FloCon 2017 has ended


General Session
Tuesday, January 10
 

9:00am

Finding the Needle in the Haystack
With all the information available via NetFlow, finding the "needle in the haystack" (the bad actor in NetFlow records) can be difficult at best. Methods to discover illegitimate traffic range from as simple as looking at TCP flags to more complex procedures such as defining thresholds for the number of flows together with ratios to unique destinations. There are other methods available, but I will be focusing on these thresholds and ratios and why this approach turns the needle into a goal post. The CPU cycles needed for this analysis are reduced by the implementation of AVL trees (balanced binary trees), and by knowing that the bottleneck in processing the data is reading it from disk. The algorithm used takes less than a second to process 3 million flows collected over a 5-minute time span. Inbound and outbound, as well as local, traffic all need to be considered.
Inbound analysis helps protect against external threats, outbound analysis protects you from external embarrassment, and local analysis identifies local problems that can lead to bigger problems.
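As an added illustration of the threshold-and-ratio approach the abstract describes (this is not the speaker's code, which is not on this page), the script below aggregates one bin of flow records per (direction, source address), then flags sources whose flow count exceeds a threshold and whose unique-destination-to-flow ratio or SYN-only share is high. The talk keys its aggregation on AVL trees; a Python dict does the same job here. The 10.0.0.0/8 local range, the thresholds, and the flow records are all constructed assumptions.

```python
"""Threshold/ratio scan over one 5-minute bin of flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    sip: str
    dip: str
    dport: int
    proto: int
    flags: str   # TCP flags as SiLK-style letters, e.g. "S", "SA", "SPA"


# Assumption: the site's own address space; a real deployment reads this from config.
LOCAL = ip_network("10.0.0.0/8")


def direction(flow):
    """Classify a flow as inbound, outbound, local, or transit relative to LOCAL."""
    s_local = ip_address(flow.sip) in LOCAL
    d_local = ip_address(flow.dip) in LOCAL
    if s_local and d_local:
        return "local"
    if d_local:
        return "inbound"
    if s_local:
        return "outbound"
    return "transit"


def find_needles(flows, min_flows=20, min_ratio=0.8, min_syn_share=0.9):
    """Per (direction, source IP): flow count, unique destinations, SYN-only share.

    A source is reported once it has at least min_flows flows in the bin and either
    touches a distinct (dIP, dPort) for almost every flow (a sweep) or sends mostly
    SYN-only flows (handshakes that never complete). Thresholds are assumptions.
    """
    stats = defaultdict(lambda: {"flows": 0, "dsts": set(), "syn_only": 0})
    for f in flows:
        st = stats[(direction(f), f.sip)]
        st["flows"] += 1
        st["dsts"].add((f.dip, f.dport))
        if f.proto == 6 and f.flags == "S":
            st["syn_only"] += 1
    hits = []
    for (dirn, sip), st in stats.items():
        if st["flows"] < min_flows:
            continue
        ratio = len(st["dsts"]) / st["flows"]
        syn_share = st["syn_only"] / st["flows"]
        if ratio >= min_ratio or syn_share >= min_syn_share:
            hits.append({"direction": dirn, "sip": sip, "flows": st["flows"],
                         "unique_dsts": len(st["dsts"]), "ratio": round(ratio, 2),
                         "syn_share": round(syn_share, 2)})
    return sorted(hits, key=lambda h: (h["direction"], h["sip"]))


def sample_flows():
    """Constructed records standing in for one 5-minute NetFlow bin."""
    flows = []
    # External scanner sweeping SSH across a /24: 40 flows, 40 unique dsts, SYN only.
    for i in range(40):
        flows.append(Flow("198.51.100.7", f"10.1.2.{i + 1}", 22, 6, "S"))
    # Normal user: 30 flows to 3 web servers, full handshakes (ratio 0.1, no alert).
    for i in range(30):
        flows.append(Flow("10.0.0.5", f"203.0.113.{i % 3 + 1}", 443, 6, "SPA"))
    # Compromised internal host delivering mail to 25 distinct external hosts.
    for i in range(25):
        flows.append(Flow("10.0.0.20", f"192.0.2.{i + 1}", 25, 6, "SPA"))
    # Internal host probing SMB across a neighbouring subnet.
    for i in range(22):
        flows.append(Flow("10.0.0.9", f"10.3.0.{i + 1}", 445, 6, "S"))
    # A few benign inbound flows, below the flow-count threshold.
    for _ in range(5):
        flows.append(Flow("203.0.113.9", "10.0.0.5", 443, 6, "SA"))
    return flows


if __name__ == "__main__":
    for hit in find_needles(sample_flows()):
        print(hit)
```

On the constructed bin this reports one source in each of the three directions the abstract names (the inbound SSH sweep, the local SMB probe, and the outbound mail burst) and stays quiet on the normal user, whose 30 flows go to only 3 destinations. Tune the thresholds against your own traffic: a busy DNS resolver or a mail relay will legitimately show high unique-destination ratios and needs either a higher threshold or a per-role allowlist.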

Speakers

Jonzy Jones

University of Utah
Jonzy has been an employee at the University of Utah for more than 30 years. He started out as email Postmaster and moved into security after a system breach. Prior to getting into security he was the author of Jughead, now called Jugtail, which was a search engine in Gopher space...



Tuesday January 10, 2017 9:00am - 9:30am
Great Room V-VIII 7450 Hazard Center Dr.

10:00am

SilkWeb - Analyzing Silk Data through API and Javascript Frameworks
The SilkWeb demo will showcase the SilkWeb tool, built with APIs and some modern JavaScript frameworks, to analyze SiLK network flow data. SilkWeb creates simple web-service data interfaces which can replace some of the command-line queries with web-service requests. This opens up a number of opportunities for visualization, integration and automation. A simple set of jQuery-based interfaces will be showcased to demonstrate the use of JavaScript frameworks to visualize SiLK data and to onboard a junior analyst to understand NetFlow. There is also an open opportunity to integrate SiLK data with other tools such as a SIEM using simple web-service requests over the network. The web server can produce this data through an interface such as REST to automate routine tasks.

The demo will showcase the use of this software at an ISP to do routine tasks and provide a quick way for network and security personnel to query and navigate NetFlow data. Some of the use cases that ISPs use this for today will be covered in the demo:
1. DDoS detection, using a number of simple steps to walk through and find offending customers.
2. Abuse/misuse detection, using a set of criteria to find customers who violate policy and increase risk to the ISP environment.
3. Detection of malicious probes into the server networks using anomalous network traffic.

These will be demonstrated from an ISP who uses SiLK and SilkWeb to meet these needs.
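As an added illustration of the idea in this abstract, replacing a command-line SiLK query with a web-service request, here is a minimal stand-alone service (not SilkWeb's code, which is not on this page). The security point a practitioner would add is visible in it: query parameters go through a whitelist with per-parameter validation and are turned into an argv list, never a shell string, so a web client cannot smuggle extra rwfilter options or shell metacharacters into the SiLK invocation. The rwfilter option names (`--start-date`, `--type`, `--protocol`, `--dport`, `--saddress`, `--daddress`, `--pass`) are assumptions taken from SiLK's documentation; the flow records are constructed so the service answers offline, and `/flows` is a hypothetical endpoint name.

```python
"""Web-service front end for SiLK-style flow queries (added example, stdlib only)."""
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlparse

DATE_RE = re.compile(r"^\d{4}/\d{2}/\d{2}(:\d{2})?$")   # SiLK date form YYYY/MM/DD[:HH]


def _int_in(lo, hi):
    """Validator factory: the value must be an integer within [lo, hi]."""
    def check(v):
        n = int(v)                      # raises ValueError on "6; rm -rf /"
        if not lo <= n <= hi:
            raise ValueError(v)
        return str(n)
    return check


def _date(v):
    if not DATE_RE.match(v):
        raise ValueError(v)
    return v


def _cidr(v):
    return str(ip_network(v, strict=False))   # raises ValueError on junk


def _type(v):
    if not re.fullmatch(r"[a-z0-9,]+", v):    # e.g. "in,inweb"
        raise ValueError(v)
    return v


# Query parameter -> (rwfilter option, validator). Anything else is rejected.
# Assumption: option names as in SiLK's rwfilter documentation.
PARAMS = {
    "start": ("--start-date", _date),
    "end":   ("--end-date", _date),
    "type":  ("--type", _type),
    "proto": ("--protocol", _int_in(0, 255)),
    "dport": ("--dport", _int_in(0, 65535)),
    "saddr": ("--saddress", _cidr),
    "daddr": ("--daddress", _cidr),
}


def build_rwfilter_argv(params):
    """Translate validated query params into an argv list for subprocess.run(argv)."""
    argv = ["rwfilter"]
    for name, value in params.items():
        if name not in PARAMS:
            raise ValueError(f"unknown parameter {name!r}")
        option, validate = PARAMS[name]
        argv.append(f"{option}={validate(value)}")
    argv.append("--pass=stdout")
    return argv


# Constructed records standing in for rwcut output, so the service runs offline.
SAMPLE_RECORDS = [
    {"sIP": "198.51.100.7", "dIP": "10.1.2.4", "dPort": 22, "protocol": 6, "bytes": 60},
    {"sIP": "198.51.100.7", "dIP": "10.1.2.5", "dPort": 22, "protocol": 6, "bytes": 60},
    {"sIP": "10.0.0.5", "dIP": "203.0.113.1", "dPort": 443, "protocol": 6, "bytes": 5120},
    {"sIP": "10.0.0.5", "dIP": "10.0.0.53", "dPort": 53, "protocol": 17, "bytes": 90},
]


def apply_filter(records, params):
    """Apply the same predicates in memory: the offline stand-in for rwfilter | rwcut.

    Validation runs first so bad input is rejected before any matching. Date and
    type predicates are accepted but not matched here because the constructed
    records carry no timestamp or sensor type.
    """
    build_rwfilter_argv(params)
    out = []
    for r in records:
        if "proto" in params and r["protocol"] != int(params["proto"]):
            continue
        if "dport" in params and r["dPort"] != int(params["dport"]):
            continue
        if "saddr" in params and ip_address(r["sIP"]) not in ip_network(params["saddr"], strict=False):
            continue
        if "daddr" in params and ip_address(r["dIP"]) not in ip_network(params["daddr"], strict=False):
            continue
        out.append(r)
    return out


class FlowHandler(BaseHTTPRequestHandler):
    """GET /flows?proto=6&dport=22 -> JSON with the argv built and the matching flows."""
    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/flows":
            self.send_error(404)
            return
        params = {k: v[0] for k, v in parse_qs(url.query).items()}
        try:
            body = json.dumps({"rwfilter_argv": build_rwfilter_argv(params),
                               "flows": apply_filter(SAMPLE_RECORDS, params)}).encode()
        except ValueError as e:
            self.send_error(400, f"bad parameter: {e}")
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), FlowHandler).serve_forever()
```

Swapping `apply_filter` for `subprocess.run(build_rwfilter_argv(params) ...)` piped into `rwcut` is the one change needed to serve live data; keep the argv form and the whitelist, since a service that exposes SiLK over HTTP to a SIEM or to junior analysts is exactly the place where a concatenated command string would turn a query box into command execution on the collector.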

Speakers

Vijay Sarvepalli

Senior Member of the Technical Staff, CERT Division - Software Engineering Institute
Vijay Sarvepalli is a senior member of the technical staff for the CERT® Coordination Center in the CERT Program at the Software Engineering Institute (SEI). As a member of the Monitoring and Response directorate, he supports sponsors in multiple areas from enterprise architecture...



Tuesday January 10, 2017 10:00am - 10:30am
Great Room V-VIII 7450 Hazard Center Dr.