Practical Network Defense at Scale

Or Defending the

Eierlegende Wollmilchsau

whoami?

Name: Travis Carelock

Occupation: Engineer at

15+ years experience in the IT and security fields… wow, I’m old……

BuildingDefense

What are we trying to Accomplish?

Stop the HACK4RS!!

not realistic

node

our servers

our servers

/ˌaɪ̯ɐ.leːɡəndə ˈvɔl.mɪlç.zaʊ̯/Eierlegende Wollmilchsau

Don’t Panic. Start Simple.

Goals

• Investigate Network Traffic

• Network Traffic Rules with Alerts

• Forensic evidence and long term analysis

IPs? Rx/Tx?Ports?

Investigate Network Traffic

Traffic Rules

Forensics and Analysis

What are the Sources of Truth?

• How Consistent?

• How Independent?

• Ease of Corruption?

• Confidence Score?

• Retention Policy?

Data Integrity

Normalize Logs

timestamp

Normalize Logs

data transfer

Tag Logs

“src_ip”

Tag Logs

“’dst_ip”

Type Logs

Integer

Type Logs

IP

What is in the

toolbo

x?

Shoulder of Giants.• Animate of me on should of ES.

me

elasticsearch

Your hands will get

dirtywrite !!

is

Whatthe

target?

What connects?

To what?

SD

Dependency

Automate

10.0.0.50:23463 -> 10.1.1.255:3306

Current View of the World

False Positives-Better Query Design

-Blocking-Policy and Guidelines-Additional Services

Not all anomalies are created equal

What about Alert: Actions?

Create Feedback Cycle

Query External Services

ALERT!

Fatigue!

User Interface?

Query Tools

HistoryAlert Management &

Search Help

Dashboard Generation

….but how well is it working??

Automated

Tests

System Security

Network and Dependency Investigations

QuestionsWhat goals am I trying to accomplish?

What are the sources of truth?

What tools would work best?

What is an anomaly?

Am I correlating the alerts?

What about user experience?

Is the system robust and secure?

What else can I do with all the data?

you!

KeepFighting!!!

name: travis carelock twitter: @l3d email: travis@soundcloud.com pgp: 463E B548 F3B1 F879 4589 6505 E417 7480 D1A4 A990 private: travis@carelock.net pgp: 4CFC 8E69 4A07 59F2 4508 8A39 0AFA 9CC3 2D65 031E otr: l3d@dukgo.comfingerprint: 40FCAFD7 FAA097B6 29BE95CE 6740E37E 0790E295

is hiring!

Web: http://soundcloud.com/jobsEmail: jobs@soundcloud.com

Thank You!Special Thank You to Code Blue and the Organisers!