Safely Drinking From The Fire Hose   @jschauma

Jan Schaumann
Señor Network Security Engineer

jschauma@etsy.com

B60D A9F7 0D89 544A 7995
7D25 5A5B 4375 275F 0BB5
I <3 logs!

web logs
mail logs
system logs
vpn logs

08/28/12
Log Bongzilla, aka Splunk

Logs go in…

Is this how Octocat came to be?

…security alerts come out
Splunk Alerts FTW!

YO DAWG, I HERD YOU LIKE LOGS
SO I PUT SOME LOGS IN YOUR LOGS
SO YOU CAN SPLUNK WHILE YOU SPLUNK
sudo make me a sandwich
Know your patterns.

VPN Connections

July 4th was a Wednesday
People slacking off early on a Friday, eh?
People making up for last week?
That was unexpected…
XSS detection

Announcement of Bug Bounty program: http://is.gd/UTZ5wD

code push to address reported vulnerabilities
Geolocate all the things!
XSS detection

IP          : 79.182.16.1 - bzq-79-182-16-1.red.bezeqint.net
Geolocation : Even Yehuda, 02, IL
Whois       : *SE4-DRP*, RIPE, BEZEQINT-BROADBAND
Requests    : 146
  Method    : GET
  URL       : /suggest_username.php?first-name=test&last-name=onerror%3Dalert(0)%3E&email=shai%40exploit.co.il

  Method    : POST
  URL       : /your/profile
  Data      : u'fb_avatar_url=&gender=female&city3=&new_city="><img src=x onerror=prompt(1);>&new_region=&new_countrycode=&new_latlon=,&city3_dup="><img src=x'

[…]

(13 minutes after we announced our security bug bounty program: http://is.gd/UTZ5wD)
SQLi detection

IP          : 216.185.114.219 – unknown
Geolocation : Jurong East, 00, SG
Whois       : ThePlanet.com Internet Services, Inc., ARIN, NET216
Requests    : 20
  Method    : GET
  URL       : /listing/102946830/womens-shirt-beige-tunic-womens-blouse?ref=999999.9%27+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536+and+%27x%27%3D%27x

  Method    : GET
  URL       : /category/furniture?page=499999%27%20union%20select%20unhex(hex(version()))%20

[…]
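The two alert slides above show the output of the detection, not how the requests were picked out of the web logs. The following is an added example (not code from the talk or from Etsy) of the triage step that produces such records: it parses access-log lines, percent-decodes each request URL, matches a few coarse XSS and SQLi indicator patterns, groups hits by client IP, and renders them in the slides' layout. The sample log lines are constructed (documentation-range IPs; the payloads are the ones shown on the slides), and the reverse DNS, GeoIP and whois fields are left as placeholders that a real alerter would fill from its own lookups. Function names (`classify`, `scan`, `format_alert`) are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Access-log line parser (common log format). Only the client IP, method and
# request URL are needed for this triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Coarse indicator patterns run over the percent-decoded URL. They exist to
# surface hosts worth a human look, not to act as a WAF, so false positives are
# expected and handled downstream (whitelists, thresholds).
INDICATORS = [
    ("xss",  re.compile(r"<\s*(script|img|svg)\b|\bon(error|load|mouseover)\s*=", re.I)),
    ("sqli", re.compile(r"\bunion\b.{0,40}\bselect\b"
                        r"|unhex\s*\(\s*hex\s*\("
                        r"|\b(and|or)\s+'[^']*'\s*=\s*'", re.I)),
]

# Constructed sample lines (documentation-range IPs); the payloads are the ones
# shown on the XSS and SQLi detection slides.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [28/Aug/2012:10:14:01 +0000] "GET /suggest_username.php?first-name=test&last-name=onerror%3Dalert(0)%3E&email=test%40example.com HTTP/1.1" 200 512
198.51.100.7 - - [28/Aug/2012:10:14:03 +0000] "POST /your/profile HTTP/1.1" 302 0
203.0.113.9 - - [28/Aug/2012:11:02:44 +0000] "GET /category/furniture?page=499999%27%20union%20select%20unhex(hex(version()))%20 HTTP/1.1" 200 8192
203.0.113.9 - - [28/Aug/2012:11:02:50 +0000] "GET /listing/102946830/womens-shirt-beige-tunic?ref=999999.9%27+union+all+select+0x31303235343830303536+and+%27x%27%3D%27x HTTP/1.1" 200 8192
192.0.2.55 - - [28/Aug/2012:11:05:00 +0000] "GET /listing/102946830/womens-shirt-beige-tunic?ref=search HTTP/1.1" 200 9000
"""


def classify(url):
    """Return the name of the first indicator matching the decoded URL, or None."""
    decoded = unquote_plus(url)
    for name, pattern in INDICATORS:
        if pattern.search(decoded):
            return name
    return None


def scan(lines):
    """Group requests by client IP and keep only IPs with at least one hit.
    Result: ip -> {"requests": total requests seen, "hits": [(method, url, kind)]}"""
    per_ip = defaultdict(lambda: {"requests": 0, "hits": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than crash the alerter
        rec = per_ip[m.group("ip")]
        rec["requests"] += 1
        kind = classify(m.group("url"))
        if kind:
            rec["hits"].append((m.group("method"), m.group("url"), kind))
    return {ip: rec for ip, rec in per_ip.items() if rec["hits"]}


def format_alert(ip, rec):
    """Render one record in the layout the slides use. Reverse DNS, GeoIP and
    whois are placeholders here; a deployment fills them from its own lookups."""
    out = ["IP          : %s - <reverse DNS>" % ip,
           "Geolocation : <GeoIP lookup>",
           "Whois       : <whois lookup>",
           "Requests    : %d" % rec["requests"]]
    for method, url, kind in rec["hits"]:
        out.append("  Method    : %s  (%s)" % (method, kind))
        out.append("  URL       : %s" % url)
    return "\n".join(out)


if __name__ == "__main__":
    for ip, rec in scan(SAMPLE_ACCESS_LOG.splitlines()).items():
        print(format_alert(ip, rec))
        print()
```

Note that the POST to /your/profile produces no hit here because an access log does not carry the request body; the slide's second XSS record came from application-level logging of the submitted form data, which is the "log it all" point of the closing slide.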
Know when people can’t log in…
High number of failed logins

Admin              : <username> (<internal login>, <site login>)
IP                 : 64.124.192.210 - 64.124.192.210.t01419-07.above.net
Geolocation        : Brooklyn, NY, US
Whois              : ETSY Inc, ARIN, NET64
# of failed logins : 13

(doesn’t know what he’s doing; do not trust!)

Admin              : jschauma (jschauma, jschauma)
IP                 : 207.38.139.33 - 207-38-139-33.c3-0.avec-ubr2.nyr-avec.ny.cable.rcn.com
Geolocation        : New York, United States
Whois              : RCN Corporation, ARIN, NET207
# of failed logins : 16
Geolocate all the things!
“Unexpected” login detection

Admin       : <username> (<internal login>, <site login>)
IP          : 83.160.48.31 - a83-160-48-31.adsl.xs4all.nl
Geolocation : Rotterdam, 11, NL
Whois       : XS4ALL Internet BV, RIPE, DEMON-NL-DSL

Admin       : <username> (<internal login>, <site login>)
IP          : 217.192.56.102 – unknown
Geolocation : Zurich, 25, CH
Whois       : The Hub Zuerich Assoc., RIPE, THE-HUB-ZUERICH-NET

Admin       : <username> (<internal login>, <site login>)
IP          : 24.231.49.240 - unknown
Geolocation : Nassau, 23, BS
Whois       : Cable Bahamas, ARIN, CABLEBAHAMAS-NET

Admin       : <username> (<internal login>, <site login>)
IP          : 200.49.191.120 - map120.network49.191.tigo.net.gt
Geolocation : Guatemala City, 07, GT
Whois       : COMCEL GUATEMALA S.A., LACNIC
I said: “Please insert girder!”
Identify scrapers.

Admin       : <username> (<internal login>, <site login>)
IP          : 50.17.73.70 - ec2-50-17-73-70.compute-1.amazonaws.com
Geolocation : Ashburn, VA, US
Whois       : Amazon.com, Inc., ARIN, NET50
Provider    : Amazon AWS
Count       : 7

Admin       : <username> (<internal login>, <site login>)
IP          : 207.228.237.110 – unknown
Geolocation : New York, NY, US
Whois       : HopOne Internet Corporation, ARIN, NET207
Provider    : HopOne
Count       : 1
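The “Unexpected” login and scraper slides both rest on the same idea from the closing slide: build a per-admin profile of where logins normally come from, enrich each new login with geolocation and whois, and whitelist the places (the office) that must never page anyone. The code below is an added example of that logic, not the talk's or Etsy's tooling. The GeoIP/whois lookup is a constructed in-memory table (documentation-range IPs, made-up organisations) standing in for a real GeoIP database and whois query; the login history, the office whitelist and the function names (`build_profiles`, `check_login`, `format_alert`) are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for GeoIP + whois enrichment. A real alerter queries a
# GeoIP database and whois; these entries are made up (documentation ranges).
# Value: (geolocation, whois org, hosting provider or None)
GEO_TABLE = {
    "192.0.2.10":   ("New York, NY, US",  "Example Corp",     None),
    "192.0.2.77":   ("Brooklyn, NY, US",  "Example Cable Co", None),
    "198.51.100.5": ("Rotterdam, 11, NL", "Example DSL BV",   None),
    "203.0.113.40": ("Ashburn, VA, US",   "Amazon.com, Inc.", "Amazon AWS"),
}

# Office egress ranges: admin logins from here are expected and never alerted on.
WHITELIST = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed history of past successful admin logins: (admin, ip)
HISTORY = [("alice", "192.0.2.77"), ("alice", "192.0.2.10"), ("bob", "198.51.100.5")]


def lookup(ip):
    return GEO_TABLE.get(ip, ("unknown", "unknown", None))


def country(location):
    """'Rotterdam, 11, NL' -> 'NL' (last comma-separated field)."""
    return location.rsplit(",", 1)[-1].strip()


def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def build_profiles(history):
    """Per-admin set of countries they have logged in from before."""
    profiles = defaultdict(set)
    for admin, ip in history:
        location, _, _ = lookup(ip)
        if location != "unknown":
            profiles[admin].add(country(location))
    return dict(profiles)


def check_login(profiles, admin, ip):
    """Reasons to alert on one new admin login; an empty list means 'looks normal'."""
    if is_whitelisted(ip):
        return []
    reasons = []
    location, _, provider = lookup(ip)
    if provider:
        # Admins do not normally log in from a hosting provider; scrapers and
        # scripts do.
        reasons.append("login from hosting provider %s" % provider)
    seen = profiles.get(admin, set())
    if location == "unknown" or country(location) not in seen:
        reasons.append("unexpected location %s (previously seen: %s)"
                       % (location, ", ".join(sorted(seen)) or "none"))
    return reasons


def format_alert(admin, ip, reasons):
    """Render one login in the layout the slides use."""
    location, whois, provider = lookup(ip)
    lines = ["Admin       : %s" % admin,
             "IP          : %s" % ip,
             "Geolocation : %s" % location,
             "Whois       : %s" % whois]
    if provider:
        lines.append("Provider    : %s" % provider)
    lines += ["Reason      : %s" % r for r in reasons]
    return "\n".join(lines)


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for admin, ip in [("alice", "198.51.100.5"), ("alice", "203.0.113.40"),
                      ("bob", "198.51.100.5"), ("alice", "192.0.2.10")]:
        reasons = check_login(profiles, admin, ip)
        if reasons:
            print(format_alert(admin, ip, reasons), "\n")
```

Country is a deliberately coarse profile key: a city-level profile would alert every time someone works from a coffee shop across town, which is exactly the false-positive noise the closing slide warns about. An admin with no history at all gets an alert on first sight, which is the desired behaviour for a freshly created account.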
Re-re-re-re-re-CAPTCHA

source="info.log" reCAPTCHA status="incorrect" | transaction ip | where eventcount > 50 | table ip,eventcount | sort -eventcount
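The Splunk search above groups every failed reCAPTCHA event by client IP and reports the IPs with more than 50 failures, most first. For readers without Splunk, the following is an added example (not from the talk) of the same detection written as a plain script over an application log; the log lines are constructed to resemble what `source="info.log"` would hold and are not Etsy's format, and `recaptcha_failures` is this example's own function name.

```python
import re
from collections import Counter

# Constructed sample lines in the shape the Splunk search expects: an
# application log recording each reCAPTCHA verification. Not Etsy's format.
SAMPLE_LOG = (
    ['2012-08-28T10:00:%02dZ reCAPTCHA status="incorrect" ip=198.51.100.7 form=signup' % (i % 60)
     for i in range(72)]
    + ['2012-08-28T10:01:00Z reCAPTCHA status="correct" ip=198.51.100.7 form=signup']
    + ['2012-08-28T10:02:%02dZ reCAPTCHA status="incorrect" ip=203.0.113.9 form=signup' % (i % 60)
       for i in range(3)]
    + ['2012-08-28T10:03:00Z login user=alice ip=203.0.113.9']
)

LINE_RE = re.compile(r'reCAPTCHA status="(?P<status>[a-z]+)" ip=(?P<ip>[0-9.]+)')


def recaptcha_failures(lines, threshold=50):
    """Count 'incorrect' reCAPTCHA events per client IP and return the IPs over
    the threshold as (ip, count), highest count first. This mirrors
      reCAPTCHA status="incorrect" | transaction ip | where eventcount > N
      | table ip,eventcount | sort -eventcount
    """
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("status") == "incorrect":
            counts[m.group("ip")] += 1
    return sorted(((ip, n) for ip, n in counts.items() if n > threshold),
                  key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for ip, n in recaptcha_failures(SAMPLE_LOG):
        print("%-16s %d" % (ip, n))
```

The threshold is the whole tuning knob: too low and a large NAT (a university, a mobile carrier) with many legitimate users fails it constantly, which is where the closing slide's whitelists come in; too high and a slow, patient scraper never crosses it, which is what the "Know your patterns" baseline is for.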
Of Liars and Outliers (good book, btw)

wtf happened here?

Ooh, right… this:
http://is.gd/fognju
http://is.gd/0hRDLY
http://is.gd/WxcA0r
This talk was too long!

Log it now, log it all.
Geolocate all the things.
Build profiles. (Creepy, I know.)
Reduce false positives. (Whitelists!)
Have defined reactions to all alerts.
Notice the outliers. Explain them.

That’s all, folks! Thanks!

Published on SlideShare as: Safely Drinking from the Data Waterhose
