![Page 1: Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsau“ by Travis Carelock - CODE BLUE 2015](https://reader035.vdocument.in/reader035/viewer/2022070602/5878e3311a28abfa038b4f25/html5/thumbnails/1.jpg)
Practical Network Defense at Scale
Or Defending the
Eierlegende Wollmilchsau
whoami?
Name: Travis Carelock
Occupation: Engineer at SoundCloud
15+ years experience in the IT and security fields… wow, I’m old……
Building Defense
What are we trying to Accomplish?
Stop the HACK4RS!!
not realistic
node
our servers
Eierlegende Wollmilchsau /ˌaɪ̯ɐ.leːɡəndə ˈvɔl.mɪlç.zaʊ̯/
Don’t Panic. Start Simple.
Goals
• Investigate Network Traffic
• Network Traffic Rules with Alerts
• Forensic evidence and long term analysis
Investigate Network Traffic
IPs? Rx/Tx? Ports?
Traffic Rules
Forensics and Analysis
What are the Sources of Truth?
Data Integrity
• How Consistent?
• How Independent?
• Ease of Corruption?
• Confidence Score?
• Retention Policy?
Normalize Logs
timestamp
Normalize Logs
data transfer
Tag Logs
“src_ip”
Tag Logs
“dst_ip”
Type Logs
Integer
Type Logs
IP
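The normalize, tag and type steps from the preceding slides carried through as one added example (my code, not the speaker's): two constructed records of the same connection, as a firewall log line and as a JSON flow record, are mapped onto one schema with UTC epoch-millisecond timestamps, byte counts, src_ip/dst_ip tags and typed ports and addresses. The field names and the log formats are assumptions for illustration.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample records (not from the talk): one connection, two sources.
FIREWALL_LINE = ("1446706800 ACCEPT src=10.0.0.50 spt=23463 "
                 "dst=10.1.1.255 dpt=3306 sent=12.5KB")
FLOW_JSON = ('{"ts": "2015-11-05T08:00:00+01:00", "client": "10.0.0.50", '
             '"client_port": "23463", "server": "10.1.1.255", "server_port": "3306", "bytes_out": "12800"}')
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
FW_RE = re.compile(r"^(?P<ts>\d+) \S+ src=(?P<src>\S+) spt=(?P<spt>\d+) "
                   r"dst=(?P<dst>\S+) dpt=(?P<dpt>\d+) sent=(?P<sent>\S+)$")

def to_bytes(value):
    """Normalize a data-transfer field ('12.5KB', '12800') to integer bytes."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)?", value.strip(), re.I)
    if not m:
        raise ValueError(f"unparseable transfer value: {value!r}")
    return int(float(m.group(1)) * UNITS[(m.group(2) or "B").upper()])

def to_utc_ms(ts):
    """Normalize epoch seconds or ISO-8601 with offset to UTC epoch milliseconds."""
    if str(ts).isdigit():
        dt = datetime.fromtimestamp(int(ts), tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(str(ts))
        if dt.tzinfo is None:  # naive local time cannot be correlated safely
            raise ValueError(f"timestamp without UTC offset: {ts!r}")
        dt = dt.astimezone(timezone.utc)
    return int(dt.timestamp() * 1000)

def normalize(fields, source):
    """Tag fields with common names and cast to real types (int, IP address)."""
    # ipaddress.ip_address raises ValueError on a malformed address: reject, don't index.
    return {
        "source": source,
        "@timestamp": to_utc_ms(fields["ts"]),
        "src_ip": str(ipaddress.ip_address(fields["src"])),
        "src_port": int(fields["spt"]),
        "dst_ip": str(ipaddress.ip_address(fields["dst"])),
        "dst_port": int(fields["dpt"]),
        "bytes": to_bytes(fields["sent"]),
    }

def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        raise ValueError("unrecognised firewall line")
    return normalize(m.groupdict(), "firewall")

def parse_flow(text):
    j = json.loads(text)
    return normalize({"ts": j["ts"], "src": j["client"], "spt": j["client_port"], "dst": j["server"],
                      "dpt": j["server_port"], "sent": j["bytes_out"]}, "flow")
```

Once both sources land in the same shape, a single query on src_ip, dst_port and a time window answers "what connects to what" regardless of which sensor saw it.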
What is in the toolbox?
Shoulders of Giants.
(me, standing on the shoulders of Elasticsearch)
Your hands will get dirty
write!!
What is the target?
What connects?
To what?
SD
Dependency
Automate
10.0.0.50:23463 -> 10.1.1.255:3306
Current View of the World
False Positives
• Better Query Design
• Blocking
• Policy and Guidelines
• Additional Services
Not all anomalies are created equal
What about Alert: Actions?
Create Feedback Cycle
Query External Services
ALERT!
Fatigue!
User Interface?
Query Tools
History
Alert Management & Search Help
Dashboard Generation
…but how well is it working??
Automated Tests
System Security
Network and Dependency Investigations
Questions
What goals am I trying to accomplish?
What are the sources of truth?
What tools would work best?
What is an anomaly?
Am I correlating the alerts?
What about user experience?
Is the system robust and secure?
What else can I do with all the data?
you!
Keep Fighting!!!
name: travis carelock
twitter: @l3d
email: [email protected]
pgp: 463E B548 F3B1 F879 4589 6505 E417 7480 D1A4 A990
private: [email protected]
pgp: 4CFC 8E69 4A07 59F2 4508 8A39 0AFA 9CC3 2D65 031E
otr: [email protected]: 40FCAFD7 FAA097B6 29BE95CE 6740E37E 0790E295
SoundCloud is hiring!
Web: http://soundcloud.com/jobs
Email: [email protected]
Thank You!
Special Thank You to Code Blue and the Organisers!