ContinuousOwnage
by Seth Misenar on 20 May 2015

Transcript of ContinuousOwnage

Continuous Ownage
Why YOU Need Continuous Security Monitoring
Seth Misenar, GSE #28
Eric Conrad, GSE #13

Key Underlying Issues
Monitoring capabilities lacking
Staffing levels
Architectural shortcomings
Poorly skilled analysts
Constantly evolving threat landscape
Rapidly changing organizations
New vulnerabilities discovered 24x7
Prevention-oriented security represents an outdated model
Security posture assessment typically ad hoc
Step 1: Admit you have a Problem
Verizon DBIR: Lessons Learned
60% - compromised within hours
31% - exfiltration days/months
Discovery of the compromise... 62% took months
70% of the discoveries made by 3rd parties
Mandiant M-Trends Findings
Adversaries present for 205 days without discovery
Pre-owned just doesn't have that new-network smell...
Is your organization's current state of security acceptable?
Do you feel like you are WINNING?
What would winning even look like in today's environment?
Of the intrusions reviewed: repeated compromise after successful eradication
Key Underlying Issues
Where can we turn???
Design for FAIL not Fail to Design
Security Operations
Continuous Security Monitoring
SANS SEC511 by Seth Misenar and Eric Conrad
Continuous Monitoring and Security Operations
Day 1: Current State Assessment and SOCs
Day 2: Network Security Architecture
Day 3: Endpoint Security Architecture
Day 4: Network Security Monitoring and CSM
Day 5: Automation and CSM
Day 6: Design/Detect/Defend Challenge
Do not try to prevent compromise - That's impossible
Instead only try to realize the truth
There is no FAIL
"The main takeaway from this case study is that the initial intrusion is not the end of the security process; it’s just the beginning. If at any time during the first four weeks of this attack the DoR had been able to contain the attacker, he would have failed. Despite losing control of multiple systems, the DoR would have prevented the theft of personal information, saving the state at least $12 million in the process."
-- Bejtlich
The Practice of Network Security Monitoring
Key Architectural Changes
Design for FAIL - accept and expect compromise
Default deny outbound (important)
Monitor outbound blocks (more important)
Proxy all traffic allowed outbound
Expect the pivot, deny the pivot, look for the pivot
VLAN ACLs to block (detect) desktop-desktop
Reduce Windows User Rights
Perimeter+Prevention -> Holistic+Detection

How quickly would you know???
If a new system popped on your network...
If a new service started listening on a port
If an admin installed a new client app
If a new patch for a browser extension dropped
If someone logged in locally using a service acct
If the binary tied to a service changed
If the local admin acct started authenticating
Remember: 205 days to have a 3rd party notice _you_ were owned...
Zeus Botnet C2 via DNS
Easy to spot that this looks suspicious, but...
Do you even log outbound DNS requests?
If so, do you actually look at them?
How could you automatically detect this activity as suspicious?
TXT DNS Query
Large TXT Response
Atypical host (would have to baseline normal...)
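The three indicators on the slide (TXT query type, large TXT answer, a host that does not normally use TXT) combined into a small detector over constructed DNS log lines. This is an added example, not material from the SEC511 deck; the log format, the 512-byte "large" threshold and the sample hosts are assumptions.

```python
from collections import Counter

# Constructed sample log lines, one query per line:
# "<ts> <client_ip> <qtype> <qname> <answer_bytes>" (not a real resolver format)
BASELINE_LOG = """\
1 10.0.0.5 A www.example.com 60
2 10.0.0.5 A mail.example.com 60
3 10.0.0.7 TXT _dmarc.example.com 120
4 10.0.0.7 A www.example.com 60
5 10.0.0.7 TXT _dmarc.example.com 120
"""
NEW_LOG = """\
10 10.0.0.5 TXT a3f9c1.cdn-update.example.net 1400
11 10.0.0.7 TXT _dmarc.example.com 120
12 10.0.0.9 A www.example.com 60
"""
LARGE_TXT_BYTES = 512  # assumed threshold; tune to what is normal locally

def parse(text):
    rows = []
    for line in text.splitlines():
        ts, client, qtype, qname, size = line.split()
        rows.append({"ts": int(ts), "client": client, "qtype": qtype,
                     "qname": qname, "size": int(size)})
    return rows

def build_baseline(rows):
    """Count TXT queries per client over a known-good period."""
    return Counter(r["client"] for r in rows if r["qtype"] == "TXT")

def score(row, baseline):
    """Return the slide's three indicators that apply to one query."""
    reasons = []
    if row["qtype"] == "TXT":
        reasons.append("txt-query")
        if row["size"] >= LARGE_TXT_BYTES:
            reasons.append("large-txt-response")
        if baseline[row["client"]] == 0:
            reasons.append("client-never-used-txt")
    return reasons

def suspicious(rows, baseline, min_reasons=2):
    """Keep queries matching at least min_reasons indicators at once."""
    hits = []
    for r in rows:
        reasons = score(r, baseline)
        if len(reasons) >= min_reasons:
            hits.append((r["client"], r["qname"], reasons))
    return hits
```

The legitimate _dmarc TXT lookup from a host that made them during the baseline window scores only one indicator and is not reported; the large TXT answer to a host that never issued TXT queries scores all three.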
C2 - Phone Home
Most malware phones home
pLagUe Botnet uses IRC
Easy block/detect on TCP/6667
How about TCP/80?
HTTP-Based C2
Do We Need a SOC?
Is your SOC just a means of ignoring one enormous bucket of data?
NSM/CSM done right generates vast buckets o' data
As with most things, People/Process are vastly more important than shiny tech
Shiny SIM/SEM/SIEMs, NGFWs, and Malware Detonation Devices are just as easy to ignore as boring scripts
In-House vs. Outsourced SOC
Skilled Analysts key to any successful SOC
Neither cheap nor easy to find
Strong NSM/CSM requires dedicated staff

Source: Verizon DBIR 2013 Report
Define business goals of the SOC
How sensitive is the data?
Probably cheaper to outsource to MSSP
Rarely know your business well
Rarely have staff dedicated to you
Don't do well at detecting compromise
Useful SOC Data Sources
Log Data: Router Logs, Firewall Logs, Proxy Logs, NAT Logs, DHCP Logs, Internal DNS Logs, Web Server Logs, App Server Logs, DB Logs
Correlated Data: SIM/SIEM/LCE Data
Alert Data: NIDS/NIPS Alerts, NGFW/UTM Alerts, Malware Analysis
Session Data: IPFIX/Netflow/Jflow
Packet Data: Full PCAP, Partial PCAP
Endpoint Data: Vulnerability Scan Data, AV/HIPS/Endpoint Firewall Logs, OS Event/Syslogs, Memory Capture, Application Whitelisting Reports
Baseline Data
User/Asset/Attribution Data: Active Directory data, Physical Access Control Logs, Inventory Data
We're Gonna Need a Bigger Boat!!!
Thank You!
What makes this course special?
Authored by two GSEs: Seth Misenar (#28) Eric Conrad (#13)
1st Cyber Defense course with a day 6 D3TF (Design/Detect/Defend the Flag) competition powered by


sec511.com