ES Episode21

From Security Weekly Wiki
Jump to navigationJump to search

Enterprise Security Announcements

ITPro.TV Annoucenment: "Quick announcement, ITProTV has updated their course library to include:

CompTIA Project+ DNS Tech Skills CyberPatriot Training CyberSecurity Analyst+ Installation, Storage, and Compute with Windows Server 2016 Networking with Server 2016

Enterprise Security Weekly News

Using Bro In The Enterprise

Description: Bro is a fantastic open-source tool, capable of analyzing packets at high speeds and big bandwidth. Learn how you can implement this open-source tool in your enterprise today, for the win!

Do you see that an MSSP selling SOC services could build new services or incorporate Bro into the existing service offering especially without purchasing support for Bro (which I think is available in some form)? Do you have first-hand experience on whether SMB or large enterprises are fine with it for whether they tend to walk away from open-source solutions? Or should they even be able to care about it (i.e. using Bro under the hood - "sell the service, not the tool")?

There actually used to be a snort2bro script where you could port snort sigs to bro alerts, but it was removed because it explicitly doesn't fit with the bro model. Before a internal web proxy? Pardon my ignorance, but it seems this is geared to a more physical network. How well would this aid in a network all in NSX? Do you have to run the Security Onion setup to get the pcap configured?

  • For nsx just configure a span port on the vswitch and dump it to your brobox

how much space should you plan to have for Bro to have enough room for ingest, and how much offline should you keep?

  • also helpful for new users of bro - they have a web portal to try out different versions of bro online, without having to install it at all.

Will Security onion handle vlan tags without issue if, say you want to mirror a trunk?

  • can Bro be used to baseline network traffic using NetFlow; to get visiblity on anomalies like an internal SQL server all of a sudden talking outbound on port 22/tcp

Past couple of days I've been trying to figure out how to parse what traffic is going to certain home devices when the cable's router/modem is using 10.0.0.X and my home router is using 192.168.0.X for all devices. My tap sits between the cable modem and home router.

what is bro advantage over splunk ? How much storage needed for home environment? Pardon my ignorance here, can Bro essentially fill the role of a netflow collector more or less? Thanks in advance bro. How much overlap is there with something like PVS?

  • A cheaper alternative to Gigamon are Arista switches with the Z-license, specifically take a look at their 7150-S (and netoptics)

Is bro capable of decrypting ssl traffic to fetch user agents from https requests for example? Does Bro support SSL Decryption for more indepth logs on HTTPS traffic? Can we get people off the lawn? Are you aware of any websites/resources we can use to verify known bad user agents? for a SMB would you recommend security onion as a consolidated security tool? we dont have an ids or SIEM. IF you are using a CASB that acts as a MiTM and proxies traffic outside of your enterprise, what is the impact of that?

  • You stated, place before your proxy, and also stated after your firewall (ie, on the inside of your network). What if you are running proxy service on the firewall, which is common in SMB environments. What is the best place in that setup.

are there any current SANS classes with hands on work with Bro?

We have bro in our network, but we typically see our AD DNS servers IP address searching for the malware site. Do you know of a way to get the source IP address of the client, not the DNS servers IP address?

Info for your future webcasts: If you compile the latest version of BRO you can specify .json output. This feeds the ELK stack directly without NINJAs and the result is amazing. Full tabulation capabilities on the structured data. Just be aware ELK has no native security. [Use IPsec and scope your firewall.]

what's the difference between bro and tshark? How would this work with something like pi-hole or other DNS wide blockers?

What would you say the key differences between Bro and those "enterprise grade" security analytics products *such as RSA and BlueCoat) that collect full packet and network metadata. Trying to sell the benefits can be challenging when C-levels are being blinded by the flashy lights of these solutions.

Bro will still log information about the TLS handshake which is very helpful in scenarios like POODLE, CRIME, etc. - you could pull out protocols uses (SSL 3.0 vs TLS 1.0, 1.1, 1.2) and ciphers supported (RC4, DES, etc.). It makes it helpful to find things that may have been exploited without active scanning

what about capturing DNS, in a distributed environment that uses AD to forward the requests out, should it be placed before the AD server?

How tall do you need to be to ride the Bro ride? How do you know when you're ready for Bro and Hunting?

Where is the best spot for RITA Install in a security onion deployment? Master server,Sensor, separate box?

VT helps identify known helping free up resources to look for bad in truly unknown Is there a good resource for hardware sizing for Bro?

What about endpoints other than Windows?