2nd Annual SuriCon Agenda

Wednesday, November 9

Ron is the Chairman of the Board of Tenable Network Security and a recognized leader in cybersecurity.

Victor is one of the founders of OISF and a member of its Core Team.

ABSTRACT: Any network security administrator knows how difficult it is to keep the pesky network admins from removing network taps, or routing the traffic around monitoring systems. In many cases, it’s easy to spot, since all the traffic might disappear. However, many large networks have the difficulty of segmented, low traffic or backup links that are difficult to monitor when they go down. Additionally, problems with asynchronous routing or physical issues might lead to only a single side of a connection being seen. This talk will go over techniques for monitoring these links and tools to help a security engineer ensure they have full visibility into the segments they are expecting to have visibility into.

ABSTRACT: This talk will concentrate on advanced Suricata performance tuning techniques and considerations involving NUMA, NUMA crosstalk, Hyper-Threading, CPU affinity, Intel x520 and x710 NICs, RSS, AF_PACKET v2 and v3, the newly introduced Bypass feature in Suricata, and their performance impact.

Grab a bite and network with your fellow attendees.

ABSTRACT: Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It started in 2008 and integrated Suricata in 2010. Since that time, we’ve enjoyed a strong partnership between our communities and have worked together to peel back the layers of networks and make our adversaries cry. In this talk, we’ll demonstrate the current integration of Suricata in Security Onion and discuss what the future may hold.

ABSTRACT: The aim of the presentation is to introduce the audience to MISP and how it can be used to build, consume and collaborate on protective measures. Topics covered will include some very basic fundamentals of MISP usage, including the means of creating, consolidating, collaborating on and sharing indicators, as well as exploiting the collective data set of the community. This will include creating specific filter rules for automation and feeding protective devices using, amongst others, Suricata rules. Additional focus will be given to the feedback loop that allows users (network administrators, engineers) to report sightings caught, for example, in their IDSes. Since MISP is a community-driven project, it is also planned to collect feedback and ideas from the attendees to further improve the platform.

ABSTRACT: What’s the value of an IDS to industrial control system networks? This presentation will give one answer in terms of a distributed cybersecurity tool intended to detect rogue control actions, malicious or otherwise, built on top of and enabled by Suricata. Our answer will touch upon specific features of control system networks as well as extensible open source software and how such software supports innovation in control system cybersecurity.

ABSTRACT: ISLET (Isolated, Scalable, & Lightweight Environment for Training) is a system that streamlines Linux-based software training for IT events. It’s been used by the Suricata team, Bro team, University of Illinois, and more. It minimizes the participation barrier to that of an SSH client and uses Linux containers to provide students with isolated environments from which they can perform work. This talk will discuss ISLET, the problems it solves, a technical overview of Linux containers, how it was used for Suricata training, and includes a live demonstration of standing up a brand new ISLET system in under 10 minutes.

ABSTRACT: Network Intrusion Detection Systems are commonly used to monitor network activities. These systems are by definition particularly exposed to malicious traffic and can themselves be targeted by attacks. This presentation will give an overview of how to harden these tools from a global perspective, using OS features, system configuration, and secure parsers.

ABSTRACT: The cyber-physical landscape is changing, bringing more and more closed and even ancient systems onto the Internet. Industrial Control Systems constitute a fully new attack surface with a unique set of concerns and principles, challenging traditional IT technology in general and security in particular. New ways of thinking about endpoints, the network, applications, and protocols must be considered. Creatively applied, Suricata is in a strong position to provide advanced threat detection in these environments. We will discuss challenges and opportunities related to industrial control systems, signatures, bandwidth, processing power, and network topologies.

ABSTRACT: Suricata is a modern and powerful IDS/IPS engine that supports the popular Snort rule syntax. However, there are important differences in how the Suricata and Snort engines work, in their capabilities, and in how rules are interpreted and applied. This presentation is intended to highlight the major differences between Snort and Suricata that the rule writer needs to be aware of and consider when converting Snort rules to Suricata and/or writing Suricata rules. Topics covered will include syntax variation, behavioral differences, capability distinctions, and performance considerations. The target audience is people who are familiar with the Snort engine and rules and who want to craft superlative rules for Suricata.

Telesoft will be hosting a wine reception at the British Embassy, located at 3100 Massachusetts Avenue, NW, Washington, DC. All conference attendees are automatically registered for the reception. Please note: photo ID will be required.

Thursday, November 10

Kelley is the Executive Director of OISF and a member of its Core Team.

ABSTRACT: The Hyperscan regular expression pattern matcher is now a fully supported matching option in Suricata. In this presentation, we will share what we have learned – both the successes and the areas where Hyperscan delivers no real benefit. We will discuss the future of the Hyperscan integration into Suricata – we are starting to reach the limits of what can be achieved by simply dropping in Hyperscan to replace Suricata matching components one by one.

ABSTRACT: We will have a deep dive into what a highly diversified organization like Mozilla does with the alerts we receive from Suricata. Our ruleset of choice is Emerging Threats; we also write rules for our needs, and we share them. By the end of this talk, you will learn some strategies – how to tune the ruleset, how to minimize the amount of false positives and what they might be telling you, and how we use our alerts. I’d also like to talk about the hot topic of Indicators of Compromise. How do we use them? What kinds of IOCs are more useful, and when? Why has everyone started selling IOCs, and what is the outcome for the infosec industry?

Eat and connect.

Eric is a programmer and a member of OISF’s Core Team.

ABSTRACT: Are you interested in learning how to apply data science to Suricata and improve your security posture? This talk will cover how to apply statistical analysis and machine learning to Suricata logs to find anomalous behavior and hunt for bad actors. We will demystify difficult data science concepts and show how to apply them to your environment to rapidly gain insights. Attendees will learn new techniques to find threats, make use of threat intelligence for alerting, and learn from attacks.

ABSTRACT: Suricata and other network intrusion detection systems (NIDS) already provide an effective means for reassembling objects transferred across the network, but NIDS should not be the ultimate solution for object analysis. Several file-based intrusion detection systems effectively perform recursive object analysis at scale today. As malicious content delivery evolves from a network-centric to a file-centric approach, there is a need for NIDS to provide a flexible and efficient interface to offload the analysis of file objects. This discussion will demonstrate how Suricata can leverage the existing file and certificate extraction framework to send objects and metadata to the Laika BOSS object scanning system for analysis. The discussion will conclude by covering how the combination of Suricata and a file-based intrusion detection system such as Laika BOSS leverages the best of both capabilities and ultimately improves overall security posture.

ABSTRACT: This presentation will begin with a summary of the last twenty years of Internet security, including a retrospective of the early days of firewalls, perimeter security and intrusion detection at Bell Labs. Suricata will be introduced in context as an effective critical security control, providing metrics for an organization’s defense-in-depth deployment. Other topics will include performance tuning for 10-100 Gbit deployments, managing large rulesets, high-volume alert analytics and detection of “zero day” malware and APT events.

ABSTRACT: Harnessing the power of distributed communities worldwide to improve and create state of the art software for cyber security.

Wrap-up of the first two days of the conference

Friday, November 11

A working meeting of the OISF Dev Team and the Community