Network Security Monitoring (NSM) in large enterprise environments offers many interesting technical challenges. In our talk, we present typical challenges from our experience running a large (>80 sensors), distributed (15 countries), high-performance (up to >10 Gbit/s per sensor) NSM setup in heterogeneous customer networks – and how we solved them. This includes, but is not limited to, aspects of hardware selection, performance issues and deployment of sensors. We also present examples of how the data generated by this system can be used in downstream analyses, both to passively gather knowledge about the network and to support analysts in security incident reporting and hunting.
Sascha Steinbiss has a background in bioinformatics, efficient string algorithms and genome annotation. After several years of using his skills to analyze pathogen genomes, he decided in 2016 to focus on a different kind of threat. Now his work revolves around building and running the network security monitoring infrastructure that forms the basis of DCSO’s Threat Detection and Hunting service. Sascha has been active in the open source software community for more than a decade, having authored various software tools in support of the Suricata IDS as well as parts of Suricata itself (e.g. protocol parsers). He is also a Debian Developer and one of the maintainers of Suricata and its ecosystem in Debian.
Andreas Herz is a software developer with a focus on open source and security related projects. He’s working in the open source community for over fifteen years and specialized in Networking, Linux and High-Performance. He’s part of the DCSO NOC team working on network security infrastructure as well as a OISF core team member working on the Suricata project.