0:00:05.950 So I'd like to thank Jason for inviting me. I have to say I feel woefully unprepared. All the stuff I've been listening to, you pretty much have to be a kernel developer here; it's not even enough to be like a normal committer, I imagine. You have to have invented something really cool. I'm here as a user, to try to take the loser off of it. I didn't even boot into the BSD side of my laptop, so no rocks thrown up here. I wanted to talk about, actually, how many people here had some kind of security responsibility? Okay, so wow, that's interesting; okay, so there are a lot of security people here. I usually speak to security audiences. When I speak, or when I spoke before at BSD conferences, it was usually on something I was doing with BSD for security purposes, so I kind of had that same theme for today. So what we'll talk about, just so you know, I worked in a variety of... I was in the military, where I learned all this stuff; I worked in commercial industry, defense contractors; I worked for a small startup out of Connecticut, you might have heard of us. We've lost like three hundred billion in market cap over the last year; it's been an exciting ride. That's General Electric; we've got three hundred thousand users, just a few security issues, as you might imagine, in a
0:01:28.360 company that size. But what I'm going to talk about, first of all I'll just do sort of an intro of how I think about security and why it drove me down the road of having devices that I'll talk about, and I'm open to any questions. It's funny, I was actually sitting in front of a couple of guys who were asking me, we were talking about some of the software I'll talk about, and he didn't even realize it was me sitting in front. So if at any point you have questions about how we do things, why we do things, please let me know. What I'm going to describe isn't exactly what I do with General Electric, or at least it's not officially what I do at General Electric, but you can imagine that I just don't come up with this stuff in a vacuum and then present it, obviously; it's based on what I think works in various environments. So my job title is director of incident response, and when I tell people that, they usually think of oil spills or, you know, Hazmat or something like that; it's information security incidents. And I like to say that I'm as close to the problem as you possibly could be, right? And we have project managers who are trying to create risk equations; they're trying to figure out if I tweak this knob it'll result in more risk or less risk. I think that's a whole bunch of crap for the most part.
0:02:41.209 I deal with all the failures, so I deal with failure all around. I like to say that there's this theory out there, but the reality is, okay, you've got dozens or hundreds or thousands of systems that are compromised, what do you do about that? So in some ways you might say that's actually the worst possible place to do security, after it's failed, but in other ways maybe it's the best place, because you can see what's wrong and you can try to fix it. Well, you have to say what is security, and I went to the doctor one day and the doctor asked me questions like, well, how do you feel, do you feel healthy? That's kind of like, do you feel secure. So what does that even mean, right? I mean, if you think about health, well, you might say, how's your blood pressure? Well, it's under one hundred and twenty over eighty. That's sort of one data point. What about your cholesterol, body mass index and so forth? The idea is that you have to measure something, and you have to get your data from somewhere, and what I find is that a lot of people who make security decisions are not getting data from anywhere. In fact, a lot of very high level security people are getting data on the golf course when they're talking to their fellow CISOs about, hey, what product are you buying from Cisco, or this and that, and it's completely disconnected from reality. And as a result nobody can tell
0:03:59.029 whether they're spending any money on security that makes a difference, or how to get better. So, like, how many people here are sort of involved in federal security with like FISMA and stuff like that? Right. So I find all that to be the most frustrating thing possible. I don't deal with that because I'm in private industry, but I've commented on it quite a bit because I have a blog and I like to complain. So my feeling is that the FISMA folks, not the implementers but the people who wrote the legislation, they tended to focus on things like input metrics, like do you have AV, do you have your patches, is the box configured properly, all those things of that nature. I call all those input metrics; they really make no difference as far as I'm concerned if you're truly trying to figure out what the problem is. It's kind of like looking at a sports team, let's say an American football team, and you say, well, input metrics would be like how tall are all the players, how fast do they run the forty, where did they go to school. You could look at all those things, but does that tell you what their record was over the season? Did they win the Super Bowl, did they win their league championship? No, those are all inputs, right? I care about outputs, like, is
0:05:08.810 this box part of a botnet? No, it's not really Windows. I could boot it into Windows, but I prefer to stay out of the botnet. Did you have an earnings report appear on the network share or on a peer-to-peer network somewhere? That's an output; that means you had a failure somewhere. Do you have a system or network that's unavailable due to a DDoS attack? These are all outputs, so I try to focus on these. I really don't care so much about that; I think these can influence these; these are the things that I care about. And just to step a little bit out and change the way you might think about this, there was a good article in The Economist last year where they talked about people who are trying to make policy decisions about health policy in Africa, and it's the same thing with security. Right, actually, kind of what I like about seeing the developers here is that in the last talk there were lots of discussions about, you made this change and you get a five percent difference, or you made this change and you get a ten percent difference. None of that happens in security. It's all, well, we'll deploy this and see what happens. Actually, it's not even that; we'll deploy this, not even let's see what happens; there's not even a test to see if it made any difference. So what I try to focus on in
0:06:18.640 my job at GE is, let's do some tests. Like, the company is big enough, why don't we have part of the company run with no local admin on the desktop and another part continuing to run with local admin (I didn't say that out loud, sorry), and then compare and see what the infection rates are. And guess what, I bet the ones with local admin are going to be a hell of a lot worse, and there have been some recent studies that have shown that that's the case. So you can run these sort of policy-based trials and figure out what you should do, then I can go talk to my boss and be like, look, this part of the company that runs with local admin, they're ten times worse than everybody else, and even better I can say it's costing us ten times more, then we can make a change. But in order to do that you have to have some kind of measurements; you're going to have data come from somewhere. And I like to say, I call this management by fact, not by belief. There's a lot... like, security people are very religious; we have this idea of what should be and what shouldn't be, and it's all because we don't usually measure what works, which is unfortunate. So I'm all about visibility; I want to find out what's going on. And the reason I think about it this way is, I think in the Air Force we have this thing called the OODA loop,
0:07:26.990 and if you've ever seen my hands doing this, it's because I'm reliving my Air Force days flying around in my F-16. Not really, I only flew once in the F-16 and once in the F-15, but when I would talk to the fighter pilots they would talk about having this thing, the OODA loop, and it came out, like, I'm thinking before the first Gulf War, and the idea was you're in your F-16 and you want to win the fight, so the first thing you do is look out the window, you see what's going on; that's your observation. And then you orient, and you figure out, well, where am I in relation to where the bad guys are. Then you make a decision like, okay, there's a bad guy, I better roll over and shoot it down, and then you take the action. The problem we have with security is that there's none of this; there's no observe and orient, there's only decide and act. So we have no idea what's happening, but we're told to do things, so we buy stuff, we deploy it, and we just keep doing that over and over again, and we never figure out if it makes any difference. The unfortunate thing is, if you do stumble upon something that works, it's usually luck, as opposed to figuring out by observation and orientation what you should be doing. So this is probably my favorite description of
0:08:45.120 security, period. My apologies to my European friends; this is the football poll security. But this is what I believe, I've seen this just for years and years and years. The idea is you're told, or you read in a magazine, or you talk to your buddy about something bad, and you assume that that bad thing that's happening, it must be happening at your location too. And sometimes it is, but sometimes it isn't, and so you run around and you spend all this time on one area, while meanwhile you could be completely all about something different. And I first started thinking about this in 2000, 2001, where there were some guys in Finland who did this huge enumeration; they were doing some of the first fuzzing work against SMTP. It was called the PROTOS toolkit, and they did all this work and they found that basically everybody's SMTP implementation was really bad, and they were all vulnerable, and the whole world was going to end because SMTP vulnerabilities existed everywhere. Well, I don't know if everybody was around back then, so they're looking at these things, but did the world end in 2001 with SMTP? Absolutely not. So a lot of effort was spent on fixing SMTP implementations when the bad guys really weren't taking advantage of it. So this is what I feel
0:10:00.740 like is happening with security now; we're told about... this is the one that really kills me, is insider threats. Oh, there are insider threats, they're so bad, this and that, and so you spend all your time over here and you're like paying attention to your own employees, you're violating their rights and their privacy, and meanwhile you've got like Romanians and Russians and Chinese and every other hacker in the world inside your company that you can't do anything about, unless, you know, unless you actually do something. So my goal is to get it so this guy, he's looking at the right spot, so at least he has a chance, right? He doesn't even have a chance if he's looking over there. At least if you can sort of orient and say, okay, well, here's this threat, here's what I need to do about it, you have a chance. You still might get scored on, right, but at least you can say I had a fighting chance. Many organizations, when I was a consultant, I would drop into, and they didn't even have a fighting chance; there was just no... I would call them, you know, indefensible networks. To use a Cisco term, I would call them self-defeating networks. Self-defending, anyway. Yeah. The network part of ours, sure. So yeah, isn't it interesting, the self-defending network, what does that imply? Zero head count. That is the truth behind Cisco's vision,
0:11:21.089 and think about it, they sell it to every CIO. The CIO is like, yeah, the network takes care of itself. Oh yeah, that means you, you, you, you, bye bye. And that's sort of the model that... I mean, think about it, what business owner would not want to operate with zero staff, if you could still make money and no people? Oh, that's great, maybe you just have robots or something, right? They don't complain. So anyway, wow, that came out of nowhere, but that's what I see with a lot of things, is a presumption that you just buy products, right, you don't actually invest in people. So back to this whole idea of visibility; the question is, well, where should you try to get visibility, and I'll talk about what kind of visibility. Well, the model that I use is to establish trust boundaries first, and what's interesting about using a trust boundary approach is it can apply anywhere. I use a network example here because it's a low-cost way to do it, but you can apply trust boundaries on a system, within an application; I mean, there are lots of different places that you can apply trust boundaries. The idea is, though, once you establish trust boundaries, start watching something there. So I'm going to use a
0:12:33.010 network example, but you could, you know, apply it someplace else. So what I do is, the general process is I identify my trust boundaries, I apply some instrumentation, and then I collect, analyse and escalate. Collect meaning I get the information; analyse, I look at it, figure out what it means; escalate is take it to somebody who cares. Surprisingly difficult to find those people in many enterprises. I came from the DoD, where if we found a single machine that was compromised, that was an incident, and it could be reported all the way up to some general who would be on the phone like barking orders that you need to fix this within hours or days or whatever it was, to private industry, where you finding a compromised computer, and the response could be, eh, what can they do? Well, they can access any machine that's in this domain. Well, have they? Uh, because I just got here, I can't tell yet. I really don't know if we have to care about this, right? The only thing that's changed that recently has been the disclosure laws, because there are some disclosure laws that say if it's possible that they could have stolen the data, you need to report. So that's changed the equation dramatically. Right, it used to be, in fact I
0:13:52.940 worked some big cases years ago where it was like, well, you guys signed an NDA with us, right? Yeah, we did. Right, well, just bye bye, see you later. Okay, great, alright, well, I'm glad I'm not a customer at this place. I didn't respond there; I bank with Bank of America, and the reason I bank with Bank of America is I know the guy who runs security there, and he does this. So of course, I still think he has a job, now that I think about it; has he been replaced by a robot? No, he hasn't been replaced by a robot. Maybe his minions have been replaced by Perl scripts, but he's still there. So this is my general process, and it's funny, people have probably heard about building security in; that's like trying to make things more secure, they've been trying to do that for like twenty years, it just doesn't work. So I would say let's monitor first, because at least when you monitor you can tell that something bad is happening. If you just say build security in and walk away, then you're in trouble. What I find is that in any product you have this cycle where you start out with a feature, and then the features proliferate and you need to manage them, and then somebody's like, oh yeah, we need to apply some security to that, and then finally check to see if it works, when really it should be the other way: figure out what's out
0:15:11.500 there, build a security policy for it, manage it, and then introduce the feature. But that's not how it's done. I wanted to mention here some... I just want to put this on the table before I go into my next part, because these are the criticisms I usually hear, so let's just mention them now. So if I'm taking some kind of a network-centric approach to security, the first thing we're always told is, well, what about the cloud? And this is very interesting; I work really closely with the guy who does the cloudsecurity.org blog, and he's a fellow employee with me, so we're always considering this, because we're putting more and more of our stuff in the cloud, and if your window to the cloud is an SSL encrypted pipe, it doesn't help me too much to inspect it at the network level, right? So we're going to have to push our cloud vendors to provide the visibility for us. Oh boy, that's really happening. Try getting good logs out of any of the cloud vendors; it is absolutely horrible. They don't want to store them, they don't want to provide you the data in any format that's useful. If they provide you with anything, it's generally performance metrics like, we cleaned ten billion of your emails today. Oh, that's wonderful, that's great, you know, I don't care. I don't care how many emails you cleaned; I want to know
0:16:26.660 about which ones came from this person who was phishing us and, you know, got control of some of our systems and so forth. Virtualisation is obviously an issue. If you think about, in a one-machine, one-platform world, any time two machines talk you can potentially see the traffic. What happens when you have a hundred machines all on one platform? Unless you instrument the virtual machine itself, you know, one hundred machines could all be infected and talking to each other and stuff. But the way I deal with that is, unless the bad guy is also inside the VM, like he lives in it, you can see him, because generally the people you care about are on another continent. So, I mean, it could be somewhere else in the United States, obviously, but for the most part, like, if someone were to compromise my machine, unless they physically walk up to it and touch it, there will be some network traffic that reaches out, and generally that's enough to tell that there's a problem. So maybe the fastest way to tell if there's a kernel rootkit on a system is for the system to look normal but to be beaconing out to, you know, take your pick of rogue country. So that's a very effective way to find stuff. And of course you've got your non-traditional
0:17:41.020 platforms. You know, I've got my Blackberry here, I absolutely love it, but I would love to be able to sniff the traffic going to and from it, because who knows who's sitting on my Blackberry right now? I really don't know, and that kills me; it kills me, kills me, kills me that I cannot find an interface, sniff traffic on it and see what's happening, or somehow get between the wireless, watch the traffic and see what's happening. So that to me is a big issue. And we've got all these crazy European privacy laws; I can't collect anything in that whole continent. Not true, it kills me though, it's kind of difficult. You've got this tension between... it's interesting, Europeans tend to have very strong collection laws, like you have to keep logs for a certain period of time, but at the same time they have very strong privacy laws, so there's a tension there. Skilled resources: I don't know about you, but even with the downturn it's tough to find good security people. I think there are a lot of people who come out with their Cisco certified whatever, and they don't know the first thing about how to actually secure anything, which is tough. And then finally, we see this quite often in the software security space: a lot of the tools that are out there were built for developers
0:18:50.370 and for performance, and not for security. So you see people using tools to disassemble malware that were built for reverse engineering for software purposes and not for security purposes. Anyway, so what I'm going to talk about briefly is not new. I was actually cleaning out an old drive and I found this presentation from 2000. I used to give this briefing when I was in the Air Force CERT, and we would talk about the history of our unit, and back in 1993 we were deploying what we call network security monitoring systems, and the NSM term comes from the first network-based IDS, that Todd wrote at UC Davis in '89. So this is, wow, that's twenty years; I feel freaking old right now, it's amazing. So this is not a new thing, and I wrote a book about this in 2004, so that's five years ago now. So this is not new; the funny thing is vendors are finally starting to catch up with it, and they call them network forensic appliances and they charge you fifty thousand dollars for the enterprise. That's right, yeah, enterprise means expensive, I like that, that's good. And GUI, that's right, and somebody you can complain to who can't really answer your problems. Alright, so I present this because I
0:20:18.649 don't want to take credit for this approach, because people were doing this; I came in around here, but we were doing this earlier, so I learned from people who invented this stuff. You know, wow, that's like fifteen years ago. Alright, so why network sensors? I have to say some of the artwork I saw in these presentations was so awesome, I feel that mine's terrible. I mean, the Lego stuff, that was great; I need to do like a little Lego pyramid. I really like that, but this is different. I wondered where you got your bricks from; I have to like raid my kids' Lego. That is funny, that is good though; I'm a visual, I was right in there with the bricks. So, I call this my top security enterprise trust pyramid. I ripped this out of something I used to do when I was a consultant, and basically it's a justification for why it's good to have network sensors, and the idea is this: this is the least trusted part and this is the most trusted; that's low user interaction and this is high user interaction, and this is also in terms of the numbers of devices. So in an enterprise you tend to have the most user platforms: desktops, laptops, phones, all that kind of stuff. Above that you have servers, above that you have infrastructure, routers, firewalls, things like that, and above that you have sensors. So I trust these the least because,
0:21:56.350,0:21:57.920 well because there are these 0:21:57.920,0:21:59.390 users 0:21:59.390,0:22:01.800 right and users are doing things like 0:22:01.800,0:22:03.440 interacting with the system 0:22:03.440,0:22:06.229 if they didn’t interact with the system I would probably trust it more 0:22:06.229,0:22:08.090 but because they’re on the system 0:22:08.090,0:22:09.950 they could be running as an admin 0:22:09.950,0:22:11.850 they're going to all these 0:22:11.850,0:22:13.620 you know malicious web sites 0:22:13.620,0:22:15.770 even normal web sites 0:22:15.770,0:22:18.940 that have been owned or are injecting malicious job descripts or whatever 0:22:18.940,0:22:21.430 so the more user interaction there is 0:22:21.430,0:22:24.889 the less likely I’m going to trust what the system tells me 0:22:24.889,0:22:26.600 so why get on a system and I say 0:22:26.600,0:22:29.680 tell me how you're feeling you know what your state 0:22:29.680,0:22:34.190 I'm not going to trust that system eighty is generally worthless 0:22:34.190,0:22:36.960 you have to get outside of the this is the key point 0:22:36.960,0:22:41.070 you have to get away from these things you have to get outside the system to get of you 0:22:41.070,0:22:41.970 whether or not 0:22:41.970,0:22:43.520 you should trust it 0:22:43.520,0:22:44.750 but that's not the case right 0:22:44.750,0:22:49.260 we're moving more and more to pushing all the security down to the end point 0:22:49.260,0:22:50.560 so like my laptop defends itself 0:22:50.560,0:22:52.380 my phone defends itself 0:22:52.380,0:22:53.869 guess what if they fail 0:22:53.869,0:22:56.950 the whole model fails as well 0:22:56.950,0:23:00.110 so above this we have servers I trust servers a little bit more 0:23:00.110,0:23:01.710 because if you're a good admin 0:23:01.710,0:23:03.019 you're not surfing 0:23:03.019,0:23:06.370 MySpace on your Windows server 0:23:06.370,0:23:08.070 right well you’re not on a Windows server 0:23:08.070,0:23:13.590 but well 
you can admin on a Windows server but you know what I mean 0:23:13.590,0:23:16.710 well because I think that's right that's true 0:23:16.710,0:23:18.960 above that you have infrastructure 0:23:18.960,0:23:20.140 no one should be 0:23:20.140,0:23:21.530 in general 0:23:21.530,0:23:24.050 like no user is directly 0:23:24.050,0:23:25.450 dealing with a firewall 0:23:25.450,0:23:27.309 if a user is logging into a firewall 0:23:27.309,0:23:28.980 there’s a problem right 0:23:28.980,0:23:32.080 a user doesn't necessarily log into a server but he uses services on the server right 0:23:32.080,0:23:34.840 so I tend to trust this even more 0:23:34.840,0:23:38.330 because you just can't touch them 0:23:38.330,0:23:43.230 the number of people who deal with the infrastructure in general is smaller than the number of people who deal with servers 0:23:43.230,0:23:46.150 and in many cases the infrastructure is completely 0:23:46.150,0:23:48.630 you know invisible 0:23:48.630,0:23:52.890 alright how many people like interact with a router when you're sending traffic through 0:23:52.890,0:23:54.970 no you know it passes traffic 0:23:54.970,0:23:57.520 same with the firewall blocks it allows it whatever 0:23:57.520,0:23:58.649 so I tend to trust 0:23:58.649,0:24:01.600 what this will tell me even more because there's less user action 0:24:01.600,0:24:03.690 the final stage here is my sensor 0:24:03.690,0:24:06.390 the sensors completely pass it 0:24:06.390,0:24:09.210 most of the people in the company might not even know it exists 0:24:09.210,0:24:11.139 which is which is good in most cases 0:24:11.139,0:24:14.760 unless you want a deterrent effect 0:24:14.760,0:24:16.390 so I can get data from the sensor 0:24:16.390,0:24:18.390 typically like in my team 0:24:18.390,0:24:21.960 there's only two people that even know the route password 0:24:21.960,0:24:24.270 we could heavily defend these things 0:24:24.270,0:24:26.159 we can have them defend 0:24:26.159,0:24:27.549 each other 
0:24:27.549,0:24:28.620 like watch each other 0:24:28.620,0:24:31.529 so I tend to have a very very high confidence to what the sensor is telling me 0:24:31.529,0:24:33.530 as opposed to 0:24:33.530,0:24:35.180 what a user platform is telling me 0:24:35.180,0:24:35.980 so if I’m 0:24:35.980,0:24:37.799 if I’m on a user platform 0:24:37.799,0:24:41.290 and I'm looking around for evidence of a rootkit and I see nothing 0:24:41.290,0:24:44.140 but up here in my sensor showing traffic going by 0:24:44.140,0:24:47.220 out to some site in Brazil 0:24:47.220,0:24:48.490 then I can say 0:24:48.490,0:24:50.070 alright we have a problem here 0:24:50.070,0:24:51.120 so this is why I like 0:24:51.120,0:24:54.020 to itroduce these sorts of devices 0:24:54.020,0:24:55.070 let me talk a little bit 0:24:55.070,0:24:55.959 to about 0:24:55.959,0:24:57.560 least trusted and most trusted 0:24:57.560,0:24:59.840 if you had to rank operating systems here 0:24:59.840,0:25:01.830 would you put Windows up here 0:25:01.830,0:25:02.899 and BSD here 0:25:02.899,0:25:06.150 or the other way around right 0:25:06.150,0:25:11.010 so I like to use BSD especially for my sensors 0:25:11.010,0:25:13.510 because I introduce what we call a technology gap 0:25:13.510,0:25:16.789 my company we use a lot of Windows as you might imagine 0:25:16.789,0:25:19.230 and we use a lot of Linux 0:25:19.230,0:25:22.820 we don't use a lot of BSD in fact I’m probably the only BSD 0:25:22.820,0:25:24.770 shop in the company that I know of 0:25:24.770,0:25:25.729 but that's good 0:25:25.729,0:25:28.090 because if you’re a bad guy and you get inside the company 0:25:28.090,0:25:31.850 and you root our Windows infrastructure and you root our Linux infrastructure 0:25:31.850,0:25:34.420 and then you find some BSD boxes 0:25:34.420,0:25:36.530 and we administer them ourselves 0:25:36.530,0:25:39.020 it's going to take a lot more work to get into this 0:25:39.020,0:25:41.930 and we’re probably did notice when you're trying 
to get into our systems 0:25:41.930,0:25:44.220 so it does not make sense and I’ve seen 0:25:44.220,0:25:47.450 we get a lot of pressure on this internally and I’ve seen it in other companies 0:25:47.450,0:25:49.740 to have our sensing 0:25:49.740,0:25:50.180 infrastructure 0:25:50.180,0:25:53.679 be integrated with the rest of the company infrastructure 0:25:53.679,0:25:54.930 right oh just have you know 0:25:54.930,0:25:58.190 have our hosted Linux service 0:25:58.190,0:26:00.059 where you know you can have 0:26:00.059,0:26:01.870 potentially all these admins you don't know 0:26:01.870,0:26:04.960 on another continent logging into your devices 0:26:04.960,0:26:07.280 no way you know I want a gap I want 0:26:07.280,0:26:09.580 the stuff that we have to protect 0:26:09.580,0:26:10.730 not be 0:26:10.730,0:26:12.470 the same as what’s using 0:26:12.470,0:26:13.170 or not be 0:26:13.170,0:26:15.740 the same systems that we’re using to watch this 0:26:15.740,0:26:16.729 so I introduced BSD as 0:26:16.729,0:26:18.540 as a new operating system to 0:26:18.540,0:26:23.110 watch this yes 0:26:23.110,0:26:27.950 so the question was do I stay on the Intel platform 0:26:27.950,0:26:30.750 I actually bring up that point in my forensics talks 0:26:30.750,0:26:32.780 I am on an Intel platform 0:26:32.780,0:26:34.370 for my sensors 0:26:34.370,0:26:37.250 however 0:26:37.250,0:26:40.130 depending on how you want to do forensics for example 0:26:40.130,0:26:43.710 I have done cases where I had one tax stack where I’ve got 0:26:43.710,0:26:46.730 you know Intel Windows 0:26:46.730,0:26:48.180 Toolex 0:26:48.180,0:26:48.780 whatever 0:26:48.780,0:26:51.119 and in another platform where I’ve got 0:26:51.119,0:26:52.559 Power PC 0:26:52.559,0:26:53.420 Debian 0:26:53.420,0:26:55.560 blah blah blah blah blah and something completely different 0:26:55.560,0:26:58.740 and I will say by the way 0:26:58.740,0:27:04.310 I don't run the one sytem I expose in my home lab is not an Intel 
system 0:27:04.310,0:27:06.940 it's a Mac mini 0:27:06.940,0:27:08.550 and it’s running Debian on top 0:27:08.550,0:27:11.789 I tried to put on BSD I had a problem I don’t know what that was 0:27:11.789,0:27:13.109 probably user error but 0:27:13.109,0:27:15.310 so Debian is running on that and what’s 0:27:15.310,0:27:18.529 nice about that is do you remember when the Debian the SSL stuff when was that 0:27:22.789,0:27:24.340 that happened recently 0:27:24.340,0:27:27.360 all of the pre-compiled exploits for that 0:27:27.360,0:27:30.570 %uh and all of the pre-compiled keys 0:27:30.570,0:27:34.230 they shell code was all wrong because I was running Power PC 0:27:34.230,0:27:36.240 and like when I did my 0:27:36.240,0:27:38.050 update or whatever I was like oh 0:27:38.050,0:27:39.110 I wonder if I’m affected by that 0:27:39.110,0:27:42.160 and it kept saying I wasn't even though I knew I was because the 0:27:42.160,0:27:44.270 you know I had the vulnerable library version 0:27:44.270,0:27:46.809 I was like that's right this isn’t an Intel box 0:27:46.809,0:27:48.170 it's a Power PC box 0:27:48.170,0:27:52.120 so I do use that diversity argument in very very limited situations 0:27:52.120,0:27:55.180 but it would be really expensive for me to say buy 0:27:55.180,0:27:57.639 you know eighty 0:27:57.639,0:28:01.710 I don't know I’m not even sure what I would use these days it would be tough to find that I could get 0:28:01.710,0:28:03.070 a good price and everything 0:28:03.070,0:28:06.460 so I have to make some compromises there 0:28:06.460,0:28:10.419 but that’s not a bad idea if you have to have some kind of like central server that was going to like watch everything maybe 0:28:10.419,0:28:12.559 you need to go that extra step to make it 0:28:12.559,0:28:15.580 even more diverse 0:28:15.580,0:28:18.380 alright so I’d like to talk just for a minute about what I do 0:28:18.380,0:28:21.320 like to deploy 0:28:21.320,0:28:23.190 um what’s my time here 
0:28:23.190,0:28:29.300 so I'm involved with this open source project called SGUIL S-G-U-I-L 0:28:29.300,0:28:32.780 SGUIL doesn't stand for anything officially 0:28:32.780,0:28:38.180 but it originally when we first wrote it in like by the way Bam Busher is the lead developer he’s probably actually the only developer 0:28:38.180,0:28:42.360 the rest of us are just lamers 0:28:42.360,0:28:43.820 that's what the L means 0:28:43.820,0:28:46.660 originally it was snort GUI for lamers 0:28:46.660,0:28:48.900 %uh but then a couple people who got it 0:28:48.900,0:28:52.490 well we didn't get the joke they got a software like I’m not a lamer I’m not going to use your software 0:28:52.490,0:28:54.220 well I don’t care if you use it or not 0:28:59.890,0:29:01.540 yeah right 0:29:01.540,0:29:04.060 But we felt okay that’s kind of 0:29:04.060,0:29:09.860 we’ll just call it SGUIL it doesn’t mean anything 0:29:09.860,0:29:13.670 So I’m going to talk to you about SGUIL but the thing about SGUIL to remember is 0:29:13.670,0:29:15.310 it's open source it runs on 0:29:15.310,0:29:16.460 you know Picker 0:29:16.460,0:29:18.080 Distrobe Choice 0:29:18.080,0:29:19.970 or Flavor whatever you want 0:29:19.970,0:29:22.080 it's more about the data and less about the tool 0:29:22.080,0:29:24.690 so you could potentially implement this with your own tools 0:29:24.690,0:29:26.850 %uh even commercial if you wanted to 0:29:26.850,0:29:29.350 %um it’s really 0:29:29.350,0:29:32.419 about way of getting data and thinking about it and less about the actual 0:29:32.419,0:29:37.020 the actual tool 0:29:37.020,0:29:38.400 you know this guy it’s Elvis 0:29:38.400,0:29:44.900 you know what martial art he studied 0:29:49.720,0:29:51.000 so here’s Elvis 0:29:51.000,0:29:53.750 and Elvis is the patron saint of this system 0:29:53.750,0:29:56.380 I don't know why it's been a long time 0:29:56.380,0:29:57.230 but %uh 0:29:57.230,0:30:00.609 I love Elvis because he’s in his Kenpo karate stance 
0:30:00.609,0:30:02.480 and his stance is like this 0:30:02.480,0:30:08.860 which it would take him like a week to get out of his fight stance to do anything 0:30:08.860,0:30:12.610 I actually won some concert tickets by stumping an Elvis expert on a radio station here 0:30:12.610,0:30:13.399 in DC- 0:30:13.399,0:30:16.120 I called and said what style of martial arts did he 0:30:16.120,0:30:18.590 he’s like oh karate I’m like what style 0:30:18.590,0:30:20.080 oh I don't know 0:30:20.080,0:30:21.070 Kenpo karate well 0:30:21.070,0:30:22.559 who was his masters’ name 0:30:22.559,0:30:23.670 uh Ed Parker 0:30:23.670,0:30:29.540 and they were like oh you just won those tickets you stumped the Elvis expert 0:30:29.540,0:30:34.540 so here you have Elvis I’m going to contrast these two methods of doing investigations right 0:30:34.540,0:30:35.870 so you’ve got Elvis 0:30:35.870,0:30:38.640 he’s your analyst you don’t want to piss him off 0:30:38.640,0:30:40.289 he’s Elvis 0:30:40.289,0:30:43.799 he’ll hit you with his magic karate shot 0:30:43.799,0:30:47.580 he gets an alert via some system right well not these days he’s looking trim man 0:30:47.580,0:30:50.900 by the way if you’ve ever watched him in concert 0:30:50.900,0:30:53.970 he’s doing Kenpo like throughout the concert all the moves 0:30:53.970,0:30:55.910 he’s doing 0:30:55.910,0:30:56.269 he’s doing Kenpo 0:30:56.269,0:30:59.089 you zoom in he’s got a Kenpo patch on whatever he's wearing 0:30:59.089,0:31:01.279 you look at his guitar it’s got the Kenpo patch on it 0:31:01.279,0:31:05.300 like once you’re exposed to the fact that he did this style it's everywhere 0:31:05.300,0:31:06.470 in fact there was one 0:31:06.470,0:31:11.210 he did a concert once actually he didn't do a concert he attended somebody else’s concert 0:31:11.210,0:31:15.190 and I don't know who it was like Johnny Cash or something but he saw him in the audience 0:31:15.190,0:31:16.370 he’s like Elvis do you want to come up here 
0:31:16.370,0:31:17.910 you know do a song with me 0:31:17.910,0:31:19.800 and he’s like oh sorry you know 0:31:19.800,0:31:22.880 I'm under contract I can only perform at this 0:31:22.880,0:31:23.570 one casino 0:31:23.570,0:31:27.360 but I’ll tell you what I’ll come on stage and do karate 0:31:30.100,0:31:32.190 so this guy is doing his performance and Elvis is just jumping on doing karate 0:31:32.190,0:31:34.530 I’ve got to find a video of that that would be great 0:31:34.530,0:31:36.720 so anyway Elvis is here 0:31:36.720,0:31:39.440 and his job is to find intruders 0:31:39.440,0:31:41.150 so he gets his console and he gets and alert 0:31:41.150,0:31:41.990 and he looks at it and he’s like 0:31:41.990,0:31:43.520 alright well 0:31:43.520,0:31:45.230 I’ve got to figure out if this matters 0:31:45.230,0:31:48.470 so what do I have to work with 0:31:48.470,0:31:50.960 well I have other alerts like a picture in front of some Cisco device 0:31:50.960,0:31:53.870 like in that range or whatever they are these days 0:31:53.870,0:31:56.940 so he creates the database and he gets more alerts 0:31:56.940,0:31:59.800 and he says well this is nice but I can’t tell if any of this matters 0:31:59.800,0:32:02.770 so that's the end of the line 0:32:02.770,0:32:05.940 right at this point he’s got two options he can either ignore it 0:32:05.940,0:32:10.240 or he can satisfy his fifteen minute SOA that his customer pays three thousand dollars a month 0:32:10.240,0:32:10.860 for 0:32:10.860,0:32:11.940 call the customer and say 0:32:11.940,0:32:13.059 I saw this 0:32:13.059,0:32:14.650 I don't know what it means 0:32:14.650,0:32:17.110 ball is in your court goodbye 0:32:17.110,0:32:21.360 so I don't how many of you have you had that experience with an MSSP but that’s very very common 0:32:21.360,0:32:22.869 so to me this is 0:32:22.869,0:32:27.620 that's completely worthless so this is the alternative I propose 0:32:27.620,0:32:30.550 so see already you can see there’s more lines so 
that must be good right 0:32:30.550,0:32:32.030 so you got Elvis 0:32:32.030,0:32:35.319 he queries his data he get’s an alert he queries the database he gets the same alert 0:32:35.319,0:32:39.050 but now the difference is he has some data to look at 0:32:39.050,0:32:42.499 so in other words it’s no just an IDS or whatever generate alerts 0:32:42.499,0:32:44.470 there’s some evidence to review 0:32:44.470,0:32:46.880 and the key idea behind NSM is 0:32:46.880,0:32:47.869 the evidence 0:32:47.869,0:32:51.700 is collected whether or not it has security value 0:32:51.700,0:32:55.110 that's not quite right what I mean is you’re always collecting data 0:32:55.110,0:32:57.350 because you don't know what is useful 0:32:57.350,0:32:58.430 in other words 0:32:58.430,0:33:00.360 if you knew what was bad 0:33:00.360,0:33:03.159 why don't you just stop it 0:33:03.159,0:33:05.709 that is the whole fallacy of security right like 0:33:05.709,0:33:07.359 the whole thing IDS was 0:33:07.359,0:33:11.350 if you could detect it why can’t you prevent it oh yeah 0:33:11.350,0:33:14.860 right so you invent this whole IPS category which is a silver bullet which 0:33:14.860,0:33:17.270 did really nothing 0:33:17.270,0:33:21.780 but the idea is yeah you can detect it’s bad why don’t you just stop it well of course that makes a lot of 0:33:21.780,0:33:22.219 sense 0:33:22.219,0:33:24.840 so you have a lot of stopping bad stuff 0:33:24.840,0:33:28.250 but then there’s other bad stuff that’s happening because you don't know it is bad right now 0:33:28.250,0:33:29.899 I mean 0:33:29.899,0:33:34.140 I learned these techniques dealing with 0:33:34.140,0:33:35.820 intruders 0:33:35.820,0:33:38.399 I’ll date myself but in 1998 0:33:38.399,0:33:39.509 intruders in China 0:33:39.509,0:33:41.049 who had writtten their own 0:33:41.049,0:33:44.010 virtualisation platform on top of Solaris 0:33:44.010,0:33:46.159 who were doing stuff we were like holy cow 0:33:46.159,0:33:48.540 because we had no idea 
that they could do that sort of thing 0:33:48.540,0:33:51.879 so there was no system that was going to detect because we didn't even know it existed 0:33:51.879,0:33:54.530 but guess what we were keeping track of everything that was happening 0:33:54.530,0:33:56.330 and once we knew what to look for 0:33:56.330,0:34:00.380 we checked our data like holy crap they’ve been in here since two years ago 0:34:00.380,0:34:03.230 right this slide that I showed you here 0:34:03.230,0:34:07.240 when we started putting out these sensors there was huge resistance 0:34:07.240,0:34:08.459 this was like 0:34:08.459,0:34:13.399 oh man we’re the air force we just defeated Iraq the fourth biggest army in the world we kick ass 0:34:13.399,0:34:15.739 there can’t be anybody inside of our network and we’re like 0:34:15.739,0:34:19.460 please please can we put a few sensors out there and they’re like all right but you guys are wasting your 0:34:19.460,0:34:20.029 time 0:34:20.029,0:34:23.690 so we put our sensors out and what do you think what did we find 0:34:23.690,0:34:24.720 we were owned 0:34:25.650,0:34:26.230 everywhere 0:34:26.230,0:34:27.569 up down left right 0:34:27.569,0:34:29.499 it was terrible right we were completely owned 0:34:29.499,0:34:31.329 because nobody was watching 0:34:31.329,0:34:33.129 and then after that 0:34:33.129,0:34:37.159 boom that’s when everything took off 0:34:37.159,0:34:40.859 so the key here is that you get your alert but then you have data to look at and the two 0:34:40.859,0:34:43.939 %uh well I should say three main forms of data you collect 0:34:43.939,0:34:45.370 we collected alerts but 0:34:45.370,0:34:46.269 we’re also 0:34:46.269,0:34:47.780 just logging all the flows we see 0:34:47.780,0:34:50.779 we call it session data but it’s just flows 0:34:50.779,0:34:52.999 and we deploy our own software to log the flows 0:34:52.999,0:34:56.460 but the key is we don't log the flows that are associated with the alert we log 0:34:56.460,0:34:57.789 
all flows 0:34:57.789,0:34:59.689 so you don’t have to know what support beforehand 0:34:59.689,0:35:01.619 you just keep track of everything 0:35:01.619,0:35:02.840 and once you know what to look for 0:35:02.840,0:35:04.259 you go look for it 0:35:04.259,0:35:08.739 I kind of liken it to the Splunk model like I how many people have used Splunk 0:35:08.739,0:35:10.609 right Splunk is really awesome right 0:35:10.609,0:35:13.719 Splunk is the place you go when you know what to look for 0:35:13.719,0:35:15.740 you generally don't have Splunk tell you stuff 0:35:15.740,0:35:16.679 I mean you can 0:35:16.679,0:35:18.150 but for the most part 0:35:18.150,0:35:21.910 you want to be there when you need to ask the question and have some response 0:35:21.910,0:35:24.470 it's the same thing with this once I know what to look for 0:35:24.470,0:35:25.309 I need a place to go look 0:35:25.309,0:35:28.169 so I query my sessions and I’m like oh well look 0:35:28.169,0:35:29.040 this guy 0:35:29.040,0:35:32.709 just reached out via FTP and grabbed his tools 0:35:32.709,0:35:35.109 guess what most hackers these days still do this 0:35:35.109,0:35:36.189 right they aren’t like 0:35:36.189,0:35:38.319 STP-ing out or whatever 0:35:38.319,0:35:40.489 yeah go grab their tools over FTP 0:35:40.489,0:35:41.439 excuse me well 0:35:41.439,0:35:43.280 they grab their tools over FTP 0:35:43.280,0:35:45.939 while they’re doing that I’m logging all the packet data 0:35:45.939,0:35:51.379 and a lot of people used to say oh Bejtlich you’re crazy who can log packet data on all their gateways 0:35:51.379,0:35:52.829 the NSA does 0:35:52.829,0:35:55.639 so guess what we can too right it’s not that tough 0:35:55.639,0:35:58.500 %uh most network connections are 0:35:58.500,0:36:00.079 DS3s or less 0:36:00.079,0:36:03.509 at least the outbound ones to the internet 0:36:03.509,0:36:05.579 so you could log a lot of packet data 0:36:05.579,0:36:07.809 I mean hard drives are cheap 0:36:07.809,0:36:12.589 
they're cheap so you can grab a lot of data 0:36:12.589,0:36:18.589 yeah question what do you use to dump all the data I’ll walk you through all of it yup yes my question is so I’m located my servers are in Maryland 0:36:20.819,0:36:23.099 yes I’m an ISP what happens when I get stuff from Massachussetts or California and they’re going you can’t do that 0:36:27.329,0:36:28.269 yes okay so there’s two things 0:36:28.269,0:36:32.709 the first thing I thought you were going to go down was I’m an ISP do I do this for my 0:36:32.709,0:36:33.949 customers the answer would be no 0:36:33.949,0:36:37.429 %uh I would do this for my infrastructure 0:36:37.429,0:36:40.489 as far as the privacy stuff goes 0:36:40.489,0:36:44.589 we're we’re wrestling with ourselves and what I end up doing is typically 0:36:44.589,0:36:46.899 scaling back to what the law will allow 0:36:46.899,0:36:50.660 and then showing that it's either adequate or not adequate 0:36:50.660,0:36:56.319 and then I take it to the lawyers and say we have to somehow push back against this 0:36:56.319,0:36:57.630 %uh but okay 0:36:57.630,0:37:00.229 so imagine that you do the full content though 0:37:00.229,0:37:06.089 and by the way this isn’t theoretical we do this all the time I have a reverse engineer on my staff who 0:37:06.089,0:37:10.589 when we see machines mission going down pulling their binaries when the machines are owned 0:37:10.589,0:37:12.399 I pass in the traffic 0:37:12.399,0:37:14.219 he pulls out the 0:37:14.219,0:37:15.260 exe 0:37:15.260,0:37:19.160 he reverses it figures out what it does and now we go into the next stage of insert-response 0:37:19.160,0:37:21.249 so it can be done 0:37:21.249,0:37:24.869 so then we say oh shoot it uses this back door we go back and look in the sessions and we say 0:37:24.869,0:37:27.879 oh I see this back door let's go and look at the traffic 0:37:27.879,0:37:29.350 and it just keeps going so 0:37:29.350,0:37:36.350 the idea is that this isn’t the end of the 
investigation it’s the beginning the investigation 0:37:36.579,0:37:37.369 sure 0:37:37.369,0:37:39.059 can it be done 0:37:39.059,0:37:41.209 it’s easy to do and can be done completely free 0:37:41.209,0:37:42.249 yes 0:37:42.249,0:37:44.220 yes and that is very true 0:37:44.220,0:37:45.249 everything that I’ve shown here 0:37:45.249,0:37:48.249 you could literally walk out of here 0:37:48.249,0:37:50.619 go into the freeBSD ports tree find a SGUIL ports 0:37:52.119,0:37:54.840 do your make I mean the ports are a little ugh 0:37:54.840,0:37:58.029 I'm not 0:37:58.029,0:37:59.730 you don’t want to slam a guy who 0:37:59.730,0:38:01.190 volunteers and makes ports right 0:38:01.190,0:38:05.700 but there’s still a decent amount of work that you have to do once the ports are installed it’s good for basically 0:38:05.700,0:38:09.880 satisfying dependencies and so forth 0:38:09.880,0:38:12.879 so this is the implementation we use as far as software stack 0:38:12.879,0:38:14.699 for %uh alert data 0:38:14.699,0:38:17.459 we use Snort 0:38:17.459,0:38:22.799 I’m starting to I’ve used Bro a little bit I’m starting to integrate Bro though 0:38:22.799,0:38:26.949 full content data I tend to use Demon Logger 0:38:26.949,0:38:29.029 it’s Marty Rush’s implementation of Packet Logger 0:38:29.029,0:38:30.069 for session data 0:38:30.069,0:38:34.539 I use SANCP which is sort a friend of Myrobe which you can sort of see some other options there 0:38:34.539,0:38:36.469 and then statistical data 0:38:36.469,0:38:38.939 you know think MRTGA type of thing that 0:38:38.939,0:38:40.949 shows you traffic over time or whatever 0:38:40.949,0:38:45.979 %um and the nice thing is SGUIL is the interface to a lot of this and you know 0:38:45.979,0:38:47.619 I’m going to show you what that looks like 0:38:47.619,0:38:50.709 by the way so this is it in a picture 0:38:50.709,0:38:52.289 so what is SGUIL well 0:38:52.289,0:38:54.949 okay yes this is a Windows screenshot 0:38:54.949,0:39:00.159 it 
shows that you can run your BSD back end on the servers and then have your boss uses Windows 0:39:00.159,0:39:00.769 GUI 0:39:00.769,0:39:02.189 and log into it 0:39:02.189,0:39:03.159 and %uh 0:39:03.159,0:39:07.559 again this isn’t about the tool as much as the data and the way you investigate it but 0:39:07.559,0:39:08.989 here’s the screenshot so 0:39:08.989,0:39:11.890 you can see we have a console here 0:39:11.890,0:39:16.509 and these are our store alerts coming in and by the way it can be other things we've got it 0:39:16.509,0:39:20.469 this isn't a sim incidentally we were talking just a few minutes ago like 0:39:20.469,0:39:22.380 the way we describe it is 0:39:22.380,0:39:23.259 with a sim 0:39:23.259,0:39:26.170 you could put ABCD all the way through W 0:39:26.170,0:39:27.200 into a sim 0:39:27.200,0:39:28.819 and it’d still be garbage 0:39:28.819,0:39:31.449 but with this we pick the X Y and Z that we 0:39:31.449,0:39:34.109 think give you the best value 0:39:34.109,0:39:37.619 so for us those are alert sessions and and full content 0:39:37.619,0:39:39.650 so you’ve got your interface here 0:39:39.650,0:39:43.670 and we try to present as much information on one screen without having to do a bunch of window 0:39:43.670,0:39:44.889 management 0:39:44.889,0:39:46.839 yes it is TCL/TK 0:39:46.839,0:39:50.599 we started this back in 2001 0:39:50.599,0:39:54.009 but it works it you know it’s fine it’s platform 0:39:54.009,0:39:56.349 so here’s the packet that caused the alert 0:39:56.349,0:39:58.349 here is the of 0:39:58.349,0:40:00.100 the rule that caused the alert 0:40:00.100,0:40:02.160 and in most systems this is what you would get 0:40:02.160,0:40:05.079 right you're left deciding if it's okay 0:40:05.079,0:40:09.039 in an HTTP transaction 0:40:09.039,0:40:12.460 for someone to have put through what looks like the output of an ID command on Unix 0:40:12.460,0:40:14.779 where the result was 0:40:14.779,0:40:16.179 UID zero 0:40:16.179,0:40:19.529 is 
that good or is that bad I mean you’d probably say that sounds bad 0:40:19.529,0:40:24.219 but once you do the analysis you’ll find out it's not the question is you have to make that decision 0:40:24.219,0:40:25.760 and every vendor that I’ve met 0:40:25.760,0:40:26.839 they leave you here 0:40:26.839,0:40:28.399 and they abandon you 0:40:28.399,0:40:29.479 they say 0:40:29.479,0:40:31.439 good luck I’ve given you the packet 0:40:31.439,0:40:33.329 like you’ll talk to the source buyer guys they’re like 0:40:33.329,0:40:36.199 I gave you the packet what more do you need 0:40:36.199,0:40:37.639 I need to know if it matters 0:40:37.639,0:40:41.569 and you’re like well 0:40:41.569,0:40:42.889 I 0:40:42.889,0:40:46.549 can give you the packet look 0:40:46.549,0:40:48.680 yeah packet so what it’s a packet 0:40:48.680,0:40:52.439 I can tell there’s a packet here yes there’s a packet and yes it’s nice that you gave me a nice open rule so I can tell how it 0:40:52.439,0:40:55.140 came to its decision unlike you know a closed system 0:40:55.140,0:40:56.150 you can't tell 0:40:56.150,0:40:58.240 but I have to tell if this matters for me 0:40:58.240,0:40:59.859 what do you do next 0:40:59.859,0:41:03.769 we could do a couple things one thing you can do is build transcript 0:41:03.769,0:41:05.550 the transcript is 0:41:05.550,0:41:06.510 all of the 0:41:06.510,0:41:08.380 session in this case 0:41:08.380,0:41:12.719 rendered through in this case we use TCP flow so we say 0:41:12.719,0:41:13.789 literally right-click 0:41:13.789,0:41:15.379 give me your transcript 0:41:15.379,0:41:16.740 system goes out to the sensor 0:41:16.740,0:41:18.369 pulls back the P cap data 0:41:18.369,0:41:20.319 renders it in TCP flow 0:41:20.319,0:41:21.259 colors the blue 0:41:21.259,0:41:24.249 %uh the source the red is the destination 0:41:24.249,0:41:26.079 so you can see that my system 0:41:26.079,0:41:31.009 visited the www.testmyids.com site 0:41:31.009,0:41:32.320 and it replied 
0:41:32.320,0:41:34.009 with the content 0:41:34.009,0:41:36.159 so 0:41:36.159,0:41:37.679 there is no like 0:41:37.679,0:41:39.289 back door on port 80 here 0:41:39.289,0:41:40.689 this is a 0:41:40.689,0:41:47.119 by the way the other thing that’s nice is that I came through this proxy and whatever 0:41:47.119,0:41:50.779 if I’m dealing with a binary protocol like let’s say SNB or RPC or something that doesn’t 0:41:50.779,0:41:52.249 render well as text 0:41:52.249,0:41:56.849 that's same right-click you can instead choose to dump it into Wireshark 0:41:56.849,0:41:58.099 so here’s the Wireshark data 0:41:58.099,0:42:00.829 and you can use anything you want to do for Wireshark at this point 0:42:00.829,0:42:01.900 this is fast right 0:42:01.900,0:42:05.699 I don’t know how many of you have had to do this by hand 0:42:05.699,0:42:08.570 you know you SSH out to the sensor find a pcat file 0:42:08.570,0:42:10.709 come up with a BPF in your head 0:42:10.709,0:42:12.119 you know run it 0:42:12.119,0:42:13.890 copy it someplace no this is 0:42:13.890,0:42:15.359 right-click right-click right-click I’ve got all my data 0:42:17.130,0:42:20.909 if you want to see well have I ever gone to this IP address before 0:42:20.909,0:42:23.219 I query for my sessions and I say 0:42:23.219,0:42:27.459 you know in this case it’s a sequel query on that desk IP 0:42:27.459,0:42:30.770 and by the way you can right-click and do a default query or else if you know what the schema looks like you can just modify it by hand 0:42:37.369,0:42:40.139 and I think that’s it 0:42:40.139,0:42:41.820 so if you want to try any of that 0:42:41.820,0:42:44.889 like I said %uh the ports exist 0:42:44.889,0:42:49.399 I maintain some really really really really lame scripts that automate this 0:42:49.399,0:42:52.190 but I need to install it on my home gateway or something like that 0:42:52.190,0:42:56.319 They’re more of just a reference 0:42:56.319,0:42:57.140 but that’s what I do on BSD as far as 
network security monitoring goes 0:42:57.140,0:43:03.609 I’d be happy to answer any questions 0:43:03.609,0:43:09.139 yes 0:43:09.139,0:43:14.049 what additional features are you looking for in the future I would say for SGUIL for new features the first thing is resolve 0:43:14.049,0:43:15.700 intellectual property 0:43:15.700,0:43:16.140 because 0:43:16.140,0:43:19.469 I hired Bam as my lead incident handler at GE 0:43:19.469,0:43:20.439 so 0:43:20.439,0:43:21.780 we need to figure out 0:43:21.780,0:43:24.940 if he works on it at work 0:43:24.940,0:43:27.640 can we release it well first of all can he even work on it at work 0:43:27.640,0:43:29.130 and secondly if he does 0:43:29.130,0:43:33.189 can we release so we're trying to work out those I think it'll be resolved postively 0:43:33.189,0:43:35.119 because we're GE’s actually fairly pro-open-source 0:43:36.849,0:43:41.189 I told the CEO of the company that this thing used my sequel as a back end and 0:43:41.189,0:43:42.229 he’s like I love my sequel 0:43:42.229,0:43:43.680 okay 0:43:43.680,0:43:45.470 he’s like you’ve got your money I’m like oh 0:43:45.470,0:43:47.089 okay that’s all I had to say great 0:43:47.089,0:43:50.969 %uh he hates Microsoft he hates the company 0:43:53.819,0:43:58.789 so we wanted once we get that result we want to probably introduce other data sources 0:43:58.789,0:43:59.549 so introduce like Bro plugin 0:44:01.090,0:44:02.240 some other agents 0:44:02.240,0:44:03.799 they could accept other data 0:44:03.799,0:44:05.470 %uh we need to have 0:44:05.470,0:44:07.789 some kind of reporting mechanism 0:44:07.789,0:44:08.610 because people don't know 0:44:08.610,0:44:11.589 what comes out once you put it in 0:44:11.589,0:44:16.329 there's been some talk about making this turn into a Splunk base application 0:44:16.329,0:44:18.119 so all the data goes into Splunk 0:44:18.119,0:44:25.119 I mean you could you'd do like use Splunk as the interface so that's a possibility 0:44:28.909,0:44:33.859 
yeah Splunk is remarkably cheap for an enterprise app though we’ve bought like giant licenses 0:44:33.859,0:44:34.669 that have not 0:44:34.669,0:44:38.399 I mean they've been like five-figure purchases which is really good considering how many gigabytes of data 0:44:38.399,0:44:39.489 we’re indexing 0:44:39.489,0:44:41.789 but you know for the 0:44:41.789,0:44:46.170 situation here it would be an option because the free Splunk is 500 MB a day 0:44:46.170,0:44:49.229 so it's not that 0:44:49.229,0:44:56.229 any other questions 0:45:02.480,0:45:04.219 yeah I think Bro if you’ve never heard of Bro bro-ids.org 0:45:04.219,0:45:08.279 in fact I’m going to Bro training next week in Berkeley which is just going to rock I’m so excited 0:45:08.279,0:45:10.629 about that 0:45:10.629,0:45:12.469 Bro I think is a perfect 0:45:12.469,0:45:14.809 a perfect complement to Snort 0:45:14.809,0:45:17.750 Snort not exclusively but Snort is quite a bit about signatures 0:45:17.750,0:45:21.140 there are some preprocessors that look for protocol anomalies and so forth 0:45:21.140,0:45:26.189 but Bro on its own is completely the opposite it’s all about protocol anomalies 0:45:26.189,0:45:27.939 Snort has kind of like real 0:45:27.939,0:45:30.999 hackish type state keeping using flowbits 0:45:30.999,0:45:32.739 Bro is all about state 0:45:32.739,0:45:35.160 so you put the two of them together you might say 0:45:35.160,0:45:37.499 shoot I really need to know when such and such happens 0:45:37.499,0:45:41.270 but to do that in Snort I’d have to do all this flowbits stuff 0:45:41.270,0:45:43.030 whereas with Bro you’re like oh 0:45:43.030,0:45:43.810 just track the connections and then do this 0:45:43.810,0:45:50.810 so the two of them together I think work really well 0:45:51.619,0:45:54.980 the question was does Bro have Snort rule input functionality 0:45:54.980,0:45:57.769 it does to the extent that every 0:45:57.769,0:46:02.059 like hardware vendor accelerator vendor Snort 
competitor says that they do 0:46:02.059,0:46:05.079 Snort the engine is always being updated 0:46:05.079,0:46:07.880 so generally when somebody says that they can 0:46:07.880,0:46:09.880 run Snort rules faster 0:46:09.880,0:46:12.420 they’re usually only talking about content matches 0:46:12.420,0:46:14.519 so they take whatever the 0:46:14.519,0:46:15.500 content match is 0:46:15.500,0:46:18.829 and implement it quickly in hardware 0:46:18.829,0:46:23.099 so over time the degree to which you can map real Snort rules fades 0:46:23.099,0:46:24.309 so whereas 0:46:24.309,0:46:26.510 five years ago it might have been like ninety percent 0:46:26.510,0:46:28.619 these days it's like twenty-five percent 0:46:28.619,0:46:35.619 so they probably can pull in a certain percentage but not a lot 0:46:46.159,0:46:50.020 right right exactly so the question was about retention of the full content data 0:46:50.020,0:46:53.439 I should mention that for alerts we try to keep them for about a year 0:46:53.439,0:46:56.809 for flows we try to keep about six months 0:46:56.809,0:46:59.529 and alerts and flows are both centralized although 0:46:59.529,0:47:03.059 given the flow volume we’re seeing we might have to start pushing that back onto the 0:47:03.059,0:47:04.909 sensor 0:47:04.909,0:47:07.549 pcap data it is 0:47:07.549,0:47:10.509 just what we can afford as far as hard drive space goes 0:47:10.509,0:47:11.769 my last budget 0:47:11.769,0:47:15.319 I could only spend about twenty-five hundred to three grand per sensor 0:47:15.319,0:47:18.949 which limited me to about one to 0:47:18.949,0:47:22.139 yeah about one terabyte of disk space with RAID 0:47:22.139,0:47:23.809 so 0:47:23.809,0:47:26.279 depending on where the sensor goes that could be 0:47:26.279,0:47:28.809 three months or three weeks 0:47:28.809,0:47:34.189 or a day or three days or three hours right 0:47:34.189,0:47:36.259 what I do is I end up 0:47:36.259,0:47:38.450 I buy up chassis that can 
0:47:38.450,0:47:40.960 potentially grow to have a lot more storage once I have budget 0:47:40.960,0:47:42.509 I put the system out there 0:47:42.509,0:47:43.319 and I say 0:47:43.319,0:47:46.439 look this is look what I found at this location boss 0:47:46.439,0:47:50.709 if you give me a little more money I can put in you know four terabytes of disk space as opposed 0:47:50.709,0:47:51.609 to one 0:47:51.609,0:47:53.209 and then they give me that 0:47:53.209,0:47:55.520 but the pcap data only stays on a sensor 0:47:55.520,0:47:58.049 so what I try to do is I have an analysis window 0:47:58.049,0:47:59.179 and a pcap window 0:47:59.179,0:48:03.799 and I try to have that pcap window longer than the analysis window 0:48:03.799,0:48:08.239 so the question yes 0:48:08.239,0:48:12.269 yeah so any type of encryption on the host 0:48:12.269,0:48:14.139 but the funny thing is 0:48:14.139,0:48:17.909 most of the time when I did get some type of 0:48:17.909,0:48:19.160 like third-party tips 0:48:19.160,0:48:22.669 it's usually have you seen anybody visiting this IP address 0:48:22.669,0:48:25.919 and if I see the visit to that IP address even if it’s encrypted 0:48:25.919,0:48:27.669 I know it 0:48:27.669,0:48:29.429 this isn't the whole game right 0:48:29.429,0:48:32.750 usually what I do is I use all of this to identify boxes that have problems 0:48:32.750,0:48:34.439 and then I roll in to do 0:48:34.439,0:48:35.809 host-based forensics 0:48:35.809,0:48:42.809 so that's the other side of the coin 0:48:45.349,0:48:49.310 yeah that is really dependent on the way that 0:48:49.310,0:48:50.729 encryption algorithm is implemented 0:48:50.729,0:48:55.159 some of them are very friendly to that others are not 0:48:55.159,0:48:57.339 and others 0:48:57.339,0:48:59.070 that you know in some cases 0:48:59.070,0:49:02.300 it might be better to use another approach like there's certain proxies that are out 0:49:02.300,0:49:03.829 there like that 0:49:03.829,0:49:05.419 Palo Alto firewall 
0:49:05.419,0:49:07.969 you can specify encryption policies so 0:49:07.969,0:49:12.210 and if you go to banks if you go to certain sites they don’t mess with the SSL 0:49:12.210,0:49:14.150 everywhere else they man-in-the-middle it 0:49:14.150,0:49:16.349 and so you can get access to the logs that way 0:49:16.349,0:49:18.619 so I try not to do that with the sensors so much 0:49:18.619,0:49:19.659 I try to keep it I try to make 0:49:19.659,0:49:21.799 the sensor so nobody even knows they’re there 0:49:21.799,0:49:23.529 if at all possible 0:49:23.529,0:49:28.169 yes 0:49:39.739,0:49:43.599 his comment was even if there is 443 traffic that’s encrypted 0:49:43.599,0:49:45.349 there's generally going to be something else that isn’t 0:49:45.349,0:49:48.969 and that's really what all this is about it's generally about getting a hint that something 0:49:48.969,0:49:49.890 is wrong 0:49:49.890,0:49:53.460 and you don't necessarily know what the hint is until you’ve been burnt pretty badly 0:49:53.460,0:49:56.609 and then you go back and you figure out what the scope of the incident is 0:49:56.609,0:50:00.119 in no forensic case have I ever worked where I had a complete picture 0:50:00.119,0:50:01.929 you know I had the guy's hard drive I had 0:50:01.929,0:50:04.280 his logs his network traffic it's generally 0:50:04.280,0:50:05.490 you get some piece 0:50:05.490,0:50:08.160 and then you start investigating 0:50:08.160,0:50:10.190 and the reason I do this approach is because it’s cheap 0:50:10.190,0:50:14.099 you know twenty-five hundred dollar commodity hardware open source software 0:50:14.099,0:50:15.820 little bit of experience 0:50:15.820,0:50:17.280 and suddenly I’ve got some 0:50:17.280,0:50:18.220 you know some viable data 0:50:18.220,0:50:22.129 you’d think working at GE I’d have some huge budget 0:50:22.129,0:50:23.000 no way not at all 0:50:23.000,0:50:24.819 any other questions 0:50:24.819,0:50:31.819 yes 0:50:35.649,0:50:38.709 well to tell you the truth I started using 
0:50:38.709,0:50:39.750 FreeBSD specifically 0:50:39.750,0:50:44.710 in 2000 and the reason was our developers who were building the ASIM sensors 0:50:44.710,0:50:46.659 in the 0:50:47.569,0:50:48.279 they said 0:50:48.279,0:50:52.579 if we’re going to have a good network stack we should use a BSD-based stack as opposed to Linux 0:50:52.579,0:50:53.959 so that's how it started 0:50:53.959,0:50:59.519 since then there have been many changes on both sides Linux within the BSDs and so forth 0:50:59.519,0:51:02.419 so I'm really not in a position to say which 0:51:02.419,0:51:03.319 is better 0:51:03.319,0:51:04.410 I would say 0:51:04.410,0:51:06.679 I've never had a BSD let me down 0:51:06.679,0:51:08.599 put it that way 0:51:08.599,0:51:10.930 as far as FreeBSD goes specifically 0:51:10.930,0:51:14.229 there’s some like minor things that make my life better 0:51:14.229,0:51:18.349 one is I know a lot of the network developers so when there's an issue I can talk to them 0:51:18.349,0:51:19.859 directly 0:51:19.859,0:51:20.919 and they can say 0:51:20.919,0:51:22.420 like some of the 0:51:22.420,0:51:23.660 I don’t know who’s from the free 0:51:23.660,0:51:26.099 but some of the zero-copy stuff that's being worked on 0:51:26.099,0:51:29.159 like that helps me a lot 0:51:29.159,0:51:32.999 some of it's the most stupid things like the ability that any 0:51:32.999,0:51:33.869 any 0:51:33.869,0:51:35.469 app which 0:51:35.469,0:51:37.719 is opening up a BPF 0:51:37.719,0:51:40.109 you can track performance with the what was it 0:51:40.109,0:51:41.609 netstat -B 0:51:41.609,0:51:42.400 capital B 0:51:42.400,0:51:45.859 little things like that are helpful too 0:51:45.859,0:51:52.859 there's another question 0:52:03.309,0:52:05.019 yes 0:52:05.019,0:52:09.189 yeah so I don’t know if what you've seen in the news about like Chinese hackers and all 0:52:09.189,0:52:12.499 this has been going on for a long time it's just that 0:52:12.499,0:52:14.590 nowadays they're 
mostly on Windows but 0:52:14.590,0:52:16.269 ten years ago what was popular 0:52:16.269,0:52:20.489 like commercial in the military it was Solaris 0:52:20.489,0:52:25.289 so we were seeing all sorts of weird traffic on our Solaris boxes that we couldn’t account for 0:52:25.289,0:52:27.439 so these guys had written once we 0:52:27.439,0:52:28.929 started doing some 0:52:28.929,0:52:31.199 forensics and it wasn't the forensics of 0:52:31.199,0:52:33.929 pull the power cord which is what was popular back then right 0:52:33.929,0:52:35.319 it was you know 0:52:35.319,0:52:37.960 let's take us the actually I think back then we were doing 0:52:37.960,0:52:40.019 we generated a crash dump 0:52:40.019,0:52:41.139 and then analyzed it 0:52:41.139,0:52:43.899 so these guys were writing 0:52:43.899,0:52:45.089 memory-resident 0:52:45.089,0:52:46.289 did not touch 0:52:46.289,0:52:48.129 did not touch the hard drive 0:52:48.129,0:52:50.240 implementations where 0:52:50.240,0:52:52.029 they built their own 0:52:52.029,0:52:53.639 like hypervisor and had their own little operating 0:52:53.639,0:52:59.469 system on top of our Solaris boxes that we couldn't see 0:52:59.469,0:53:01.519 yeah so 0:53:01.519,0:53:04.179 that was back then 0:53:04.179,0:53:06.059 right 0:53:06.059,0:53:08.489 I’ve worked on that side the defensive side 0:53:08.489,0:53:10.929 I’ve also worked on a not defensive side 0:53:10.929,0:53:12.849 I won’t say what that is but 0:53:12.849,0:53:15.159 the stuff I saw there 0:53:15.159,0:53:16.709 that we were doing as contractors 0:53:16.709,0:53:20.369 I was like wow this can be done this is really amazing so 0:53:20.369,0:53:25.279 most of the time if you have an imagination you can sort of imagine what's happening 0:53:25.279,0:53:27.579 and if you think about it you might think well 0:53:27.579,0:53:30.910 we're not the only ones in the world who can do that so there’s probably guys on the other 0:53:30.910,0:53:31.649 side 
0:53:31.649,0:53:34.789 who can do it so then you have to start looking for it 0:53:34.789,0:53:36.729 what you see is a progression of 0:53:36.729,0:53:39.009 things that happened at the very high end 0:53:39.009,0:53:41.189 eventually it filters down you know 0:53:41.189,0:53:44.339 really good rootkits used to be the province of people who wrote them 0:53:44.339,0:53:46.039 but now you can buy them 0:53:46.039,0:53:53.039 find them share them whatever 0:53:59.749,0:54:03.279 sure yeah so the question is do we do any pattern analysis 0:54:03.279,0:54:06.219 there's nothing bad about Latvia 0:54:06.219,0:54:07.679 you asked a good question 0:54:07.679,0:54:11.549 but 0:54:11.549,0:54:14.059 let me put it this way 0:54:14.059,0:54:17.089 I'm creating the first GE CERT 0:54:17.089,0:54:20.400 it's 2009 but yes we just stood up our first CERT 0:54:20.400,0:54:25.559 so we're not even like crawling yet we’re like the baby on its back 0:54:25.559,0:54:26.799 oh look I can lift my head up 0:54:26.799,0:54:31.879 so we're still getting our hands around what does it even mean to operate the CERT the data we have and 0:54:31.879,0:54:32.549 so forth 0:54:32.549,0:54:36.649 I would expect within the next two years we're going to be doing the kinds of things I would have 0:54:36.649,0:54:37.579 expected 0:54:37.579,0:54:38.769 you know a real 0:54:38.769,0:54:39.649 CERT to do 0:54:39.649,0:54:41.320 and that includes things like 0:54:41.320,0:54:47.279 we know our environment so well that when we see that box doing that that's outside the scope 0:54:47.279,0:54:50.689 it's one of those things where we have ideas that are probably 0:54:50.689,0:54:52.429 like two years ahead of where we can implement 0:54:52.429,0:54:53.729 but once we do that 0:54:53.729,0:55:00.199 we’ll find stuff like that 0:55:00.199,0:55:04.569 have we gotten people to do their own what 0:55:04.569,0:55:08.579 so the question was I think you probably heard the question 0:55:08.579,0:55:12.139 we are 
actually collaborating with 0:55:12.139,0:55:16.670 ICIR at Berkeley like Vern Paxson and his guys the Bro guys 0:55:16.670,0:55:18.880 and at New York University so 0:55:18.880,0:55:21.940 there’s two research programs at each and we're going to be 0:55:21.940,0:55:23.269 probably 0:55:23.269,0:55:25.950 I would guess we’re probably going to ship them data 0:55:25.950,0:55:30.809 because that’s what’s great about our method right we just collect data so we can sign an NDA ship them data 0:55:30.809,0:55:32.919 and they can apply all their different 0:55:32.919,0:55:34.259 research 0:55:34.259,0:55:36.260 theories against it and find stuff for us 0:55:36.260,0:55:38.299 so yeah I’d expect some of that 0:55:38.299,0:55:45.299 from those guys 0:55:49.229,0:55:54.039 yes 0:55:54.039,0:55:56.439 yeah so the way I deploy is I use taps where possible because you can’t screw it up 0:55:56.439,0:55:59.439 I mean you can there are certain fiber types you can physically connect backwards 0:55:59.439,0:56:02.349 so just enough light will get through so the traffic flows 0:56:02.349,0:56:04.649 but no light is reflected out to your sensor 0:56:04.649,0:56:06.760 but for the most part if you’re talking copper 0:56:06.760,0:56:07.430 dumb tap 0:56:07.430,0:56:09.649 it gives you your traffic 0:56:09.649,0:56:13.350 I even prefer that model for like IPSes if you have to use an IPS 0:56:13.350,0:56:15.599 use a bypass switch as opposed to putting it inline 0:56:15.599,0:56:18.539 I don't put anything inline because as soon as you’re inline 0:56:18.539,0:56:20.599 what happens 0:56:20.599,0:56:24.029 you get blamed so I stay I’m like look I have a dumb tap 0:56:24.029,0:56:27.329 pull the power cords it’s not going to affect the network in the least right 0:56:27.329,0:56:32.129 I have my sensor my sensor could blow up in a ball of fire and you wouldn’t even notice it 0:56:32.129,0:56:36.609 and all the business owners are like yes 0:56:36.609,0:56:39.239 but if I told 
them I’m putting this box inline 0:56:39.239,0:56:40.979 anything that happens you’re like 0:56:42.449,0:56:44.469 your box took down my ten million dollar an hour system I’m going to kill you 0:56:44.469,0:56:45.160 so 0:56:45.160,0:56:50.029 I don't bother with that 0:56:50.029,0:56:54.879 I’ve got a good track record that’s why I’m still employed 0:56:54.879,0:56:55.469 so far 0:56:55.469,0:56:57.629 the only time I ever took something down 0:56:57.629,0:56:59.429 I was fully authorized to do 0:56:59.429,0:57:00.529 we had 0:57:00.529,0:57:01.729 some script kiddie 0:57:01.729,0:57:03.220 who was 0:57:03.220,0:57:03.969 defacing 0:57:03.969,0:57:05.569 web site after web site 0:57:05.569,0:57:06.869 we had some you know 0:57:06.869,0:57:09.380 Microsoft IIS 4.0 websites back in the Air Force 0:57:09.380,0:57:10.839 and he was dialing in getting 0:57:10.839,0:57:13.789 a new IP defacing the website 0:57:13.789,0:57:16.260 disconnecting dialing in so he had a new IP 0:57:16.260,0:57:19.590 so we had all our admins trying to block these IPs 0:57:19.590,0:57:20.339 and we’re like this isn’t working 0:57:23.069,0:57:24.959 stupid stupid defensive policies 0:57:24.959,0:57:29.620 this is all like at two o'clock in the morning eastern time actually no central wherever I was 0:57:29.620,0:57:30.759 in Texas 0:57:30.759,0:57:35.449 and so finally I said this guy is all over the space he’s in California he's using the UUNET 0:57:35.449,0:57:38.170 the UUNET block or however they’re assigning the IPs 0:57:38.170,0:57:41.390 it's just all over the place we're blocking UUNET 0:57:41.390,0:57:43.799 all of UUNET to the Air Force 0:57:43.799,0:57:44.790 so 0:57:44.790,0:57:45.369 I was like 0:57:45.369,0:57:49.939 execute that blocking order 0:57:49.939,0:57:51.089 yeah 0:57:51.089,0:57:55.309 I knew there was going to be hell to pay the next morning so the next thing I did was I started writing 0:57:55.309,0:58:00.729 this is why I blocked this whatever 
and I had tons of generals why did you I couldn’t check my email 0:58:00.729,0:58:05.439 and I got up in front of the generals and I said sir this is why I did it I did it to protect Air Force assets 0:58:05.439,0:58:09.259 and all that so I was alright 0:58:09.259,0:58:15.639 yeah question 0:58:15.639,0:58:16.719 0:58:16.719,0:58:18.550 yes the sensors are 0:58:18.550,0:58:19.969 scanned all the time 0:58:19.969,0:58:21.669 I use them 0:58:21.669,0:58:26.459 the model I use with the sensors is you don't firewall all things off like you might with a Windows 0:58:26.459,0:58:26.959 platform 0:58:26.959,0:58:29.139 you disable things 0:58:29.139,0:58:30.250 I mean traditionally you don’t turn it on 0:58:31.819,0:58:35.139 so I typically only expose SSH 0:58:35.139,0:58:38.219 the systems reach out they don’t 0:58:38.219,0:58:40.660 all the things you would think is what I do 0:58:40.660,0:58:42.140 and of course they’re scanned 0:58:42.140,0:58:43.909 people try to brute force them of course 0:58:43.909,0:58:46.179 if I see somebody brute forcing my sensor 0:58:46.179,0:58:47.119 who are you 0:58:47.119,0:58:49.170 because these are all internally managed 0:58:49.170,0:58:50.450 well who are you 0:58:50.450,0:58:52.649 why do you even know that this box is here 0:58:52.649,0:58:56.229 we're going to come and get you 0:58:56.229,0:58:57.379 the 0:58:57.379,0:59:00.919 sounds better than it is 0:59:04.479,0:59:08.799 we're selling our fleet of black helicopters actually 0:59:10.030,0:59:13.449 we don't have a fleet of corporate jets like a lot of other companies 0:59:13.449,0:59:16.189 we have NetJets accounts 0:59:16.189,0:59:23.189 well I don’t but the CEO does we do have a helicopter I’ve seen it once 0:59:23.869,0:59:26.289 yeah the question was would a 0:59:26.289,0:59:27.469 honeypot be of any value 0:59:27.469,0:59:28.969 honeypots are things that are good to run if 0:59:28.969,0:59:32.119 one you’re a researcher or two you have a lot of time on your 
hands 0:59:32.119,0:59:36.039 because I have like a network of three hundred thousand honeypots 0:59:36.039,0:59:38.479 so 0:59:38.479,0:59:40.230 actually it’s more like half a million now that I think about it 0:59:40.230,0:59:43.139 so yeah at some point 0:59:43.139,0:59:46.959 there’s actually two things one is yeah at some point you could deploy some honeypots if you see them 0:59:46.959,0:59:47.589 scanned 0:59:47.589,0:59:50.209 but I have enough systems that are 0:59:50.209,0:59:51.839 alive or getting scanned or attacked or exploited 0:59:51.839,0:59:54.169 the second thing we have is 0:59:54.169,0:59:55.510 if you're inside our network 0:59:55.510,0:59:59.869 and if you try to do anything to any network that is not explicitly routed by us 0:59:59.869,1:00:01.239 you end up in a sinkhole 1:00:01.239,1:00:02.509 so the sinkhole 1:00:02.509,1:00:04.589 is an awesome awesome place to find 1:00:04.589,1:00:07.389 misconfigured systems malicious systems and so forth 1:00:07.389,1:00:09.040 so I have a sinkhole router 1:00:09.040,1:00:11.210 and before that I had a sensor that watches that traffic 1:00:11.210,1:00:13.709 so the sinkhole routers are a great 1:00:13.709,1:00:14.999 indicator 1:00:14.999,1:00:17.509 source of indicators 1:00:17.509,1:00:20.849 it also keeps a lot of load off of our firewalls 1:00:20.849,1:00:27.289 so you can’t scan Google from inside GE for example it goes straight into the sinkhole 1:00:27.289,1:00:29.740 I know Capital One does that as well 1:00:29.740,1:00:32.109 that's a good trick 1:00:32.109,1:00:34.199 any other questions 1:00:34.199,1:00:34.739 okay thank you very much.