New to flow analysis and command-line interfaces? Most tools that help you work with flow, such as SiLK, make heavy use of a command-line interface instead of the more familiar point-and-click systems many of us are used to. To harness the full capability of flow analysis, you also need some command-line proficiency. In this early-morning boot camp, Tim will get you up to speed on the command line and set you on your way to taking full advantage of the power it has to offer for flow analysis.
No prior experience is required; however, you will need to bring your own laptop.

Security Onion is a well-known Linux distribution used for network security monitoring. It bundles a large number of tools in one place, which makes it an excellent classroom resource. In this workshop, attendees will learn how Security Onion can be used in the classroom. Attendees will be given an overview of the tools available in Security Onion and a demonstration of how open source data can be used to create challenging labs for classroom use. Attendees will work through some sample labs during the class.
This course introduces you to network flow analysis using the CERT open source SiLK tool suite. Network flow analysis enables retrospective analysis of a network’s traffic to help with forensic analysis, passive network profiling, and threat discovery.
Network flow analysis benefits from the very long retention of flow data due to the extremely small size of flow records, allowing examination of traffic going back much further in time than is possible with analysis of full-packet capture. Network flow analysis also helps you solve many privacy issues inherent in packet analysis. The SiLK tool suite is uniquely suited to analyzing extremely large networks with massive amounts of traffic.
No prior knowledge of network flow analysis is necessary, but familiarity with IP, TCP, and UDP is required.
As part of participating in the hands-on labs, you will be provided with a copy of the Linux-based tools and data needed in the training; however, you must bring your own laptop. An introductory Linux tutorial will be offered prior to the SiLK training for those who want it.
Suricata, the world’s leading IDS/IPS engine, provides the most versatile network security tool available today. Developed and maintained by a core team of developers and an open source community, Suricata is the “Swiss Army Knife” for network security monitoring. This training will demonstrate the latest in Suricata’s dynamic capabilities including:
At the completion of this training, attendees will gain a greater understanding of Suricata’s versatility and power. They will also have the unique opportunity to discuss any questions directly with members of the Suricata development team.
Analysis of IP flow records from Internet peering points presents some interesting challenges. The total volume is large, to say the least; the number of hosts is very large and diverse; and the number of flows per Gbps of bandwidth is higher than in most enterprises. The traffic is entirely asymmetrical, and the infrastructure seems to be always evolving: just when the migration from SONET cores to all-Ethernet is completed, the introduction of orchestrated NFVs begins. These challenges are all surmountable, and the analysis is effective and useful. The new infrastructures again present challenges, but they also offer opportunities for new approaches using orchestrated Security Functions Virtualization (SFVs or SNFVs). The orchestration capabilities can enable scheduled surveillance of traffic and network elements.
In an IT environment where more and more enterprise IT is located outside the physical confines of the enterprise, security data collection and sensing has to follow. “Cyclops” is the US Department of Defense’s solution for migrating the collection of unsampled flow data, network metadata, and security analysis to the “cloud.” Sylvia Mapes (DISA), Alan Fraser (CenturyLink), and Greg Virgin (RedJack) will discuss the challenges and solutions of flow data “as-a-service,” including deployment strategies, analysis strategies, and coping with the massive scale of malicious activity on ISP-sized network connections.
Verizon Network Security Services collects netflow from internal devices, edge routers and the Internet backbone. The group is also the central repository for logs in hundreds of formats and thousands of machines, including firewalls, IDS engines, web proxies, SNMP managers, BGP aggregators, DNS servers and desktops. Deriving useful information from all this data is a task shared by the data owners, repository operators and security analysts.
In this presentation, we will go over the growth of the Verizon Network Security data repository and the infrastructure in place that receives and processes 100 GB of data an hour, including two billion flows. We will also cover some of the open source, commercial, and homegrown software that helps the security, network planning, and network performance teams gain insight into the current state of networks, from local offices to the Internet.
We will also discuss some of the challenges encountered along the way, various attempts to make searching flow faster, and some recent developments using machine learning to identify attacks on the network.
In recent years, many organizations across government, industry, and academia have recognized the need to build an insider threat program (InTP) to protect their critical assets. Insider threat programs fuse information from across traditionally stovepiped portions of organizations (such as HR, IT, and physical security) to identify technical and behavioral activity of concern. In this presentation, we will discuss how modern insider threat programs work, what they are designed to prevent, detect, and respond to, and how NetFlow analysis can (and should) be incorporated into an insider threat program.
Insider threat analysts look for anomalous behavior and activity across a wide array of data sources: host-based audit logs, human resource management systems, anonymous reporting mechanisms, and even SIEM tools. In this presentation, we will provide examples of how NetFlow data can be, and has been, used to detect anomalous insider behavior and activity, and show how correlating information from other data sources can increase the effectiveness of NetFlow-based indicators.