Slide 1

Building Effective Security Alerting
Kai Zhong @sixhundredns
Ken Lee @kennysan

Slide 3

OPEN SOURCE!

Slide 4

Who Are We?

Slide 5

KZER
Kai Zhong
Product Security Engineer @ Etsy
Loves tea, cats and netbooks
Twitter: @sixhundredns

Slide 6

I’m a

Slide 7

KLEE
Ken Lee
Senior Product Security Engineer @ Etsy
Spoke at Defcon 21 about Content Security Policy
Loves funny cat gifs
Twitter: @Kennysan

Slide 9

What is Etsy?

Slides 10-13

Some Stats
- $2.32 billion GMS marketplace
- 1.7 million active sellers
- 26.1 million active buyers

Slides 14-16

Engineering Stats
- Average 40-60 deploys a day
- PHP 7
- Native iOS, Android apps

Slide 18

What Are We Covering?

Slides 19-22

- History
- Our Solution
- Alert Management @ Etsy
- Demo

Slide 23

But First, Some Terminology

Slide 24

Logs

Slide 25

The ELK Stack

Slides 27-29

Logstash
- Data processor and log shipper
- Allows you to break out your log data into separate fields
- We use it to ship logs into Elasticsearch!

Slides 31-34

Elasticsearch
- Distributed, real-time search engine
- Allows storing complex, nested documents
- Allows generating statistics over your data
- We use it for analyzing logs!

Slides 35-37

Kibana
- Data visualization frontend for Elasticsearch
- Log discovery
- Visualizations!

Slide 39

History

Slides 40-43

Switching to ELK
- Work started in mid-2014
- Finished in mid-2015
- We learned a lot from the migration
- And got a bunch of great tools out of it

Slides 44-47

It Was A Bumpy Road
- Hiccups are expected when moving to a new technology
- Had to deal with annoying, performance-impacting bugs
- Issues with SSDs, kernel-level bugs
- Security needed an alerting solution

Slide 49

ESQuery

Slides 50-52

Features
- Superset of the standard Lucene syntax
- Syntactically similar to SPL!
- Supports all the functionality we need!!!

Slide 53

Syntax

Command Syntax
- Inline params: $size:20 $sort:user_id $fields:[a,b,c]
- Joins: * | join source:src_ip target:dst_ip
- Aggregations: * | agg:terms field:src_ip | agg:terms field:user_id
- Variable substitution: src_ip:@internal_ips

Slide 54

SPL

    source="/data/syslog/current/web/info.log" log_namespace="login" reason="wrong password" response=403 | top 10 remote_host

Slide 55

ESQuery

    type:web_info_log log_namespace:login logdata.reason:"wrong password" response:403 | agg:terms field:logdata.remote_host size:10

Slide 56

Generated Elasticsearch request body for the ESQuery above:

    {
      "query": {
        "filtered": {
          "query": {
            "bool": {
              "minimum_number_should_match": 1,
              "should": [
                {
                  "query_string": {
                    "query": "type:web_info_log log_namespace:login logdata.reason:\"wrong password\" response:403 ",
                    "default_operator": "AND",
                    "lowercase_expanded_terms": false,
                    "allow_leading_wildcard": false
                  }
                }
              ]
            }
          },
          "filter": {
            "bool": {
              "must": [
                {
                  "range": {
                    "event_timestamp": {
                      "from": 1468294422783,
                      "to": 1468295322783
                    }
                  }
                }
              ]
            }
          }
        }
      },
      "size": 0,
      "sort": [
        { "event_timestamp": { "order": "desc", "ignore_unmapped": true } },
        { "event_timestamp": { "order": "desc", "ignore_unmapped": true } }
      ],
      "aggs": {
        "terms_bucket": {
          "terms": {
            "field": "logdata.remote_host",
            "size": 10
          }
        }
      }
    }
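
As an added example (not code from the talk or from 411 itself), the Python below shows one way to perform the translation the three slides above illustrate: it tokenizes an ESQuery line, separates the $size/$sort/$fields inline params from the Lucene terms, nests one bucket per agg: stage (so the two-stage aggregation on slide 53 becomes a sub-aggregation), expands @variables, and emits a request body with the shape of slide 56. The VARIABLES table, the default hit sizes and the use of _source for $fields are assumptions made for this illustration; join is not modelled because it needs a second search.

```python
import json
import re

# Constructed variable table standing in for 411's named-variable store (not on the page).
VARIABLES = {"internal_ips": ["10.0.0.0/8", "192.168.0.0/16"]}

# A token is a run of non-space text in which double-quoted phrases may contain
# spaces, so logdata.reason:"wrong password" stays a single token.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')

# The slide 55 search, kept here so the module can be run stand-alone.
SLIDE_55 = ('type:web_info_log log_namespace:login logdata.reason:"wrong password" response:403 '
            '| agg:terms field:logdata.remote_host size:10')


def tokenize(stage):
    return TOKEN.findall(stage)


def substitute_variables(query, variables=VARIABLES):
    """Expand @name into a parenthesised OR of the variable's values (slide 53)."""
    def expand(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unknown variable @{name}")
        return "(" + " OR ".join(f'"{v}"' for v in variables[name]) + ")"
    return re.sub(r"@(\w+)", expand, query)


def parse_inline_params(tokens):
    """Separate $name:value inline params from the Lucene terms; [a,b,c] becomes a list."""
    lucene, params = [], {}
    for tok in tokens:
        if tok.startswith("$"):
            name, _, value = tok[1:].partition(":")
            if value.startswith("[") and value.endswith("]"):
                value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
            params[name] = value
        else:
            lucene.append(tok)
    return " ".join(lucene), params


def build_aggs(agg_stages):
    """Nest one bucket per `agg:` stage; each later stage becomes a sub-aggregation."""
    root = {}
    current = root
    for stage in agg_stages:
        kv = dict(tok.split(":", 1) for tok in tokenize(stage))
        agg_type = kv.pop("agg")                       # e.g. "terms"
        body = {k: (int(v) if v.isdigit() else v) for k, v in kv.items()}
        bucket = {agg_type: body}
        current["aggs"] = {f"{agg_type}_bucket": bucket}
        current = bucket
    return root.get("aggs", {})


def build_body(esquery, time_from, time_to, variables=VARIABLES):
    """Translate one ESQuery string into an Elasticsearch request body."""
    stages = [s.strip() for s in substitute_variables(esquery, variables).split("|")]
    lucene, params = parse_inline_params(tokenize(stages[0]))
    if any(s.startswith("join ") for s in stages[1:]):
        raise NotImplementedError("join needs a second search; not modelled here")
    aggs = build_aggs([s for s in stages[1:] if s.startswith("agg:")])
    # Assumed defaults: an aggregation-only search returns no hits (size 0, as the
    # slide's body shows); otherwise 20 hits, the value slide 53 uses for $size.
    size = int(params.get("size", 0 if aggs else 20))
    body = {
        "query": {"filtered": {
            "query": {"bool": {"minimum_number_should_match": 1, "should": [{"query_string": {
                "query": lucene, "default_operator": "AND",
                "lowercase_expanded_terms": False, "allow_leading_wildcard": False}}]}},
            "filter": {"bool": {"must": [{"range": {
                "event_timestamp": {"from": time_from, "to": time_to}}}]}},
        }},
        "size": size,
        "sort": [{params.get("sort", "event_timestamp"): {"order": "desc", "ignore_unmapped": True}}],
    }
    if "fields" in params:
        body["_source"] = params["fields"]   # source filtering; 411's own $fields handling is not on the page
    if aggs:
        body["aggs"] = aggs
    return body


if __name__ == "__main__":
    # The time range is the one from slide 56's body.
    print(json.dumps(build_body(SLIDE_55, 1468294422783, 1468295322783), indent=2))
```

The hardening choices visible in slide 56 are reproduced on purpose: `default_operator` is AND, so a missing term narrows rather than widens the search, `allow_leading_wildcard` is off, so a stray `*term` cannot turn an alert query into a full-index scan, and the time range is applied as a filter rather than folded into the query string.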

Slide 57

splogTASH

Slide 59

411

Slides 60-62

Alert Generation & Management
- Write queries to be periodically executed
- Receive email alerts with results
- Manage alerts via the web interface

Slide 63

Dashboard

Slide 67

Managing queries

Slide 74

Configuring a query

Slide 83

Types of queries

Slide 84

Logstash

Slide 88

HTTP

Slide 91

Graphite

Slide 94

Configuring a query (cont)

Slide 103

Configuring groups

Slide 111

Configuring a query (cont)

Slide 115

Scheduling

Slide 116

Under the Hood
- Scheduler
- Search Jobs
- Workers

Slide 117

Under the Hood
- Search
- Alerts
- Targets
- Filters
- Search Job
- Data Source

Slide 118

Configuring filters

Slides 121-125

Filter types
- Regex
- Throttle
- Expression

Slide 127

Configuring targets

Slides 130-134

Target types
- Jira
- Webhook
- Pagerduty
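
Slides 116 through 134 name the parts of a 411 search (scheduler, search job, data source, alerts, filters, targets) without showing how they fit together. The Python below is an added model of that pipeline, not 411's code; the class and field names are assumptions. A Search pulls rows from a data source, wraps each row as an alert, runs the alerts through the three filter types, and hands the survivors to its targets. The data source is a constructed stand-in for the slide 55 aggregation result, the target is a plain list standing in for Jira, webhook or PagerDuty delivery, and the filter semantics (regex on one field, expression as a Python predicate, throttle as at most one alert per key per window) are an interpretation of the names on the slides, not 411's documented behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# An alert is the envelope around one result row: the search that produced it,
# when it fired, and the row itself.  Field names are assumptions for this model.
Alert = Dict


def make_alert(search_name: str, ts: int, content: dict) -> Alert:
    return {"search": search_name, "ts": ts, "content": content}


class RegexFilter:
    """Keep alerts whose `field_name` matches `pattern` (or drop them when invert=True)."""
    def __init__(self, field_name: str, pattern: str, invert: bool = False):
        self.field_name, self.rx, self.invert = field_name, re.compile(pattern), invert

    def apply(self, alerts: List[Alert]) -> List[Alert]:
        return [a for a in alerts
                if bool(self.rx.search(str(a["content"].get(self.field_name, "")))) != self.invert]


class ThrottleFilter:
    """Pass at most one alert per key value every `window` seconds; repeats inside it are dropped."""
    def __init__(self, key_field: str, window: int):
        self.key_field, self.window = key_field, window
        self.last_seen: Dict[str, int] = {}

    def apply(self, alerts: List[Alert]) -> List[Alert]:
        passed = []
        for a in alerts:
            key = str(a["content"].get(self.key_field))
            last = self.last_seen.get(key)
            if last is None or a["ts"] - last >= self.window:
                self.last_seen[key] = a["ts"]
                passed.append(a)
        return passed


class ExpressionFilter:
    """Keep alerts for which `predicate(content)` is true; the expression is a Python callable here."""
    def __init__(self, predicate: Callable[[dict], bool]):
        self.predicate = predicate

    def apply(self, alerts: List[Alert]) -> List[Alert]:
        return [a for a in alerts if self.predicate(a["content"])]


@dataclass
class Search:
    """A scheduled search: data source -> alerts -> filters -> targets."""
    name: str
    source: Callable[[], List[dict]]                       # returns result rows
    filters: list = field(default_factory=list)
    targets: List[Callable[[List[Alert]], None]] = field(default_factory=list)

    def run(self, now: int) -> List[Alert]:
        alerts = [make_alert(self.name, now, row) for row in self.source()]
        for f in self.filters:
            alerts = f.apply(alerts)
        if alerts:
            for deliver in self.targets:
                deliver(alerts)
        return alerts


# Constructed stand-in for the slide 55 aggregation result: failed-login counts per host.
def failed_login_buckets() -> List[dict]:
    return [
        {"remote_host": "203.0.113.7", "count": 57},
        {"remote_host": "10.0.4.21", "count": 12},      # an internal monitoring host
        {"remote_host": "198.51.100.9", "count": 3},
    ]


def build_search(delivered: list) -> Search:
    return Search(
        name="login: wrong password, top hosts",
        source=failed_login_buckets,
        filters=[
            RegexFilter("remote_host", r"^10\.", invert=True),   # drop 10/8 internal sources
            ExpressionFilter(lambda c: c["count"] >= 5),         # a handful of typos is not an alert
            ThrottleFilter("remote_host", window=300),           # one alert per host per five minutes
        ],
        targets=[delivered.extend],                              # stands in for e-mail/Jira/webhook
    )


if __name__ == "__main__":
    delivered = []
    search = build_search(delivered)
    for now in (0, 60, 120, 300):   # the scheduler ticks once a minute
        print(now, [a["content"]["remote_host"] for a in search.run(now)])
    print("delivered:", len(delivered))
```

Run once a minute, the throttle lets the first alert for 203.0.113.7 through, suppresses the identical result on the next two ticks, and releases it again once the five-minute window has elapsed. That is the control slide 177 motivates: one noisy attacker would otherwise fire the same alert on every schedule tick. Keeping the throttle last in the chain matters, because a throttle placed before the regex or expression filters would record hosts that the later filters then discard.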

Slide 136

Managing alerts

Slides 143-145

Alert actions
- Assign
- Annotate
- Resolve

Slide 146

Reviewing an alert

Slide 157

Live alerts feed

Slide 161

Alert Management @ Etsy

Slide 162

Make Alerting Great Again

Slides 163-167

Sensitivity
- For a given event, how often a search modelled on that event will alert
- True Positive Rate
- Avoid creating searches that are too specific
- Minimize False Negatives
- E.g. IP address AND user agent AND user id

Slides 168-172

Specificity
- For a given event, how often a search modelled on that event will correctly not fire
- True Negative Rate
- Avoid creating searches that are overly broad
- Minimize False Positives
- E.g. Numerous POST requests to /login
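
To make the two definitions concrete, here is an added Python example (not part of the deck) that scores candidate searches against a small constructed sample of login events with analyst-assigned ground truth: slide 167's IP-AND-user-agent-AND-user-id search, slide 172's any-POST-to-/login search, and a failed-login-burst rule in the spirit of the slide 55 query at two thresholds. Sensitivity and specificity are computed exactly as the slides define them, from the confusion counts. The event sample, rule names and thresholds are constructed for the illustration.

```python
from collections import Counter


def login(ip, ua, user_id, response, malicious, method="POST", path="/login"):
    """One constructed web log event; `malicious` is the analyst's ground truth."""
    return dict(ip=ip, ua=ua, user_id=user_id, method=method, path=path,
                response=response, malicious=malicious)


EVENTS = (
    # One attacker running a scanner: five failed logins across several accounts.
    [login("203.0.113.7", "scanner/1.0", u, 403, True) for u in (42, 42, 43, 44, 45)]
    # The same attacker from a second address with a different client.
    + [login("198.51.100.9", "curl/7.0", u, 403, True) for u in (42, 46, 47, 48)]
    # Ordinary users: a clean login, a typo then success, a forgotten password, a page view.
    + [login("192.0.2.10", "Mozilla/5.0", 7, 200, False)]
    + [login("192.0.2.11", "Mozilla/5.0", 8, 403, False),
       login("192.0.2.11", "Mozilla/5.0", 8, 200, False)]
    + [login("192.0.2.12", "Mozilla/5.0", 9, 403, False) for _ in range(3)]
    + [login("192.0.2.12", "Mozilla/5.0", 9, 200, False)]
    + [login("192.0.2.13", "Mozilla/5.0", 10, 200, False, method="GET", path="/home")]
)


def per_event(predicate):
    """Lift a per-event test into a rule that labels every event in a batch."""
    return lambda events: [bool(predicate(e)) for e in events]


# Slide 167's too-specific search: modelled on one observed event, IP AND user agent AND user id.
too_specific = per_event(lambda e: e["ip"] == "203.0.113.7"
                         and e["ua"] == "scanner/1.0" and e["user_id"] == 42)

# Slide 172's overly broad search: any POST to /login.
too_broad = per_event(lambda e: e["method"] == "POST" and e["path"] == "/login")


def failed_login_burst(threshold):
    """Flag every event from a source with at least `threshold` failed logins in the batch."""
    def rule(events):
        failures = Counter(e["ip"] for e in events
                           if e["method"] == "POST" and e["path"] == "/login" and e["response"] == 403)
        noisy = {ip for ip, n in failures.items() if n >= threshold}
        return [e["ip"] in noisy for e in events]
    return rule


def confusion(rule, events):
    """Count true/false positives and negatives for one rule over labelled events."""
    counts = Counter()
    for event, fired in zip(events, rule(events)):
        if fired:
            counts["tp" if event["malicious"] else "fp"] += 1
        else:
            counts["fn" if event["malicious"] else "tn"] += 1
    return {k: counts[k] for k in ("tp", "fp", "tn", "fn")}


def sensitivity(c):
    """True positive rate: of the malicious events, the share that alerted."""
    return c["tp"] / (c["tp"] + c["fn"])


def specificity(c):
    """True negative rate: of the benign events, the share that correctly did not alert."""
    return c["tn"] / (c["tn"] + c["fp"])


RULES = {
    "too specific (ip AND ua AND user_id)": too_specific,
    "too broad (any POST /login)": too_broad,
    "burst, >=3 failures per ip": failed_login_burst(3),
    "burst, >=5 failures per ip": failed_login_burst(5),
}


def report(events=EVENTS, rules=RULES):
    """Return {rule name: (confusion counts, sensitivity, specificity)} for every rule."""
    return {name: (c := confusion(rule, events), sensitivity(c), specificity(c))
            for name, rule in rules.items()}


if __name__ == "__main__":
    for name, (c, sens, spec) in report().items():
        print(f"{name:40s} {c}  sensitivity={sens:.2f} specificity={spec:.2f}")
```

Running it shows the trade-off the two slides describe. The over-specific search has perfect specificity but a sensitivity of 2/9, because it misses the same attacker's second address and every account other than 42. The broad search catches all nine attacker events but also alerts on seven legitimate logins. The burst rule at a threshold of 3 catches both attacker addresses yet also flags the user who forgot their password; raising the threshold to 5 removes that false positive at the cost of missing the second attacker address entirely. Which point on that curve is acceptable depends on who has to read the alert and when, which is the question the incident-response slides that follow take up.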

Slides 174-177

Incident Response
- High specificity alerts
- Low priority alerts don’t generate notification e-mails
- Medium/High priority alerts generate notifications
- Attackers often generate a lot of noise, which can result in numerous alerts firing!

Slides 178-180

Responding to an Alert
- Is this an alert that can wait till morning?
- How many other related alerts went off during this time period?
- Example: failed logins and bot activity

Slide 181

How We Respond to an Alert

Slides 182-184

Responding to an Alert
- Was there activity our alerts did not catch initially?
- Dashboards, developers, combing through log files
- Incorporate into new alerts, improve sensitivity of old alerts

Slides 185-188

Alert Maintenance
- Sometimes certain queries are no longer useful
- Review noisy alerts
- Add in other useful fields
- Example: Attacker using an off-the-shelf scanner

Slides 189-193

What Deserves an Alert?
- Potential error conditions
- Volume of traffic/Thresholds being hit
- Deprecating old code

Slides 195-197

Multiple 411 Instances
- Really easy to set up a new instance
- Supports multiple hosts out of the box
- Just need to run a script

Slides 198-201

Instances
- Sec411
- Netsec411
- Dev411
- Sox411

Slide 202

Demo

Slide 203

Questions?
411 is available at: https://fouroneone.io
Kai @sixhundredns [email protected]
Ken Lee @kennysan [email protected]