Scanners
Inventory all machines on site; 12,000+
nmap farm
All machines usually twice a day
Find critical vulnerabilities and issue blocks
Nessus
Homegrown tools
IDS
Bro cluster on 10 gig spans
Snort on 1 gig switch
Specific sigs used for Snort due to scalability and false positive issues
State based is more attractive than signature based
Sig based IDS
Used for point solutions
Simply not terribly effective at Fermi
Question: How would you operate in an ISP's environment?
Answer: Umm... :-)
State based IDS
Used for “everything else”
Example: Alert if
HTTP connection to this server
Followed by GET of a non-PHP file
Followed by SSH outbound connection
If all of that happens in a short time frame
Sig based IDS cannot do this
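The three-step correlation on the slide, written out as a small stateful correlator run over constructed connection events (added illustration, not Fermilab's Bro policy; the 60-second window, the watched server address and the event format are assumptions):

```python
"""Stateful correlation of the three-step sequence on the slides.

Per client IP: HTTP connection to a watched server, then a GET for a
non-PHP resource, then an outbound SSH connection, all inside a time
window.  Sample events are constructed, not real Fermilab data."""
from collections import defaultdict

WINDOW_SECONDS = 60          # assumed "short time frame"
WATCHED_SERVER = "10.0.0.5"  # constructed example server address


def _new_state():
    return {"http_at": None, "get_at": None}


def correlate(events, window=WINDOW_SECONDS, server=WATCHED_SERVER):
    """events: time-ordered dicts with ts, src, kind ('http_conn',
    'http_get', 'ssh_conn') and optional dst/uri. Returns (src, ts) alerts."""
    state = defaultdict(_new_state)
    alerts = []
    for ev in events:
        s, t = state[ev["src"]], ev["ts"]
        # Expire stale partial matches so an old step cannot pair with a new one.
        if s["http_at"] is not None and t - s["http_at"] > window:
            s["http_at"] = s["get_at"] = None
        if ev["kind"] == "http_conn" and ev.get("dst") == server:
            s["http_at"], s["get_at"] = t, None
        elif ev["kind"] == "http_get" and s["http_at"] is not None:
            if not ev.get("uri", "").lower().endswith(".php"):  # step 2: non-PHP only
                s["get_at"] = t
        elif ev["kind"] == "ssh_conn" and s["get_at"] is not None:
            alerts.append((ev["src"], t))
            state[ev["src"]] = _new_state()  # fire once, then start over
    return alerts


# Constructed sample: .10 completes the chain, .11 fetches PHP (not step 2),
# .12 takes too long between steps.
SAMPLE_EVENTS = [
    {"ts": 100, "src": "192.0.2.10", "kind": "http_conn", "dst": "10.0.0.5"},
    {"ts": 102, "src": "192.0.2.10", "kind": "http_get", "uri": "/files/tool.tgz"},
    {"ts": 105, "src": "192.0.2.10", "kind": "ssh_conn", "dst": "203.0.113.7"},
    {"ts": 110, "src": "192.0.2.11", "kind": "http_conn", "dst": "10.0.0.5"},
    {"ts": 111, "src": "192.0.2.11", "kind": "http_get", "uri": "/index.php"},
    {"ts": 112, "src": "192.0.2.11", "kind": "ssh_conn", "dst": "203.0.113.8"},
    {"ts": 200, "src": "192.0.2.12", "kind": "http_conn", "dst": "10.0.0.5"},
    {"ts": 205, "src": "192.0.2.12", "kind": "http_get", "uri": "/a.bin"},
    {"ts": 400, "src": "192.0.2.12", "kind": "ssh_conn", "dst": "203.0.113.9"},
]
```

`correlate(SAMPLE_EVENTS)` yields one alert, for 192.0.2.10; a signature on any single one of the three events would have fired on all three hosts.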
Netflow
Real-time collection of netflow
Real-time DNS name resolution of all IPs
Historical searches through netflow during incidents
Searches done via Splunk
Netflow
Primarily used for incident response
Valuable for telling who a badguy talked to
Tells us whether we need to investigate further and, if so, how much further
Log collection
Collecting from 189 hosts
13 billion log entries, and growing, are searchable
~37.3 Gig a day intake
Will be pushing 60 gig a day with netflow
Log collection
Central syslog-ng available to all machines
Collection of central web logs
Searches via splunk
Integration of search into enterprise programming API; CST API
Darknets and Tarpits
Monitoring all unallocated address space; class B
Valuable for detecting worms and software misconfiguration
If it touches these networks, it is suspect