A New Way of Thinking About Security

Transcript

1. Kevin Keeney Cyber Security Advocate Medieval Knights, Modern Security, and

   Search

2. Traditional Security • Rules • Signatures • Policies

3. A new way of thinking… • Human vs. Human •

   Teamwork is important

4. Agents can’t bend spoons… I've seen an agent punch through

   a concrete wall. Men have emptied entire clips at them and hit nothing but air. Yet their strength and their speed are still based in a world that is built on rules. Because of that, they will never be as strong or as fast as you can be. - Morpheus, The Matrix, 1999

5. What’s a knight to do? • Intelligence & Operations •

   Hunting • Insider Threat • Automation & Orchestration

6. KNOW THY ENEMY • Strategic Intelligence: Who & Why •

   Tactical Intelligence: How & What

7. KNOW THY SELF • Seems / Gaps / Blind spots

   • Culture • What is your most critical data? • Where are your most important systems? • Priority Defended Assets List (PDAL)

8. Intelligence Operations

9. Operations Focused • Proactive not reactive • Unity of effort

   • Speed is King

10. Why do we need to conduct Hunt Operations? “Be the

    Hunter, not the Hunted.” -The Honorable James Mattis

11. What is Hunt Operations?

12. Who should Hunt?

13. Where should you conduct Hunt Operations?

14. However, keep your head on a swivel…

15. When • Start now! • Do it safely • Trained

    operators • Function as a team • Be willing to allow yourself, your people, and your leadership to fail.

16. How to conduct Hunt Operations

17. Sniff sniff sniff, find the bad actors in your network

    data 17

18. http://rocknsm.io

19. 19 Analysis Walkthrough

20. 20

21. 21 Analysis Walkthrough

22. 22 Analysis Walkthrough

23. 23 Analysis Walkthrough

24. 24 Analysis Walkthrough

25. 25 Analysis Walkthrough

26. 26 Analysis Walkthrough

27. Logs Logs Logs, many devices, many systems 27

28. Endpoint Logs WEF Server Group Policy Windows Remote Management Wecutil

    OR Windows Event Viewer Winlog eats or NXLog Nate “Neutron” https://nathanguagenti.blogspot.com/
29. None

30. Insider Threat

31. None

32. WHAT ARE YOUR IDEAS?

33. WHAT PROBLEMS DO THESE NEW COLLECTIONS CREATE?

34. Poor speed @ scale

35. Automation & Orchestration

36. Computers are useful… • Why have a human do what

    a computer can? • Speed • Accuracy • Elimination of errors

37. The Product Stack

38. Elastic Stack 100% open source

39. Single install Extensions for the Elastic Stack Subscription pricing X-Pack

    Security Alerting Monitoring Reporting Graph Machine Learning

40. 40 X-Pack Security • Username and password • Role-based access

    control • Field & document level security • Integrate with authentication systems Protect Data Access • SSL/TLS encryption Encrypt Data • Audit logging Provide Accountability

41. 41

42. 42 X-Pack Alerting Detect Changes in Your Data Get notified

    your way • Email, Slack, PagerDuty, HipChat or JIRA • Custom integration via webhooks • If you can query it, you can alert on it • Store & track alert history

43. 43

44. 44 X-Pack Machine Learning • Automate anomaly detection • Accelerate

    root cause analysis • Go beyond SIEM rules • Reduce false positives Unsupervised Machine Learning

45. 45

46. 46

47. 47

48. 48 X-Pack Graph • Uses relevance capabilities of Elasticsearch •

    Leverage API and UI-drive tool Find Connections in Your Data

49. 49

50. Enhance your security coverage with Elastic Scalable – Log everything

    and miss fewer attacks Real time – Interactive investigation and threat hunting at scale Analytics – Go beyond SIEM rules and improve threat detection Flexible – Fly and tune your sensors, enrich your data as needed.

51. ES-Hadoop Security Analytics Architecture Web Proxies EDR / EPP IDS

    /IPS / NMS Kafka Redis Messaging Queue Logstash Workers (2+) LDAP Authentication AD Notification SSO X-Pack Kibana X-Pack Instances (2+) Custom UI Elasticsearch Clients Elasticsearch X-Pack Master (3) Ingest (X) Data – Hot (X) Data – Warm (X) Machine Learning (2+) Coordinating (X) Alerting (X) HEARTBEAT Beats FILEBEAT METRICBEAT PACKETBEAT WINGLOGBEAT AUDITBEAT SCANS DNS FILE SIEM Vulnerability Data & Threat Intelligence IP

52. THANK YOU [email protected] @kevinkeeneyjr (573)694-9277