
Thank you. Thank you very much for coming out. Like she said, I work at Mozilla. We like open source stuff, and we're here to talk about open source, and specifically open source security solutions and how they play in an enterprise role. So the agenda here: basically, you've only got so much money for things like blinky boxes, consultants and stuff like that, so it seems like open source could help here, right? So what's working, what's holding people back, and mostly what this is a precursor for: Mozilla is working on a set of initiatives to help kind of curate a set of open source solutions to common security problems, and so these

are some of the items that we hit on in this talk. So we have some problems, things like money. We're going to talk about where commercial stuff may win. We're talking about open source; there are some places where open source is clearly winning. We're also talking about problems with open source, potential solutions. I'm going to hit on five projects you may not know about that probably could help you, maybe today, maybe tomorrow when you get back in the office, or Monday when you get back in the office. Then last we're going to wrap up with how you can help. First I have to talk about how this is not a talk about browsers. Yes, I work at
a company that makes browsers. This is a presentation being made from a browser, and they're great, but this is not a talk about browsers. We're going to talk about everything except browsers. So this summer I got a new boss. This is a picture of my boss. This is not a picture of my boss. But he asked me what Mozilla could do to help solve the world's security problems. He's kind of a big, big thinker. Using open source: Mozilla loves open source. So this is Mozilla's GitHub repo. You can see the frightening numbers that we have there: the 1,900-something repositories, roughly a thousand people, some of whom work at Mozilla and some of whom don't, or something like that, on the

team. So we do open source by default. Matter of fact, our default data classification at Mozilla is public, because everything you create is public stuff. So that's great, we like open source, but how can we help here exactly, right? So my boss and I agreed to use the remaining bits of 2018 to do some experiments, bring some science to this work, and do some focused work in 2019 to help kind of curate open source security solutions. So thanks, you're all helping me keep my boss happy and helping me keep on track for 2019, and also helping to kind of figure out exactly what curate really means. This is nice, it sounds like a nice word, nice little definition, but
what does it really mean to do this kind of work, and more importantly, what does open source need in order to be successful? So we all have budgets to operate, and I'm curious if things are working at all. So I'm curious how many people would say that they've got essentially $0, like they have no impact on their budget, it's just like money that happens somehow and then they're stuck with it. Like nothing, nothing? There's a couple of people raising their hands in there. So I'm curious how many people would say, in the middle of this, they've got enough money, they have everything they need, they're happy and satisfied? Okay, nice smattering. And then at the other end of the spectrum there, how many

people say they have too much money? "I wish I could give my money to somebody else and I wouldn't have to worry about spending it at the end of the year; it comes up, I've got to go find new ways to spend money, I have to invent things that don't even exist, problems that aren't real." The real question here is that if open source is the end-all be-all, how come everyone isn't using it and saving all the money that they would spend on blinky boxes and vendors and consultants, and going to do something more fun like take exotic vacations, things like that? There are some clear spaces, though, when you look at kind of the inventory of open source stuff, where
there seems to be very little open source coverage, and so therefore commercial stuff clearly wins. So things like database security: there are some packages that kind of help with database security, but nothing's as complete as the commercial stuff that's out there. Email security, especially; not SpamAssassin sort of stuff, I mean, it wins there, but it's become vendor packaged. But things like DKIM, stuff like that, there's nothing really that kind of can take that space in email. And then there's probably a debate about the AV, antivirus, space; we'll get into some survey results that talk about that specifically. So if we're going to talk about problems with open source, we first need to understand, or if we're going to

talk about solving problems with open source, we first need to understand the problems with open source; it's a symbiotic relationship. So one of the easiest ways to find out what folks are struggling with was to ask them. We've got this program at Mozilla that I was lucky enough to be able to help kind of kick off; we call it a culture of experimentation. Somebody said once, and I'm going to mess up the quote, but if you're not doing controlled experiments on a subset of your users, you are by definition doing an uncontrolled experiment on the entirety of your user base. And so the culture of experimentation is all about shifting the needle on that, so you're doing small things, you can fail quickly, you can get
some insights, then you can do larger versions of those things and hopefully not upset your entire user base all at once just because you thought something was a great idea. So one of the things that came out of that is a survey. Surveys are cheap and they are a great way to get data. If you have no idea where to start, just ask people, because they'll tell you; they've got lots of information, especially in this space. The open source people beat their heads against problems for a long time, and they wish someone asked them. So we did a survey looking for, like, what's in use, but also what sort of barriers and stuff are out there. This is just a

smattering of this. And so the first thing that we found out is that open source definitely is in play. I was expecting these numbers to be way, way, way more skewed than they are. In this slide it's pretty much 50/50. It went back and forth depending on kind of the communities that I queried in there. So I sent this out mostly just to kind of my social circles, so mailing lists, Slack channels, Twitter, that kind of stuff. So, very scientific, right? But it was interesting; I think we got some good information. So the curious part of this is that it wasn't just open source, right? Do you use nmap? I think
probably everybody does. I use nmap, and it counts as open source, but the question was more about: do you use open source as a significant part of your information security program, meaning you are relying on open source to give you some capability and you made a purposeful decision to not choose a commercial vendor product as a result? Like I said, it's kind of a 50/50 sort of split. So there are definitely some winners, or some things that are used and useful in open source. And so how that kind of breaks out: you've got your IDS categories, so Bro, which by the way has changed its name to Zeek, so if you've been saying

Bro, you don't have to; learn to say Zeek instead. You'll also find Snort. So the IDSes of the world especially were well represented in that list of folks who do use open source stuff. And then there's kind of the logging scenario, right? How do you get logs from one place to another? syslog actually was never mentioned, even though it's open source and it's probably the place all this stuff comes from: syslog, syslog-ng, rsyslog, those kind of things. But the things that kind of grab that and make it into something, like a log shipper, got mentioned in there. So log categories is another one where people definitely make use of open source, which makes sense. And then end
point stuff started to show up, which was interesting. That's kind of where the antivirus question comes into play. So osquery was mentioned a lot; that's a thing that people use. GRR came up, surprisingly; I hadn't really heard of many people with a successful implementation, but it did come up. And then there were some mentions in there also of ClamAV specifically as an antivirus implementation. And then there was some mention of stuff that I lumped together in, like, the scanner sort of category, right? So Nikto and nmap, just like a kind of one-off sort of scanner sort of thing. So it's interesting, because you've

got everything from, like, a kind of thing you'd have to implement and know this has to be up 99% of the time, like a Bro or an IDS sort of system, to a one-off thing, "I'm just going to nmap scan something." So you can say open source is being successful in all the various categories. So one of the really interesting things is the survey asked people what their challenges are. So this was the question, right? "What do you think the greatest barriers are felt by enterprises in considering using open source solutions?" And so this is the way the question went out there, and the results were super interesting. So we've got everything from
functionality gaps to "don't know what kind of things exist out there." Not surprisingly, lack of support was one of the top things, and one of the respondents noted that open source is sometimes more of a science experiment, or, like, it's not exactly something that's fully baked, and especially starts to fall over if you try to implement it at some kind of scale beyond what the author happened to have access to. So if somebody wrote it in an environment that's on-premise for ten people, it works for ten people and it won't work for anything else. So we're not going to dive into the support issue specifically here. I think probably the next thing to

do is actually take each one of these and break them out into their own survey to figure out, you know, exactly what kind of issues people are dealing with, now that we know the general categories and how they play. Also the ones that kind of didn't show up at all, like how to do feature customizations or how to contribute to projects; that kind of stuff didn't show up. But let's dive into some of the specific challenges here. So survey respondents noted that a part of the problem is knowing what exists. So long-standing projects like Snort, Bro, Suricata, nmap, Metasploit: we've all heard of those things, right? And they benefit from having sort of a
tribal knowledge. When we come to conferences like this, we can talk to people about "hey, what are you doing with Bro, or Zeek, or Suricata?" As well, there's some coverage of all of those tools in various certifications; go to the SANS class and you're going to learn about some of that kind of stuff, for example. New projects, they have maybe some exposure through things like Demo Labs at DEF CON, or there's the Arsenal series at Black Hat, but they'll get almost no coverage from the press unless they're backed by some large company. So if you're a Facebook or a Google, when you open source something, that comes with a press tour and briefings,

announcements and those kind of things. But if you're just, you know, someone who wrote a thing and put it on GitHub, those are really your only chances to get something out there. So if you're an open source project that's solving a unique problem, you've got a high barrier before folks even understand that you exist, right? What's out there? So what we do tend to do in open source is make lists. Let's see if my slide thing works this time. Nope. So the one on the top there is the one that, at least when I ran into it, looked the most feature complete. It's n0where.net. They have a little bit of a split personality. It's a great site, I'm not going to slight
it at all, but they talk about penetration testing, security auditing tools and cyberpunk, but they'll also cover sort of defensive stuff and all that. And I should say, since these slides, everything's not working: the bottom actually has the address for the slides, which is on my website. Anyway, we'll get this stuff out. This is actually already live on the internet, which is why I'm presenting from a browser. So anyway, all this stuff is available now; just make sure the links and stuff get out. So the second one begins the list of awesome lists. There's this whole awesome list section on GitHub. So the second one on there is awesome incident response, and then we've got two awesome machine

learning, even one for cybersecurity. Then we've got one specializing in awesome threat detection, then we get into awesome forensics, we get into more general awesome security. It gets more general as we go down: there's just the awesome list of everything that's awesome, and then there's the list of lists, just to kind of round it all out. So what we do for open source security is definitely make a list. We make lists of lists, we make awesome lists. So one thing we don't do in open source that's done a lot in the commercial space: a lot of product reviews will come with in-depth reviews, comparisons, right? We'll tend to kind of do a deep dive. SC Magazine, for
example, exists, it seems like, solely to review yet another product and then compare them against each other, or compare them to the previous year, that sort of thing. Then you've seen things like this that take it to an extreme, and they'll add categorizations, take all the vendors and kind of, you know, lay them out just like this. SANS even has, in the back of the posters that they send out, a way to categorize all the vendors into various categories and tools and things like that. Seems like a thing that we're missing. So maybe what we should do in open source is build upon things like this to help, maybe, add some

framework. So this is the Cyber Defense Matrix. Has anyone heard of the Cyber Defense Matrix? Just a couple, okay. This is really cool. This is an OWASP project from Sounil, I think he's at Bank of America; he's one of the ones behind it. So it's simply a framework, right? It's a way to organize your thoughts. It's not a way to solve security by any means. What it does do is just take the NIST Cybersecurity Framework, identify, protect, detect, respond, recover, lay that out across the top, and then lay across the side the things that you were talking about. So if you are a person trying to plan out your security program, you could use

this to say: do I have a tool, do I have a way to identify devices? Do I have a way to identify things on my network, right? Then you could move across that to kind of identify other gaps in your particular security program. All right, so do I need something to help me detect whatever data crossing my network, or whatever? So you can use that to sort of plan out either gaps in your security program, or places that you need to improve, or talk about your successes, that kind of thing. It's just the framework; can we get there? So maybe one of the first things, and this is an idea, it's totally experimental, like I said, my boss wants
me to experiment, so here we are experimenting. So one of the first things that Mozilla could help with to curate open source solutions is to inventory them. All right, so here's a work-in-progress application (this is director-level code here, so don't expect anything great) to catalogue open source tools. So the idea was taking the existing lists (we've got plenty of lists, we know where all the open source stuff is) and then maybe adding some tags in there to allow them to categorize the function. You'll notice the functions, identify, recover, things like that, according to the Cyber Defense Matrix. And then maybe get a better idea, not necessarily a vendor logo map sort of thing, but at

least a searchable kind of thing that would help you figure out, "oh, I heard about Cyphon at a security conference, what's it do? Oh, it does these things." And maybe we could detail some other stuff about the stack, and maybe it uses Redis, or it's written in Java or Python, or things like that. Then you've got more information rather than just a list that these things are all awesome; they're all in the same list because they're all super awesome. And then the idea, and the way the app works (this app is live as well, and if it wasn't having these problems with the slides it would show you a little bit more, but some video

issues), but the idea is that you can then use all those things to tag, or to select the things that you're looking for, and then you get a list, right? So it's like, "hey, I want to find anything that's in these categories," and then you can get a list of all the stuff that's out there. So the other thing that the respondents said, one of the big items on the list, is that it's super hard to tell in open source whether a project is healthy enough to use and rely on. So great, you can find the code. Awesome, I got the code. What's next, right? Is this the thing that I'm going to plan my whole security program
around? Is this the thing that needs some help, needs some love, has got some issues? Where does it sit on the spectrum? So here's an example of what I think is a healthy project, right? So this is just the GitHub stats stuff. If you read down in the README, way, way below, it doesn't include actual references to production deployments, but there's some Fortune X, you know, level companies using it. But if you look at just the GitHub stats itself: it's got 191 releases. That's amazing, that's a lot of releases. It's got active commits, like two hours ago or two days ago, something like that. It's got plenty of stars, if you like

stars. It's got plenty of forks, if you like forks. It's got branches, it's got everything. It's even got issues; it's got all the kinds of stuff going on. So here's another one, and this one is harder to tell, right? It's not as much. It has zero releases. The last commit was six years ago. But maybe it's done; maybe it's feature complete. Maybe this thing, it's just a honeypot program, so maybe this one wrote the best honeypot you've ever seen and it's perfect right out of the box. It's only had one or three commits to it and it's perfectly done. Super hard to tell, right, whether something is maybe unloved, or maybe also it doesn't work, I don't know, sort

of. So the other part, the other idea for this catalog of apps, is that GitHub has a rich API, and most open source projects are in GitHub, so maybe there's a way to make use of that to go figure out, you know, things like releases, commits; is there a healthy balance of open/closed issues? And I'm curious if folks have ideas about that sort of thing. So here's an example of using that API to maybe rate the health of a project based on the number of releases. That's a very simple idea, or something else. And if you are a data science sort of person, I would love your ideas about how
to do that in a more non-director-code way. And so then the idea is that with this health rating as well, you could also use something like that super easy table kind of thing to not only filter by the rating, the function that you want, but also get an idea of the health of the potential solutions that you may be looking at. And so this is the project that we're talking about. Like, I was going to do a demo, but I'm scared of the AV setup. So this is the project out there on GitHub. Of course you'll have a really hard time telling how healthy it

is: there's like four commits, there's no releases, there's also no issues, so maybe it's completely feature complete. So if you want to help contribute to this, by all means please do. And again, the slides and stuff will be out; you can find all this stuff afterwards, or feel free to come talk to me afterwards. Okay, so we took a look at the challenges and potential solution areas to do some more work in. So let's pivot a bit, and we're going to take a look at some open source projects that you might not be aware of. You may be aware of them, but probably not, and they could potentially help you in your information security program. So this is
in no particular order. This isn't a beauty contest; this isn't my top 5 list by any means. These are just things that I've run into over the course of time that I don't think are completely known in the community. Not everyone knows about them. I think they do hold a place, and I think in a lot of cases they're unique: they do a thing that no commercial tool does yet. So the first one we're going to talk about is a cloud mapping tool. So this one is called CloudMapper. It's from Duo Labs; Duo Labs is kind of, like it says, the labs arm of Duo. It's super easy to kind of point this at

your AWS environment. It downloads a bunch of information about your AWS environment and then shows it to you in a way that I don't think I've ever seen anything show it to you at all. They've got a demo site; if we could see the top of the URL we could see where the demo site is, but we can't. Anyway, so you can go play with this without actually having to point it at your AWS account. So where this is useful is if, for example, you're trying to figure out whether that CloudFormation template that you just stood up did actually create the things that you wanted it to make. Did the intern spin up Bitcoin miners they didn't bother to tell you about and then

leave the company? Did you remember to turn down that stack of expensive EC2 instances that you wanted to do just for a demo, or for a one-off thing, or just to see if those things are actually worth it, that kind of stuff? Or if you're doing incident response, it's useful if you're brought into an AWS account you have no idea about and you're trying to get context, right? An easy way to just do that and get maybe a visual idea of something that would have been a lot harder to do just clicking around the never-ending AWS endless list of icons, right? So that was CloudMapper from Duo Labs. The next one we're going to
talk about is TLS fingerprinting. Anyone familiar with the concept of TLS fingerprinting? Just a couple, okay. So we'll dive into what it does. And this is JA3 from Salesforce, so there's implementations of it; Salesforce seems to have the one that's kind of captured the mind share, if you will. So the idea is that this is a client hello, or it's a client initiating an SSL connection to a server; these are all the things that go on in there. So the idea behind a JA3 fingerprint is that you take the combination of things listed across here, SSL version, ciphers, all that, and make it into a fingerprint that uniquely identifies the client that's making that

connection. No two clients have the same signature there. So here's an example of some, just to kind of give you some context for what you can do. So here, the first one is the fingerprint for the standard Tor client. So if you're trying to find Tor in your network, that's what you would look for, to see a Tor client making an SSL connection to somewhere. Similarly, there's one for the Dridex malware, and then of course Metasploit, right? It can do the same thing: if it's connecting out over SSL, this would be the JA3 fingerprint that you would see for that. So it's useful for finding not only bad things but also

finding good things. So let's say you had an app, like a mobile app, and you had an API on the end of that, and you wanted to know what sort of things were talking to your API. Is it always your app? Is it someone doing account checking, just checking for usernames and passwords, that kind of stuff? Are there old versions of your app that may not be valid anymore? Or maybe you want to just monitor your own infrastructure for rogue traffic, like this. So, if you've got this kind of thing, JA3 comes in Suricata and Zeek (I'm getting used to saying Zeek as well), so if you're taking that stuff and throwing it in, like in this case,

Elasticsearch, it's very easy to just find it. You can either just search one-off, like in this case we're just searching a week's worth of traffic to see if we got, in that case, Metasploit's Meterpreter JA3 fingerprint, and nothing, so that's great. Or you can set alerts, obviously, if you see that kind of traffic in your environment as well. So it's super useful for that kind of thing, and not a thing I think you can get from commercial tools necessarily; they're actually just re-implementing JA3. So this next one, this is not unique; I think one of the speakers earlier was talking about this. But there are a
couple things unique about this implementation that I thought I would pick up. So this is checkpwn. So this is checking against the Have I Been Pwned database for either email or password exposures. The unique thing about this is that it's written in Rust. So Rust, if you haven't looked at it, is a super cool new language. It's becoming the core of a lot of... I said I wasn't going to talk about browsers, but it's the only thing I will say about browsers: it's becoming the core of a lot of what Firefox is built on. It's a super great language. It is obtuse and really tough to pick up; if you haven't actually tried to do anything, you've got a long way to go before you can write a

program, I think. The reason I'm bringing this up is that this is a great example of a task, and once you see it implemented in Rust, you start to understand Rust a lot better, right? So if you're looking to understand Rust, this is a great way to do it: just look at the source code for this app, because it's really well written and it accomplishes something that's useful, right? So you can take this, just like it says, you can kind of one-off either passwords, or you can do email addresses, or you can do a list, a file full of email addresses, and just have it do it like a cron job sort of thing, every

day, just go out and search to see if you've got any new breaches on that stuff. So this is a super useful tool. It never sends your password out, if you're worried about that; it uses the k-anonymity mathematical properties. So it takes a hash of your password as you type it in, takes the first, I think it's five, characters of that, sends that off, then gets back anywhere from, like, I think it's 30 to 300 different sets of hashes that could match, and then on the client side is where it does that magic. So it's also a super interesting thing to see how that gets implemented in Rust as well. So again, I bring up learning; it's a really
great project to take a look at. So the next one we'll talk about here, and I think this is the fifth one, so there's a project called BinaryAlert from our friends at Airbnb. So Airbnb not only will rent you a place, they also make great security software. They do a couple of things that people are familiar with, like StreamAlert, but I thought I'd pick on BinaryAlert because it's a really useful thing. So the idea is that if you've got a set of files and you need to go through those files with YARA for signatures, great idea, but doing stuff in AWS, right, to do kind of one-off tasks, you don't necessarily always have to do it yourself.

So what BinaryAlert does is help tame the sort of Rube Goldberg machine that AWS is. It makes it easy to send files to S3 buckets and then scan those things against an analyzed, set-up set of YARA signatures that either you have or you made up because you found an infection somewhere, or maybe you've got a threat intel feed of signatures coming your way, and do a bunch of different stuff with it. So you can either just have it send emails to you about it, or you can send alerts through a variety of things. But it's a nice, super easy way to get that kind of fairly complex AWS infrastructure set up without knowing what you're doing, and just living off
the benefit of it. Sorry, more to go. So the next one I'll bring up is Falco. So Falco is a syscall monitoring tool. What we're talking about is syscalls down at the audit sort of level of the Linux system, right? So you open a network port, or talk to a file, or open a session, or that kind of thing. So Sysdig has a commercial tool and they have an open source tool; this is the open source version of it. Falco's meant to monitor containers. So if you've got, like, a Kubernetes infrastructure running a bunch of containers, you run one Falco instance; it monitors all those containers simultaneously. And the neat thing about Falco is they've got a

really great set of rules written against that. So what you can see at the top is just the Falco instance, and then the bottom is someone using a container, and you can see the rules firing as they go on. So it'll loop back around here in a second, but you can see everything from "there was a session opened on the container," so if a developer gave you a container and said, "I don't need access to it, that's just fine, I'll never need to look at the thing at all," and you catch him logging on to the thing, then you can start to hook this up to rules to say, if anyone ever logs into a

container, kill it and mark it as tainted, never use it again. Or you can let that kind of stuff go, and you can say, all right, I'll let you get on the box, but if you start doing things like cat'ing out /etc/passwd or replacing ls with some stuff, there are also rules written for that. It has a really extensive rule set. It goes on and on and on; it's kind of amazing when you look at it, the amount of things that they've covered. They've even covered, for like vulnerability scanners, what they do when they get onto a machine, a whitelist, and some of those kind of things. So it's a real good kind of

kickstart if you need something to monitor containers, and then again you can run that infrastructure as well. I should say the other thing is that you also don't need to modify the containers to do that. So I said five, but everybody likes a bonus, so we'll cover a sixth one, and I'll go a little bit old school. This is not a new tool by any means, but it's called gltail, as in OpenGL. And the idea is very, very simple: if you can SSH into a thing and you can tail a file, you can get an OpenGL visualization of it. So in this case this is just the author's
visualization. He's just SSHing into his web server and then looking at his traffic as it flows across the screen. So if you need a simple way to impress your boss, like maybe you have a new boss and you need a simple way to impress your boss, just find a really busy file somewhere that you can SSH into and just pull this up on your monitor every time he goes by, and you'll have a duly impressed boss for sure. It's really great. I used it a long time ago; I think there's even, I think I wrote a plug-in to do it for network firewall logs, that kind of stuff. So it's super easy to modify too, so it's not just web servers,

really, it's literally anything you can tail. So this is, again, a preview of work that Mozilla is considering doing for 2019, along with some recommended open source projects to take for a spin. If you'd like to help, we'd love some feedback on problems or solutions. So if you want, you can help me with this crazy catalog idea, either flesh it out, whether this is a good idea, or get it off the ground from the director-level sort of code into some actual user interface, senior-level code. If you like the tool just as is, you can start adding stuff to it, help sort of crowdsource the inventory, tag some stuff, give some

ideas about that. And if you are in need in 2019, consider an open source project. There's a whole bunch of them that we covered during the course here. People are definitely using open source; now you know which ones are in use, which ones are actually useful, and you've got yourself a road map for 2019. So with that, thank you very much.
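The JA3 section of the talk describes the fingerprint in outline (take the ClientHello's version, ciphers and the rest, turn them into one fingerprint, then search your Zeek or Suricata logs for it). The following is an added example, not code from the talk, from Salesforce's JA3 project, or from Zeek or Suricata: it reimplements the published JA3 string format (TLS version, cipher suites, extensions, elliptic curves and EC point formats as decimal integers, each list joined with "-", the five fields joined with ",", then MD5-hashed), and runs the resulting hashes over log records against a watch list, the way you would search a week of ssl.log for the Meterpreter fingerprint. Every ClientHello value, the watch-list label and the log records are constructed for the demonstration; the only real fingerprints are the ones you baseline yourself.

```python
"""JA3 TLS client fingerprinting and watch-list matching (added example).

Not the talk's code and not the JA3 project's code; it follows the published
JA3 definition. All ClientHello values, labels and records are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# GREASE values (RFC 8701) are chosen randomly per connection, so the JA3
# definition drops them before hashing; otherwise one client would produce
# many different fingerprints.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


@dataclass
class ClientHello:
    """The ClientHello fields JA3 looks at, already parsed into integers."""
    version: int                 # e.g. 771 == 0x0303 == TLS 1.2
    ciphers: List[int]
    extensions: List[int]
    curves: List[int] = field(default_factory=list)
    point_formats: List[int] = field(default_factory=list)


def _dash_join(values: Iterable[int]) -> str:
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(hello: ClientHello) -> str:
    """Build the JA3 string in the order the definition fixes the fields."""
    return ",".join([
        str(hello.version),
        _dash_join(hello.ciphers),
        _dash_join(hello.extensions),
        _dash_join(hello.curves),
        _dash_join(hello.point_formats),
    ])


def ja3_hash(hello: ClientHello) -> str:
    """The JA3 fingerprint is the MD5 of the JA3 string, as lowercase hex."""
    return hashlib.md5(ja3_string(hello).encode("ascii")).hexdigest()


# Constructed ClientHello standing in for a client you have baselined. In
# practice the watch-list hash comes from your own captures or a shared
# fingerprint list, never from guessing. 0x1A1A is a GREASE value and must
# not influence the hash.
SAMPLE_TOOL_HELLO = ClientHello(
    version=771,
    ciphers=[0x1A1A, 49195, 49199, 52393, 52392, 49196, 49200, 156, 157, 47, 53],
    extensions=[0, 23, 65281, 10, 11, 35, 16, 5, 13],
    curves=[29, 23, 24],
    point_formats=[0],
)
WATCH_LIST: Dict[str, str] = {ja3_hash(SAMPLE_TOOL_HELLO): "constructed-sample-tool"}


def scan(records: Iterable[dict], watch_list: Dict[str, str]) -> List[dict]:
    """Return the records whose 'ja3' field is on the watch list.

    Each record is a dict with 'src', 'dst' and 'ja3' keys, the shape you
    would have after loading Zeek's ssl.log (with the JA3 package) or
    Suricata's tls events into a search index.
    """
    hits = []
    for rec in records:
        label = watch_list.get(rec.get("ja3", ""))
        if label:
            hits.append({**rec, "match": label})
    return hits


# Constructed log records: one connection from the baselined client, one
# from an unrelated client with a different ClientHello.
CONSTRUCTED_RECORDS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "ja3": ja3_hash(SAMPLE_TOOL_HELLO)},
    {"src": "10.0.0.6", "dst": "203.0.113.11",
     "ja3": ja3_hash(ClientHello(771, [4865, 4866, 4867], [0, 23, 65281, 43, 51], [29, 23], [0]))},
]

if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_RECORDS, WATCH_LIST):
        print(f"{hit['src']} -> {hit['dst']} matched {hit['match']}")
```

Two things the speaker's slide did not have room for: GREASE stripping is what keeps a Chrome-style client on one fingerprint instead of sixteen, and a JA3 match is a hypothesis about the client software, not proof, since any two programs using the same TLS library configuration share a hash. That is exactly why the talk's "search a week of traffic for one hash" workflow works well as an alerting trigger and less well as a blocking rule.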
And since I couldn't do a demo, we've got lots of time for questions. Other questions?

Yeah, no, so at the bottom there is the address, so jeffbryner.com/bsidespdx2018, there you go. There are the slides; there's also speaker notes, you can replay everything I just said, I guess. That's right here, actually. I couldn't do this demo thing; I've got it written up there. So this is the actual app itself. So this is the address for the app: catalog.security.allizom.org. allizom is Mozilla spelled backwards; it's our development site,
security. It's also in the... we'll demo quickly. So this code is written in Meteor, which, if you're not familiar with Meteor, it's one of my favorite tools, mostly because... so what I want you to notice is the top line there where it says Cyphon, SIEM triage system. So I've got this same address on my phone. I'm going to type in a thing and you're going to see me type. So Meteor is a tool that does sort of reactive... maybe you guys see me type.

Demo failure. Never had a demo fail before; I know what to do. Anyway, what's supposed to happen is that you would see whatever I typed show up in real time, but Meteor is failing me today. Anyway, that's the address for the catalog of open source security solutions.
It's just jeffbryner.com/bsidespdx2018. Okay, yeah, it's probably tweeted also. Any other questions? Microsoft owning GitHub, yeah, that's an interesting question: what to think about Microsoft owning GitHub. Yeah, I don't know what to think. It's a real conundrum, right? It's a bit of a mind bender, especially for a company like Mozilla; obviously it's so invested, almost 2,000 repos on there, we're not moving anytime soon. We do have to compete and get along with Microsoft, and compete and get along with Google, and compete and get along with a lot of people at the same time. So the internet, it's a collaborative place. The question was, have we deployed open source security tools at Mozilla?
Yes, we're kind of in the same category. So Zeek is a big one for us, Suricata as well. We've presented on it; my team has done a bunch of presentations on what we've got. It was like a 40 gigabit per second infrastructure just built on commodity hardware that does all that kind of packet capturing, reporting and all that stuff. As well, we've written some other tools. So MIG is a client-side solution that we've written that takes privacy into account, so it never retrieves anything off the endpoint system. We can just kind of ask it questions: "hey, are there systems out there that have a file that matches this hash?" It'll just answer yes or no; it

doesn't actually get the file from those systems. So it's maybe a unique case for us; I don't know if other companies have that same sort of problem, but it's definitely a problem that we have. And then MozDef, our SIEM, is probably the one that we rely on the most; all that information comes back into it to do vulnerability management, incident response, alerting, that kind of stuff. Yeah, so yeah, we're all about deploying open source. And auditd, of course, kind of like the Falco stuff, is across all of our Linux environment to report back everything on there, which is super useful. It's really nice to just have every command ever run on every Linux server at your fingertips.
Other questions? Okay, great, thanks very much. Thank you.
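The checkpwn section of the talk describes the k-anonymity range query only in passing: hash the password locally, send the first five characters, get back a set of candidate hashes, and finish the match on the client. The following is an added example, not checkpwn's Rust code and not Have I Been Pwned's code, that walks through that exchange in Python so the privacy property is visible in the code: the full SHA-1 and the password itself never leave `breach_count`. The real service is reached at `https://api.pwnedpasswords.com/range/<prefix>` and answers with `SUFFIX:COUNT` lines; `fake_fetch_range` and `CONSTRUCTED_CORPUS` are constructed stand-ins so the example runs offline, and the counts in the corpus are made up.

```python
"""k-anonymity password exposure check (added example, not checkpwn's code).

Protocol as the talk describes it: SHA-1 the password, send only the first
5 hex characters, receive every hash suffix in that range, compare locally.
The range server here is a constructed local stand-in so this runs offline.
"""
import hashlib
from typing import Callable, Dict, Tuple


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): uppercase hex SHA-1 split after 5 characters.

    Only the prefix is ever transmitted; a 5-character prefix covers
    2^20 of the 2^160 hash space, so the server learns almost nothing.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF, blank lines ignored)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the returned range (0 if absent).

    fetch_range(prefix) returns the response body for one 5-character
    prefix. Against the real service it would be an HTTPS GET of
    https://api.pwnedpasswords.com/range/<prefix>; the matching step below
    is the same either way.
    """
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# ---- constructed offline stand-in for the range endpoint -------------------
# A tiny "breach corpus" with made-up counts so the fake server has answers.
# The real service returns several hundred suffixes for every prefix.
CONSTRUCTED_CORPUS = {"password": 12345, "letmein": 42, "hunter2": 7}


def fake_fetch_range(prefix: str) -> str:
    """Answer a range query from the constructed corpus in the real format."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        p, s = split_sha1(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    # padding suffix that matches no password, standing in for the other
    # entries a real range would contain
    lines.append("0" * 35 + ":1")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        n = breach_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in range")
```

The point worth checking before wiring this to anything real is the one the speaker made: the comparison happens after the response arrives, on the client, so a network observer or the service itself sees a prefix shared by roughly a million possible hashes and nothing more. A cron-style batch over a list of addresses, as the talk mentions for the email side, is a different API with different privacy characteristics and is not what this range query provides.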