SlideShare a Scribd company logo

Safely Drinking from the Data Waterhose

Jan Schaumann
Jan Schaumann

An ingite talk given at DataGotham 2012 about how we extract security related events and alerts from our logs. I repeated the same talk at DevOpsDays NYC 2013.

TechnologyDesign
1 of 20
Download to read offline
Safely Drinking From The Fire Hose @jschauma Jan Schaumann Señor Network Security Engineer jschauma@etsy.com B60D A9F7 0D89 544A 7995 7D25 5A5B 4375 275F 0BB5
I <3 logs! @jschauma web logs mail logs system logs vpn logs 2 08/28/12
Log Bongzilla, aka Splunk @jschauma Logs go in… Is this how Octocat came to be? ts come ler out ri ty a secu 2 08/28/12
Splunk Alerts FTW! @jschauma YO DAWG, I HERD YOU LIKE LOGS SO I PUT SOME LOGS IN YOUR LOGS SO YOU CAN SPLUNK WHILE YOU SPLUNK 2 08/28/12
sudo make me a sandwich @jschauma 2 08/28/12
Know your patterns. @jschauma VPN Connections July 4th was a Wednesday People making up for People slacking off early last week? on a Friday, eh? 5 08/28/12
That was unexpected… @jschauma
XSS detection @jschauma Announcement of Bug Bounty program: http://is.gd/UTZ5wD code push to address reported vulnerabilities 6 08/28/12
Geolocate all the things! @jschauma 3 08/28/12
XSS detection @jschauma IP : 79.182.16.1 - bzq-79-182-16-1.red.bezeqint.net Geolocation : Even Yehuda, 02, IL Whois : *SE4-DRP*, RIPE, BEZEQINT-BROADBAND Requests : 146 Method : GET URL : /suggest_username.php?first-name=test&last-name= onerror%3Dalert(0)%3E&email=shai%40exploit.co.il 13 minutes after we announced our security bug bounty program http://is.gd/UTZ5wD Method : POST URL : /your/profile Data : u'fb_avatar_url=&gender=female&city3=&new_city= "><img src=x onerror=prompt(1);>&new_region=&new_countrycode= &new_latlon=,&city3_dup="><img src=x’ […] 6 08/28/12
SQLi detection @jschauma IP : 216.185.114.219 – unknown Geolocation : Jurong East, 00, SG Whois : ThePlanet.com Internet Services, Inc., ARIN, NET216 Requests : 20 Method : GET URL : /listing/102946830/womens-shirt-beige-tunic-womens- blouse?ref=999999.9%27+union+all+select+0x313032353438303035 36%2C0x31303235343830303536%2C0x31303235343830303536 %2C0x31303235343830303536%2C0x31303235343830303536%2 C0x31303235343830303536%2C0x31303235343830303536%2C0 x31303235343830303536%2C0x31303235343830303536%2C0x31 830303536%2C0x31303235343830303536%2C0x31303235343830 303536%2C0x31303235343830303536%2C0x31303235343830303 536+and+%27x%27%3D%27x Method : GET URL : /category/furniture?page=499999%27%20union%20 select%20unhex(hex(version()))%20 […] 6 08/28/12
Know when people can’t log in… @jschauma 2 08/28/12
High number of failed logins @jschauma Admin : <username> (<internal login>, <site login>) IP : 64.124.192.210 - 64.124.192.210.t01419-07.above.net Geolocation : Brooklyn, NY, US Whois : ETSY Inc, ARIN, NET64 # of failed logins : 13 doesn’t know what he’s doing; do not trust! Admin : jschauma (jschauma, jschauma) IP : 207.38.139.33 - 207-38-139-33.c3-0.avec-ubr2.nyr- avec.ny.cable.rcn.com Geolocation : New York, United States Whois : RCN Corporation, ARIN, NET207 # of failed logins : 16 6 08/28/12
Geolocate all the things! @jschauma 4 08/28/12
“Unexpected” login detection @jschauma Admin : <username> (<internal login>, <site login>) IP : 83.160.48.31 - a83-160-48-31.adsl.xs4all.nl Geolocation : Rotterdam, 11, NL Whois : XS4ALL Internet BV, RIPE, DEMON-NL-DSL Admin : <username> (<internal login>, <site login>) IP : 217.192.56.102 – unknown Geolocation : Zurich, 25, CH Whois : The Hub Zuerich Assoc., RIPE, THE-HUB-ZUERICH-NET Admin : <username> (<internal login>, <site login>) IP : 24.231.49.240 - unknown Geolocation : Nassau, 23, BS Whois : Cable Bahamas, ARIN, CABLEBAHAMAS-NET Admin : <username> (<internal login>, <site login>) IP : 200.49.191.120 - map120.network49.191.tigo.net.gt Geolocation : Guatemala City, 07, GT Whois : COMCEL GUATEMALA S.A., LACNIC 6 08/28/12
I said: “Please insert girder!” @jschauma
Identify scrapers. @jschauma Admin : <username> (<internal login>, <site login>) IP : 50.17.73.70 - ec2-50-17-73-70.compute-1.amazonaws.com Geolocation : Ashburn, VA, US Whois : Amazon.com, Inc., ARIN, NET50 Provider : Amazon AWS Count :7 Admin : <username> (<internal login>, <site login>) IP : 207.228.237.110 – unknown Geolocation : New York, NY, US Whois : HopOne Internet Corporation, ARIN, NET207 Provider : HopOne Count :1 6 08/28/12
Re-re-re-re-re-CAPTCHA @jschauma source=”info.log" reCAPTCHA status="incorrect" | transaction ip | where eventcount > 50 | table ip,eventcount | sort -eventcount 6 08/28/12
Of Liars and Outliers (good book, btw) @jschauma wtf happened here? Ooh, right… this: http://is.gd/fognju http://is.gd/0hRDLY http://is.gd/WxcA0r 6 08/28/12
This talk was too long! @jschauma Log it now, log it all. Geolocate all the things. Build profiles. (Creepy, I know.) Reduce false positives. (Whitelists!) Have defined reactions to all alerts. Notice the outliers. Explain them. That’s all, folks! Thanks! 2 08/28/12

Recommended

HTML5.tx 2013: Embedded JavaScript, HTML5 and the Internet of Things
HTML5.tx 2013: Embedded JavaScript, HTML5 and the Internet of ThingsHTML5.tx 2013: Embedded JavaScript, HTML5 and the Internet of Things
HTML5.tx 2013: Embedded JavaScript, HTML5 and the Internet of ThingsJesse Cravens
 
Fancy pants
Fancy pantsFancy pants
Fancy pantsJan Schaumann
 
Development is Production Too
Development is Production TooDevelopment is Production Too
Development is Production Toojgoulah
 
WCIT 2012 - Assespro Oficial Bid Book
WCIT 2012 - Assespro Oficial Bid BookWCIT 2012 - Assespro Oficial Bid Book
WCIT 2012 - Assespro Oficial Bid BookAssespro Nacional
 
April 17, 2012 CIty Council Agenda Packet
April 17, 2012 CIty Council Agenda PacketApril 17, 2012 CIty Council Agenda Packet
April 17, 2012 CIty Council Agenda PacketCity of San Angelo Texas
 
Memcached Presentation @757rb
Memcached Presentation @757rbMemcached Presentation @757rb
Memcached Presentation @757rbKen Collins
 
Gerenciamento de Backups PostgreSQL com pgbarman
Gerenciamento de Backups PostgreSQL com pgbarmanGerenciamento de Backups PostgreSQL com pgbarman
Gerenciamento de Backups PostgreSQL com pgbarmanJuliano Atanazio
 
Various hints & tips around Solution Selling (January 2014)
Various hints & tips around Solution Selling (January 2014)Various hints & tips around Solution Selling (January 2014)
Various hints & tips around Solution Selling (January 2014)Eric Van 't Hoff
 

More Related Content

Viewers also liked

Simple Log Analysis and Trending
Simple Log Analysis and TrendingSimple Log Analysis and Trending
Simple Log Analysis and TrendingMike Brittain
 
12-Step Program for Scaling Web Applications on PostgreSQL
12-Step Program for Scaling Web Applications on PostgreSQL12-Step Program for Scaling Web Applications on PostgreSQL
12-Step Program for Scaling Web Applications on PostgreSQLKonstantin Gredeskoul
 
英文 Rc heli
英文 Rc heli英文 Rc heli
英文 Rc helitiffanysrc
 
Scaling Etsy: What Went Wrong, What Went Right
Scaling Etsy: What Went Wrong, What Went RightScaling Etsy: What Went Wrong, What Went Right
Scaling Etsy: What Went Wrong, What Went RightRoss Snyder
 
4000 auto approve wordpress blogs backlink list (pr8-pr1)
4000 auto approve wordpress blogs backlink list (pr8-pr1)4000 auto approve wordpress blogs backlink list (pr8-pr1)
4000 auto approve wordpress blogs backlink list (pr8-pr1)Djuwarsjah Linnus
 
The Evolution Of The Music Industry The Effect Of Technology And Law On Stra...
The Evolution Of The Music Industry The Effect Of Technology And Law On Stra...The Evolution Of The Music Industry The Effect Of Technology And Law On Stra...
The Evolution Of The Music Industry The Effect Of Technology And Law On Stra...Ben Kilmer
 
From Obvious to Ingenius: Incrementally Scaling Web Apps on PostgreSQL
From Obvious to Ingenius: Incrementally Scaling Web Apps on PostgreSQLFrom Obvious to Ingenius: Incrementally Scaling Web Apps on PostgreSQL
From Obvious to Ingenius: Incrementally Scaling Web Apps on PostgreSQLKonstantin Gredeskoul
 
K TO 12 GRADE 7 LEARNING MATERIAL IN EDUKASYON SA PAGPAPAKATAO (Q1-Q2)
K TO 12 GRADE 7 LEARNING MATERIAL IN EDUKASYON SA PAGPAPAKATAO (Q1-Q2)K TO 12 GRADE 7 LEARNING MATERIAL IN EDUKASYON SA PAGPAPAKATAO (Q1-Q2)
K TO 12 GRADE 7 LEARNING MATERIAL IN EDUKASYON SA PAGPAPAKATAO (Q1-Q2)LiGhT ArOhL
 
Etsy Case Study
Etsy Case StudyEtsy Case Study
Etsy Case StudySlideShare
 
88 Gibraltar i-remit collection procedure
88 Gibraltar i-remit collection procedure88 Gibraltar i-remit collection procedure
88 Gibraltar i-remit collection procedure88gibraltar
 
Design for Continuous Experimentation
Design for Continuous ExperimentationDesign for Continuous Experimentation
Design for Continuous ExperimentationDan McKinley
 
Netflix marketing plan
Netflix marketing plan Netflix marketing plan
Netflix marketing plan Evelyne Otto
 

Viewers also liked (18)

PGP for Smarties
PGP for SmartiesPGP for Smarties
PGP for Smarties
 
Marco Hogewoning -XS4all
Marco Hogewoning -XS4allMarco Hogewoning -XS4all
Marco Hogewoning -XS4all
 
Simple Log Analysis and Trending
Simple Log Analysis and TrendingSimple Log Analysis and Trending
Simple Log Analysis and Trending
 
12-Step Program for Scaling Web Applications on PostgreSQL
12-Step Program for Scaling Web Applications on PostgreSQL12-Step Program for Scaling Web Applications on PostgreSQL
12-Step Program for Scaling Web Applications on PostgreSQL
 
Ipv6 basics
Ipv6 basicsIpv6 basics
Ipv6 basics
 
英文 Rc heli
英文 Rc heli英文 Rc heli
英文 Rc heli
 
Scaling postgres
Scaling postgresScaling postgres
Scaling postgres
 
Cybersecurity nl
Cybersecurity nlCybersecurity nl
Cybersecurity nl
 
Scaling Etsy: What Went Wrong, What Went Right
Scaling Etsy: What Went Wrong, What Went RightScaling Etsy: What Went Wrong, What Went Right
Scaling Etsy: What Went Wrong, What Went Right
 
4000 auto approve wordpress blogs backlink list (pr8-pr1)
4000 auto approve wordpress blogs backlink list (pr8-pr1)4000 auto approve wordpress blogs backlink list (pr8-pr1)
4000 auto approve wordpress blogs backlink list (pr8-pr1)
 
The Evolution Of The Music Industry The Effect Of Technology And Law On Stra...
The Evolution Of The Music Industry The Effect Of Technology And Law On Stra...The Evolution Of The Music Industry The Effect Of Technology And Law On Stra...
The Evolution Of The Music Industry The Effect Of Technology And Law On Stra...
 
Talk talk talk 2
Talk talk talk 2Talk talk talk 2
Talk talk talk 2
 
From Obvious to Ingenius: Incrementally Scaling Web Apps on PostgreSQL
From Obvious to Ingenius: Incrementally Scaling Web Apps on PostgreSQLFrom Obvious to Ingenius: Incrementally Scaling Web Apps on PostgreSQL
From Obvious to Ingenius: Incrementally Scaling Web Apps on PostgreSQL
 
K TO 12 GRADE 7 LEARNING MATERIAL IN EDUKASYON SA PAGPAPAKATAO (Q1-Q2)
K TO 12 GRADE 7 LEARNING MATERIAL IN EDUKASYON SA PAGPAPAKATAO (Q1-Q2)K TO 12 GRADE 7 LEARNING MATERIAL IN EDUKASYON SA PAGPAPAKATAO (Q1-Q2)
K TO 12 GRADE 7 LEARNING MATERIAL IN EDUKASYON SA PAGPAPAKATAO (Q1-Q2)
 
Etsy Case Study
Etsy Case StudyEtsy Case Study
Etsy Case Study
 
88 Gibraltar i-remit collection procedure
88 Gibraltar i-remit collection procedure88 Gibraltar i-remit collection procedure
88 Gibraltar i-remit collection procedure
 
Design for Continuous Experimentation
Design for Continuous ExperimentationDesign for Continuous Experimentation
Design for Continuous Experimentation
 
Netflix marketing plan
Netflix marketing plan Netflix marketing plan
Netflix marketing plan
 

More from Jan Schaumann

The Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageThe Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageJan Schaumann
 
Know Your Enemy - An Introduction to Threat Modeling
Know Your Enemy - An Introduction to Threat ModelingKnow Your Enemy - An Introduction to Threat Modeling
Know Your Enemy - An Introduction to Threat ModelingJan Schaumann
 
Crazy Like A Fox - #Infosec Ideas That Just Might Work
Crazy Like A Fox - #Infosec Ideas That Just Might WorkCrazy Like A Fox - #Infosec Ideas That Just Might Work
Crazy Like A Fox - #Infosec Ideas That Just Might WorkJan Schaumann
 
It's the people, stupid.
It's the people, stupid.It's the people, stupid.
It's the people, stupid.Jan Schaumann
 
Semper Ubi Sub Ubi - Things They Don't Teach You In School
Semper Ubi Sub Ubi - Things They Don't Teach You In SchoolSemper Ubi Sub Ubi - Things They Don't Teach You In School
Semper Ubi Sub Ubi - Things They Don't Teach You In SchoolJan Schaumann
 
Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)Jan Schaumann
 
Primum non nocere - Ethical Obligations in Internet Operations
Primum non nocere - Ethical Obligations in Internet OperationsPrimum non nocere - Ethical Obligations in Internet Operations
Primum non nocere - Ethical Obligations in Internet OperationsJan Schaumann
 
Protecting Data in Untrusted Locations
Protecting Data in Untrusted LocationsProtecting Data in Untrusted Locations
Protecting Data in Untrusted LocationsJan Schaumann
 
Headless Host Scanning
Headless Host ScanningHeadless Host Scanning
Headless Host ScanningJan Schaumann
 
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load BalancingL3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load BalancingJan Schaumann
 
Building better tools
Building better toolsBuilding better tools
Building better toolsJan Schaumann
 

More from Jan Schaumann (15)

The Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageThe Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS Baggage
 
OpSec101
OpSec101OpSec101
OpSec101
 
Know Your Enemy - An Introduction to Threat Modeling
Know Your Enemy - An Introduction to Threat ModelingKnow Your Enemy - An Introduction to Threat Modeling
Know Your Enemy - An Introduction to Threat Modeling
 
Crazy Like A Fox - #Infosec Ideas That Just Might Work
Crazy Like A Fox - #Infosec Ideas That Just Might WorkCrazy Like A Fox - #Infosec Ideas That Just Might Work
Crazy Like A Fox - #Infosec Ideas That Just Might Work
 
It's the people, stupid.
It's the people, stupid.It's the people, stupid.
It's the people, stupid.
 
Semper Ubi Sub Ubi - Things They Don't Teach You In School
Semper Ubi Sub Ubi - Things They Don't Teach You In SchoolSemper Ubi Sub Ubi - Things They Don't Teach You In School
Semper Ubi Sub Ubi - Things They Don't Teach You In School
 
Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)
 
Defense at Scale
Defense at ScaleDefense at Scale
Defense at Scale
 
Primum non nocere - Ethical Obligations in Internet Operations
Primum non nocere - Ethical Obligations in Internet OperationsPrimum non nocere - Ethical Obligations in Internet Operations
Primum non nocere - Ethical Obligations in Internet Operations
 
Protecting Data in Untrusted Locations
Protecting Data in Untrusted LocationsProtecting Data in Untrusted Locations
Protecting Data in Untrusted Locations
 
Headless Host Scanning
Headless Host ScanningHeadless Host Scanning
Headless Host Scanning
 
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load BalancingL3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing
 
Building better tools
Building better toolsBuilding better tools
Building better tools
 
Useless use of *
Useless use of *Useless use of *
Useless use of *
 
DST @ Yahoo!
DST @ Yahoo!DST @ Yahoo!
DST @ Yahoo!
 

Recently uploaded

Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Français Patch Tuesday - Avril
Français Patch Tuesday - AvrilFrançais Patch Tuesday - Avril
Français Patch Tuesday - AvrilIvanti
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 

Recently uploaded (20)

Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Français Patch Tuesday - Avril
Français Patch Tuesday - AvrilFrançais Patch Tuesday - Avril
Français Patch Tuesday - Avril
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 

Safely Drinking from the Data Waterhose

  • 1. Safely Drinking From The Fire Hose @jschauma Jan Schaumann Señor Network Security Engineer jschauma@etsy.com B60D A9F7 0D89 544A 7995 7D25 5A5B 4375 275F 0BB5
  • 2. I <3 logs! @jschauma web logs mail logs system logs vpn logs 2 08/28/12
  • 3. Log Bongzilla, aka Splunk @jschauma Logs go in… Is this how Octocat came to be? ts come ler out ri ty a secu 2 08/28/12
  • 4. Splunk Alerts FTW! @jschauma YO DAWG, I HERD YOU LIKE LOGS SO I PUT SOME LOGS IN YOUR LOGS SO YOU CAN SPLUNK WHILE YOU SPLUNK 2 08/28/12
  • 5. sudo make me a sandwich @jschauma 2 08/28/12
  • 6. Know your patterns. @jschauma VPN Connections July 4th was a Wednesday People making up for People slacking off early last week? on a Friday, eh? 5 08/28/12
  • 8. XSS detection @jschauma Announcement of Bug Bounty program: http://is.gd/UTZ5wD code push to address reported vulnerabilities 6 08/28/12
  • 9. Geolocate all the things! @jschauma 3 08/28/12
  • 10. XSS detection @jschauma IP : 79.182.16.1 - bzq-79-182-16-1.red.bezeqint.net Geolocation : Even Yehuda, 02, IL Whois : *SE4-DRP*, RIPE, BEZEQINT-BROADBAND Requests : 146 Method : GET URL : /suggest_username.php?first-name=test&last-name= onerror%3Dalert(0)%3E&email=shai%40exploit.co.il 13 minutes after we announced our security bug bounty program http://is.gd/UTZ5wD Method : POST URL : /your/profile Data : u'fb_avatar_url=&gender=female&city3=&new_city= "><img src=x onerror=prompt(1);>&new_region=&new_countrycode= &new_latlon=,&city3_dup="><img src=x’ […] 6 08/28/12
  • 11. SQLi detection @jschauma IP : 216.185.114.219 – unknown Geolocation : Jurong East, 00, SG Whois : ThePlanet.com Internet Services, Inc., ARIN, NET216 Requests : 20 Method : GET URL : /listing/102946830/womens-shirt-beige-tunic-womens- blouse?ref=999999.9%27+union+all+select+0x313032353438303035 36%2C0x31303235343830303536%2C0x31303235343830303536 %2C0x31303235343830303536%2C0x31303235343830303536%2 C0x31303235343830303536%2C0x31303235343830303536%2C0 x31303235343830303536%2C0x31303235343830303536%2C0x31 830303536%2C0x31303235343830303536%2C0x31303235343830 303536%2C0x31303235343830303536%2C0x31303235343830303 536+and+%27x%27%3D%27x Method : GET URL : /category/furniture?page=499999%27%20union%20 select%20unhex(hex(version()))%20 […] 6 08/28/12
  • 12. Know when people can’t log in… @jschauma 2 08/28/12
  • 13. High number of failed logins @jschauma Admin : <username> (<internal login>, <site login>) IP : 64.124.192.210 - 64.124.192.210.t01419-07.above.net Geolocation : Brooklyn, NY, US Whois : ETSY Inc, ARIN, NET64 # of failed logins : 13 doesn’t know what he’s doing; do not trust! Admin : jschauma (jschauma, jschauma) IP : 207.38.139.33 - 207-38-139-33.c3-0.avec-ubr2.nyr- avec.ny.cable.rcn.com Geolocation : New York, United States Whois : RCN Corporation, ARIN, NET207 # of failed logins : 16 6 08/28/12
  • 14. Geolocate all the things! @jschauma 4 08/28/12
  • 15. “Unexpected” login detection @jschauma Admin : <username> (<internal login>, <site login>) IP : 83.160.48.31 - a83-160-48-31.adsl.xs4all.nl Geolocation : Rotterdam, 11, NL Whois : XS4ALL Internet BV, RIPE, DEMON-NL-DSL Admin : <username> (<internal login>, <site login>) IP : 217.192.56.102 – unknown Geolocation : Zurich, 25, CH Whois : The Hub Zuerich Assoc., RIPE, THE-HUB-ZUERICH-NET Admin : <username> (<internal login>, <site login>) IP : 24.231.49.240 - unknown Geolocation : Nassau, 23, BS Whois : Cable Bahamas, ARIN, CABLEBAHAMAS-NET Admin : <username> (<internal login>, <site login>) IP : 200.49.191.120 - map120.network49.191.tigo.net.gt Geolocation : Guatemala City, 07, GT Whois : COMCEL GUATEMALA S.A., LACNIC 6 08/28/12
  • 16. I said: “Please insert girder!” @jschauma
  • 17. Identify scrapers. @jschauma Admin : <username> (<internal login>, <site login>) IP : 50.17.73.70 - ec2-50-17-73-70.compute-1.amazonaws.com Geolocation : Ashburn, VA, US Whois : Amazon.com, Inc., ARIN, NET50 Provider : Amazon AWS Count :7 Admin : <username> (<internal login>, <site login>) IP : 207.228.237.110 – unknown Geolocation : New York, NY, US Whois : HopOne Internet Corporation, ARIN, NET207 Provider : HopOne Count :1 6 08/28/12
  • 18. Re-re-re-re-re-CAPTCHA @jschauma source=”info.log" reCAPTCHA status="incorrect" | transaction ip | where eventcount > 50 | table ip,eventcount | sort -eventcount 6 08/28/12
  • 19. Of Liars and Outliers (good book, btw) @jschauma wtf happened here? Ooh, right… this: http://is.gd/fognju http://is.gd/0hRDLY http://is.gd/WxcA0r 6 08/28/12
  • 20. This talk was too long! @jschauma Log it now, log it all. Geolocate all the things. Build profiles. (Creepy, I know.) Reduce false positives. (Whitelists!) Have defined reactions to all alerts. Notice the outliers. Explain them. That’s all, folks! Thanks! 2 08/28/12