De-Coder’s Ring

Consumable Security and Technology

Category: cybersecurity (page 2 of 7)

Network Monitoring on the Cheap

I’ve regularly blogged about Suricata, Logstash and Elasticsearch. Shoot, I’ve built multiple successful commercial tools using that technical stack. The thing that made us successful wasn’t the tech; it was how we used the tech to solve a problem that our customers had at that moment in time.

Now it’s time for me to share the secret on how to do it.

Ok, not a secret at all. If you Google it, you can figure it out.

With this podcast, I want to introduce the topic to put some context around why those tools are the right tools.

I want to evangelize the idea of EVERYONE monitoring their home or work network with basic rules from places like Emerging Threats. It’s free, and it’s invaluable for finding and stopping malware on your network. Do it now!

Suricata

https://www.elastic.co/

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output

https://rules.emergingthreats.net/open/suricata-1.3/

Subscribe here : https://fauie.com/feed/podcast

Suricata – Detecting the (false positive) things

Suricata is a fantastic IDS (Intrusion Detection System), and it can also be used as an IPS (Intrusion Prevention System).

The challenge with making it an IPS comes with the false positives. I’ve spent countless hours troubleshooting IDS rules that come from external intelligence. This is not a knock on Suricata, and it is not a knock on shared threat intelligence; they’re both critical components of a mature cybersecurity system.

A few critical points of validating your threat intelligence before throwing it into an IPS:

  1. Make sure it’s not google.com.
  2. No private IP addresses:
    1. 10.0.0.0/8: 10.0.0.0 to 10.255.255.255
    2. 172.16.0.0/12: 172.16.0.0 to 172.31.255.255
    3. 192.168.0.0/16: 192.168.0.0 to 192.168.255.255
  3. Watch out for IP addresses in general (WHAT?!), especially when they belong to a shared host (Google, Azure, AWS); those IPs get recycled SO frequently.
  4. Watch out for CDNs. Specific URLs are fine, but CDN domains (cdn.whatevr.com, etc.), or anything related to CloudFront that isn’t a specific URL, aren’t good.
  5. Prefer host names over IPs, and prefer specific URLs over host names.

It takes work, it’s hard, but it’ll be worth it.

Tuning is essential.  Tune your rules.
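As an added example (not code from the post), here is a Python checker that applies the checklist above to a raw indicator feed before any entry becomes a blocking rule. The private ranges, google.com, cdn.* and CloudFront come from the post; the other benign domains are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Domains that must never become IPS block rules. google.com is the post's own
# example; the other entries are constructed for illustration.
BENIGN_DOMAINS = ("google.com", "microsoft.com", "windowsupdate.com")
# Substrings that mark shared CDN hostnames (the post names cdn.* and CloudFront).
CDN_MARKERS = ("cdn.", ".cloudfront.net")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vet_indicator(ioc):
    """Classify one indicator as 'reject' (never block on it), 'caution'
    (IDS alert only) or 'ok' (candidate for a blocking rule), with a reason."""
    ioc = ioc.strip()
    if "://" in ioc:                      # full URL: host plus a path
        parsed = urlparse(ioc)
        host = parsed.hostname or ""
        specific = parsed.path not in ("", "/")
    else:                                 # bare hostname or bare IP
        host, specific = ioc, False
    host = host.lower().rstrip(".")
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None                    # a name, not an address
    if host_ip is not None and any(host_ip in net for net in PRIVATE_NETS):
        return "reject", "private IP range"
    if host_ip is not None and not specific:
        return "caution", "bare IP; shared-host addresses are recycled"
    if any(host == d or host.endswith("." + d) for d in BENIGN_DOMAINS):
        return "reject", "known-benign domain"
    if any(m in host for m in CDN_MARKERS) and not specific:
        return "reject", "CDN host without a specific URL"
    if specific:
        return "ok", "specific URL"
    return "caution", "hostname only; a full URL is more precise"


def vet_feed(lines):
    """Split a feed (one indicator per line, '#' comments) into IPS-ready and hold."""
    keep, hold = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        verdict, reason = vet_indicator(line)
        (keep if verdict == "ok" else hold).append((line, verdict, reason))
    return keep, hold
```

Only the "ok" bucket is worth turning into drop rules; everything in "hold" still makes a fine IDS alert while you investigate.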

 

Podcast – Breaches

Affected by Equifax? Yahoo? What do you do now?

A little bit of recent news, and some tidbits on how to deal with it.

 


Podcast: Interview with Wes Spencer

You cannot miss this! Wes Spencer is a seasoned CISO (Chief Information Security Officer) who’s currently working at Perch Security. In this podcast, we talk about some tips and tricks for security organizations of all sizes. Wes has some invaluable information for security technology buyers, so this is a must-hear!

For more information on Wes, and to find the items we refer to in the podcast, please feel free to follow the links below.

Wes on Twitter

Rise and Fall of Silk Road (Youtube)

 

Connect with me to recommend a future interviewee or volunteer as one!


Where’s my industry’s threat intel?

Over the past 18 months, I’ve had the pleasure of working on a platform that gives companies access to threat intelligence in a way they’ve never had before. Instead of using a tool like Soltra Edge to just download intelligence, customers can now use the Perch solution to also detect and triage any alerts that come from their intelligence communities. Intelligence communities appear in many different forms, from the ‘informal’ e-mail or IRC channel groups that you’ll never know about to the hyper-formal ISACs (Information Sharing and Analysis Centers) that are mandated by the US federal government. I’ve written previously about community threat intelligence.

Cybersecurity: The Value of Community Threat Data

Tackling Expensive and Complicated Information Security

 

Yet I haven’t touched on a topic that plagues a lot of companies and industries.

What if their industry doesn’t have a sharing center?

What if the companies don’t know about their industry sharing center?

What if the company doesn’t know how to use the intel?

Worst of all, what if the community doesn’t have any intel!?!?!

To help work through some thoughts here, I wanted to invite my first ever guest writer on my blog: Curtis Davis. I first met Curtis when he was investigating the Perch security solution. Over time, we got to work together, including co-presenting a talk on Security Automation and Detection at the LegalSec2017 conference. I found it fitting to continue our co-creation of (hopefully) thought-provoking content around cybersecurity with a topic related to this question.

 

(Logistics: Chris is on the left.)

(Curtis is on the right, in italics.)

Where’s my industry’s threat intel?



© 2017 De-Coder’s Ring
