doc/en_US.ISO8859-1/captions/2009/dcbsdcon/bejtlich-networksecurity.sbv

0:00:05.950,0:00:10.409
So I’d like to thank Jason for inviting me.
I have to say I feel

0:00:10.409,0:00:11.909
woefully unprepared

0:00:11.909,0:00:15.719
all the stuff I’ve been listening to, you pretty
much have to be a kernel developer here 

0:00:15.719,0:00:18.549
it's not even enough to be like a normal committer I imagine

0:00:18.549,0:00:21.519
um you have to have invented something really cool

0:00:21.519,0:00:23.069
I'm here as a user

0:00:23.069,0:00:27.199
to try to take the loser off of it

0:00:27.199,0:00:31.260
I didn’t even boot into the BSD side of my laptop so

0:00:31.260,0:00:34.290
no rocks thrown up here

0:00:34.290,0:00:36.120
I wanted to talk about actually 

0:00:36.120,0:00:39.820
how many people here had some kind of security responsibility

0:00:39.820,0:00:41.660
okay so wow that’s interesting

0:00:41.660,0:00:43.530
okay so there are a lot of security people here

0:00:43.530,0:00:46.500
I usually speak to security audiences

0:00:46.500,0:00:47.430
when I speak in

0:00:47.430,0:00:49.019
or when I spoke before at

0:00:49.019,0:00:52.340
BSD conferences it was usually on something

0:00:52.340,0:00:54.490
something I was doing with BSD

0:00:54.490,0:00:56.409
for security purposes so I kind of

0:00:56.409,0:00:59.610
had that same theme for today

0:00:59.610,0:01:01.350
so what we’ll talk about

0:01:01.350,0:01:03.610
just so you know I am I worked in a variety
of

0:01:03.610,0:01:06.560
I was in the military where I learned all this stuff

0:01:06.560,0:01:10.050
I work in commercial industry defense contractors

0:01:10.050,0:01:12.490
I worked for a small start up

0:01:12.490,0:01:14.550
out of Connecticut

0:01:14.550,0:01:17.240
you might have heard of us

0:01:17.240,0:01:22.110
we’ve lost like three hundred billion in market cap over
the last year it’s been an exciting ride

0:01:22.110,0:01:25.230
the ads General Electric we get three hundred thousand users

0:01:25.230,0:01:28.360
um just a few security issues as you might
imagine

0:01:28.360,0:01:30.590
company that size

0:01:30.590,0:01:31.689
but what I’m going to talk about

0:01:31.689,0:01:34.040
uh first of all I’ll just do sort of a

0:01:34.040,0:01:36.149
intro of how I think about security

0:01:36.149,0:01:40.470
and why it drived me down the road of having
devices that I’ll talk about

0:01:40.470,0:01:42.280
and I’ll

0:01:42.280,0:01:45.970
I’m open to any questions it’s funny I was actually sitting
in front of a couple of guys who were asking me

0:01:45.970,0:01:47.330
we were talking about

0:01:47.330,0:01:50.200
that some of the software I’ll talk about he didn’t even
realize it was me

0:01:50.200,0:01:51.120
sitting at front

0:01:51.120,0:01:53.039
so if any point you have questions about

0:01:53.039,0:01:54.940
how we do things why we do things

0:01:54.940,0:01:56.320
please let me know

0:01:56.320,0:01:59.179
what I’m going to describe isn’t exactly what I do
with General Electric

0:01:59.179,0:02:02.390
or at least it's not officially what I do at General
Electric

0:02:02.390,0:02:06.950
but you can imagine that I just don’t come up with
this stuff in a vacuum and then present it obviously

0:02:06.950,0:02:07.559
it's

0:02:07.559,0:02:12.199
based on what I think works in various environments

0:02:12.199,0:02:15.979
so my job title is director of incident response

0:02:15.979,0:02:19.930
and what I tell people that they usually think of 
oil spills or

0:02:19.930,0:02:24.479
you know Hazmat or something like that
its information security incidents

0:02:24.479,0:02:28.349
and I like to say that I’m as close to the problem
as you possibly could be

0:02:28.349,0:02:30.639
right and we have project managers who are

0:02:30.639,0:02:32.890
trying to create risk equations

0:02:32.890,0:02:37.230
they're trying to figure out if I tweak this
knob it’ll result in more risk or less risk

0:02:37.230,0:02:38.889
I think that’s a whole bunch of

0:02:38.889,0:02:40.069
crap for the most part

0:02:40.069,0:02:41.209
%um

0:02:41.209,0:02:46.189
I deal with all the failures so I
deal with failure all around

0:02:46.189,0:02:47.689
I like to say that this

0:02:47.689,0:02:51.709
theory out there but the reality is when
okay you've got

0:02:51.709,0:02:57.999
dozens or hundreds or thousands of systems
that are compromised what do you do about that

0:02:57.999,0:03:02.560
so in some ways you might say that's actually
the worst possible place to do security is after it’s

0:03:02.560,0:03:03.380
failed but

0:03:03.380,0:03:09.889
in other ways maybe it's the best place because
you can see what's wrong and you can try to fix it

0:03:09.889,0:03:14.539
well you have to say what is security and I went
to the doctor one day and the doctor asked me questions 

0:03:14.539,0:03:15.469
like well how do you feel

0:03:15.469,0:03:17.629
do you feel healthy

0:03:17.629,0:03:19.190
that's kind of like do you feel secure

0:03:19.190,0:03:23.699
so what is that even mean right I mean
if you think about health well you might say

0:03:23.699,0:03:25.719
how’s your blood pressure

0:03:25.719,0:03:27.940
well it’s under 120 over 80

0:03:27.940,0:03:29.659
that's sort of one data point

0:03:29.659,0:03:33.119
what about your cholesterol body mass index and so forth

0:03:33.119,0:03:34.999
the idea is that you have to measure something

0:03:34.999,0:03:37.039
and you have to get your data from somewhere

0:03:37.039,0:03:40.040
and what I find is that a lot of people who make
security decisions

0:03:40.040,0:03:42.089
are not getting data from anywhere

0:03:42.089,0:03:43.559
In fact

0:03:43.559,0:03:45.450
a lot of very high level security people

0:03:45.450,0:03:48.560
are getting data on the golf course when they're
talking to their fellow

0:03:48.560,0:03:49.819
CSIO’s about

0:03:49.819,0:03:52.669
hey what product are you buying from Cisco or this and that

0:03:52.669,0:03:54.969
and it’s completely disconnected from reality

0:03:54.969,0:03:59.029
and as a result nobody can tell whether they’re spending
any money on security that makes a difference

0:03:59.029,0:04:00.339
%um or how to get

0:04:00.339,0:04:05.029
how to get better

0:04:05.029,0:04:08.849
so like how many people here are sort of like involved in
federal security with like FISMA and stuff

0:04:08.849,0:04:11.559
like that that right

0:04:11.559,0:04:12.510
so I find all that to be the most frustrating thing possible

0:04:12.510,0:04:15.409
I don't deal with that because I’m in private industry

0:04:15.409,0:04:18.889
but I've commented on it quite a bit because I 
have a blog

0:04:18.889,0:04:22.469
and I like to complain

0:04:22.469,0:04:24.839
so my feeling is that the FISMA folks

0:04:24.839,0:04:27.910
not be implement but the people who wrote the legislation
they tended

0:04:27.910,0:04:29.889
to focus on things like imput metrics

0:04:29.889,0:04:30.930
like do you have AV

0:04:30.930,0:04:32.039
do you have your patches

0:04:32.039,0:04:34.499
is the box configured properly

0:04:34.499,0:04:35.889
all those things of that nature

0:04:35.889,0:04:39.610
I call all those input metrics they really make no difference
as far as I'm concerned if you're truly trying to figure

0:04:39.610,0:04:41.039
out what the problem is

0:04:41.039,0:04:42.510
it's kind of like looking at a

0:04:42.510,0:04:45.759
sports teams let’s say an American football team

0:04:45.759,0:04:47.240
and you say well

0:04:47.240,0:04:50.069
input metrics would be like how tall are all the players

0:04:50.069,0:04:51.939
how fast do they run the forty

0:04:51.939,0:04:53.330
where did they go to school

0:04:53.330,0:04:54.650
you could look at all those things

0:04:54.650,0:04:56.100
but does that tell you what their

0:04:56.100,0:04:58.549
what their record was over the season

0:04:58.549,0:05:01.250
did they win the Super Bowl did they win their elite
championship

0:05:01.250,0:05:03.669
no those are those are all inputs right

0:05:03.669,0:05:05.689
I care about ouputs like

0:05:05.689,0:05:08.810
is this box is this box part of a bot net

0:05:08.810,0:05:10.219
no it’s not really Windows

0:05:10.219,0:05:12.560
%um

0:05:12.560,0:05:13.900
I could boot it into Windows but

0:05:13.900,0:05:16.559
I prefer to stay out of the bot net

0:05:16.559,0:05:18.259
did you

0:05:18.259,0:05:22.669
have an earnings report appear on the network share or
on a peer-to-peer network somewhere

0:05:22.669,0:05:25.949
that's an ouput that means you had a failure somewhere

0:05:25.949,0:05:28.069
do you have a system or network that’s unavailable

0:05:28.069,0:05:29.720
due to a DDoS attack

0:05:29.720,0:05:31.060
these are all outputs so

0:05:31.060,0:05:32.710
I try to focus on these

0:05:32.710,0:05:36.459
I really don't care so much about that I think
these can influence these

0:05:36.459,0:05:40.539
these are the things that I care about

0:05:40.539,0:05:44.129
and just to step a
little bit out and change the way you might think

0:05:44.129,0:05:48.619
about this there was a good article in The Economist last
year where they talked about people who are

0:05:48.619,0:05:49.410
trying to make

0:05:49.410,0:05:50.949
policy decisions

0:05:50.949,0:05:53.150
about health policy in Africa

0:05:53.150,0:05:55.500
and it's a safe thing with security

0:05:55.500,0:05:58.349
right actually kind of what I like about seeing the
developers here is that in the last talk there was

0:05:58.349,0:06:01.030
lots of discussions about

0:06:01.030,0:06:05.289
you made this change and you get a 5% difference
or you made this change and you get a 10% difference

0:06:05.289,0:06:07.019
none of that happens in security 

0:06:07.019,0:06:09.249
it's all well we’ll deploy this and see what happens

0:06:09.249,0:06:12.129
actually it’s not even that we’ll deploy this

0:06:12.129,0:06:13.900
not even let's see what happens 

0:06:13.900,0:06:16.000
there’s not even a test to see if it made any difference

0:06:16.000,0:06:17.230
so what I try to

0:06:17.230,0:06:18.640
focus on in my job

0:06:18.640,0:06:20.739
at GE is

0:06:20.739,0:06:22.489
let's do some tests like

0:06:22.489,0:06:24.120
the company is big enough

0:06:24.120,0:06:26.680
why don't we have part of the company

0:06:26.680,0:06:27.699
run

0:06:27.699,0:06:29.539
with no local admin on the desktop

0:06:29.539,0:06:31.309
and another part

0:06:31.309,0:06:34.060
continuing to run its local admin I didn’t say that
out loud sorry

0:06:34.060,0:06:36.139
and then compare and see what the infection rates are

0:06:36.139,0:06:39.449
and guess what I bet the ones with local admin
are going to be a hell of a lot worse

0:06:39.449,0:06:42.199
and there’s been some recent studies that have
shown that that's the case

0:06:42.199,0:06:44.780
so you can run these sort of policy-based trials

0:06:44.780,0:06:46.100
and figure out what you should do

0:06:46.100,0:06:47.880
then I can go talk to my boss and be like look

0:06:47.880,0:06:51.900
this part of the company that runs with local admin
they’re ten times worse than everybody else

0:06:51.900,0:06:54.849
and even better I can say it's costing us ten
times more

0:06:54.849,0:06:56.529
then we can make a change

0:06:56.529,0:06:57.770
but in order to do that you have to have

0:06:57.770,0:06:58.740
some kind of measurements

0:06:58.740,0:07:01.349
you’re going to have data come from somewhere

0:07:01.349,0:07:04.810
and I like to say that I call this management
by fact not by belief

0:07:04.810,0:07:06.479
the there's a lot like

0:07:06.479,0:07:08.860
security people are very religious

0:07:08.860,0:07:09.589
we have this

0:07:09.589,0:07:11.819
idea of what should be and what shouldn’t be

0:07:11.819,0:07:18.049
and it's all because we don't think usually
measure what works which is unfortunate

0:07:18.049,0:07:21.770
so I’m all about visibility I want to find out what's
going on

0:07:21.770,0:07:24.939
and the reason I think about it this way is
I think in the air force

0:07:24.939,0:07:26.990
we have this thing called OODA loop

0:07:26.990,0:07:31.849
and if you’ve ever seen my hands doing this it’s because
I'm reliving my air force days flying around in my F-16

0:07:31.849,0:07:35.000
not really I only flew once in the F-16 and
once in the F-15

0:07:35.000,0:07:35.770
but

0:07:35.770,0:07:39.219
when I would talk to the fighter pilots they would talk
about having this thing the OODA loop

0:07:39.219,0:07:41.400
and it came out

0:07:41.400,0:07:43.539
like I’m thinking before the first gulf war

0:07:43.539,0:07:45.270
and the idea was you’re in your

0:07:45.270,0:07:46.599
F-16

0:07:46.599,0:07:48.110
and you want to win the fight so

0:07:48.110,0:07:50.159
the first thing you do is look out the window

0:07:50.159,0:07:51.389
you see what's going on

0:07:51.389,0:07:52.999
that's your observation

0:07:52.999,0:07:57.409
and then you orient and you figure out well where am
I in relation to where the bad guys are

0:07:57.409,0:08:02.359
then you make a decision like okay there’s a bad guy
I better roll over and shoot it down

0:08:02.359,0:08:04.269
and then you take the action

0:08:04.269,0:08:06.009
the problem we have with security

0:08:06.009,0:08:06.849
is that

0:08:06.849,0:08:07.930
there's none of this

0:08:07.930,0:08:09.269
there’s no observe and orient

0:08:09.269,0:08:11.749
there’s only decide and act

0:08:11.749,0:08:13.549
so we have no idea what's happening

0:08:13.549,0:08:16.030
but we're told that to do things so we buy stuff

0:08:16.030,0:08:16.930
we deploy it

0:08:16.930,0:08:18.699
and we just keep doing that over and over again

0:08:18.699,0:08:22.679
and we never figure out if it makes any difference

0:08:22.679,0:08:24.219
the unfortunate thing is if you do

0:08:24.219,0:08:27.599
stumble upon something that works it's
usually luck

0:08:27.599,0:08:29.809
%uh as opposed to

0:08:31.029,0:08:37.780
figuring it out by observation and orientation
what you should be doing

0:08:37.780,0:08:41.870
so this is probably my favorite description

0:08:41.870,0:08:45.120
of security period

0:08:45.120,0:08:49.830
my apologies to my European friends this
is the football poll security

0:08:49.830,0:08:54.710
but this is what I believe that I've seen
this just for years and years and years

0:08:54.710,0:08:56.919
the idea is you’re told

0:08:56.919,0:08:58.750
or you read in a magazine

0:08:58.750,0:09:00.660
or you talk to your buddy

0:09:00.660,0:09:02.180
about something bad

0:09:02.180,0:09:06.090
and you assume that that bad thing that's
happening it must be happening at your location

0:09:06.090,0:09:06.540
too

0:09:06.540,0:09:09.190
and sometimes it is but sometimes it isn’t

0:09:09.190,0:09:12.330
and so you run around and you spend all this time
on one area

0:09:12.330,0:09:15.680
while meanwhile you could be completely all about
something different

0:09:15.680,0:09:19.650
and I first started thinking about this in 2000-2001

0:09:19.650,0:09:21.800
where there were some guys in Finland

0:09:21.800,0:09:27.060
who did this huge enumeration they were doing some of the
first fuzzing work against SMTP

0:09:27.060,0:09:27.849
it was called 

0:09:27.849,0:09:29.000
The Protos Toolkit

0:09:29.000,0:09:32.140
and they did all this work in and they found that
basically everybody's SMTP 

0:09:32.140,0:09:33.970
implementation was really bad

0:09:33.970,0:09:35.640
and they were all vulnerable
 
0:09:35.640,0:09:37.430
and the whole world was going to end because

0:09:37.430,0:09:40.610
SMTP vulnerabilities existed everywhere

0:09:40.610,0:09:43.769
well I don’t know if everybody was around back then
so they're looking at these things

0:09:43.769,0:09:45.470
but did the world end in 2001

0:09:45.470,0:09:47.690
with SMTP

0:09:47.690,0:09:48.940
absolutely not

0:09:48.940,0:09:51.259
so while a lot of effort was spent on

0:09:51.259,0:09:54.350
spending all this time fixing SMTP implementations

0:09:54.350,0:09:55.750
when the bad guys really weren’t

0:09:55.750,0:09:57.240
taking advantage of it

0:09:57.240,0:10:00.740
so this is what I feel like is happening with
security now we're told about

0:10:00.740,0:10:03.340
this is the one that really kills me is 

0:10:03.340,0:10:04.769
insider threats

0:10:04.769,0:10:05.819
oh they’re insider threats they're so bad

0:10:05.819,0:10:08.890
this in that and so you spend all your time over
here and you’re like

0:10:08.890,0:10:13.750
paying attention to your own employees you’re violating
their rights and their privacy

0:10:13.750,0:10:15.100
and meanwhile you got like

0:10:15.100,0:10:16.899
Romanians and Russians and Chinese and

0:10:16.899,0:10:17.829
every other

0:10:17.829,0:10:20.380
hacker in the world inside your company

0:10:20.380,0:10:21.980
that you can't do anything about

0:10:21.980,0:10:25.590
unless you know unless you actually do something

0:10:25.590,0:10:28.030
so my goal is to

0:10:28.030,0:10:30.819
get it so this guy he's looking at the right
spot

0:10:30.819,0:10:33.040
so at least he has a chance

0:10:33.040,0:10:36.010
right he doesn’t even have a chance if he’s looking
over there at least if you can sort of

0:10:36.010,0:10:38.279
orient and say okay well here’s this threat

0:10:38.279,0:10:40.210
here's what I need to do about it

0:10:40.210,0:10:42.430
you have a chance you still might get scored on right

0:10:42.430,0:10:43.830
but at least you can say

0:10:43.830,0:10:47.330
I had a fighting chance many organizations
when I was a consultant

0:10:47.330,0:10:48.619
I would drop into

0:10:48.619,0:10:51.690
and they didn't even have a fighting chance
there was just no

0:10:51.690,0:10:56.310
I would call them you know indefensible networks

0:10:56.310,0:11:01.160
to use a Cisco term I would call them self-defeating networks

0:11:01.160,0:11:06.490
self-defending anyway

0:11:06.490,0:11:12.610
yeah

0:11:12.610,0:11:16.890
the network part of ours sure

0:11:16.890,0:11:19.110
so yeah isn’t it interesting the self-defending network what
does that imply zero head count

0:11:19.110,0:11:21.089
that is the truth behind Cisco's vision

0:11:21.089,0:11:23.370
and think about it they sell it to every CIO

0:11:23.370,0:11:25.080
the CIO is like yeah

0:11:25.080,0:11:27.970
the network takes care of itself

0:11:27.970,0:11:31.990
oh yeah that means you you you you bye bye

0:11:31.990,0:11:33.890
and that's sort of the model that

0:11:33.890,0:11:34.980
I mean think about it

0:11:34.980,0:11:37.140
what business owner with would

0:11:37.140,0:11:39.720
not want to operate zero staff

0:11:39.720,0:11:41.290
if you could still make money

0:11:41.290,0:11:43.050
and no people

0:11:43.050,0:11:43.930
oh that's great

0:11:43.930,0:11:49.920
maybe you just have robots or something right don't they
don’t complain

0:11:49.920,0:11:50.850
So anyway wow

0:11:50.850,0:11:51.909
that came out of nowhere

0:11:51.909,0:11:53.300
but %uh

0:11:53.300,0:11:56.449
that's what I see with a lot of things is a %uh

0:11:56.449,0:11:58.980
presumption that you just buy products right you
don't actually

0:11:58.980,0:12:00.960
invest in people so

0:12:00.960,0:12:03.049
back to this whole idea of visibility the question is

0:12:03.049,0:12:04.089
well where should you try to get visibility

0:12:05.259,0:12:07.750
and I’ll talk about what kind of visibility

0:12:07.750,0:12:11.680
well the model that I use is to establish trust 
boundaries first and what’s interesting about 

0:12:11.680,0:12:13.160
using a trust boundary approach is

0:12:13.160,0:12:14.420
it can apply anywhere

0:12:14.420,0:12:16.910
I use a network example here because

0:12:16.910,0:12:19.170
it's a low-cost way to do it

0:12:19.170,0:12:21.220
but you can apply trust boundaries

0:12:21.220,0:12:22.790
on a system

0:12:22.790,0:12:24.010
within an application

0:12:24.010,0:12:26.400
I mean there’s lots of different places that you can apply
trust boundaries 

0:12:26.400,0:12:28.849
the idea is though once you establish trust boundaries

0:12:28.849,0:12:29.829
start watching

0:12:29.829,0:12:31.150
something there

0:12:31.150,0:12:33.010
so I’m going to use a network example but you could

0:12:33.010,0:12:35.540
you know apply it someplace else

0:12:35.540,0:12:37.050
so what I do is I

0:12:37.050,0:12:39.600
the general process is I identify my trust boundaries

0:12:39.600,0:12:41.280
I apply some instrumentation

0:12:41.280,0:12:43.620
and then I collect analyze and escalate

0:12:43.620,0:12:46.000
%uh collect meaning I get the information

0:12:46.000,0:12:48.420
analyze I look at it figure out what it means

0:12:48.420,0:12:48.889
escalate

0:12:48.889,0:12:53.920
is take it to somebody who cares

0:12:53.920,0:12:57.420
surprisingly difficult to find those people
in many

0:12:57.420,0:12:57.980
enterprises

0:12:57.980,0:13:00.020
I came from the DOD where

0:13:00.020,0:13:02.649
if we found a single machine that was compromised

0:13:02.649,0:13:03.730
that was an incident

0:13:03.730,0:13:05.889
and it could be reported all the way up to some
general

0:13:05.889,0:13:07.339
who would be on the phone

0:13:07.339,0:13:10.580
like barking orders that you need to fix this
within

0:13:10.580,0:13:12.440
hours or days or whatever it was

0:13:12.440,0:13:14.250
to private industry

0:13:14.250,0:13:15.100
where

0:13:15.100,0:13:17.660
you finding a compromise computer

0:13:17.660,0:13:22.200
and the response could be

0:13:22.200,0:13:23.370
eh what can they do

0:13:23.370,0:13:26.790
well they can access any machine that’s in this domain

0:13:26.790,0:13:28.220
well have they

0:13:28.220,0:13:33.670
%uh because I just got here I can't tell yet

0:13:33.670,0:13:35.949
I really don't know if we have to care about
this right

0:13:35.949,0:13:39.520
the only thing that’s changed that recently has been the
disclosure laws

0:13:39.520,0:13:44.180
because there are some disclosure laws that say if
it's possible that they could have stolen the data

0:13:44.180,0:13:45.300
you need to report

0:13:45.300,0:13:47.570
so that's changed the equation

0:13:47.570,0:13:48.140
dramatically

0:13:48.140,0:13:52.940
right it used to be in fact I worked some big
cases years ago where it was like

0:13:52.940,0:13:56.940
well you guys signed an NDA with us right yeah we
did

0:13:56.940,0:13:58.120
right well just bye bye

0:13:58.120,0:13:59.860
see you later

0:13:59.860,0:14:02.270
okay great alright well I’m glad I’m not a customer

0:14:02.270,0:14:08.190
at this place

0:14:08.190,0:14:12.019
I didn’t responded there I bank with Bank of America and the
reason I bank with Bank of America

0:14:12.019,0:14:13.980
is I know the guy who runs security there

0:14:13.980,0:14:16.100
and he does this

0:14:16.100,0:14:17.340
so of course

0:14:17.340,0:14:18.640
I still think he has a job

0:14:18.640,0:14:19.739
now that I think about it

0:14:19.739,0:14:21.390
has he been replaced by a robot

0:14:22.410,0:14:24.490
no he hasn’t been replaced by a robot

0:14:24.490,0:14:26.810
maybe his minions have been replaced by

0:14:26.810,0:14:28.590
Perl strips but

0:14:28.590,0:14:32.010
he’s still there

0:14:32.010,0:14:34.010
so this is my general process

0:14:35.130,0:14:38.570
and it’s funny people have probably heard about building security in

0:14:38.570,0:14:42.620
that's like trying to make things more secure
have been trying to do that for like 20 years

0:14:42.620,0:14:44.240
it just doesn't work

0:14:44.240,0:14:48.910
so I would say let’s monitor first because at least when you monitor you can tell that something bad is happening

0:14:48.910,0:14:52.000
if you just say build security in and walk away

0:14:52.000,0:14:52.730
then you’re in trouble

0:14:52.730,0:14:56.250
what I find is that in any product you have
this cycle

0:14:56.250,0:14:59.020
where you start out with a feature

0:14:59.020,0:15:03.140
and then the features proliferate and you need to manage them

0:15:03.140,0:15:06.689
and then somebody’s like oh yeah we need to apply
some security to that

0:15:06.689,0:15:10.150
and then finally check to see if it works when really
it should be the other way

0:15:10.150,0:15:11.500
figure out what’s out there

0:15:11.500,0:15:13.230
build a security policy for it

0:15:13.230,0:15:14.080
manage it

0:15:14.080,0:15:19.330
and then introduce the feature but that's 
not how it’s done

0:15:19.330,0:15:23.340
I wanted to mention here some I just want
to put this on the table before I go into my

0:15:23.340,0:15:24.970
next part because these are they

0:15:24.970,0:15:26.800
%uh criticisms I usually hear 

0:15:26.800,0:15:31.220
so let's just mention them now so if I’m taking some kind of
a network-centric approach to

0:15:31.220,0:15:32.460
security

0:15:32.460,0:15:35.090
the first thing we’re always told is well what about the
cloud

0:15:35.090,0:15:39.440
and this is very interesting %uh I work really
closely with the guy does the cloudsecurity.org 

0:15:39.440,0:15:40.870
blog

0:15:40.870,0:15:44.800
and %uh he's a fellow employee with
me is that we always considering this because

0:15:44.800,0:15:45.380
we’re

0:15:45.380,0:15:48.260
putting more and more of our stuff in the cloud

0:15:48.260,0:15:49.140
and if your 

0:15:49.140,0:15:50.630
window to the cloud

0:15:50.630,0:15:53.530
is an SSL encrypted pipe

0:15:53.530,0:15:58.430
%um it doesn't help me too much to inspect it at the
network level right

0:15:58.430,0:16:00.129
so we're going to have to push our cloud vendors

0:16:00.129,0:16:02.769
to provide the visibility for us

0:16:02.769,0:16:04.650
oh boy that’s really happening

0:16:04.650,0:16:10.110
try getting good logs out of any of the cloud buyers
it is absolutely horrible they don't

0:16:10.110,0:16:14.150
want to store them they don't want
to provide you the data in any format that’s useful

0:16:14.150,0:16:17.710
if they provide you with anything it's generally
performance metrics like

0:16:17.710,0:16:20.580
we cleaned ten billion of your emails today

0:16:20.580,0:16:23.159
oh that’s wonderful that’s great you know I don’t care

0:16:23.159,0:16:24.660
I don’t care how many emails you cleaned

0:16:24.660,0:16:26.660
I want to know about

0:16:26.660,0:16:28.660
which ones came from this

0:16:28.660,0:16:30.650
%uh a person who

0:16:30.650,0:16:32.519
was phishing us

0:16:32.519,0:16:36.600
and you know got control of some of our systems and
so forth

0:16:36.600,0:16:38.400
virtualization is obviously an issue

0:16:38.400,0:16:40.100
%um if you think about

0:16:40.100,0:16:42.290
in a one-machine

0:16:42.290,0:16:43.230
one

0:16:43.230,0:16:44.460
platform world

0:16:44.460,0:16:47.260
any time two machines talk you can potentially see the
traffic

0:16:47.260,0:16:50.370
what happens when you have a hundred machines all on one
platform

0:16:50.370,0:16:54.350
unless you instrument the virtual machine
itself

0:16:54.350,0:16:57.539
you know one hundred machines could all be infected an
talking to each other and stuff but

0:16:57.539,0:16:59.219
the way I deal with that is

0:16:59.219,0:17:01.649
unless the bad guy is also inside the VM

0:17:01.649,0:17:03.370
like he lives in it

0:17:03.370,0:17:07.810
you can see him because generally the people
you care about are on another continent

0:17:07.810,0:17:08.590
so

0:17:08.590,0:17:09.490
I mean it could be

0:17:09.490,0:17:11.390
somewhere else in the United States obviously but for

0:17:11.390,0:17:14.449
the most part like if someone were to compromise
my machine

0:17:14.449,0:17:16.439
unless they physically walk up to it and touch it

0:17:16.439,0:17:19.040
there will be some network traffic that reaches out

0:17:19.040,0:17:19.959
and generally that’s enough 

0:17:19.959,0:17:22.339
to tell that there’s a problem

0:17:22.339,0:17:28.080
so maybe the fastest way to tell if there’s a
kernel rootkit on a system

0:17:28.080,0:17:29.720
it’s for the system to look normal

0:17:29.720,0:17:32.380
but to have it to be beaconing out to 

0:17:32.380,0:17:34.160
you know take your pick of rogue country

0:17:34.160,0:17:37.560
so that that's a very effective way to
use to find stuff

0:17:37.560,0:17:41.020
And of course you’ve got your non-traditional
platforms

0:17:41.020,0:17:43.580
you know I’ve got my Blackberry here I absolutely love it

0:17:43.580,0:17:46.910
but I would love to be able sniff the traffic
going to and from it

0:17:46.910,0:17:47.270
because

0:17:47.270,0:17:50.690
who knows who’s sitting on my Blackberry right now

0:17:50.690,0:17:51.650
I really don't know

0:17:51.650,0:17:52.550
and that kills me

0:17:52.550,0:17:53.889
it kills me kills me kills me

0:17:53.889,0:17:55.090
that I cannot

0:17:55.090,0:17:57.809
find an interface sniff traffic on it and see
what's happening

0:17:57.809,0:18:00.080
or somehow get between the wireless

0:18:00.080,0:18:03.670
watch the traffic and see what's happening

0:18:03.670,0:18:06.110
so that to me it's a big issue

0:18:06.110,0:18:08.399
and we’ve got all these crazy European privacy laws

0:18:08.399,0:18:11.690
I can’t collect anything in that whole continent

0:18:11.690,0:18:13.690
not true it kills me though it's kind of difficult

0:18:13.690,0:18:15.830
%um you’ve got this tension between

0:18:15.830,0:18:20.570
%uh it's interesting Europeans tend to have very
strong collection laws like you have to keep logs for a

0:18:20.570,0:18:22.380
certain period of time

0:18:22.380,0:18:24.830
but at the same time they have very strong privacy laws

0:18:24.830,0:18:27.760
so this is a tension there

0:18:27.760,0:18:29.870
skilled resources I don't know about you but
it

0:18:29.870,0:18:33.410
even with the downturn it's tough to find
good security people I think

0:18:33.410,0:18:36.540
there's a lot of people who come out with
their Cisco certified

0:18:36.540,0:18:37.410
whatever

0:18:37.410,0:18:39.330
and they don't know the first thing about

0:18:39.330,0:18:42.420
how to actually secure anything which is tough

0:18:42.420,0:18:46.270
and then finally we see this quite often in software

0:18:46.270,0:18:47.149
security space

0:18:47.149,0:18:49.820
a lot of the tools that are out there were
built for

0:18:49.820,0:18:50.370
developers

0:18:50.370,0:18:52.850
and for performance and not for security

0:18:52.850,0:18:54.470
So you see people using tools

0:18:54.470,0:19:00.280
to disassemble malware that were built
for reverse engineering for software purposes

0:19:00.280,0:19:04.150
and not for security purposes

0:19:04.150,0:19:05.960
anyway so what I’m going to talk about briefly

0:19:05.960,0:19:06.980
is not new

0:19:06.980,0:19:08.840
I was actually cleaning out 

0:19:08.840,0:19:11.240
an old drive and I found this presentation

0:19:11.240,0:19:13.120
from 2000

0:19:13.120,0:19:16.150
I used to give this briefing when I was in 

0:19:16.150,0:19:18.250
the air force cert

0:19:18.250,0:19:20.510
and we would talk about the history of our
unit

0:19:20.510,0:19:22.520
and back in 1993

0:19:22.520,0:19:25.910
we were deploying what we call network security
monitoring systems

0:19:25.910,0:19:26.720
and

0:19:26.720,0:19:28.810
the NSN term

0:19:28.810,0:19:29.309
comes from

0:19:29.309,0:19:33.490
the first network based IDS that taught

0:19:33.490,0:19:35.400
he wrote it in UC Davis in 1989

0:19:35.400,0:19:39.520
so this is wow that’s 20 years I feel
freaking old right now

0:19:39.520,0:19:39.979
it’s amazing

0:19:39.979,0:19:40.820
so

0:19:40.820,0:19:44.170
so this is not a new thing and I wrote a book about this
in 2004 so

0:19:44.170,0:19:45.230
that's five years

0:19:45.230,0:19:46.540
ago now so

0:19:46.540,0:19:50.470
this is not new the funny thing is vendors
is finally start to catch up with it

0:19:50.470,0:19:56.750
and they call them network forensic appliances
and they charge you 50,000 dollars

0:19:56.750,0:20:02.110
for the enterprise that’s right

0:20:02.110,0:20:04.870
yeah enterprise means expensive

0:20:04.870,0:20:06.260
I like that

0:20:06.260,0:20:07.480
that’s good

0:20:07.480,0:20:09.100
and GUI that's right

0:20:09.100,0:20:13.610
and somebody you can complain to who can’t really answer
your problems

0:20:13.610,0:20:17.320
alright so I present this because I don’t want to take credit
for this approach

0:20:18.649,0:20:19.789
because

0:20:19.789,0:20:22.590
people we were doing this I came in around here

0:20:22.590,0:20:24.210
but we were doing this earlier

0:20:24.210,0:20:27.480
so I learned from people who invented this stuff

0:20:27.480,0:20:30.779
you know wow that's like 15 years ago

0:20:30.779,0:20:35.279
alright so why network censors

0:20:35.279,0:20:40.080
I have to say some of the artwork I saw in these
presentations were so awesome I feel that mine’s

0:20:40.080,0:20:40.800
terrible I mean it was

0:20:40.800,0:20:45.840
the lego stuff that was great I need to do like a
little lego pyramid

0:20:45.840,0:20:48.000
I really like that but this is different

0:20:50.210,0:20:55.030
I wondered where you got your bricks from I have to like
raid my kids lego

0:21:05.990,0:21:07.820
that is funny that is good though I’m a visual

0:21:07.820,0:21:13.250
I was right in there with the bricks

0:21:13.250,0:21:14.179
so

0:21:14.179,0:21:19.730
I call this my top security enterprise trust pyramid

0:21:19.730,0:21:24.180
I ripped this out of something I used to do when
I was a consultant

0:21:24.180,0:21:26.990
and basically it’s a justification for why it’s good to have
network censors and the idea is this

0:21:26.990,0:21:28.980
this is the least trusted part and this is the most trusted

0:21:31.419,0:21:34.279
that's low user interaction and this is high user interaction

0:21:34.279,0:21:36.769
and this also in terms of the numbers of devices

0:21:36.769,0:21:39.059
so in an enterprise you tend to have the most

0:21:39.059,0:21:40.630
user platforms

0:21:40.630,0:21:43.840
desktops laptops phones all that kind of stuff

0:21:43.840,0:21:45.980
above that you have servers

0:21:45.980,0:21:47.550
above that you have infrastructure

0:21:47.550,0:21:53.920
%um routers firewalls things like that and above
that you have censors

0:21:53.920,0:21:55.550
so I trust these the least

0:21:55.550,0:21:56.350
because

0:21:56.350,0:21:57.920
well because there are these

0:21:57.920,0:21:59.390
users

0:21:59.390,0:22:01.800
right and users are doing things like

0:22:01.800,0:22:03.440
interacting with the system

0:22:03.440,0:22:06.229
if they didn’t interact with the system I would
probably trust it more

0:22:06.229,0:22:08.090
but because they’re on the system

0:22:08.090,0:22:09.950
they could be running as an admin

0:22:09.950,0:22:11.850
they're going to all these

0:22:11.850,0:22:13.620
you know malicious web sites

0:22:13.620,0:22:15.770
even normal web sites

0:22:15.770,0:22:18.940
that have been owned or are injecting malicious job descripts
or whatever

0:22:18.940,0:22:21.430
so the more user interaction there is

0:22:21.430,0:22:24.889
the less likely I’m going to trust what
the system tells me

0:22:24.889,0:22:26.600
so why get on a system and I say

0:22:26.600,0:22:29.680
tell me how you're feeling you know what your
state

0:22:29.680,0:22:34.190
I'm not going to trust that system eighty
is generally worthless

0:22:34.190,0:22:36.960
you have to get outside of the this is
the key point

0:22:36.960,0:22:41.070
you have to get away from these things you
have to get outside the system to get of you

0:22:41.070,0:22:41.970
whether or not

0:22:41.970,0:22:43.520
you should trust it

0:22:43.520,0:22:44.750
but that's not the case right

0:22:44.750,0:22:49.260
we're moving more and more to pushing all the security
down to the end point

0:22:49.260,0:22:50.560
so like my laptop defends itself

0:22:50.560,0:22:52.380
my phone defends itself

0:22:52.380,0:22:53.869
guess what if they fail

0:22:53.869,0:22:56.950
the whole model fails as well

0:22:56.950,0:23:00.110
so above this we have servers I
trust servers a little bit more

0:23:00.110,0:23:01.710
because if you're a good admin

0:23:01.710,0:23:03.019
you're not surfing

0:23:03.019,0:23:06.370
MySpace on your Windows Server

0:23:06.370,0:23:08.070
right well you’re not on a Windows Server

0:23:08.070,0:23:13.590
but well you can admin on a Windows Server
but you know what I mean

0:23:13.590,0:23:16.710
well because I think that's right that's true

0:23:16.710,0:23:18.960
above that you have infrastructure

0:23:18.960,0:23:20.140
no one should be

0:23:20.140,0:23:21.530
in general

0:23:21.530,0:23:24.050
like no user is directly

0:23:24.050,0:23:25.450
dealing with a firewall

0:23:25.450,0:23:27.309
if a user is logging into a firewall

0:23:27.309,0:23:28.980
there’s a problem right

0:23:28.980,0:23:32.080
a user doesn't necessarily log into a server but he uses
services on the server right

0:23:32.080,0:23:34.840
so I tend to trust this even more

0:23:34.840,0:23:38.330
because you just can't touch them

0:23:38.330,0:23:43.230
the number of people who deal with the infrastructure in
general is smaller than the number of people who deal
with servers

0:23:43.230,0:23:46.150
and in many cases the infrastructure is completely

0:23:46.150,0:23:48.630
you know invisible

0:23:48.630,0:23:52.890
alright how many people like interact with a router when 
you're sending traffic through

0:23:52.890,0:23:54.970
no you know it passes traffic

0:23:54.970,0:23:57.520
same with the firewall blocks it allows it whatever

0:23:57.520,0:23:58.649
so I tend to trust 

0:23:58.649,0:24:01.600
what this will tell me even more because there's
less user action

0:24:01.600,0:24:03.690
the final stage here is my sensor

0:24:03.690,0:24:06.390
the sensors completely pass it

0:24:06.390,0:24:09.210
most of the people in the company might not even know it
exists

0:24:09.210,0:24:11.139
which is which is good in most cases

0:24:11.139,0:24:14.760
unless you want a deterrent effect

0:24:14.760,0:24:16.390
so I can get data from the sensor

0:24:16.390,0:24:18.390
typically like in my team

0:24:18.390,0:24:21.960
there's only two people that even know the route
password

0:24:21.960,0:24:24.270
we could heavily defend these things

0:24:24.270,0:24:26.159
we can have them defend

0:24:26.159,0:24:27.549
each other

0:24:27.549,0:24:28.620
like watch each other

0:24:28.620,0:24:31.529
so I tend to have a very very high confidence to
what the sensor is telling me

0:24:31.529,0:24:33.530
as opposed to

0:24:33.530,0:24:35.180
what a user platform is telling me

0:24:35.180,0:24:35.980
so

0:24:35.980,0:24:37.799
if I’m on a user platform

0:24:37.799,0:24:41.290
and I'm looking around for evidence of a rootkit
and I see nothing

0:24:41.290,0:24:44.140
but up here in my sensor showing traffic going by

0:24:44.140,0:24:47.220
out to some site in Brazil

0:24:47.220,0:24:48.490
then I can say

0:24:48.490,0:24:50.070
alright we have a problem here

0:24:50.070,0:24:51.120
so this is why I like

0:24:51.120,0:24:54.020
to introduce these sorts of devices

0:24:54.020,0:24:55.070
let me talk a little bit

0:24:55.070,0:24:55.959
to about

0:24:55.959,0:24:57.560
least trusted and most trusted

0:24:57.560,0:24:59.840
if you had to rank operating systems here

0:24:59.840,0:25:01.830
would you put Windows up here

0:25:01.830,0:25:02.899
and BSD here

0:25:02.899,0:25:06.150
or the other way around right

0:25:06.150,0:25:11.010
so I like to use BSD especially for my sensors

0:25:11.010,0:25:13.510
because I introduce what we call a technology gap

0:25:13.510,0:25:16.789
my company we use a lot of Windows as you
might imagine

0:25:16.789,0:25:19.230
and we use a lot of Linux

0:25:19.230,0:25:22.820
we don't use a lot of BSD in fact I’m
probably the only BSD 

0:25:22.820,0:25:24.770
shop in the company that I know of

0:25:24.770,0:25:25.729
but that's good

0:25:25.729,0:25:28.090
because if you’re a bad guy and you get inside the company

0:25:28.090,0:25:31.850
and you root our Windows infrastructure and you root our
Linux infrastructure

0:25:31.850,0:25:34.420
and then you find some BSD boxes

0:25:34.420,0:25:36.530
and we administer them ourselves

0:25:36.530,0:25:39.020
it's going to take a lot more work to get
into this

0:25:39.020,0:25:41.930
and we’re probably did notice when you're trying
to get into our systems

0:25:41.930,0:25:44.220
so it does not make sense and I’ve seen

0:25:44.220,0:25:47.450
we get a lot of pressure on this internally
and I’ve seen it in other companies

0:25:47.450,0:25:49.740
to have our sensing

0:25:49.740,0:25:50.180
infrastructure

0:25:50.180,0:25:53.679
be integrated with the rest of the company
infrastructure

0:25:53.679,0:25:54.930
right oh just have you know

0:25:54.930,0:25:58.190
have our hosted Linux service

0:25:58.190,0:26:00.059
where you know you can have

0:26:00.059,0:26:01.870
potentially all these admins you don't know

0:26:01.870,0:26:04.960
on another continent logging into your devices

0:26:04.960,0:26:07.280
no way you know I want a gap I want

0:26:07.280,0:26:09.580
the stuff that we have to protect

0:26:09.580,0:26:10.730
not be

0:26:10.730,0:26:12.470
the same as what’s using

0:26:12.470,0:26:13.170
or not be

0:26:13.170,0:26:15.740
the same systems that we’re using to watch this

0:26:15.740,0:26:16.729
so I introduced BSD as 

0:26:16.729,0:26:18.540
as a new operating system to

0:26:18.540,0:26:23.110
watch this yes

0:26:23.110,0:26:27.950
so the question was do I stay on the Intel platform

0:26:27.950,0:26:30.750
I actually bring up that point in my forensics talks

0:26:30.750,0:26:32.780
I am on an Intel platform

0:26:32.780,0:26:34.370
for my sensors

0:26:34.370,0:26:37.250
however

0:26:37.250,0:26:40.130
depending on how you want to do forensics for
example

0:26:40.130,0:26:43.710
I have done cases where I had one tax stack
where I’ve got

0:26:43.710,0:26:46.730
you know Intel Windows

0:26:46.730,0:26:48.180
Toolex

0:26:48.180,0:26:48.780
whatever

0:26:48.780,0:26:51.119
and in another platform where I’ve got

0:26:51.119,0:26:52.559
Power PC

0:26:52.559,0:26:53.420
Debian

0:26:53.420,0:26:55.560
blah blah blah blah blah and something completely different

0:26:55.560,0:26:58.740
and I will say by the way

0:26:58.740,0:27:04.310
I don't run the one system I expose in my home lab 
is not an Intel system

0:27:04.310,0:27:06.940
it's a Mac Mini

0:27:06.940,0:27:08.550
and it’s running Debian on top

0:27:08.550,0:27:11.789
I tried to put on BSD I had a problem
I don’t know what that was

0:27:11.789,0:27:13.109
probably user error but

0:27:13.109,0:27:15.310
so Debian is running on that and what’s 

0:27:15.310,0:27:18.529
nice about that is do you remember when the Debian
the SSL stuff when was that

0:27:22.789,0:27:24.340
that happened recently

0:27:24.340,0:27:27.360
all of the pre-compiled exploits for that

0:27:27.360,0:27:30.570
%uh and all of the pre-compiled keys

0:27:30.570,0:27:34.230
they shell code was all wrong because I was running
Power PC

0:27:34.230,0:27:36.240
and like when I did my 

0:27:36.240,0:27:38.050
update or whatever I was like oh

0:27:38.050,0:27:39.110
I wonder if I’m affected by that

0:27:39.110,0:27:42.160
and it kept saying I wasn't even though I knew
I was because the

0:27:42.160,0:27:44.270
you know I had the vulnerable library version

0:27:44.270,0:27:46.809
I was like that's right this isn’t an Intel box

0:27:46.809,0:27:48.170
it's a Power PC box

0:27:48.170,0:27:52.120
so I do use that diversity argument in very very
limited situations

0:27:52.120,0:27:55.180
but it would be really expensive for me to say buy

0:27:55.180,0:27:57.639
you know eighty

0:27:57.639,0:28:01.710
I don't know I’m not even sure what I would use these days
it would be tough to find that I could get

0:28:01.710,0:28:03.070
a good price and everything

0:28:03.070,0:28:06.460
so I have to make some compromises there

0:28:06.460,0:28:10.419
but that’s not a bad idea if you have to have some kind of
like central server that was going to like watch everything maybe

0:28:10.419,0:28:12.559
you need to go that extra step to make it

0:28:12.559,0:28:15.580
even more diverse

0:28:15.580,0:28:18.380
alright so I’d like to talk just for a minute
about what I do

0:28:18.380,0:28:21.320
like to deploy

0:28:21.320,0:28:23.190
um what’s my time here

0:28:23.190,0:28:29.300
so I'm involved with this open source project called SGUIL
S-G-U-I-L

0:28:29.300,0:28:32.780
SGUIL doesn't stand for anything officially

0:28:32.780,0:28:38.180
but it originally when we first wrote it in like by the way 
Bam Busher is the lead developer he’s probably actually the
only developer

0:28:38.180,0:28:42.360
the rest of us are just lamers

0:28:42.360,0:28:43.820
that's what the L means

0:28:43.820,0:28:46.660
originally it was snort GUI for lamers

0:28:46.660,0:28:48.900
%uh but then a couple people who got it

0:28:48.900,0:28:52.490
well we didn't get the joke they got a software
like I’m not a lamer I’m not going to use your software

0:28:52.490,0:28:54.220
well I don’t care if you use it or not

0:28:59.890,0:29:01.540
yeah right

0:29:01.540,0:29:04.060
But we felt okay that’s kind of

0:29:04.060,0:29:09.860
we’ll just call it SGUIL it doesn’t mean anything

0:29:09.860,0:29:13.670
So I’m going to talk to you about SGUIL but the thing about
SGUIL to remember is

0:29:13.670,0:29:15.310
it's open source it runs on 

0:29:15.310,0:29:16.460
you know Picker

0:29:16.460,0:29:18.080
Distrobe Choice 

0:29:18.080,0:29:19.970
or Flavor whatever you want

0:29:19.970,0:29:22.080
it's more about the data and less about the tool

0:29:22.080,0:29:24.690
so you could potentially implement this with your own tools

0:29:24.690,0:29:26.850
%uh even commercial if you wanted to

0:29:26.850,0:29:29.350
%um it’s really 

0:29:29.350,0:29:32.419
about way of getting data and thinking about it and less
about the actual

0:29:32.419,0:29:37.020
the actual tool

0:29:37.020,0:29:38.400
you know this guy it’s Elvis

0:29:38.400,0:29:44.900
you know what martial art he studied

0:29:49.720,0:29:51.000
so here’s Elvis

0:29:51.000,0:29:53.750
and Elvis is the patron saint of this system

0:29:53.750,0:29:56.380
I don't know why it's been a long time

0:29:56.380,0:29:57.230
but %uh

0:29:57.230,0:30:00.609
I love Elvis because he’s in his Kenpo karate stance

0:30:00.609,0:30:02.480
and his stance is like this

0:30:02.480,0:30:08.860
which it would take him like a week to get out
of his fight stance to do anything

0:30:08.860,0:30:12.610
I actually won some concert tickets by stumping
an Elvis expert on a radio station here

0:30:12.610,0:30:13.399
in DC-

0:30:13.399,0:30:16.120
I called and said what style of martial arts did he

0:30:16.120,0:30:18.590
he’s like oh karate I’m like what style

0:30:18.590,0:30:20.080
oh I don't know

0:30:20.080,0:30:21.070
Kenpo karate well

0:30:21.070,0:30:22.559
who was his masters’ name

0:30:22.559,0:30:23.670
uh Ed Parker

0:30:23.670,0:30:29.540
and they were like oh you just won those tickets you stumped
the Elvis expert

0:30:29.540,0:30:34.540
so here you have Elvis I’m going to contrast these two methods
of doing investigations right

0:30:34.540,0:30:35.870
so you’ve got Elvis

0:30:35.870,0:30:38.640
he’s your analyst you don’t want to piss him off

0:30:38.640,0:30:40.289
he’s Elvis

0:30:40.289,0:30:43.799
he’ll hit you with his magic karate shot

0:30:43.799,0:30:47.580
he gets an alert via some system right well not these days he’s looking trim man

0:30:47.580,0:30:50.900
by the way if you’ve ever watched him in concert

0:30:50.900,0:30:53.970
he’s doing Kenpo like throughout the concert all the moves

0:30:53.970,0:30:55.910
he’s doing

0:30:55.910,0:30:56.269
he’s doing Kenpo

0:30:56.269,0:30:59.089
you zoom in he’s got a Kenpo patch on whatever
he's wearing

0:30:59.089,0:31:01.279
you look at his guitar it’s got the Kenpo patch on it

0:31:01.279,0:31:05.300
like once you’re exposed to the fact that he did this style it's
everywhere

0:31:05.300,0:31:06.470
in fact there was one

0:31:06.470,0:31:11.210
he did a concert once actually he didn't
do a concert he attended somebody's else concert

0:31:11.210,0:31:15.190
and I don't know who it was like Johnny Cash or something
but he saw him in the audience

0:31:15.190,0:31:16.370
he’s like Elvis do you want to come up here

0:31:16.370,0:31:17.910
you know do a song with me

0:31:17.910,0:31:19.800
and he’s like oh sorry you know

0:31:19.800,0:31:22.880
I'm under contract I can only perform at
this 

0:31:22.880,0:31:23.570
one casino

0:31:23.570,0:31:27.360
but I’ll tell you what I’ll come on stage and do karate

0:31:30.100,0:31:32.190
so this guy is doing his performance and Elvis is just jumping on doing karate

0:31:32.190,0:31:34.530
I’ve got to find a video of that that would be great

0:31:34.530,0:31:36.720
so anyway Elvis is here

0:31:36.720,0:31:39.440
and his job is to find intruders

0:31:39.440,0:31:41.150
so he gets his console and he gets and alert

0:31:41.150,0:31:41.990
and he looks at it and he’s like

0:31:41.990,0:31:43.520
alright well

0:31:43.520,0:31:45.230
I’ve got to figure out if this matters

0:31:45.230,0:31:48.470
so what do I have to work with

0:31:48.470,0:31:50.960
well I have other alerts like a picture in front of some Cisco device

0:31:50.960,0:31:53.870
like in that range or whatever they are these days

0:31:53.870,0:31:56.940
so he creates the database and he gets more alerts

0:31:56.940,0:31:59.800
and he says well this is nice but I can’t tell if any of this matters

0:31:59.800,0:32:02.770
so that's the end of the line

0:32:02.770,0:32:05.940
right at this point he’s got two options he can either ignore it

0:32:05.940,0:32:10.240
or he can satisfy his 15 minute SOA that his customer
pays $3,000 a month 

0:32:10.240,0:32:10.860
for

0:32:10.860,0:32:11.940
call the customer and say

0:32:11.940,0:32:13.059
I saw this

0:32:13.059,0:32:14.650
I don't know what it means

0:32:14.650,0:32:17.110
ball is in your court goodbye

0:32:17.110,0:32:21.360
so I don't how many of you have you had that experience with an
MSSP but that’s very very common

0:32:21.360,0:32:22.869
so to me this is

0:32:22.869,0:32:27.620
that's completely worthless so this is the
alternative I propose

0:32:27.620,0:32:30.550
so see already you can see there’s more lines so that
must be good right

0:32:30.550,0:32:32.030
so you got Elvis

0:32:32.030,0:32:35.319
he queries his data he get’s an alert he queries the
database he gets the same alert

0:32:35.319,0:32:39.050
but now the difference is he has some data to look
at

0:32:39.050,0:32:42.499
so in other words it’s no just an IDS or whatever
generate alerts

0:32:42.499,0:32:44.470
there’s some evidence to review

0:32:44.470,0:32:46.880
and the key idea behind NSM is

0:32:46.880,0:32:47.869
the evidence

0:32:47.869,0:32:51.700
is collected whether or not it has security
value

0:32:51.700,0:32:55.110
that's not quite right what I mean is you’re
always collecting data

0:32:55.110,0:32:57.350
because you don't know what is useful

0:32:57.350,0:32:58.430
in other words

0:32:58.430,0:33:00.360
if you knew what was bad

0:33:00.360,0:33:03.159
why don't you just stop it

0:33:03.159,0:33:05.709
that is the whole fallacy of security right
like

0:33:05.709,0:33:07.359
the whole thing IDS was

0:33:07.359,0:33:11.350
if you could detect it why can’t you prevent it oh yeah

0:33:11.350,0:33:14.860
right so you invent this whole IPS category
which is a silver bullet which

0:33:14.860,0:33:17.270
did really nothing

0:33:17.270,0:33:21.780
but the idea is yeah you can detect it’s bad why don’t you just
stop it well of course that makes a lot of

0:33:21.780,0:33:22.219
sense

0:33:22.219,0:33:24.840
so you have a lot of stopping bad stuff

0:33:24.840,0:33:28.250
but then there’s other bad stuff that’s happening because
you don't know it is bad right now

0:33:28.250,0:33:29.899
I mean

0:33:29.899,0:33:34.140
I learned these techniques dealing with

0:33:34.140,0:33:35.820
intruders

0:33:35.820,0:33:38.399
I’ll date myself but in 1998

0:33:38.399,0:33:39.509
intruders in China

0:33:39.509,0:33:41.049
who had written their own

0:33:41.049,0:33:44.010
virtualization platform on top of Solaris

0:33:44.010,0:33:46.159
who were doing stuff we were like holy cow

0:33:46.159,0:33:48.540
because we had no idea that they could do
that sort of thing

0:33:48.540,0:33:51.879
so there was no system that was going to detect
because we didn't even know it existed

0:33:51.879,0:33:54.530
but guess what we were keeping track of everything
that was happening

0:33:54.530,0:33:56.330
and once we knew what to look for

0:33:56.330,0:34:00.380
we checked our data like holy crap they’ve been in
here since two years ago

0:34:00.380,0:34:03.230
right this slide that I showed you here

0:34:03.230,0:34:07.240
when we started putting out these sensors there was
huge resistance

0:34:07.240,0:34:08.459
this was like

0:34:08.459,0:34:13.399
oh man we’re the air force we just defeated Iraq the
fourth biggest army in the world we kick ass

0:34:13.399,0:34:15.739
there can’t be anybody inside of our network and we’re like

0:34:15.739,0:34:19.460
please please can we put a few sensors out there and they’re
like all right but you guys are wasting your

0:34:19.460,0:34:20.029
time

0:34:20.029,0:34:23.690
so we put our sensors out and what do you think
what did we find

0:34:23.690,0:34:24.720
we were owned

0:34:25.650,0:34:26.230
everywhere

0:34:26.230,0:34:27.569
up down left right

0:34:27.569,0:34:29.499
it was terrible right we were completely owned

0:34:29.499,0:34:31.329
because nobody was watching

0:34:31.329,0:34:33.129
and then after that

0:34:33.129,0:34:37.159
boom that’s when everything took off

0:34:37.159,0:34:40.859
so the key here is that you get your alert but then you 
have data to look at and the two

0:34:40.859,0:34:43.939
%uh well I should say three main forms of data you collect

0:34:43.939,0:34:45.370
we collected alerts but

0:34:45.370,0:34:46.269
we’re also

0:34:46.269,0:34:47.780
just logging all the flows we see

0:34:47.780,0:34:50.779
we call it session data but it’s just flows

0:34:50.779,0:34:52.999
and we deploy our own software to log the flows

0:34:52.999,0:34:56.460
but the key is we don't log the flows that are associated
with the alert we log

0:34:56.460,0:34:57.789
all flows

0:34:57.789,0:34:59.689
so you don’t have to know what support beforehand
 
0:34:59.689,0:35:01.619
you just keep track of everything

0:35:01.619,0:35:02.840
and once you know what to look for

0:35:02.840,0:35:04.259
you go look for it

0:35:04.259,0:35:08.739
I kind of liken it to the Splunk model like I
how many people have used Splunk

0:35:08.739,0:35:10.609
right Splunk is really awesome right

0:35:10.609,0:35:13.719
Splunk is the place you go when you know
what to look for

0:35:13.719,0:35:15.740
you generally don't have Splunk tell you stuff

0:35:15.740,0:35:16.679
I mean you can

0:35:16.679,0:35:18.150
but for the most part

0:35:18.150,0:35:21.910
you want to be there when you need to ask the question
and have some response

0:35:21.910,0:35:24.470
it's the same thing with this once I know what to look for

0:35:24.470,0:35:25.309
I need a place to go look

0:35:25.309,0:35:28.169
so I query my sessions and I’m like oh well look

0:35:28.169,0:35:29.040
this guy 

0:35:29.040,0:35:32.709
just reached out via FTP and grabbed his tools

0:35:32.709,0:35:35.109
guess what most hackers these days still do this

0:35:35.109,0:35:36.189
right they aren’t like

0:35:36.189,0:35:38.319
STP-ing out or whatever 

0:35:38.319,0:35:40.489
yeah go grab their tools over FTP

0:35:40.489,0:35:41.439
excuse me well

0:35:41.439,0:35:43.280
they grab their tools over FTP

0:35:43.280,0:35:45.939
while they’re doing that I’m logging all the packet data

0:35:45.939,0:35:51.379
and a lot of people used to say oh Bejtlich you’re
crazy who can log packet data on all their gateways

0:35:51.379,0:35:52.829
the NSA does

0:35:52.829,0:35:55.639
so guess what we can too right it’s not that tough

0:35:55.639,0:35:58.500
%uh most network connections are

0:35:58.500,0:36:00.079
DS3s or less

0:36:00.079,0:36:03.509
at least the outbound ones to the internet

0:36:03.509,0:36:05.579
so you could log a lot of packet data

0:36:05.579,0:36:07.809
I mean hard drives are cheap

0:36:07.809,0:36:12.589
they're cheap so you can grab a lot of data

0:36:12.589,0:36:18.589
yeah question what do you use to dump all the data I’ll walk
you through all of it yup yes my question is so I’m located
my servers are in Maryland  

0:36:20.819,0:36:23.099
yes I’m an ISP what happens when I get stuff from
Massachusetts or California and they’re going you can’t do that

0:36:27.329,0:36:28.269
yes okay so there’s two things 

0:36:28.269,0:36:32.709
the first thing I thought you were going to go down was
I’m an ISP do I do this for my

0:36:32.709,0:36:33.949
customers the answer would be no

0:36:33.949,0:36:37.429
%uh I would do this for my infrastructure

0:36:37.429,0:36:40.489
as far as the privacy stuff goes

0:36:40.489,0:36:44.589
we're we’re wrestling with ourselves and what
I end up doing is typically

0:36:44.589,0:36:46.899
scaling back to what the law will allow

0:36:46.899,0:36:50.660
and then showing that it's either adequate
or not adequate

0:36:50.660,0:36:56.319
and then I take it to the lawyers and say we have to
somehow push back against this

0:36:56.319,0:36:57.630
%uh but okay

0:36:57.630,0:37:00.229
so imagine that you do the full content though

0:37:00.229,0:37:06.089
and by the way this isn’t theoretical we do this all the time
I have a reverse engineer on my staff who

0:37:06.089,0:37:10.589
when we see machines mission going down pulling their binaries
when the machines are owned

0:37:10.589,0:37:12.399
I pass in the traffic

0:37:12.399,0:37:14.219
he pulls out the

0:37:14.219,0:37:15.260
exe

0:37:15.260,0:37:19.160
he reverses it figures out what it does
and now we go into the next stage of insert-response

0:37:19.160,0:37:21.249
so it can be done

0:37:21.249,0:37:24.869
so then we say oh shoot it uses this back door we
go back and look in the sessions and we say

0:37:24.869,0:37:27.879
oh I see this back door let's go and look at the
traffic

0:37:27.879,0:37:29.350
and it just keeps going so

0:37:29.350,0:37:36.350
the idea is that this isn’t the end of the investigation
it’s the beginning the investigation

0:37:36.579,0:37:37.369
sure

0:37:37.369,0:37:39.059
can it be done

0:37:39.059,0:37:41.209
it’s easy to do and can be done completely free

0:37:41.209,0:37:42.249
yes

0:37:42.249,0:37:44.220
yes and that is very true

0:37:44.220,0:37:45.249
everything that I’ve shown here

0:37:45.249,0:37:48.249
you could literally walk out of here

0:37:48.249,0:37:50.619
go into the FreeBSD ports tree find a SGUIL ports

0:37:52.119,0:37:54.840
do your make I mean the ports are a little ugh

0:37:54.840,0:37:58.029
I'm not

0:37:58.029,0:37:59.730
you don’t want to slam a guy who 

0:37:59.730,0:38:01.190
volunteers and makes ports right

0:38:01.190,0:38:05.700
but there’s still a decent amount of work that you have
to do once the ports are installed it’s good for basically

0:38:05.700,0:38:09.880
satisfying dependencies and so forth

0:38:09.880,0:38:12.879
so this is the implementation we use as far as software stack

0:38:12.879,0:38:14.699
for %uh alert data

0:38:14.699,0:38:17.459
we use Snort

0:38:17.459,0:38:22.799
I’m starting to I’ve used Bro a little bit
I’m starting to integrate Bro though

0:38:22.799,0:38:26.949
full content data I tend to use Demon Logger

0:38:26.949,0:38:29.029
it’s Marty Rush’s implementation of Packet Logger

0:38:29.029,0:38:30.069
for session data

0:38:30.069,0:38:34.539
I use SANCP which is sort a friend of Myrobe which you can
sort of see some other options there

0:38:34.539,0:38:36.469
and then statistical data

0:38:36.469,0:38:38.939
you know think MRTGA type of thing
that

0:38:38.939,0:38:40.949
shows you traffic over time or whatever

0:38:40.949,0:38:45.979
%um and the nice thing is SGUIL is the interface to a lot
of this and you know

0:38:45.979,0:38:47.619
I’m going to show you what that looks like

0:38:47.619,0:38:50.709
by the way so this is it in a picture

0:38:50.709,0:38:52.289
so what is SGUIL well

0:38:52.289,0:38:54.949
okay yes this is a Windows screenshot

0:38:54.949,0:39:00.159
it shows that you can run your BSD back
end on the servers and then have your boss uses Windows

0:39:00.159,0:39:00.769
GUI

0:39:00.769,0:39:02.189
and log into it

0:39:02.189,0:39:03.159
and %uh

0:39:03.159,0:39:07.559
again this isn’t about the tool as much as
the data and the way you investigate it but

0:39:07.559,0:39:08.989
here’s the screenshot so

0:39:08.989,0:39:11.890
you can see we have a console here

0:39:11.890,0:39:16.509
and these are our store alerts coming in and by the way it can
be other things we've got it

0:39:16.509,0:39:20.469
this isn't a sim incidentally we were talking
just a few minutes ago like

0:39:20.469,0:39:22.380
the way we describe it is

0:39:22.380,0:39:23.259
with a sim

0:39:23.259,0:39:26.170
you could put ABCD all the way through W

0:39:26.170,0:39:27.200
into a sim

0:39:27.200,0:39:28.819
and it’d still be garbage

0:39:28.819,0:39:31.449
but with this we pick the X Y and Z that we

0:39:31.449,0:39:34.109
think give you the best value

0:39:34.109,0:39:37.619
so for us those are alert sessions and and full content

0:39:37.619,0:39:39.650
so you’ve got your interface here

0:39:39.650,0:39:43.670
and we try to present as much information
on one screen without having to do a bunch of window

0:39:43.670,0:39:44.889
management

0:39:44.889,0:39:46.839
yes it is TCL/TK

0:39:46.839,0:39:50.599
we started this back in 2001

0:39:50.599,0:39:54.009
but it works it you know it’s fine it’s platform

0:39:54.009,0:39:56.349
so here’s the packet that caused the alert

0:39:56.349,0:39:58.349
here is the of

0:39:58.349,0:40:00.100
the rule that caused the alert

0:40:00.100,0:40:02.160
and in most systems this is what you would
get

0:40:02.160,0:40:05.079
right you're left deciding if it's okay

0:40:05.079,0:40:09.039
in an HTTP transaction

0:40:09.039,0:40:12.460
for someone to have put through what looks like the
output of an ID command on Unix

0:40:12.460,0:40:14.779
where the result was

0:40:14.779,0:40:16.179
UID 0

0:40:16.179,0:40:19.529
is that good or is that bad I mean you’d probably say that sounds bad 

0:40:19.529,0:40:24.219
but once you do the analysis you’ll find out it's
not the question is you have to make that decision

0:40:24.219,0:40:25.760
and every vendor that I’ve met

0:40:25.760,0:40:26.839
they leave you here

0:40:26.839,0:40:28.399
and they abandon you

0:40:28.399,0:40:29.479
they say

0:40:29.479,0:40:31.439
good luck I’ve given you the packet

0:40:31.439,0:40:33.329
like you’ll talk to the source buyer guys they’re like

0:40:33.329,0:40:36.199
I gave you the packet what more do you need

0:40:36.199,0:40:37.639
I need to know if it matters

0:40:37.639,0:40:41.569
and you’re like well

0:40:41.569,0:40:42.889
I

0:40:42.889,0:40:46.549
can give you the packet look

0:40:46.549,0:40:48.680
yeah packet so what it’s a packet

0:40:48.680,0:40:52.439
I can tell there’s a packet here yes there’s a packet and yes
it’s nice that you gave me a nice open rule so I can tell how it

0:40:52.439,0:40:55.140
came to its decision unlike you know a closed system

0:40:55.140,0:40:56.150
you can't tell

0:40:56.150,0:40:58.240
but I have to tell if this matters for me

0:40:58.240,0:40:59.859
what do you do next

0:40:59.859,0:41:03.769
we could do a couple things one thing you
can do is build transcript

0:41:03.769,0:41:05.550
the transcript is

0:41:05.550,0:41:06.510
all of the

0:41:06.510,0:41:08.380
session in this case

0:41:08.380,0:41:12.719
rendered through in this case we use TCP flow so we say 

0:41:12.719,0:41:13.789
literally right-click

0:41:13.789,0:41:15.379
give me your transcript

0:41:15.379,0:41:16.740
system goes out to the sensor

0:41:16.740,0:41:18.369
pulls back the P cap data

0:41:18.369,0:41:20.319
renders it in TCP flow

0:41:20.319,0:41:21.259
colors the blue 

0:41:21.259,0:41:24.249
%uh the source the red is the destination

0:41:24.249,0:41:26.079
so you can see that my system

0:41:26.079,0:41:31.009
visited the www.testmyids.com site

0:41:31.009,0:41:32.320
and it replied

0:41:32.320,0:41:34.009
with the content

0:41:34.009,0:41:36.159
so 

0:41:36.159,0:41:37.679
there is no like

0:41:37.679,0:41:39.289
back door on port 80 here

0:41:39.289,0:41:40.689
this is a

0:41:40.689,0:41:47.119
by the way the other thing that’s nice is that I came
through this proxy and whatever

0:41:47.119,0:41:50.779
if I’m dealing with a binary protocol like let’s say
SNB or RPC or something that doesn’t 

0:41:50.779,0:41:52.249
render well as text

0:41:52.249,0:41:56.849
that's same right-click you can instead choose to
dump it into Wireshark

0:41:56.849,0:41:58.099
so here’s the Wireshark data

0:41:58.099,0:42:00.829
and you can use anything you want to do for Wireshark
at this point

0:42:00.829,0:42:01.900
this is fast right

0:42:01.900,0:42:05.699
I don’t know how many of you have had to do this by
hand

0:42:05.699,0:42:08.570
you know you SSH out to the sensor find a pcat file

0:42:08.570,0:42:10.709
come up with a BPF in your head

0:42:10.709,0:42:12.119
you know run it

0:42:12.119,0:42:13.890
copy it someplace no this is

0:42:13.890,0:42:15.359
right-click right-click right-click I’ve got all my data 

0:42:17.130,0:42:20.909
if you want to see well have I ever gone to this IP address
before

0:42:20.909,0:42:23.219
I query for my sessions and I say

0:42:23.219,0:42:27.459
you know in this case it’s a sequel query on that desk IP

0:42:27.459,0:42:30.770
and by the way you can right-click and do a default query
or else if you know what the schema looks like you can just
modify it by hand

0:42:37.369,0:42:40.139
and I think that’s it

0:42:40.139,0:42:41.820
so if you want to try any of that

0:42:41.820,0:42:44.889
like I said %uh the ports exist

0:42:44.889,0:42:49.399
I maintain some really really really
really lame scripts that automate this

0:42:49.399,0:42:52.190
but I need to install it on my home gateway or something
like that

0:42:52.190,0:42:56.319
They’re more of just a reference

0:42:56.319,0:42:57.140
but that’s what I do on BSD as far as network security
monitoring goes

0:42:57.140,0:43:03.609
I’d be happy to answer any questions

0:43:03.609,0:43:09.139
yes

0:43:09.139,0:43:14.049
what additional features are you looking for in the future I
would say for SGUIL for new features the first thing is resolve

0:43:14.049,0:43:15.700
intellectual property

0:43:15.700,0:43:16.140
because

0:43:16.140,0:43:19.469
I hired Bam as my lead incident handler at GE

0:43:19.469,0:43:20.439
so

0:43:20.439,0:43:21.780
we need to figure out

0:43:21.780,0:43:24.940
if he works on it at work

0:43:24.940,0:43:27.640
can we release it well first of all can he even work
on it at work

0:43:27.640,0:43:29.130
and secondly if he does

0:43:29.130,0:43:33.189
can we release so we're trying to work
out those I think it'll be resolved positively

0:43:33.189,0:43:35.119
because we're GE’s actually fairly pro-open-source

0:43:36.849,0:43:41.189
I told the CEO of the company that this thing
used my sequel as a back end and

0:43:41.189,0:43:42.229
he’s like I love my sequel

0:43:42.229,0:43:43.680
okay

0:43:43.680,0:43:45.470
he’s like you’ve got your money I’m like oh

0:43:45.470,0:43:47.089
okay that’s all I had to say great

0:43:47.089,0:43:50.969
%uh he hates Microsoft he hates the company

0:43:53.819,0:43:58.789
so we wanted once we get that result we want
to probably introduce other data sources

0:43:58.789,0:43:59.549
so introduce like Bro plugin

0:44:01.090,0:44:02.240
some other agents

0:44:02.240,0:44:03.799
they could accept other data

0:44:03.799,0:44:05.470
%uh we need to have

0:44:05.470,0:44:07.789
some kind of reporting mechanism

0:44:07.789,0:44:08.610
because people don't know

0:44:08.610,0:44:11.589
what comes out once you put it in

0:44:11.589,0:44:16.329
there's been some talk about making this turn
into a Splunk base application

0:44:16.329,0:44:18.119
so all the data goes into Splunk

0:44:18.119,0:44:25.119
I mean you could you'd do like use Splunk as the interface
so that's a possibility

0:44:28.909,0:44:33.859
yeah Splunk is remarkably cheap for an enterprise
app though we’ve bought like giant licenses

0:44:33.859,0:44:34.669
that have not

0:44:34.669,0:44:38.399
I mean they've been like five-figure purchases which is
really good considering how many gigabytes of data  

0:44:38.399,0:44:39.489
we’re indexing

0:44:39.489,0:44:41.789
%uh but you know for the

0:44:41.789,0:44:46.170
situation here it would be an option because the free Splunk
is 500mb a day

0:44:46.170,0:44:49.229
so it's not that

0:44:49.229,0:44:56.229
any other questions
 
0:45:02.480,0:45:04.219
yeah I think Bro if you’ve never heard of Bro bro-ids.org

0:45:04.219,0:45:08.279
in fact I’m going to Bro training next week
in Berkeley which is just going to rock I’m so excited

0:45:08.279,0:45:10.629
about that

0:45:10.629,0:45:12.469
Bro I think is a perfect

0:45:12.469,0:45:14.809
a perfect compliment to Snort

0:45:14.809,0:45:17.750
Snort not exclusively but Snort is quite a bit about signatures

0:45:17.750,0:45:21.140
there are some few processors that look for
protocol anomalies and so forth

0:45:21.140,0:45:26.189
but Bro on it’s own is completely the opposite it’s all about
protocol anomalies

0:45:26.189,0:45:27.939
Snort has kind of like real

0:45:27.939,0:45:30.999
hackish type state keeping using flow bits

0:45:30.999,0:45:32.739
Bro is all about state

0:45:32.739,0:45:35.160
so you put the two of them together you might say

0:45:35.160,0:45:37.499
shoot I really need to know when such and such
happens

0:45:37.499,0:45:41.270
but to do that Snort I’d have to do all this
flow bits and stuff

0:45:41.270,0:45:43.030
whereas with Bro you’re like oh

0:45:43.030,0:45:43.810
just track the connections and then do this

0:45:43.810,0:45:50.810
so the two of them together I think work really
well

0:45:51.619,0:45:54.980
the questions was does Bro have Snort rule input functionality

0:45:54.980,0:45:57.769
it does to the extent that every

0:45:57.769,0:46:02.059
like hardware vendor accelerator vendor Snort competitor
says that they do

0:46:02.059,0:46:05.079
%uh Snort is the engine is always being
updated

0:46:05.079,0:46:07.880
so generally what when somebody says that
they can

0:46:07.880,0:46:09.880
%uh run Snort rules faster

0:46:09.880,0:46:12.420
they’re usually only talking about content matches

0:46:12.420,0:46:14.519
so they take whatever the the

0:46:14.519,0:46:15.500
content match is

0:46:15.500,0:46:18.829
and implement it quickly in hardware

0:46:18.829,0:46:23.099
so over time the degree to which you can map
real Snort rules fades

0:46:23.099,0:46:24.309
so whereas

0:46:24.309,0:46:26.510
five years ago it might have been like 90%

0:46:26.510,0:46:28.619
these days it's like 25%

0:46:28.619,0:46:35.619
so they probably can pull in a certain percentage
but not a lot

0:46:46.159,0:46:50.020
right right exactly so the question was about retention
of the full content data

0:46:50.020,0:46:53.439
I should mention that for alerts we try to keep for
about a year

0:46:53.439,0:46:56.809
for flows we try to keep about six months

0:46:56.809,0:46:59.529
and alerts and flows are both centralized although

0:46:59.529,0:47:03.059
given the flow volume we’re seeing we might
have to start pushing that back onto the

0:47:03.059,0:47:04.909
sensor

0:47:04.909,0:47:07.549
pcat data it is

0:47:07.549,0:47:10.509
just what we can afford as far as hard drive spaces go

0:47:10.509,0:47:11.769
my last budget

0:47:11.769,0:47:15.319
I could only spend about 2,500
to 3,000 per sensor

0:47:15.319,0:47:18.949
which limited me to about one to

0:47:18.949,0:47:22.139
yeah about one terabyte of disk space with raid

0:47:22.139,0:47:23.809
so %uh

0:47:23.809,0:47:26.279
depending on where the sensor goes that could be

0:47:26.279,0:47:28.809
three months or three weeks

0:47:28.809,0:47:34.189
or or a day or three days or three hours
right

0:47:34.189,0:47:36.259
what I do is I end up 

0:47:36.259,0:47:38.450
I buy up chassis that can

0:47:38.450,0:47:40.960
potentially grow to have a lot more storage once
I have budget

0:47:40.960,0:47:42.509
I put the system out there

0:47:42.509,0:47:43.319
and I say

0:47:43.319,0:47:46.439
look this is look what I found at this location
boss

0:47:46.439,0:47:50.709
if you give me a little more more money I can put in
you know four terabytes of disk space as opposed

0:47:50.709,0:47:51.609
to one

0:47:51.609,0:47:53.209
and then they give me that

0:47:53.209,0:47:55.520
but the pcap data only stays on a sensor

0:47:55.520,0:47:58.049
so what I try to do is I have an analysis
window

0:47:58.049,0:47:59.179
and a pcap window

0:47:59.179,0:48:03.799
and I try to have that pcap window longer than
the analysis window

0:48:03.799,0:48:08.239
so the questions yes

0:48:08.239,0:48:12.269
yeah so any type of encryption on host

0:48:12.269,0:48:14.139
but the funny thing is

0:48:14.139,0:48:17.909
most of the time when I did get type of

0:48:17.909,0:48:19.160
like third-party tips

0:48:19.160,0:48:22.669
it's usually have you seen anybody visiting this IP address

0:48:22.669,0:48:25.919
and if I see the visit to that IP address
even if it’s encrypted

0:48:25.919,0:48:27.669
I know it

0:48:27.669,0:48:29.429
this isn't the whole game right

0:48:29.429,0:48:32.750
usually what I do is I use all of this identify
boxes that problems

0:48:32.750,0:48:34.439
and then I roll in to do 

0:48:34.439,0:48:35.809
host-based forensics

0:48:35.809,0:48:42.809
so that some of the other coin other side

0:48:45.349,0:48:49.310
yeah that is really dependent on the way that

0:48:49.310,0:48:50.729
encryption algorithm is implemented

0:48:50.729,0:48:55.159
some of them are are very friendly to that
others are not

0:48:55.159,0:48:57.339
and others

0:48:57.339,0:48:59.070
that you know in some cases

0:48:59.070,0:49:02.300
it might be better to use another approach
like there's certain proxies that are out

0:49:02.300,0:49:03.829
there like that

0:49:03.829,0:49:05.419
Palo Alto firewall

0:49:05.419,0:49:07.969
you can specify encryption policies so

0:49:07.969,0:49:12.210
and if you go to banks if you go to certain
sites they don’t mess with the SSL

0:49:12.210,0:49:14.150
everywhere else they man it in the middle

0:49:14.150,0:49:16.349
and so you can get access to the logs that
way

0:49:16.349,0:49:18.619
so I try not to do that with the sensors so much

0:49:18.619,0:49:19.659
I try to keep it I try to make 

0:49:19.659,0:49:21.799
the sensor so nobody even knows they’re there

0:49:21.799,0:49:23.529
if at all possible

0:49:23.529,0:49:28.169
yes

0:49:39.739,0:49:43.599
his comment was even if there is four
four three traffic that’s encrypted

0:49:43.599,0:49:45.349
general to be something else that isn’t

0:49:45.349,0:49:48.969
and that's really what all this is about it's
generally about getting a hint that something

0:49:48.969,0:49:49.890
is wrong

0:49:49.890,0:49:53.460
and you don't necessarily know what the hint is until
you’ve been burnt pretty badly

0:49:53.460,0:49:56.609
and then you go back and you figure out the scope
of the incident is

0:49:56.609,0:50:00.119
in no forensic case have I ever worked where I
had a complete picture

0:50:00.119,0:50:01.929
you know I had the guys hard drive I had

0:50:01.929,0:50:04.280
his logs his network traffic it's generally

0:50:04.280,0:50:05.490
you get some piece

0:50:05.490,0:50:08.160
and then you start investigating

0:50:08.160,0:50:10.190
and the reason I do this approach is because it’s cheap

0:50:10.190,0:50:14.099
you know twenty $500 commodity hardware 
open source software

0:50:14.099,0:50:15.820
little bit of experience

0:50:15.820,0:50:17.280
and suddenly I’ve got some

0:50:17.280,0:50:18.220
you know some viable data

0:50:18.220,0:50:22.129
you’d think working at GE I’d have some huge
budget

0:50:22.129,0:50:23.000
no way not at all

0:50:23.000,0:50:24.819
any other questions

0:50:24.819,0:50:31.819
yes

0:50:35.649,0:50:38.709
well to tell you the truth I started using

0:50:38.709,0:50:39.750
FreeBSD specifically

0:50:39.750,0:50:44.710
%uh in 2000 and the reason was our
developers who who were building the ASM sensors

0:50:44.710,0:50:46.659
in the

0:50:47.569,0:50:48.279
they said

0:50:48.279,0:50:52.579
if we’re going to have a good network stack we should
use a BSD base stack as opposed to Linux

0:50:52.579,0:50:53.959
so that's how it started

0:50:53.959,0:50:59.519
%um since then there have been many changes in both
sides Linux within the BSDs and so forth

0:50:59.519,0:51:02.419
so I'm really not in a position to say which

0:51:02.419,0:51:03.319
is better

0:51:03.319,0:51:04.410
I I would say

0:51:04.410,0:51:06.679
I've never had a BSD let me down

0:51:06.679,0:51:08.599
put it that way

0:51:08.599,0:51:10.930
as far as FreeBSD goes specifically

0:51:10.930,0:51:14.229
there’s some like minor things that make my
life better

0:51:14.229,0:51:18.349
one is I know a lot of the network developers
so when there's an issue I can talk to them

0:51:18.349,0:51:19.859
directly

0:51:19.859,0:51:20.919
and they can say

0:51:20.919,0:51:22.420
like some of the 

0:51:22.420,0:51:23.660
I don’t know who’s from the free

0:51:23.660,0:51:26.099
but some of the zero copy stuff that's being
worked on

0:51:26.099,0:51:29.159
like that helps me a lot

0:51:29.159,0:51:32.999
some it's the most stupid things like the
ability that any

0:51:32.999,0:51:33.869
any

0:51:33.869,0:51:35.469
app which 

0:51:35.469,0:51:37.719
is opening up a BPF

0:51:37.719,0:51:40.109
you can track performance with the what was it

0:51:40.109,0:51:41.609
netstat -B

0:51:41.609,0:51:42.400
capital B

0:51:42.400,0:51:45.859
little things like that are helpful too

0:51:45.859,0:51:52.859
there's another question

0:52:03.309,0:52:05.019
yes

0:52:05.019,0:52:09.189
yeah so I don’t know if what you've seen in the news about
like Chinese hackers and all

0:52:09.189,0:52:12.499
this has been going on for a long time it's
just that

0:52:12.499,0:52:14.590
nowadays they're mostly on Windows but

0:52:14.590,0:52:16.269
ten years ago what was popular

0:52:16.269,0:52:20.489
like commercial in the military it was Solaris

0:52:20.489,0:52:25.289
so we were seeing all sorts weird traffic in 
our Solaris boxes that we couldn’t account for

0:52:25.289,0:52:27.439
so these guys had written once we

0:52:27.439,0:52:28.929
started doing some

0:52:28.929,0:52:31.199
forensics and it wasn't the forensics of

0:52:31.199,0:52:33.929
pull the power cord which is what was popular
back then right

0:52:33.929,0:52:35.319
it was you know

0:52:35.319,0:52:37.960
let's take us the actually I think back then we were
doing

0:52:37.960,0:52:40.019
we generated a crash dump

0:52:40.019,0:52:41.139
and then analyzed it

0:52:41.139,0:52:43.899
so these guys were writing

0:52:43.899,0:52:45.089
memory resident

0:52:45.089,0:52:46.289
did not touch 

0:52:46.289,0:52:48.129
did not touch the hard drive

0:52:48.129,0:52:50.240
%uh implementations where

0:52:50.240,0:52:52.029
they built their own 

0:52:52.029,0:52:53.639
like hyper visor and had their own little operating

0:52:53.639,0:52:59.469
system on top of our Solaris
boxes that we couldn't see

0:52:59.469,0:53:01.519
yeah so

0:53:01.519,0:53:04.179
that was back then

0:53:04.179,0:53:06.059
right %uh

0:53:06.059,0:53:08.489
it’s I’ve worked on that side the defensive side

0:53:08.489,0:53:10.929
I’ve also worked on a not defensive side

0:53:10.929,0:53:12.849
I won’t say what that is but

0:53:12.849,0:53:15.159
%uh the stuff I saw here

0:53:15.159,0:53:16.709
that we were doing as contractors

0:53:16.709,0:53:20.369
I was I was like wow this can be done this
is really amazing so

0:53:20.369,0:53:25.279
most of the time if you have an imagination you
can sort of imagine what's happening

0:53:25.279,0:53:27.579
and if you think about it you might think well

0:53:27.579,0:53:30.910
we're not the only ones in the world who can do that
so there’s probably guys on the other

0:53:30.910,0:53:31.649
side

0:53:31.649,0:53:34.789
who can do it so then you have to start
looking for it

0:53:34.789,0:53:36.729
what you see is a progression of

0:53:36.729,0:53:39.009
things that happened at the very high end

0:53:39.009,0:53:41.189
eventually it filters down you know

0:53:41.189,0:53:44.339
really good rootkits used to be the province
of people who wrote them

0:53:44.339,0:53:46.039
but now you can buy them

0:53:46.039,0:53:53.039
find them share them whatever

0:53:59.749,0:54:03.279
sure yeah so the question is do we do any pattern analysis

0:54:03.279,0:54:06.219
there's nothing bad about Latvia

0:54:06.219,0:54:07.679
you asked a good question

0:54:07.679,0:54:11.549
but

0:54:11.549,0:54:14.059
let me put it this way

0:54:14.059,0:54:17.089
I'm creating that the first GE cert

0:54:17.089,0:54:20.400
it's 2099 but yes we just did
up our first cert

0:54:20.400,0:54:25.559
so we are we're not even like crawling yet
we’re like the baby on its back

0:54:25.559,0:54:26.799
oh look I can lift my head up

0:54:26.799,0:54:31.879
so we're still getting our hands around what does it
even mean to operate the cert data we have and

0:54:31.879,0:54:32.549
so forth

0:54:32.549,0:54:36.649
I would expect within the next two years we're going
been doing the kinds of things I would have

0:54:36.649,0:54:37.579
expected

0:54:37.579,0:54:38.769
you know a real

0:54:38.769,0:54:39.649
cert to do

0:54:39.649,0:54:41.320
it now includes things like

0:54:41.320,0:54:47.279
we know our environment so well that when we see
that box doing that that's outside the scope

0:54:47.279,0:54:50.689
it's one of those things where we have ideas
that are probably

0:54:50.689,0:54:52.429
like two years ahead of where we can implement

0:54:52.429,0:54:53.729
but once we do that

0:54:53.729,0:55:00.199
we’ll find stuff like that

0:55:00.199,0:55:04.569
have we gotten people to do their own what

0:55:04.569,0:55:08.579
so the question was I think you probably heard the question

0:55:08.579,0:55:12.139
we are actually collaborating with

0:55:12.139,0:55:16.670
%uh ICIR at Berkeley like Verne Paxon and his guys the Bro guys

0:55:16.670,0:55:18.880
and %uh at New York University so

0:55:18.880,0:55:21.940
there’s two research programs at each and
we're going to be

0:55:21.940,0:55:23.269
probably

0:55:23.269,0:55:25.950
I would guess we’re probably going to ship them data

0:55:25.950,0:55:30.809
because that’s what’s great about our method right we just
collect data so we can sign an NDA ship them data

0:55:30.809,0:55:32.919
and they can apply all their different

0:55:32.919,0:55:34.259
research

0:55:34.259,0:55:36.260
theories against it and find stuff for us

0:55:36.260,0:55:38.299
so yeah I’d expect some of that

0:55:38.299,0:55:45.299
from those guys

0:55:49.229,0:55:54.039
yes 

0:55:54.039,0:55:56.439
yeah so the way I deploy is I use taps where possible
because you can’t screw it up

0:55:56.439,0:55:59.439
I mean you can there are certain fiber types you can
physically connect backwards

0:55:59.439,0:56:02.349
so just enough light will get through so the
traffic follows

0:56:02.349,0:56:04.649
but no light is reflected out to your sensor

0:56:04.649,0:56:06.760
but for the most part if you’re talking copper

0:56:06.760,0:56:07.430
done tap

0:56:07.430,0:56:09.649
it gives you your traffic

0:56:09.649,0:56:13.350
I even prefer that model for like IPS’s 
if you have to use an IPS

0:56:13.350,0:56:15.599
use a bypass switch as opposed to putting it in line

0:56:15.599,0:56:18.539
I don't put anything in line because as soon as
you’re in line

0:56:18.539,0:56:20.599
what happens

0:56:20.599,0:56:24.029
you get blamed so I stay I’m like look I have a dum tap

0:56:24.029,0:56:27.329
pull the power cords it’s not going to affect the network
in the least right

0:56:27.329,0:56:32.129
I have my sensor my sensor could blow up in a ball of fire
and you wouldn’t even notice it

0:56:32.129,0:56:36.609
and all the business owners are like yes

0:56:36.609,0:56:39.239
but if I told them I’m putting this box in line

0:56:39.239,0:56:40.979
anything that happens you’re like

0:56:42.449,0:56:44.469
your box took down my ten million dollar an hour system
I’m going to kill you

0:56:44.469,0:56:45.160
so 

0:56:45.160,0:56:50.029
I don't bother with that

0:56:50.029,0:56:54.879
I’ve got a good track record that’s why I’m still employed

0:56:54.879,0:56:55.469
so far

0:56:55.469,0:56:57.629
the only time I ever took something down

0:56:57.629,0:56:59.429
I was fully authorized to do

0:56:59.429,0:57:00.529
%uh we had

0:57:00.529,0:57:01.729
some script kitty 

0:57:01.729,0:57:03.220
who was

0:57:03.220,0:57:03.969
defacing

0:57:03.969,0:57:05.569
web site after web site

0:57:05.569,0:57:06.869
we had some you know

0:57:06.869,0:57:09.380
Microsoft IS 4 0 websites back in the
air force

0:57:09.380,0:57:10.839
and he was dialing in getting

0:57:10.839,0:57:13.789
a new IP defacing the website

0:57:13.789,0:57:16.260
disconnecting dialing in so he had a new IP

0:57:16.260,0:57:19.590
so we had all our admins trying to block these IPs

0:57:19.590,0:57:20.339
and we’re like this isn’t working

0:57:23.069,0:57:24.959
stupid stupid defensive policies

0:57:24.959,0:57:29.620
this is all like at two o'clock in the morning
eastern time actually no central wherever I was

0:57:29.620,0:57:30.759
in Texas

0:57:30.759,0:57:35.449
and so finally I said this guy is all over the space he’s in
California he's using the UUnet

0:57:35.449,0:57:38.170
the UUnet blocker however they’re signing they’re signing
the IPs

0:57:38.170,0:57:41.390
it's just all over the place we're blocking UUnet

0:57:41.390,0:57:43.799
all of UUnet to the air force

0:57:43.799,0:57:44.790
so

0:57:44.790,0:57:45.369
I was like

0:57:45.369,0:57:49.939
execute that blocking order

0:57:49.939,0:57:51.089
yeah

0:57:51.089,0:57:55.309
I knew there was going to be hell to pay the next morning
so I the next thing I did I was I started writing

0:57:55.309,0:58:00.729
this is why I blocked this whatever and I had
tons of generals why did you I couldn’t check my email

0:58:00.729,0:58:05.439
and I got up in front of the generals and I said sir this is
why I did it I did it to protect air force assets 

0:58:05.439,0:58:09.259
and all that so I was alright

0:58:09.259,0:58:15.639
yeah question

0:58:15.639,0:58:16.719
%um

0:58:16.719,0:58:18.550
yes the sensors are

0:58:18.550,0:58:19.969
scanned all the time

0:58:19.969,0:58:21.669
%uh I use them

0:58:21.669,0:58:26.459
the model I use with the sensors is you don't firewall
all things off like you might with a Windows

0:58:26.459,0:58:26.959
platform

0:58:26.959,0:58:29.139
you disabled things

0:58:29.139,0:58:30.250
I mean you traditionally you don’t turn it on

0:58:31.819,0:58:35.139
so I typically only expose SSH

0:58:35.139,0:58:38.219
the systems reach out they don’t

0:58:38.219,0:58:40.660
all the things you would think is what
I do

0:58:40.660,0:58:42.140
and of course they’re scanned

0:58:42.140,0:58:43.909
people try to brute force them of course

0:58:43.909,0:58:46.179
if I see somebody brute forcing in my sensor

0:58:46.179,0:58:47.119
who are you

0:58:47.119,0:58:49.170
because these are all internally managed

0:58:49.170,0:58:50.450
well who are you

0:58:50.450,0:58:52.649
why do you even know that this box is here

0:58:52.649,0:58:56.229
we're going to come and get you

0:58:56.229,0:58:57.379
the

0:58:57.379,0:59:00.919
sounds better than it is

0:59:04.479,0:59:08.799
we selling our fleet of black helicopters actually

0:59:10.030,0:59:13.449
we don't have a fleet of corporate jets  
like a lot of other companies

0:59:13.449,0:59:16.189
we have net jets accounts

0:59:16.189,0:59:23.189
well I don’t but the CEO does we do have a helicopter I’ve seen it once

0:59:23.869,0:59:26.289
yeah the question was would

0:59:26.289,0:59:27.469
honey pot be of any value

0:59:27.469,0:59:28.969
honey pots are things that are good to run if

0:59:28.969,0:59:32.119
one you’re researcher or two you have a lot of time on your hands

0:59:32.119,0:59:36.039
because I have like a network of 300,000
honey pots

0:59:36.039,0:59:38.479
so

0:59:38.479,0:59:40.230
actually it’s more like half a million now that I think about it

0:59:40.230,0:59:43.139
so yeah at some point

0:59:43.139,0:59:46.959
there’s actually two things one is yeah at some point
you could deploy some honey pots if you see them

0:59:46.959,0:59:47.589
scanned

0:59:47.589,0:59:50.209
but I have enough systems that are

0:59:50.209,0:59:51.839
alive or getting scanned or attacked or exploited

0:59:51.839,0:59:54.169
the second thing we have is

0:59:54.169,0:59:55.510
if you're inside our network

0:59:55.510,0:59:59.869
and if you try to do anything to any any network
that is not explicitly routed by us

0:59:59.869,1:00:01.239
you end up in a sink hole

1:00:01.239,1:00:02.509
so the sink hole

1:00:02.509,1:00:04.589
is an awesome awesome place to find

1:00:04.589,1:00:07.389
misconfigured systems malicious systems and
so forth

1:00:07.389,1:00:09.040
so I have a sink hole router

1:00:09.040,1:00:11.210
and before that I had a sensor that watches that traffic

1:00:11.210,1:00:13.709
so the sink hole routers are a great

1:00:13.709,1:00:14.999
indicator

1:00:14.999,1:00:17.509
source of indicators

1:00:17.509,1:00:20.849
it also keeps a lot of load off of our firewalls

1:00:20.849,1:00:27.289
so you can’t scan Google from inside GE as
for example it goes straight into the sinkhole

1:00:27.289,1:00:29.740
I know Capitol One does that as well

1:00:29.740,1:00:32.109
that's it’s a good trick

1:00:32.109,1:00:34.199
any other questions

1:00:34.199,1:00:34.739
okay thank you very much.