WEBVTT

00:00.570 --> 00:05.610
When you collectively look at a lot of the episodes in this series, one of the things you notice is that

00:05.670 --> 00:10.110
we're always grabbing information from somewhere in our network.

00:10.110 --> 00:15.660
When we talk about SNMP, we're talking about querying different types of boxes on our network. When we're

00:15.660 --> 00:17.460
talking about intrusion detection.

00:17.460 --> 00:22.520
We're worried about different devices that are looking for things that, well, we don't want to see.

00:22.590 --> 00:29.760
The bottom line is that as a network administrator, particularly one with a security bent, I am constantly

00:29.760 --> 00:32.720
monitoring the network for all kinds of different stuff.

00:32.790 --> 00:37.920
Now over the years, this has become more and more complicated and has actually generated a whole new

00:37.920 --> 00:44.310
universe of technology known collectively as Security Information and Event Management, better known

00:44.340 --> 00:50.650
as SIEM. SIEM really takes all of these different disparate types of monitors and puts them together in a

00:50.790 --> 00:51.950
single package.

00:52.140 --> 00:56.130
So when we talk about SIEMs, there's two things for us that are most important.

00:56.130 --> 01:02.730
Number one is aggregation. Aggregation simply means that we are grabbing data from different places.

01:02.730 --> 01:05.610
We're collecting this data and then we're storing it.

01:05.610 --> 01:08.950
Secondly is correlation. Correlation means:

01:08.950 --> 01:10.550
Now we've got all this data.

01:10.590 --> 01:12.380
Let's go ahead and analyze that data.

01:12.390 --> 01:17.970
And most importantly, report it in such a way that these crazy human beings can actually look at the

01:17.970 --> 01:22.140
data, understand the analysis, and potentially do something about it.

01:22.380 --> 01:23.790
So let's break these two down.

01:23.790 --> 01:26.110
First of all, let's talk about aggregation.

01:27.170 --> 01:30.140
Now aggregation has a lot of different pieces to it.

01:30.140 --> 01:34.820
Now of course, you're going to have sensory devices lying around that are going to be actually grabbing

01:34.820 --> 01:35.700
the data.

01:35.870 --> 01:41.750
But more important than that is that just putting all this data into one pile is a terrible, terrible idea,

01:42.200 --> 01:46.880
because you need data that you can actually deal with. Certain things become very important, for example

01:47.090 --> 01:52.550
time synchronization. If you want to know something is going through a firewall about the same time that

01:52.550 --> 01:56.020
somebody is attacking one of your servers behind the firewall,

01:56.090 --> 02:01.190
those two different types of collection devices have to be on the same time.

02:01.310 --> 02:03.350
So time synchronization is big.

02:03.410 --> 02:06.100
The other big issue is event duplication.

02:06.200 --> 02:10.850
A lot of times you'll have a whole bunch of devices that all see the same problem, and they start pouring

02:10.850 --> 02:12.200
into the log files

02:12.260 --> 02:14.020
basically the same information.

02:14.150 --> 02:18.920
So SIEM actually works very hard to deal with these types of issues.

02:20.130 --> 02:24.590
The last thing I wanted to talk about is normalization. Normalization is kind of interesting.

02:24.590 --> 02:28.400
So take a look at this example database that I have here.

02:29.590 --> 02:35.580
Now you see it's only got a little bit in there, but what it's doing is you're seeing information in

02:35.580 --> 02:40.760
such a way that if I lost any of these records I'd be in trouble.

02:40.770 --> 02:43.370
Normalization is a pretty straightforward idea.

02:43.410 --> 02:48.620
Normalization will actually create multiple tables or whatever you might need.

02:48.720 --> 02:54.300
so the data can become more efficient and allows our analysis and reporting tools to work a little bit

02:54.300 --> 02:54.920
better.

02:54.920 --> 02:59.220
Now keep in mind, the other big thing about aggregation is logs.

02:59.400 --> 03:04.020
So you're always pouring all of this stuff into one type of log or another.

03:04.020 --> 03:08.440
Now without a SIEM, these logs can be very disparate and all over the place.

03:08.460 --> 03:12.440
So a big part of this is to be able to put these logs together.

03:12.450 --> 03:15.730
Now there is one phrase on the Security+ that actually amuses me.

03:15.900 --> 03:19.740
But for completeness I'm going to mention it, and that is the word WORM.

03:19.930 --> 03:25.470
Write Once Read Many. The concept being is that log files are precious, and a lot of times you might want

03:25.470 --> 03:31.170
to look at them in an archival way, so that we can use optical media like WORM drives to store them.

03:31.340 --> 03:32.660
So a little bit of a dated thing.

03:32.670 --> 03:37.380
Don't worry, I'm going to call a company to see if we can take care of that particular issue. Today, really,

03:37.380 --> 03:39.740
with the price of mass storage,

03:39.780 --> 03:43.130
logs are stored for the most part on hard drives.

03:43.200 --> 03:46.100
Lots and lots of big high capacity hard drives.

03:46.140 --> 03:46.880
OK.

03:47.010 --> 03:48.940
So that's our aggregation part.

03:48.960 --> 03:51.690
Now the next part of this is correlation.

03:51.690 --> 03:56.820
So the big thing about correlation is, number one, we have to have some form of alerting and triggering

03:57.360 --> 04:02.670
if something's going bad, if the IDS notices something, if on one of our switches suddenly one of the ports

04:02.670 --> 04:03.960
starts going nuts.

04:03.990 --> 04:10.860
If an individual host detects a piece of malware, we need some kind of alerting system, and SIEM is designed

04:10.860 --> 04:12.590
to do this from the ground up.

04:12.930 --> 04:17.400
Secondly, we're going to have to have triggering. When we talk about triggering, really what we're

04:17.400 --> 04:19.980
saying is what sets an alert off.

04:19.980 --> 04:27.090
So usually, using tools like SNMP, we can go into devices and into software and say, look, if this certain

04:27.090 --> 04:30.370
bad thing hits this certain threshold, that's a trigger.

04:30.510 --> 04:35.550
And we want to get some information not only in a log, but also in some kind of alarm or something that

04:35.550 --> 04:40.910
can show up on my screen right now, so I know that these things are taking place.

04:40.920 --> 04:45.650
OK, so that's the basic concept of how all of this goes together.

04:45.780 --> 04:51.330
What I want to do right now is take a moment and go through some examples of some popular SIEM software.

04:51.340 --> 04:56.460
Now keep in mind I'm not listing them all, there's probably thousands of these, but these are a few of

04:56.460 --> 04:58.390
the big names that I want to mention.

04:58.410 --> 05:05.700
First what I'm probably going to mention is Splunk. Splunk's been around for a while. This is a spendy but

05:05.700 --> 05:11.670
powerful piece of software that is well-represented all over the world.

05:11.880 --> 05:15.360
Here's a couple of screens just to give you an idea what Splunk looks like.

05:15.360 --> 05:21.390
Notice a big thing that we're looking at when you see screens like this is that we're generating interfaces,

05:21.390 --> 05:26.610
we're generating graphs and things like that, that people can use on a real-time basis to see if there's

05:26.610 --> 05:27.780
any problems.

05:28.400 --> 05:31.270
Second I'm going to do ArcSight.

05:31.280 --> 05:32.890
Also a very popular one.

05:33.020 --> 05:38.540
And while I'm not quite a big fan of the screens that you can get with ArcSight, here's a couple of examples

05:38.960 --> 05:44.240
just to give you an idea of what the interface looks like when we're actually looking at what this thing

05:44.240 --> 05:45.590
is reporting to us.

05:46.580 --> 05:53.510
Probably my personal favorite, though, is the only freeware one that I'm mentioning, and that is ELK.

05:53.510 --> 05:59.550
ELK stands for three very different programs: Elasticsearch, Logstash and Kibana.

05:59.660 --> 06:04.670
Now Kibana is really the reporting part of this, so let me throw up a couple of screens.

06:04.670 --> 06:05.490
I don't know about that.

06:05.520 --> 06:06.970
I think Kibana is pretty.

06:07.070 --> 06:12.900
And it's also very popular, and it's also completely open source.

06:12.920 --> 06:16.010
You've got to be careful about this. People go, you know,

06:16.040 --> 06:20.630
Why would I spend a gazillion dollars on something proprietary when I've got this ELK thing which is

06:20.630 --> 06:21.700
totally free?

06:21.950 --> 06:28.180
Well, the reality is, when you get into larger and larger enterprises, free ain't necessarily so.

06:28.250 --> 06:34.370
In a lot of situations, the amount of support you get with proprietary tools, the amount of systems that

06:34.370 --> 06:37.820
work with these more proprietary tools, makes it a lot easier.

06:37.820 --> 06:41.380
So when you're thinking about what you need, there's going to be a lot of research.

06:41.390 --> 06:46.140
But keep in mind, if you're anything but the smallest network, you're going to need SIEM.

