GE s Enterprise Sensor Grid

Size: px

Start display at page:

Download "GE s Enterprise Sensor Grid"

Diana Oliver
6 years ago
Views:

1 GE s Enterprise Sensor Grid It s not the size of your network, it s how well you monitor it. David J. Bianco Incident Handler GE-CIRT David.Bianco@ge.com

2 [Network Security Monitoring is] the collection, analysis and escalation of indications and warnings to detect and respond to intrusions. Richard Bejtlich 2 /

3 NSM in a Nutshell NSM is a methodology, not a product Integrates different sources into a single view Easier to understand Speeds the research process 3 /

4 A Good NSM Collects as much information as practical Presents it to the analyst in ways that make sense Optimizes an analyst s time! 4 /

5 NSM Sucks in All Kinds of Data IDS alerts Network session data Full packet content DNS / WHOIS Specialized/homebrew sources VPN or Proxy logs Application level audit logs Anything else you might have handy 5 /

com) Open source network traffic analysis software ( & others) Focus on connections to Internet,

6 ESG: GE s NSM Enterprise Sensor Grid (ESG) is a network of in-house appliances, consisting of: Network sensor: Off-the-shelf Dell R710, 1TB 6TB RAID5 Network tap ( Open source network traffic analysis software ( & others) Focus on connections to Internet, then internal locations Currently 173 sensors online, and that s just phase 1! Approximately 265TB of distributed PCAP storage 6 /

7 Project Overview Open Source Developed by Bamm Vischer since 2002 Name comes from Snort GUI Client Tcl/Tk GUI for Unix/Linux/OS X/Windows Server & Sensors Unix/Linux only Tcl glue code around individual monitoring utilities 7 /

8 s 3-Tiered Architecture MySQL DB Sensors Server Security Analysts 8 /

9 Sensor Components IDS: Snort Network Session Data: SANCP Full Packet Capture: Daemonlogger 9 /

10 Server Components daemon Loader daemon MySQL database 10 /

11 ESG Investigation: Malicious PDF

12 12 /

13 13 /

14 14 /

15 15 /

16 16 /

17 17 /

18 18 /

19 19 /

20 20 /

21 21 /

22 22 /

23 23 /

24 Additional Material

25 Snort World s most popular IDS! Open Source & well-supported by other tools Signature-based detection ( like AV for network ) We use a combination publicly-available and locally-written rules. 25 /

26 SANCP Security Analyst Network Connection Profiler Summarizes network traffic into sessions Open Source Who talked to who, for how long, and how much data did they send? 26 /

27 Daemonlogger Captures full network packets and writes them to disk for later retrieval Open Source, written by Snort s creator, Marty Roesch Other options exist, but this is the smallest, which translates to reliability 27 /

28 Daemon Accepts connections from clients Coordinates access to data on the sensors and in the database Single-threaded! 28 /

29 Loader Daemon Receives SANCP data files from sensors Buffers these on disk Loads them into the database Multi-process 29 /

30 MySQL Database World s most popular Open Source DB Sophisticated SQL language and data management capabilities Dead easy to program for Good performance with our staggering data load requires a lot of resources 30 /

31 MySQL Database We use this to store IDS Alerts (snort) Network session records (SANCP) user information Audit info for each event Other useful information (e.g. alert payloads) 31 /

32 Data Flow Sensors collect IDS & session data, which are forwarded to server and deleted from sensor. server inserts IDS & session data into DB. IDS alerts are sent in real time to all connected clients Packet capture data stored on sensors until requested, then cached by the server on it s way to the client. 32 /

33 IDS Data Flow MySQL DB Sensors Server Security Analysts 33 /

34 IDS Data Flow IDS Alert!! MySQL DB Sensors Server Security Analysts 34 /

35 IDS Data Flow IDS Alert!! MySQL DB Sensors Server Security Analysts 35 /

36 IDS Data Flow IDS Alert!! MySQL DB Sensors Server Security Analysts 36 /

37 IDS Data Flow IDS Alert!! MySQL DB Sensors Server Security Analysts 37 /

38 SANCP Data Flow MySQL DB Sensors Server Security Analysts 38 /

39 SANCP Data Flow Network Session MySQL DB Sensors Server Security Analysts 39 /

40 SANCP Data Flow Network Session MySQL DB Sensors Server Security Analysts 40 /

41 SANCP Data Flow Network Session MySQL DB Sensors Server Security Analysts 41 /

42 SANCP Data Flow MySQL DB Sensors Server Security Analysts 42 /

43 SANCP Data Flow MySQL DB Sensors Server Security Analysts 43 /

44 SANCP Data Flow MySQL DB Sensors Server Security Analysts 44 /

45 SANCP Data Flow MySQL DB Sensors Server Security Analysts 45 /

46 Packet Capture Data Flow MySQL DB Sensors Server Security Analysts 46 /

47 Packet Capture Data Flow MySQL DB Sensors Server Security Analysts 47 /

48 Packet Capture Data Flow MySQL DB Sensors Server Security Analysts 48 /

49 Packet Capture Data Flow MySQL DB Sensors Server Security Analysts 49 /

50 Packet Capture Data Flow MySQL DB Sensors Server Security Analysts 50 /

51 Intrusion Analysis is a Series of Questions 1. Was this an actual attack? 2. Was the attack successful? 3. What other systems were also attacked? 4. What activities did the intruder carry out? 5. What resources did the intruder gain access to? 6. How should GE contain, eradicate and recover from this intrusion? 51 /

Network Security Monitoring: An Open Community Approach

Network Security Monitoring: An Open Community Approach IUP- Information Assurance Day, 2011 Greg Porter 11/10/11 Agenda Introduction Current State NSM & Open Community Options Conclusion 2 Introduction