Published by Irene Montgomery. Modified over 9 years ago.
Slide 1: Scanners
- Inventory all machines on site (12,000+) using an nmap farm
- All machines are scanned, usually twice a day
- Find critical vulnerabilities and issue network blocks
- Nessus
- Homegrown tools
Slide 2: IDS
- Bro cluster on 10-gigabit SPAN ports
- Snort on a 1-gigabit switch
- Only selected signatures are enabled in Snort because of scalability and false-positive issues
- State-based detection is more attractive than signature-based detection
Slide 3: Signature-based IDS
- Used for point solutions
- Simply not terribly effective at Fermi
- Question: How would you operate in an ISP's environment? Answer: Umm... :-)
Slide 4: State-based IDS
- Used for "everything else"
- Example: alert if an HTTP connection to this server is followed by a GET of a non-PHP file, followed by an outbound SSH connection, all within a short time frame
- A signature-based IDS cannot do this
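As an added illustration (not part of the presentation, and not Fermi's or Bro's code), the following Python correlator implements the slide's three-step rule over constructed events. The watched server address, the 60-second window, and the event format are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed address of the monitored web server and "short time frame" length.
WATCHED_SERVER = "192.0.2.10"
WINDOW = 60.0

@dataclass
class HostState:
    """Partial-match state kept per source host (this is what a signature cannot do)."""
    conn_time: Optional[float] = None   # when the host connected to the watched server
    get_time: Optional[float] = None    # when it fetched a non-PHP file afterwards

def correlate(events, server=WATCHED_SERVER, window=WINDOW):
    """Return (timestamp, source_ip) for each host completing the sequence
    http_conn(server) -> http_get(non-PHP) -> ssh_out, all within `window`."""
    state: dict[str, HostState] = {}
    alerts = []
    for ts, src, kind, detail in events:
        hs = state.setdefault(src, HostState())
        # Expire stale partial matches so an old connection cannot pair with new events.
        if hs.conn_time is not None and ts - hs.conn_time > window:
            state[src] = hs = HostState()
        if kind == "http_conn" and detail == server:
            hs.conn_time, hs.get_time = ts, None          # step 1 observed
        elif kind == "http_get" and hs.conn_time is not None:
            if not detail.lower().endswith(".php"):
                hs.get_time = ts                           # step 2 observed
        elif kind == "ssh_out" and hs.get_time is not None:
            alerts.append((ts, src))                       # step 3: full sequence fired
            state[src] = HostState()                       # reset after alerting
    return alerts

# Constructed sample events: (timestamp_seconds, source_ip, kind, detail).
SAMPLE_EVENTS = [
    (100.0, "10.0.0.5", "http_conn", "192.0.2.10"),
    (101.0, "10.0.0.5", "http_get", "/index.php"),       # PHP: does not count as step 2
    (102.0, "10.0.0.5", "http_get", "/files/report.pdf"),  # non-PHP file: step 2
    (110.0, "10.0.0.5", "ssh_out", "198.51.100.7"),      # within window: alert
    (200.0, "10.0.0.6", "http_conn", "192.0.2.10"),
    (201.0, "10.0.0.6", "http_get", "/readme.txt"),
    (400.0, "10.0.0.6", "ssh_out", "198.51.100.8"),      # too late: state expired, no alert
    (500.0, "10.0.0.7", "http_get", "/a.txt"),           # no prior connection: ignored
    (501.0, "10.0.0.7", "ssh_out", "198.51.100.9"),      # no alert
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # [(110.0, '10.0.0.5')]
```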
Slide 5: Netflow
- Real-time collection of netflow
- Real-time DNS name resolution of all IPs
- Historical searches through netflow during incidents
- Searches done via Splunk
Slide 6: Netflow
- Primarily used for incident response
- Valuable for telling who a bad guy talked to
- Tells us whether we need to investigate further and, if so, how much further
Slide 7: Log collection
- Collecting from 189 hosts
- 13 billion log entries, and growing, are searchable
- ~37.3 Gig a day intake
- Will be pushing 60 Gig a day with netflow
Slide 8: Log collection
- Central syslog-ng available to all machines
- Collection of central web logs
- Searches via Splunk
- Integration of search into the enterprise programming API (CST API)
Slide 9: Darknets and Tarpits
- Monitoring all unallocated address space in the class B
- Valuable for detecting worms and software misconfiguration
- If it touches these networks, it is suspect
Slide 10: Scanners
Slide 11: Log collection