Scanners

Inventory all machines on site; 12,000+ nmap farm All machines usually twice a day

Find critical vulnerabilities and issue blocks Nessus Homegrown tools

IDS

Bro cluster on 10 gig spans

Snort on 1 gig switch

Specific sigs used for Snort due to scalability and false positive issues

State based is more attractive than signature based

Sig based IDS

Used for point solutions

Simply not terribly effective @Fermi Question:

How would you operate in an ISP's environment?

Answer: Umm... :-)

State based IDS

Used for “everything else”

Example Alert if

HTTP connection to this server Followed by GET of a non-PHP file Followed by SSH outbound connection If all of that happens in a short time frame

Sig based IDS cannot do this

Netflow

Real-time collection of netflow

Real-time DNS name resolution of all IPs

Historical searches through netflow during incidents

Searches done via Splunk

Netflow

Primarily used for incident response

Valuable for telling who a badguy talked to

Tells us whether we need to investigate further and, if so, how much further

Log collection

Collecting from 189 hosts

13 billion log entries, and growing, are searchable

~37.3 Gig a day intake

Will be pushing 60 gig a day with netflow

Log collection

Central syslog-ng available to all machines

Collection of central web logs

Searches via splunk

Integration of search into enterprise programming API; CST API

Darknets and Tarpits

Monitoring all unallocated address space; class B

Valuable for detecting worms and software misconfiguration

If it touches these networks, it is suspect

Scanners

Log collection