Over the next few months, I plan on doing a big podcast binge on cybersecurity careers and will continue my focus on technology.
This week’s episode, John Lockie and I talk about his background and how it’s not the traditional path into cybersecurity if there really is one. He affirms my beliefs in regards to CISOs with music degrees. You’ll never guess what he says!
I’ve regularly blogged about Suricata, Logstash and Elasticsearch. Shoot, I’ve built multiple successful commercial tools using that technical stack. The thing that made us successful wasn’t the tech, but it was how we used the tech to solve a problem that our customers had at that moment in time.
Now it’s time for me to share the secret on how to do it.
Ok, not a secret at all. If you google, you can figure it out.
With this podcast, I want to introduce the topic to put some context around why those tools are the right tools.
I want to evangelize the idea of EVERYONE monitoring your home or work network with basic rules from places like Emerging Threats. It’s free, and it’s invaluable to finding/stopping malware/viruses on your network. Do it now!
Suricata is a fantastic IDS, and can be used as an IPS
Intrusion Detection System
Intrusion Prevention System
The challenge with making it an IPS, comes with the false positives. I’ve spent countless hours troubleshooting IDS rules that come from external intelligence. This is not a knock on Suricata, this is not a knock on shared threat intelligence, they’re both critical components of a mature cybersecurity system.
A few critical points of validating your threat intelligence before throwing it into an IPS:
Make sure it’s not google.com
No private IP addresses
10.0.0.0/8 IP addresses: 10.0.0.0 — 10.255.255.255
172.16.0.0/12 IP addresses: 172.16.0.0 — 172.31.255.255
192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255
Watch out for IP addresses in general (WHAT?!), especially when they’re owned in a share host (Google, Azure, AWS).. those IPs get recycled SO frequently
Watch out for CDNs. Specific URLs are fine, but domains that are CDN (cdn.whatevr.com, etc), or anything related to cloud front, that isn’t a specific url, isn’t good.
Prefer host names over IPs, but, make sure URLs are better.