collect everything, but consider this: – Data sampling is better than nothing – Traffic analysis is better than nothing
  • 11. Network Security Monitoring – Theory and Practice NSM's role in Incident Response ● What else did the intruder potentially compromise? ● What tools did he download? ● Who else do we need to inform?
  • 12. Network Security Monitoring – Theory and Practice NSM in practice - Sguil ● Sguil is an open source project whose tag line is “For Analysts - By Analysts” ● Written in TCL/TK by Bamm Visscher, with many contributors (including myself) ● Sensor / Server / Client architecture
  • 13. Network Security Monitoring – Theory and Practice History of Sguil ● SPREG – Proprietary in-house ancestor of Sguil developed in Perl/TK, around 2000-2001 ● Sguil development started late 2002 ● First public release was 0.2, May 2003 ● Current version is 0.6.1
  • 14. Network Security Monitoring – Theory and Practice Sguil Analyst Console
  • 15. Network Security Monitoring – Theory and Practice Sguil Framework Demo
  • 16. Network Security Monitoring – Theory and Practice Future of Sguil ● PADS (Passive Asset Detection System) Integration ● SnortSAM Integration ● Snort rule management
  • 17. Network Security Monitoring – Theory and Practice NSM in the Real World ● Who is using it – Fortune 500 Companies – US Government Labs – Universities – MSSPs
  • 18. Network Security Monitoring – Theory and Practice NSM in the Real World ● Real life success stories – Charles Tomlin used Sguil to track down a recent compromise ● http://www.ecs.soton.ac.uk/~cet/2006-01-01.html
  • 19. Network Security Monitoring – Theory and Practice NSM in the Real World ● NSM Products / Projects – Apparently Sguil is the only public available product / project that utilizes NSM methodology
  • 20. Network Security Monitoring – Theory and Practice What NSM is Not ● NSM Is Not Device Management ● NSM Is Not Security Event Management ● NSM Is Not Network-Based Forensics ● NSM Is Not Intrusion Prevention
  • 21. Network Security Monitoring – Theory and Practice Books ● The Tao of Network Security Monitoring: Beyond Intrusion Detection – By Richard Bejtlich – Publisher: Addison-Wesley; ISBN: 0321246772 ● Extrusion Detection: Security Monitoring for Internal Intrusions – By Richard Bejtlich – Publisher: Addison-Wesley; ISBN 0321349962
  • 22. Network Security Monitoring – Theory and Practice Thank You Questions? There is no secure end-state – only eternal vigilance My Website is at http://proxy.11a.nu Sguil can be downloaded at http://www.sguil.net