
Welcome to my talk. A few minutes ago, Unity was trying to tell me that when we spoke about the movie from Ubuntu, something completely different. And also, I just realized this morning that my time slot was 30 minutes, and now my time slot is 1 hour. So I will try to read as much as possible. What's the goal of the presentation? First of all, my name is... The countries were important for the rest of the world. That's really what people did. I do it all day. But in fact, that's my daily job, like a lot of you, so you can check off any customers and they will also borrow stuff, right? I would like to explain the usage of all the security
controls on Maniz today because by default we don't use all the features and I will try to demonstrate the truth and try to use them after the episode. Why? Belgium was important. Belgium is a very nice country. So the people here are also wonderful. They're eating french fries, it's a nice conference. So if you have the opportunity to go to a small country, it's very nice. Belgium is also known for its official languages: French, Dutch, German. German is a very small language. Thanks to the last year that I was in France, I always find new ways to travel. What's also funny is that the Belgian motto is in French "l'union fait la force". That's exactly it. So that's
the question: can we apply the same to information? Because today we have 3D companies, we have system admins, network admins, and devices. So why don't you try to apply this model, l'union fait la force, to information? Classic situation, so what we have today: so we work based on firewalls, firewalls take an action, drop a packet, logs, we have IDS, and IDS may also take an action, so IDPS may also block some traffic. We deploy proxies, we have malware-inducing tools, and so on, and so on, and so on. All those different, but in their civil. And they try to block the log. So a few years ago, all the logs, so generally the macro, the devices and solutions were sent
We also have static configuration. So we configure the files. So, like I said, we have a unique system.
We have tools that work like this for years. So why do we change the way we work? Because we did like this for years. So we have also to make information on data. Tools data are important value. So we have IP addresses for example. We have usernames for usernames. An extra important point because usernames can be used like personal information. So it means that based on the username it's quite dangerous to take an action. Can we consider that a C-level bears in a dangerous way compared to LightingEye, compared to StarRiver user? We also have URLs, so we have plenty of data stores, but we can also have other sources. We have other resources, because the team can
put a list of malicious files. We have also automatic process because we collect information from different sources like GitHub and so on and so on. to integrate. And basically, there is nothing new. When you learn IT at school, you learn that IT is based on the input data with the process, the process of creating the data to create the result. It's expensive. We have some useful improvements or useful thoughts. It's nothing new. So what I will explain later, so the different examples, is nothing new. And one of my first computers was a Commodore Amiga. Who knows this kind of computer? It was really nice to implement. At this time, there was ARexx, which was the definition of the implement. ARexx was a language in
'87, that's crazy. And only at this time it was possible to make interactions between programs. So a program had an ARexx interface and it could write a script to interact automatically with the program, to inject it into action, to script it into a program. Why not do exactly the same with all of them?
The first step is to read the manual because security is a big market. So you buy a solution, it's very expensive because the security vendors, they try to sell you new. With this device, the new generation of devices will be fixed. You will be safe at 100%. But in fact, I like to go to Microsoft Office Effect. Only 10%, or less than 10% in Microsoft. When you use Microsoft Office just write the text but Office has plenty of nice emails you can send to the page but you have to feed the interviewer they just write the text like a book so that's my answer also you have to understand how to learn all the devices
on the device usually you ask for a good response and during this process I try to abuse the system to check how can I interact and how can I explain so that's the reason for hacker learn all the words and then the goal is to protect your infrastructure. Several times since this morning, people say that it's very important to know your infrastructure, where are your assets, where are your data. Once again, it's the same advice. If you know exactly what you're looking for, what you would like to protect, just change the way you define the future of your product. I will explain a bit with just two remarks. The first, I stick all the names on this slide and be more informative with the customer.
A pre-sales guy came with a tech guy, so two different people. They came to take us a nice product, very expensive, but it works. And the sales guy said, "So, you will need a new appliance, so I'm buying it next to the other one to extend the service we provide, this is an interception and so on." And after the point, the techie guy, they said, "Yeah, but you only have product from a different vendor. If you enable this interface, this option in, you just send to the original box the name and it will do the job for you." You can imagine the face of the pre-sale guy. So it was very very hard. The data vibration was very high. So we also have
a lot of APIs in the window. We have command-line interface. Please don't rely on the web. Who's to see, right? I was here and I command-lined for it. But you also have web API. Not XML, it's send to databases. We are scripting with Doit. Just sometimes we still have a setup and so we can interact with it. So we have plenty of work. We also have plenty of work on HTTP, JSON, XML, borders kind of. I'm a VDI, so I need to automate stuff. It's boring when I need to. So it's also a plus. Create different products, just do it. And as a friend of, he said, so that's why I don't need this. I
wouldn't say lazy or ink, I'd pose for minimal return. So in fact, we have limited resources, so optimize your time. In some cases, take two days to invest in developing a script with the right different product. Maybe it will save you hours and hours of boring job later. So try to automate. Automation is a piece of programs, Python, Perl, Bash, so you can automate everything. Expect is a bit of a bonus, it's an example: you just start an SSH session, user had post, you expect password, you send them, you can automate the whole process. And based on the new architecture, so remember the slide in the CLO, we still have all the different devices, the CLO, they send, but based on this, and
the tool box can inject data and inject configuration and to share, to share value between the HTTPS, For example, it's a 2700 request. I think it's a Palo Alto firewall. Just an example. Palo Alto has a nice REST API. And if you use the devices, you get configurations and new items. So you get a request to the... We can generate smart codes. If you have an IDS, base or other sources, you can generate a specific smart code. IF-MAP is another one. It's a protocol used in specific appliances like the Infoblox devices, when you can map information in it, you can say that if to the username "John", the value was good, relation, and you can increase the
value instead. What? Because you have plenty of IP. It's used for years and years. So not only to monitor boxes, your bandwidth, CPU level, space, etc. So you can, for example, change on a Cisco router, you see, it's the same thing. About Cisco Routers, they also have a nice language, Tcl Event Manager. And you can also, for example, in case of specific event, you can generate, you can execute script. So if you have specific messages, like you can trigger a Tcl script, and Tcl script can notify. Again, you can interact with all the events. And to achieve this, one of my favorite tools today for you is OSSEC, which is a local source of local management solution but it does a lot
of stuff. So not only it collects logs and stores everything in the database but there is a very nice feature called active response. Based on alert, you can trigger the usual script and based on this we can implement a lot of action unlike to replace action by reaction. So this is a simple example. It's just matched if I have an access denied for a frequency of 5. So if a specific amount of time I have 5 access denied, Active Response will leave, trigger a script which will block the user. So it's amazing. All my SSH, my server, my SSH team, if a guy tries to brute force me, automatically I will put this offender or the address. Simple. Let me show you some examples.
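The frequency rule described here (five access-denied events from one source in a short time trigger a script that blocks the offender), combined with the safeguard raised later in the talk about never injecting your own DNS or domain controller into a blocklist. This is an added example, not code from the talk or from OSSEC; the sshd log lines, the iptables command and the 192.0.2.0/24 protected range are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log excerpt (not from the talk): 203.0.113.7 fails five times inside a
# minute, 198.51.100.9 fails five times over ten minutes, 192.0.2.53 (our DNS) fails fast.
SAMPLE_LOG = """\
2013-02-02 10:00:01 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
2013-02-02 10:00:03 sshd[1202]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2013-02-02 10:00:04 sshd[1203]: Accepted publickey for xavier from 192.0.2.10 port 40000 ssh2
2013-02-02 10:00:05 sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
2013-02-02 10:00:06 sshd[1205]: Failed password for root from 203.0.113.7 port 51025 ssh2
2013-02-02 10:00:07 sshd[1206]: Failed password for oracle from 203.0.113.7 port 51026 ssh2
2013-02-02 10:01:00 sshd[1207]: Failed password for root from 198.51.100.9 port 6000 ssh2
2013-02-02 10:03:00 sshd[1208]: Failed password for root from 198.51.100.9 port 6001 ssh2
2013-02-02 10:05:00 sshd[1209]: Failed password for root from 198.51.100.9 port 6002 ssh2
2013-02-02 10:07:00 sshd[1210]: Failed password for root from 198.51.100.9 port 6003 ssh2
2013-02-02 10:09:00 sshd[1211]: Failed password for root from 198.51.100.9 port 6004 ssh2
2013-02-02 10:10:00 sshd[1212]: Failed password for backup from 192.0.2.53 port 7000 ssh2
2013-02-02 10:10:01 sshd[1213]: Failed password for backup from 192.0.2.53 port 7001 ssh2
2013-02-02 10:10:02 sshd[1214]: Failed password for backup from 192.0.2.53 port 7002 ssh2
2013-02-02 10:10:03 sshd[1215]: Failed password for backup from 192.0.2.53 port 7003 ssh2
2013-02-02 10:10:04 sshd[1216]: Failed password for backup from 192.0.2.53 port 7004 ssh2
"""

FAILED_RE = re.compile(r"^(\S+ \S+) sshd\[\d+\]: Failed password for .+ from (\S+) port \d+")

def block_command(src):
    """Command the response script would run (returned, not executed); assumes an iptables host firewall."""
    return ["iptables", "-I", "INPUT", "-s", src, "-j", "DROP"]

def active_response(log_text, frequency=5, window_seconds=60, protected=()):
    """OSSEC-style rule: `frequency` failures from one source inside the window fire the response."""
    window = timedelta(seconds=window_seconds)
    protected_nets = [ipaddress.ip_network(p) for p in protected]
    recent = defaultdict(deque)      # source IP -> failure timestamps still inside the window
    blocked, alert_only = [], []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                  # accepted logins and other noise are ignored
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        src = m.group(2)
        hits = recent[src]
        hits.append(ts)
        while ts - hits[0] > window:  # slide the window: forget failures that are too old
            hits.popleft()
        if len(hits) < frequency or src in blocked or src in alert_only:
            continue
        # Safeguard from the talk: never inject your own infrastructure into a blocklist.
        if any(ipaddress.ip_address(src) in net for net in protected_nets):
            alert_only.append(src)    # raise the alert, but leave the firewall alone
        else:
            blocked.append(src)
    return blocked, alert_only
```

Calling `active_response(SAMPLE_LOG, protected=["192.0.2.0/24"])` blocks only 203.0.113.7: the slow attacker never reaches five failures inside one minute, and the DNS server only produces an alert.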
If the domain
We have also Mac2 matching and check checkbox The goal is simply to change the configuration It's something that we developed at the customer We have the Firehack set up in Splunk Splunk is generating some nice reporting and using Python which is a lot of firewalls Why is it interesting? This box is very very expensive So if you deploy on your main site where you get a lot of traffic you can deploy smaller firewall on the branch offices and in a few minutes you can say in all your network this IP address this level is managed so the goal in this case is to have more productivity but also to reduce the cost we can use more the dynamic user backlist we are
based in this case so the resign is based on the system concentrator osc how is it working if we need to make a ssh via system we need to take it that we have a lot of
We can just activate active response on OSSEC and you can on the fly using LDAP modify block or change the password. We cannot block the IP address but we can just change the password and it will be possible for the game to connect. Another one, a little bit for samples. In this case, we will use Postfix. I call QQ, miss a lot of nodes. That's why I'm not accepting Postfix. I'm using a lot of spam, so I have spam tools. I can interact with my IOCs present or not. So you see that we have to use a lot of tools to get... If you have no IOCs collected via Bro, via Postfix and so on in
MISP, you can use, of course, those IOCs using MISP and OSSEC. We can generate a list of issues files. So it's generated from MISP. And those files are used by the syscheck feature of OSSEC, which is also which is a if we have malicious files inside the organization. So how it works, MISP is sending the data to OSSEC using my mobile script. And OSSEC is sending those to the agents using syscheck. Then we check the file system. And if we have malicious files, we get an alert.
Next one, MySQL self-defense. In this case, we use MySQL proxy, which is very nice. The MySQL UDF log. In fact, MySQL has a feature we can add our base, we can add features in MySQL. And the MySQL UDF log just adds the logic features of MySQL to log works. In this case, we have MySQL. the clients select something from the table we send this to a proxy the proxy change the request and add some commands which is doing right to a file which we don't want to use and if we send it to the company we trigger an alert against it some quick example so about the controls of course we try to improve the security You have to be careful because
when you interact with a lot of tools like this, you can also break the security. Because you have access to the admin interface, you can make a lot of unexpected IP addresses. Just imagine that your firewall decides, you just inject in the firewall the IP address, your DNS, your domain control, and so on, you will have deep troubles. So you have to implement strong controls. Also check who has access to the APIs, so the best way to secure I think that Alex is the growth, the test of the ULS used by your customers. If you block Facebook, it can be a revolution inside your blog. So don't block Google, Facebook, Microsoft, or Raider. What's also nice, using Splunk, you can generate the top Google sites. So every
day, you generate the list of the most visited websites by your customers. But you have to try to avoid URLs from this list because they are constantly being used. Of course, don't block your website. And also, a good idea is to on external sources, all the lists of domain names, all of this. If they, they, they copy the list, I will do it so long. So, conclusions, don't pack just a box, because it's nice to put a box to wrap it, connect it, install it, or the address, control it, and take time to do it. Don't be afraid to do this. Extend the features into a separate direction between. Thank you very much. I hope that's a good answer. I
don't like to give names because I would like to be from any brand and so on but I will make an exception I used the stack ELK for years don't like it because for me it was two times Because every time I had disk full because I was out of indexes, I needed to reset all those stuff. So I switched to Splunk. I'm very happy with Splunk because it just works. So simply you just deploy it, it works. Splunk by default is limited to 500MB per day, which for me is not enough. But it's very easy to get a developer license for free and you have 10MB a day of So I'm using Splunk a lot. So
Bro, Splunk, and Bigos. Also, the first Splunk you cannot, you have limited features. Automated mobile. So yes, Bro, OSSEC. Big fan of OSSEC for years. Windows-based, small frame, a small stack of rows. It depends on the environment. Do you use Bro for behavior analysis? For behavior analysis on traffic? Not really. I use Splunk for this. Yeah. So you just collect all the data to Splunk and Splunk does this for you? In fact, I'm trying to put as much as possible in Splunk. For example, I'm also... So I'm... It's not the goal of this session, but I'm also collecting a lot of data. I'm a big fan of ASD and so on. So I'm collecting this. I'm collecting linked information, so database of
passwords and so on, and everything is in this Splunk. I'm looking for... domains, passwords and so on, hash, I have one big database so I can generate behavioral analysis based on this data. So you prefer strategy to keep the IDS as simple as password, behavioral or stuff like that? That's the question. Collecting everything at the data logic level and then analyze it out loud? This question arises every time. It's not the first time I've had that. In fact, the first time I did it, it was 2012. And I updated and so on. But I'm still giving a presentation because there are no suggestions. People are working in silo and so on. So I couldn't do a event today. But the
question arises every time. Some people say that for me, it's best to keep it simple and stupid. So an idea is to do an idea, nothing else. A firewall, nothing else and so on. And to avoid to... because one of the side effects you increase the kind of feature and the guy which is low down steps so your pressure is relevant it's also a way to work keep it simple and smooth correlation are being at this flat now yeah and also splunk you can run plenty of script on splunk for example the whole pass gas splunk so splunk is free so I put a sign you have to be process output, split is the process output. Maybe I should provide an
example for everyone's benefit. If you have a, that does a DNS request, to find its CNC and so on, which actually can be done, that's in principle what it was designed to do. It's main difference to Snort, because Snort is signature based. Bro was designed to do this type of behavioural analysis. there's something here that does DNS request and not it does this because it has a language that describes these states so what we're discussing here is that maybe we should make the Bro scripts minimal and make it just collect simple stuff and then do the big correlation the big picture at the end at this flat level honestly the way I'm using it to
collect in my case so I don't have to use it's Bro. For me, Bro is just a nice feature because on the fly I can extract .exe files, .ptf files from the .xcp streams, I store them and I have a script wrapper to check the file in Fiverr and all this stuff as well. My opinion depends on my opinion of the player. So if you are supporting playing Slav, if you have a network of 100,000 or so, you have deployed all of the money, you should send Slav all the money and do the analysis in Splunk. So what I personally do is I make a ball, so you use the features of the ball to make the detection of DNS talent, for example,
and you send Splunk the alert. So, for a specific event, you possible other source. And the same, in my opinion, can happen with other tools that you have on the source. Because Splunk, in the same way as a commercial VM, I will not disclose some of them, I know my own customers, some of them are my customers, of course I will not disclose to my customers The remark is great. It's a question of resources, license. I think that we've already worked five or six times. Know your asset, where you will demand some reside and you can optimize and you can automate. I will never recommend all of them directly to a transfer. Just do some
shopping. This one looks interesting. I will investigate it this way. I don't use MySQL, I don't want to use MySQL, it's too critical, so I will never change a type of MySQL because it's very touchy. It's just to raise awareness. So, there's a few other tools that you can use. I think it was asking about workflows. I've been playing around a lot with it. So, in Elasticsearch, you can do essentially what Splunk does in 3D. And that's where it gets expensive. In all of this, if you go into the enterprise level, it's the hardware that becomes expensive. If you can get around licensing, it's a public source. So at one point in time, you're going to run into
the practical limitation of how much data do I store and what am I collecting? The hard reality in life, it's like we're generating so much data now that we're not going to put it in. We should not understand it. So we're based by this question of business, which sometimes is a management decision. In some companies, the management says no, free tools, no. Just select the best tool to match. That's my advice for any customer asking, what do you find more A? Find the model that matches your business requirements, your so-and-so. So simply, don't buy a brand that results in a huge