Scanners
Inventory all machines on site; 12,000+
nmap farm
All machines usually twice a day
Find critical vulnerabilities and issue blocks
Nessus
Homegrown tools
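The inventory and blocking loop on this slide turns on comparing one nmap run with the previous one. The script below is an added illustration, not the site's homegrown tooling: it parses nmap's greppable (-oG) output from two constructed runs, reports hosts and open ports that appeared or vanished, and lists newly exposed services that fall on a watch list. The watch list, the addresses and the two scan snippets are all made up for the example.

```python
import re

# Constructed samples of nmap greppable (-oG) output from two runs on the same
# day; hosts, ports and timing are made up for illustration.
SCAN_AM = """\
# Nmap scan initiated (constructed sample, morning run)
Host: 10.1.2.3 ()\tStatus: Up
Host: 10.1.2.3 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.1.2.4 ()\tStatus: Up
Host: 10.1.2.4 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
"""

SCAN_PM = """\
# Nmap scan initiated (constructed sample, afternoon run)
Host: 10.1.2.3 ()\tStatus: Up
Host: 10.1.2.3 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.1.2.5 ()\tStatus: Up
Host: 10.1.2.5 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")

# Constructed policy: services whose appearance gets a ticket and a block until
# someone explains them. Not the site's actual list.
WATCH_PORTS = frozenset({"445/tcp", "3389/tcp"})


def parse_greppable(text):
    """Map each IP in -oG output to the set of 'port/proto' strings found open."""
    inventory = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ports = inventory.setdefault(m.group(1), set())
        if "Ports:" in line:
            ports.update(f"{port}/{proto}" for port, proto in PORT_RE.findall(line))
    return inventory


def diff_inventories(before, after):
    """What changed between two runs: hosts that appeared, hosts that vanished,
    and open ports that appeared on hosts present in both runs."""
    new_hosts = sorted(set(after) - set(before))
    gone_hosts = sorted(set(before) - set(after))
    new_ports = {}
    for ip in set(before) & set(after):
        added = after[ip] - before[ip]
        if added:
            new_ports[ip] = sorted(added)
    return {"new_hosts": new_hosts, "gone_hosts": gone_hosts, "new_ports": new_ports}


def exposures_to_block(before, after, watch_ports=WATCH_PORTS):
    """(ip, port) pairs that are newly exposed and on the watch list: watched
    ports on a brand-new host, plus watched ports newly opened on known hosts."""
    delta = diff_inventories(before, after)
    found = []
    for ip in delta["new_hosts"]:
        found.extend((ip, p) for p in sorted(after[ip]) if p in watch_ports)
    for ip, ports in sorted(delta["new_ports"].items()):
        found.extend((ip, p) for p in ports if p in watch_ports)
    return sorted(found)


if __name__ == "__main__":
    am, pm = parse_greppable(SCAN_AM), parse_greppable(SCAN_PM)
    print(diff_inventories(am, pm))
    print(exposures_to_block(am, pm))
```

With two runs a day the diff is what an analyst actually reads; the full inventory is only the baseline. A host that vanishes is worth a look too, since it may have been re-addressed rather than retired.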
IDS
Bro cluster on 10 gig spans
Snort on 1 gig switch
Specific sigs used for Snort due to scalability and false positive issues
State based is more attractive than signature based
Sig based IDS
Used for point solutions
Simply not terribly effective @ Fermi
Question: How would you operate in an ISP's environment?
Answer: Umm... :-)
State based IDS
Used for “everything else”
Example: Alert if
HTTP connection to this server
Followed by GET of a non-PHP file
Followed by SSH outbound connection
If all of that happens in a short time frame
Sig based IDS cannot do this
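The chain on this slide is a small state machine, which is exactly what a signature engine lacks. The code below is an added example, not a Bro script from the presentation: it walks a constructed stream of connection events, keeps one piece of state per web server, and raises an alert only when HTTP connection, non-PHP GET and outbound SSH from that server all land inside the window. The 60-second window, the event shape and every address are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumption: "a short time frame" is taken to be 60 seconds.
WINDOW_SECONDS = 60


@dataclass(frozen=True)
class Event:
    ts: float        # seconds
    kind: str        # "http_conn", "http_get" or "ssh_conn"
    src: str
    dst: str
    uri: str = ""    # only meaningful for http_get


def correlate(events, window=WINDOW_SECONDS):
    """Track, per web server, the three-step chain from the slide and return
    one alert per completed chain. State is dropped once the window has passed."""
    state = {}   # server ip -> dict(stage=..., start=..., client=..., uri=...)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        # The server is the destination of HTTP events and the source of the outbound SSH.
        server = ev.src if ev.kind == "ssh_conn" else ev.dst
        st = state.get(server)
        if st is not None and ev.ts - st["start"] > window:
            state.pop(server)
            st = None
        if ev.kind == "http_conn":
            if st is None:
                state[server] = {"stage": 1, "start": ev.ts, "client": ev.src}
        elif ev.kind == "http_get" and st is not None and st["stage"] == 1:
            if not ev.uri.lower().endswith(".php"):
                st["stage"] = 2
                st["uri"] = ev.uri
        elif ev.kind == "ssh_conn" and st is not None and st["stage"] == 2:
            alerts.append({"server": server, "client": st["client"], "uri": st["uri"],
                           "ssh_dst": ev.dst, "elapsed": ev.ts - st["start"]})
            state.pop(server)
    return alerts


# Constructed event stream. 10.1.2.3 shows the full chain inside the window;
# 10.1.2.4 shows the same steps but the SSH comes far too late.
SAMPLE_EVENTS = [
    Event(0.0, "http_conn", "203.0.113.5", "10.1.2.3"),
    Event(2.0, "http_get", "203.0.113.5", "10.1.2.3", "/index.php"),
    Event(5.0, "http_get", "203.0.113.5", "10.1.2.3", "/uploads/notes.txt"),
    Event(9.0, "ssh_conn", "10.1.2.3", "198.51.100.7"),
    Event(100.0, "http_conn", "203.0.113.9", "10.1.2.4"),
    Event(103.0, "http_get", "203.0.113.9", "10.1.2.4", "/logo.jpg"),
    Event(400.0, "ssh_conn", "10.1.2.4", "198.51.100.8"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

None of the three events is suspicious on its own, which is why a per-packet signature cannot express the rule; the window is what keeps the state table small and the false-positive rate down.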
Netflow
Real-time collection of netflow
Real-time DNS name resolution of all IPs
Historical searches through netflow during incidents
Searches done via Splunk
Netflow
Primarily used for incident response
Valuable for telling who a bad guy talked to
Tells us whether we need to investigate further and, if so, how much further
Log collection
Collecting from 189 hosts
13 billion log entries, and growing, are searchable
~37.3 Gig a day intake
Will be pushing 60 gig a day with netflow
Log collection
Central syslog-ng available to all machines
Collection of central web logs
Searches via Splunk
Integration of search into enterprise programming API; CST API
Darknets and Tarpits
Monitoring all unallocated address space; class B
Valuable for detecting worms and software misconfiguration
If it touches these networks, it is suspect
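The two netflow slides and this darknet slide both reduce to questions asked of flow records: who did a compromised host talk to, and which hosts touched address space where nothing legitimate lives. The code below is an added example, not the site's Splunk searches: it parses a constructed set of exported flow records and answers both questions, one function per slide. The record layout (ts,src,dst,dport,proto,bytes), the unallocated subnets and all addresses are assumptions made for the example; the real-time DNS resolution mentioned on the netflow slide is left out because it needs the network.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple


class Flow(NamedTuple):
    ts: int
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed sample of exported flow records (ts,src,dst,dport,proto,bytes);
# not real traffic. 10.1.2.9 is sweeping an unallocated /24 on port 445.
SAMPLE_FLOWS = """\
# ts,src,dst,dport,proto,bytes
1700000000,10.1.2.3,198.51.100.7,22,tcp,4200
1700000005,10.1.2.3,203.0.113.44,443,tcp,120000
1700000010,10.1.2.9,10.200.50.12,445,tcp,60
1700000011,10.1.2.9,10.200.50.13,445,tcp,60
1700000012,10.1.2.9,10.200.50.14,445,tcp,60
1700000020,10.1.2.7,10.1.2.3,80,tcp,900
"""

# Constructed list of unallocated subnets inside a monitored class B.
# Anything sending to these is either a worm, a scanner or a misconfiguration.
UNALLOCATED = [ipaddress.ip_network(n) for n in ("10.200.50.0/24", "10.200.200.0/22")]


def parse_flows(text):
    """Turn the CSV export into Flow tuples, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(int(ts), src, dst, int(dport), proto, int(nbytes)))
    return flows


def peers_of(flows, host):
    """Incident-response pivot: every address `host` exchanged traffic with,
    in either direction, and how many bytes moved."""
    peers = Counter()
    for f in flows:
        if f.src == host:
            peers[f.dst] += f.nbytes
        elif f.dst == host:
            peers[f.src] += f.nbytes
    return dict(peers)


def in_darknet(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in UNALLOCATED)


def darknet_hits(flows):
    """Number of flows per source address that were aimed at unallocated space."""
    return dict(Counter(f.src for f in flows if in_darknet(f.dst)))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("peers of 10.1.2.3:", peers_of(flows, "10.1.2.3"))
    print("darknet hits:", darknet_hits(flows))
```

The peer list is what decides how far an incident spreads: a handful of known servers ends the investigation, an unfamiliar external address with a large byte count widens it. The darknet count needs no threshold at all, since a single flow into unallocated space is already suspect.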