A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Applied Detection and Analysis Using Flow Data - (BSides Nashville 2015) (Hacking Illustrated Series InfoSec Tutorial Videos)

Applied Detection and Analysis Using Flow Data

Jason A. Smith

BSides Nashville 2015

While network flow data isn't a new concept, it is easily one of the most powerful data types you can have in your arsenal as a network defender. It is incredibly low overhead, easy to setup and maintain, and provides tremendously flexible capabilities for network security monitoring (NSM) detection and analysis. In this presentation, we will take a look at flow data from the perspective of the NSM analyst. To begin, we will harness the power of statistics to demonstrate how flow data can be used for detecting both structured and unstructured threats using techniques that go beyond simple signature matching. Next, I will discuss the concept of friendly intelligence and how flow data can be used to profile devices on your network so you can understand what normal communication looks like. Finally, I will describe how flow data can be used to augment the analysis of network security events that are detected by other mechanisms. During this presentation, I will also demonstrate FlowPlotter, an open source tool I've developed to aide in visualizing flow data for detection and analysis. I'll also introduce and demonstrate FlowBAT, a graphical flow-based analysis tool that Chris Sanders and I developed to break the significant barrier of entry into Flow Analysis. Every concept I discuss in this presentation will be demonstrated with practical, real-world scenarios complete with real data using the SiLK toolset. You will leave this talk with techniques you can apply to your network immediately with incredibly low overhead and high impact, and scripts to get everything running in minutes.

Bio: Jason A. Smith Twitter: @automayt appliednsm.com flowbat.com

 Jason Smith is an intrusion detection analyst by day and junkyard engineer by night. Originally from Bowling Green, Kentucky, Jason started his career mining large data sets and performing finite element analysis as a budding physicist. By dumb luck, his love for data mining led him to information security and network security monitoring where he took up a fascination with data manipulation and automation. Jason is the co-author of Applied Network Security Monitoring, creator of FlowPlotter, and co-developer of FlowBAT. Jason has a long history of assisting state and federal agencies with hardening their defensive perimeters and currently works as a Security Engineer with Mandiant. As part of his development work, he has created several open source projects, many of which have become best-practice tools for the DISA CNDSP program.

Back to BSides Nashville 2015 list

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast