
What's up everyone, how you doing? Hey everyone, learned something today? Yeah, that's the fourth thing, so here we go. I talked... problem: the boss, Olympic Nick, something you probably shouldn't... kind of focus, magic solution, just one way, just get the solution is long. Mandarin variation, I display my autopsy appreciation, I owned a network of my lawyer beeps, I follow the law, all about me, insurance needs.

About me: I graduated from Southern Illinois University Carbondale in 2011; that's where I really got interested in security. They had a computer security and networking degree. I did the Collegiate Cyber Defense Competition, red team versus blue team: the blue team was college kids, the red team was professional pen testers that destroyed us at every competition. A lot of fun. I interned with the Oklahoma State information [services]; I learned a lot about how the real world compared to what I was taught in academia about security, and also how state government runs super slow compared to everything else. Then I came to Kansas City because of Cerner; I was a Splunk engineer for four, five years. A lot of one... I was basically a sysadmin for Splunk Enterprise, Chef and that; I learned a lot of ops and how that all works, and I thought it was normal how this was working, but apparently it's not. So it was a lot of fun, pretty sweet. Currently, this year actually, I jumped ship and went to a company called Defense Point Security. They do federal contracts for federal agencies; they focus in on like the renting, it's tough, but they're also a Splunk partner, so we help with Splunk instances at federal agencies. I needed also certified market actually impacts, which could really create the lab and tax since Jen the to the over here; I requested some hiring the official the roster.

The boss's boss's boss's boss is going to want to connect some random device to the company network; they saw it online or their friend at the golf course had it, super cool and awesome. For this talk I'll just be talking about Philips Hue bulbs, you know, the cool ones that can change colors and you can use your cell phone to turn them off and on. Super cool, I love it, coolest thing ever, but obviously they're kind of hard to secure. So we'll be talking about maybe one approach for how to get them in and wrapped, also how you should respond to the boss's boss's boss, which the next slide will tell us: how does one respond? We'll have to say yes eventually, or a replacement: say yes to the boss's boss's boss, and then Q&A if you guys have any questions.

But like I said, our first response would be, you know, when someone asks: "Without a case, I found this device that you know nothing about, I know nothing about, I bought on this cool Chinese website. I won't plug it into the network." No. Well, you know what, that's... that's all diving, that's the top right there with your all the homes journée, because whatever it is, I mean security, we're the "no" people, we're the no-fun police, we make sure that we're a roadblock on everything. Maybe that's not... nothing, you know what, legitimately we've got some legitimate threats on why not: it could get compromised, firing off your PCI or PII; you get that daily because you plug some random thing into your network. Who's going to get blamed? You will, not your boss's boss's boss, that's for sure. I'd also say, okay, if you're a Fortune 500 company and your sales data gets leaked out, you might be in trouble. So popular interest, "yeah, sure, no problem": if you don't really care anyway because you're leaving in two weeks, let's take that route, yeah, we can plug that in, no problem. Also, "sure, but that's against company policy": a nice safe way; you know what, company policy backs you up, you have everything under control, and with that, pro general run, if you don't get a dime, just keep that in mind. Oh, the best way, and probably the way to do a lot of stuff, is "I would be happy to look at it and find a way that it can happen and keep us secure." You hear that, boss? You're helping us keep [us] secure. It's great: we get to connect your little device, the network can still be secure, it's a win-win.

How are we going to do that? Basically we'll do log management, lawyer issue. So first thing: do you have a log aggregator? I'm using Splunk for the example, I've got the most salt; you can use anything else: ELK, Logstash, Graylog, or syslog, as long as it just rips logs, or if you really feel adventurous... At a minimum you should probably have this anyway: centralized logging, being able to keep track of all your stuff; it's just a good policy in general. You need to consider your risk and cost: some people think Splunk is really expensive, some people think it's not expensive. Do you have people to manage your log aggregation system? If you have like ten interns that aren't doing anything, you know what, they can build it up and help staff it and get all the dashboards you want, the fancy shebangs. Or maybe you just have one overworked sysadmin, and then you're just going to add another thing to his list of difficult things to do. What does your customer, leadership, actually want? Do they want a fancy dashboard to see what their light bulbs are doing, and maybe they want to see the color they use the most on their fancy light bulb that they're putting in place, and they want a fancy dashboard for that? So plan what solutions do that; if you just do syslog, you might have to be tying some other stuff into it.

It might help to also consider what the devices will connect to, like when they reach out to the magical cloud, what are they connecting to? Are they connecting to, like, just Amazon Web Services, to Philips' special servers, or are they connecting you up to the Russian mafia that's, you know, collecting data from your fancy light bulb? Yeah, what other reasons you might need help with the setup. So the thing you need to remember is these things have to talk out. So basically there's networking: are you a networking expert? Do you have networking experts? Do you have a separate firewall team that manages the firewall, so they do their logging? Getting the correct experts involved to help you sort out all of the information. So if you have some firewall logs, that's great, but now you have... well, the firewall, I don't know, or the logs, or the networking guy, two of us, our lives. So getting the correct people to help you out is another good, good thing to keep in mind. Also features: obviously, like I said, you could do syslog and just have it on a web server and grep, or like I said you want fancy dashboards, all that stuff. Also, whenever you're putting things together: how can you control this device? Can you block certain features? What ports does it listen on? Is whitelisting possible? All that stuff. Also, I found out when I plugged them in, my phone app said "there's a new firmware version, do you want to update?" Sure, that sounds great; so I updated my light bulb firmware. It was great and exciting, really, yes, because sometimes you'll get these Chinese knockoffs that will never see a firmware update ever, so you've got to keep that in mind on what you're plugging in; keep all that in check.

Oh, this is just the top of a Google router page, just to show you that as soon as I plug it in, hey, look at that, DHCP shows up: it's a Philips Hue, okay, here's the IP address, here's the MAC address. It's great. Some other servers and stuff I have connected on the network, and then down here is my phone, which is connected to the Wi-Fi. Here's a basic diagram I have set up of everything that I was working on for this lab. Also I had to burn down my lab in the middle of trying to work on this, so I had to rebuild it, and this is the end result. Failed hard drives are no fun; you will lose your VMs. So the Samsung phone has IP address .101, the Wi-Fi router, and then there's a physical pfSense box I had set up; this is where all my logging takes place. The Philips Hue bridge was plugged into one of the ports dedicated on the pfSense box, and then another one with just a dumb switch that was plugged into the router, and then also I had an ESX server set up and I had a VM set up as a Splunk server, and it's this box over by original attack.

Also, best practices for logging for Splunk: syslog is taken from the pfSense box and sent to a standard syslog server, storing it locally, having a log rotation program set in place, with backing stuff up; that's the best recommended path. And then taking this Splunk agent, which is also called a Splunk forwarder, and sending those logs to Splunk; that will be on port 9997 by default. Syslog is port 514 by default. The big thing to keep in mind: most syslog is UDP, so "I don't really care if you actually get the logs, I just want to keep sending them." So whenever you upgrade some stuff on your Splunk server, if it goes down and you're sending via UDP directly to the server, you will just drop those logs, because it doesn't care. That's why, whenever you use a syslog server, it can store on its own hard drive, and the Splunk agent itself is like "hey, I'll send to the Splunk server; oh, you're down, I'm going to wait so long and try again," and then it will queue up all the data on the server, and then once the server comes back, then it'll be like "okay" and send all the new data it's got. Perfect. You can also have crazy setups with this; for this lab it's a single instance.

So what data should you be monitoring? This will change based on each IoT device you have or what you're actually wanting to put in, but log this traffic; sometimes you might still be isolating it out and finding out what exactly it's doing, messages for what to do in your chance of the pod. Is it trying to connect to other devices, or like SSH open and all that stuff? Also, basically, use your networking resources: set VLANs, firewall rules, all that stuff. Again, what are you expecting this IoT device to do? If this is an Alexa device that needs to connect to Amazon services, are you going to use that Alexa device to connect to your light bulbs so you can control your light bulbs via voice? Because that sounds really cool, and I think that sounds pretty awesome, but I didn't get to set that up yet for this talk. So also, something else to consider: this cell phone has an app to control my light bulbs. Does this device now need to be in your scope? Do you need to monitor this device? Or does your executive just want to control light bulbs in his own office, and you can use like a standard tablet that's not traveling with him? Because now you have another device that you have to control, monitor, look at. You might already be doing this, but it's something else to consider.

Also, what other outside accounts are connected? So for my light bulbs, locally I could use it without having to sign up for an account, but if I wanted to use it remotely I had to sign up for a My Hue account, and then once I signed up for the account, like okay, now when you walk away from your house your lights will flip off for you, or when you get to a certain location they will flip on. Of course now you've got your location on your phone, but you know what, the executive wants all that stuff: he wants to walk into that office and he wants to see the lights flip on as soon as he walks in, coolest thing. He didn't ask you anything, but you know what, that's something else to consider. What other devices can access the IoT device, and vice versa? Are you separating this off, segmenting it on its own special network, or are you just, you know, plugging it into the corporate network, where it can see what other servers are over there, stuff like that? Also, is this something only executives need, or will everyone else need it? So like, if it's in a conference room, does anyone who has the ability to book the conference room get to, you know, speak to the light bulbs and turn them on with their voice, or is this something only the executive gets access to? That's something else to keep in mind.

Basic stuff: firewall rules. I mentioned some of this: iptables rules, subnetting; does your device have, you know, telnet open, SSH, all that stuff? Is it trying to reach out to the internet on those ports as well? Also, like I said, I got the MAC address on it; I'll talk a little bit later about that, having part of the mechanism, but the router picked it up just fine, so you can filter on MAC address. So if you have some random MAC address running around your IoT network: hey, how did this get here? Also, is Wi-Fi needed? For the light bulbs to work, I needed to have Wi-Fi already set up and have the phone connect via Wi-Fi. I didn't get a second AP set up to see if I could do like multi Wi-Fi access point stuff, but I'm sure that's possible as well.

Now also access control: whenever you're saying who's done, as I said, who's going to gain access. The big things: if you're logging the specific information on these IoT devices, who should actually look into these logs? Do you only want security to be able to see these logs, like which IoT devices connect, or maybe your developers should actually have them as well? Is there something about developing for this, and that's why the executive wants it? Things like that to keep in mind. Also, a lot of these facilities... it uses basically API calls to talk, and it's all over HTTP. Yes, HTTP, the great HTTP, for everything.

All right, next: same thing, to keep them... well, I know I have to go after. Say yes: prepare, bring them in, bring them into the network just like any other BYOD device, and manage them all there, connected, because I mean it's only a matter of time for people, but you've got to make sure you can control these IoT devices; if you don't, they're just going to start wandering around your network and eventually they'll start poking stuff they really, really shouldn't. So the other thing that security people like is policy. What policies do you have in place? Do you have a BYOD policy where people can bring their own device and use it on the corporate network? Maybe you do, maybe you don't. Cell phones: can we bring them in? Should that be the same policy? Do you have to build a specific IoT policy, where like "this item falls under this, it's considered an IoT device and it needs to be vetted by security, it needs to be approved by, you know, two or three managers," ba-ba-ba-ba; you know exactly who's going to get all that information anyway. So maybe have a policy in place to, you know, keep it in check. As I was mentioning, it's only a matter of time before, you know, they walk into the office, all of a sudden your phone connects to the internet, tells your coffee maker that you just walked into the office building, now your coffee maker makes your favorite, favorite cup of coffee as soon as you... there it is, your cup of coffee is done and ready for you or your boss. Street magic.

Here's an example of the app. There's not much on there, except I want to point out that the ID was actually the last six digits of the MAC address, which I found terrific. Also, you can't see it, but it also gives a model number and an actual version number on the Philips Hue hub itself, and then on the light bulbs there's also a version number, and this changed whenever you do the firmware update; this is the firmware version of the light bulb. I never used the second bulb, because I wanted to get all my monitoring in place, correct and tracking, so I could figure out what it would do when you plug the second light bulb in and find out what it does the first time you plug it into the network. But like I said, I just didn't get a good chance to get it set up; I'm going to get it set up probably next month, the way I'm going. And then here, basically, you control each light bulb individually: you push the light, it flips on, flips off, you can control brightness and all that fun stuff too. It's basically all from the device in your hand, which is your cell phone.

Here's just a small example: a basic search with pfSense as the host, and then searching for .101, which is my cell phone. So basically you can see that... .101 was actually the hub, no, .110 was my cell phone, sorry about that. But here you can see a standard log; it's just highlighting what finds the IP. Here's the host name; this is basically where the logs are coming from. Over here in the interesting fields (I'll talk about it a little bit later in the next couple slides), it's just the way Splunk gets set up, and some other log aggregator systems, they will actually pull out specific fields, like destination and source IP, port numbers, all that cool stuff. That's just off to the side; you click a button, "oh, I can see all the port 80 traffic," click it, and it'll scope down to anything that called port 80 in a certain time frame. Pretty neat stuff. Here I brought in some of the Snort logs that I got from pfSense. I don't know anything about Snort, and I was trying to learn during this as well, but a quick Google search told me this is all useless and I should just, you know, not have Snort logging at all, but I thought it was interesting: it's basically showing the cell phone reaching out to the hub on port 80, and here's some more, just that random HTTP header stuff. So here's another: this is a stream from the firewall portion of pfSense, so timestamp, host name, the filter log, and then it's CSV data. The cool thing about Splunk is it actually breaks up your CSV data, like what I said earlier, so that way you can search for just, you know, firewall rules that are passed to this IP, or that are blocked, and then it will also say what the rule number is, what port, all that stuff, so that way you can dig down and see exactly what's getting blocked and what's passing. So if you see a rule that's passing, maybe a funny any-any rule that you really shouldn't have, you know, sending stuff to your IoT device, because the Russian mafia has now... you don't trick.

Takeaway: just because IoT devices are terrible and they will be a risk to your network, they should be treated like any BYOD device; you can put policy and procedure around them, so you secure the network, your boss is happy, you can actually get that promotion, or you just don't get fired. Trail to that person, know what you normally do: being able to get the information from the logs from devices you do control, so your switches, your firewall, other routers, all the stuff that you can get stuff from; you should use that to correlate and be able to control this IoT device. You can't log into it and do any of that stuff, but you can control the circle around it and make sure that it doesn't just go off in a random direction. Any questions?

...you the pudding it would be... and for Windows specifically? So technically you could set up the same as the... I think there's a syslog server and it's called Kiwi; some people use it. ...yes, but it doesn't affect a good... yes, so maybe you cannot... don't use UDP. But I mean that's a thing: even if you've got Windows servers, it's the same kind of situation, like Splunk installed on Windows as well, so you could use the same concept: taking logs from devices, installing it on a Kiwi server as your central repo for your logs, and then just using the Splunk forwarder agent to send it to the Splunk server, still getting the same logs and all that stuff. The big thing to keep in mind is firewall rules in between the Windows servers. I probably cheated one day: I put a firewall... wasn't getting logs on my Splunk server; they'd turned on a firewall and it was blocking the ports that needed to be open. So it's stuff like that you've got to keep in mind, too. So, but the same kind of concept as before: services giving logs into one place and then sending them to another server. So, any other questions? Thank you.

Here's all our awesome sponsors. I don't know, do they want to know what this love it, okay, the third bedroom at night, oh, this is the coolest logo ever, look, addictions dropping for true, sir, yes, yes. Also, like I said, feedback: let me know. I did... I want to keep doing this; this is a lot of fun, hopefully I'll get better at it; any helpful hints or criticism I will definitely appreciate. Stay for the conference; these guys have been around for years, so I'm sure they're learning as well, and we want to make this a better conference for, I'm sure, next year. And anything else? Thank you, guys. Who's ready for some areas? There you... all right, there.
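The firewall-log search described in the talk (pfSense CSV broken into rule number, action, source and destination IP and port, then scoped down to port 80 or to a pass rule that should not be there), as an added Python example; this is not code from the talk, from pfSense or from Splunk. It assumes the field order of pfSense's filterlog CSV for IPv4, a lab IoT segment of 192.168.2.0/24, a stand-in allowed vendor range, and constructed sample log lines.

```python
"""Break pfSense firewall syslog lines into searchable fields and review what
the IoT segment is allowed to talk to.  Added example: the field order follows
the pfSense 'filterlog' CSV layout for IPv4 as assumed here, not taken from the
talk.  Sample lines, subnet and allowed range are all constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines: syslog header, then the filterlog CSV payload.
SAMPLE_LOG = """\
Mar 12 20:01:13 pfsense filterlog: 5,,,1000000103,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.2.110,192.168.2.101,51234,80,0,S,1,,65535,,mss
Mar 12 20:01:15 pfsense filterlog: 5,,,1000000103,em1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.2.101,198.51.100.7,41212,443,0,S,2,,65535,,mss
Mar 12 20:01:20 pfsense filterlog: 5,,,1000000103,em1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.2.101,203.0.113.9,41213,23,0,S,3,,65535,,mss
Mar 12 20:01:22 pfsense filterlog: 7,,,1000000201,em1,match,block,out,4,0x0,,64,0,0,DF,17,udp,78,192.168.2.101,192.168.1.20,5353,5353,58
"""

IOT_SUBNET = ipaddress.ip_network("192.168.2.0/24")  # assumed lab IoT segment
# Destinations the bulbs are expected to reach: the hub's own segment and a
# constructed stand-in for the vendor cloud range (assumption, not real data).
ALLOWED_DST = [IOT_SUBNET, ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) filterlog: (?P<csv>.*)$")

def parse_filterlog(line):
    """Return the fields worth searching on, or None if not an IPv4 filterlog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 20 or f[8] != "4":          # IPv6 layout differs; skipped here
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "rule": f[0],
           "iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
           "src": f[18], "dst": f[19], "sport": None, "dport": None}
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec

def review(log_text):
    """Return (records, findings).  A finding is an IoT flow that a rule PASSED
    to an unexpected destination, or off-segment on a cleartext/management port."""
    records = [r for r in map(parse_filterlog, log_text.splitlines()) if r]
    findings = []
    for r in records:
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        if r["action"] != "pass" or src not in IOT_SUBNET:
            continue                          # blocks and non-IoT sources are fine
        if not any(dst in net for net in ALLOWED_DST):
            findings.append((r["rule"], "unexpected destination", r["dst"], r["dport"]))
        if r["dport"] in (22, 23, 80) and dst not in IOT_SUBNET:
            findings.append((r["rule"], "cleartext/management port", r["dst"], r["dport"]))
    return records, findings

def rule_summary(records):
    """Count pass/block per rule number: the 'dig down and see what is passing' view."""
    return Counter((r["rule"], r["action"]) for r in records)

if __name__ == "__main__":
    recs, finds = review(SAMPLE_LOG)
    for key, n in sorted(rule_summary(recs).items()):
        print(key, n)
    for finding in finds:
        print("FLAG rule %s: %s -> %s:%s" % finding)
```

Local app-to-hub HTTP on the segment is left alone, so only the two flows rule 5 passes to the outside telnet destination are flagged, while the blocked mDNS line only shows up in the per-rule counts.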