Scanners Inventory all machines on site; 12,000+ nmap farm All machines usually twice a day Find critical vulnerabilities and issue blocks Nessus Homegrown tools

Upload: irene-montgomery

Post on 25-Dec-2015


TRANSCRIPT

Page 1

Scanners

Inventory all machines on site; 12,000+

nmap farm

All machines usually twice a day

Find critical vulnerabilities and issue blocks

Nessus

Homegrown tools

Page 2

IDS

Bro cluster on 10 gig spans

Snort on 1 gig switch

Specific sigs used for Snort due to scalability and false positive issues

State based is more attractive than signature based

Page 3

Sig based IDS

Used for point solutions

Simply not terribly effective @Fermi

Question:

How would you operate in an ISP's environment?

Answer: Umm... :-)

Page 4

State based IDS

Used for “everything else”

Example: Alert if

HTTP connection to this server

Followed by GET of a non-PHP file

Followed by SSH outbound connection

If all of that happens in a short time frame

Sig based IDS cannot do this
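The correlation rule on this slide, written out as an added example (not the presenter's code and not Fermilab's actual Bro policy): a small stateful correlator that chains the three steps per host and fires only when they occur within a window. The 120-second window, the server address and the event stream are all constructed for illustration.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 120          # the "short time frame" (assumed value)
WEB_SERVER = "10.0.0.5"       # hypothetical protected web server

@dataclass
class Event:
    ts: float      # epoch seconds
    host: str      # internal host whose behaviour is being tracked
    kind: str      # "http_conn", "http_get" or "ssh_out"
    detail: str    # destination for http_conn/ssh_out, URI for http_get

def detect(events, window=WINDOW_SECONDS, server=WEB_SERVER):
    """Stateful rule: HTTP conn to server -> GET of a non-.php file ->
    outbound SSH, same host, all inside `window` seconds.
    Returns [(host, ts_of_ssh)] for every time the chain completes."""
    state = {}    # host -> (stage, ts of the HTTP connection that started the chain)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        stage, t0 = state.get(ev.host, (0, 0.0))
        if stage and ev.ts - t0 > window:       # chain went stale: forget it
            stage, t0 = 0, 0.0
        if ev.kind == "http_conn" and ev.detail == server:
            stage, t0 = 1, ev.ts                # (re)start the chain here
        elif ev.kind == "http_get" and stage >= 1 and not ev.detail.lower().endswith(".php"):
            stage = 2                           # non-PHP fetch seen after the connection
        elif ev.kind == "ssh_out" and stage == 2:
            alerts.append((ev.host, ev.ts))     # all three steps inside the window
            stage, t0 = 0, 0.0                  # fire once, then reset
        state[ev.host] = (stage, t0)
    return alerts

# Constructed sample stream (not real traffic): three hosts, one true chain.
SAMPLE = [
    Event(100.0, "10.1.2.3", "http_conn", WEB_SERVER),
    Event(101.0, "10.1.2.3", "http_get", "/images/logo.png"),
    Event(130.0, "10.1.2.3", "ssh_out", "203.0.113.9"),     # completes chain in 30 s
    Event(200.0, "10.1.2.4", "http_conn", WEB_SERVER),
    Event(201.0, "10.1.2.4", "http_get", "/index.php"),      # PHP: does not advance
    Event(205.0, "10.1.2.4", "ssh_out", "203.0.113.9"),     # no alert
    Event(300.0, "10.1.2.5", "http_conn", WEB_SERVER),
    Event(301.0, "10.1.2.5", "http_get", "/download/tool.tgz"),
    Event(900.0, "10.1.2.5", "ssh_out", "203.0.113.9"),     # SSH too late: no alert
]

if __name__ == "__main__":
    print(detect(SAMPLE))   # [('10.1.2.3', 130.0)]
```

Each step alone (a web hit, a file download, an SSH session) is normal and would drown a signature rule in false positives; only the ordered sequence inside the window is suspicious, which is exactly the state a signature engine does not keep.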

Page 5

Netflow

Real-time collection of netflow

Real-time DNS name resolution of all IPs

Historical searches through netflow during incidents

Searches done via Splunk

Page 6

Netflow

Primarily used for incident response

Valuable for telling who a bad guy talked to

Tells us whether we need to investigate further and, if so, how much further

Page 7

Log collection

Collecting from 189 hosts

13 billion log entries, and growing, are searchable

~37.3 Gig a day intake

Will be pushing 60 gig a day with netflow

Page 8

Log collection

Central syslog-ng available to all machines

Collection of central web logs

Searches via Splunk

Integration of search into enterprise programming API; CST API

Page 9

Darknets and Tarpits

Monitoring all unallocated address space; class B

Valuable for detecting worms and software misconfiguration

If it touches these networks, it is suspect

Page 10

Scanners

Page 11

Log collection