On this edition of Enterprise Security Weekly, Rapid 7 makes a strategic integration, should you use artificial intelligence in your enterprise to replace your workforce?, what is your DDoS mitigation strategy?, a big social media company sets out to create an open-source project that will stick it to Cisco, and Amazon sucking it in the cloud, but not like that. All that and more so stay tuned!
Enterprise Security Announcements
ITPro.TV Annoucenment: "Quick announcement, ITProTV has updated their course library to include:
CompTIA Project+ DNS Tech Skills CyberPatriot Training CyberSecurity Analyst+ Installation, Storage, and Compute with Windows Server 2016 Networking with Server 2016
- Mention the Online Survey*
Enterprise Security Weekly News
http://globenewswire.com/news-release/2016/11/03/886360/0/en/Rapid7-Nexpose-Vulnerability-Management-Solution-Integrates-with-McAfee-ePolicy-Orchestrator-and-McAfee-Data-Exchange-Layer.html - Through Nexpose integrations with both McAfee ePO and McAfee DXL, mutual customers will have extended visibility into each asset on their network, increasing the ability to manage risk with automated response to threats including malicious file infections. Nexpose provides live vulnerability monitoring, allowing customers to automatically collect data and analyze network exposure as it changes. Using this data, Nexpose prioritizes risk based on customer environments and attacker behavior, and then streamlines remediation by aligning IT and security workflows.
https://www.cbinsights.com/blog/cybersecurity-artificial-intelligence/ - First, the demand for cybersecurity professionals is outstripping the supply of qualified personnel, as the number and severity of attacks rise. Second, previously unknown attack types, known as “zero-day attacks” are also on the rise.
https://www.flashpoint-intel.com/recommended-ddos-attack-mitigation-strategies/ - One such mitigation strategy is to use an Anycast DNS provider. This would enable an organization to maintain control of its own DNS servers while using the same management methods and processes. The only difference is that Anycast DNS providers would block all inbound traffic to the organization’s DNS servers and only allow incoming connections from the provider’s systems. The provider will perform a periodic zone transfer for the organization’s domain records and then publish the records from the provider’s DNS servers, which are “Anycasted” and hosted in multiple locations around the world.
http://www.bizjournals.com/sanjose/news/2016/11/02/facebook-rattles-cisco-s-cage-with-new-open.html - The device, dubbed Voyager, features four ports, each capable of sending 200 gigabits of data per second over fiber. Voyager’s open-source, “white box” design would allow customers to load their own networking software on the device, setting it apart from competing products from companies like Cisco, which come pre-bundled with proprietary management software.'
http://fortune.com/2016/10/31/amazon-cloud-migration/ - For companies that rely on Windows or Linux computer servers running in their own data centers, the Server Migration Service, announced last week, will theoretically make it easier to move them to AWS servers. This move comes just weeks after AWS and VMware announced a way for VMware, a big rival, to run its data center software on—you guessed it—AWS servers.
Using Bro In The Enterprise
Description: Bro is a fantastic open-source tool, capable of analyzing packets at high speeds and big bandwidth. Learn how you can implement this open-source tool in your enterprise today, for the win!
Do you see that an MSSP selling SOC services could build new services or incorporate Bro into the existing service offering especially without purchasing support for Bro (which I think is available in some form)? Do you have first-hand experience on whether SMB or large enterprises are fine with it for whether they tend to walk away from open-source solutions? Or should they even be able to care about it (i.e. using Bro under the hood - "sell the service, not the tool")?
There actually used to be a snort2bro script where you could port snort sigs to bro alerts, but it was removed because it explicitly doesn't fit with the bro model. https://github.com/bro/bro/blob/ Before a internal web proxy? Pardon my ignorance, but it seems this is geared to a more physical network. How well would this aid in a network all in NSX? Do you have to run the Security Onion setup to get the pcap configured?
- For nsx just configure a span port on the vswitch and dump it to your brobox
- Good write up on mirroring a port on a vswitch: http://www.routereflector.com/2014/07/port-mirroring-on-vmware-vswitchdvswitch-dvmirror/
how much space should you plan to have for Bro to have enough room for ingest, and how much offline should you keep?
- also helpful for new users of bro - they have a web portal to try out different versions of bro online, without having to install it at all. http://try.bro.org/#/?example=hello
Will Security onion handle vlan tags without issue if, say you want to mirror a trunk?
- can Bro be used to baseline network traffic using NetFlow; to get visiblity on anomalies like an internal SQL server all of a sudden talking outbound on port 22/tcp
Past couple of days I've been trying to figure out how to parse what traffic is going to certain home devices when the cable's router/modem is using 10.0.0.X and my home router is using 192.168.0.X for all devices. My tap sits between the cable modem and home router.
what is bro advantage over splunk ? How much storage needed for home environment? Pardon my ignorance here, can Bro essentially fill the role of a netflow collector more or less? Thanks in advance bro. How much overlap is there with something like PVS?
- A cheaper alternative to Gigamon are Arista switches with the Z-license, specifically take a look at their 7150-S (and netoptics)
Is bro capable of decrypting ssl traffic to fetch user agents from https requests for example? Does Bro support SSL Decryption for more indepth logs on HTTPS traffic? Can we get people off the lawn? Are you aware of any websites/resources we can use to verify known bad user agents? for a SMB would you recommend security onion as a consolidated security tool? we dont have an ids or SIEM. IF you are using a CASB that acts as a MiTM and proxies traffic outside of your enterprise, what is the impact of that?
- You stated, place before your proxy, and also stated after your firewall (ie, on the inside of your network). What if you are running proxy service on the firewall, which is common in SMB environments. What is the best place in that setup.
are there any current SANS classes with hands on work with Bro?
We have bro in our network, but we typically see our AD DNS servers IP address searching for the malware site. Do you know of a way to get the source IP address of the client, not the DNS servers IP address?
Info for your future webcasts: If you compile the latest version of BRO you can specify .json output. This feeds the ELK stack directly without NINJAs and the result is amazing. Full tabulation capabilities on the structured data. Just be aware ELK has no native security. [Use IPsec and scope your firewall.]
what's the difference between bro and tshark? How would this work with something like pi-hole or other DNS wide blockers?
What would you say the key differences between Bro and those "enterprise grade" security analytics products *such as RSA and BlueCoat) that collect full packet and network metadata. Trying to sell the benefits can be challenging when C-levels are being blinded by the flashy lights of these solutions.
- There are multiple brocons - this is the right one https://www.bro.org/community/brocon2016.html
Bro will still log information about the TLS handshake which is very helpful in scenarios like POODLE, CRIME, etc. - you could pull out protocols uses (SSL 3.0 vs TLS 1.0, 1.1, 1.2) and ciphers supported (RC4, DES, etc.). It makes it helpful to find things that may have been exploited without active scanning
what about capturing DNS, in a distributed environment that uses AD to forward the requests out, should it be placed before the AD server?
How tall do you need to be to ride the Bro ride? How do you know when you're ready for Bro and Hunting?
Where is the best spot for RITA Install in a security onion deployment? Master server,Sensor, separate box?
VT helps identify known helping free up resources to look for bad in truly unknown Is there a good resource for hardware sizing for Bro?
What about endpoints other than Windows?