Standing up a complete enterprise Network Operations Center (NOC) in two days is no small feat, but doing so for one of the biggest security conferences – Black Hat 2017 – is truly daunting. And the job is not just setup: it also means running the NOC and giving tours. Providing unified log management, network capture and dashboarding for the many tours and media events is an involved process that puts the analysts' skills to the test. Creativity is required … appliances but no rack? No problem! Moving carts work just fine in a pinch.
One of the most critical aspects of the NOC analysts' role is the ability to see across and into the network. The RSA NetWitness® Suite is well suited to provide that combined visibility: network packet capture alongside centralized logging for switches, firewalls, wireless controllers, wireless management and RSA SecurID® Access, plus malware analysis.
Working with new workflows for log management and an updated version of our ESI log parsing tool enabled custom parsers (Figure 1) to be quickly developed and deployed to accommodate subtleties in the hardware, giving the NOC staff complete visibility into the Black Hat 2017 conference network traffic (Figure 2).
Figure 1. Custom parsing
Figure 2. Network traffic event summary
There is no inline decryption at Black Hat, so visibility into SSL/TLS traffic is limited to what can be observed without the plaintext. The task then becomes: what other metadata do we have on this session to make investigation easier? Do we have packet data? Odd certificates, threat data or traffic patterns?
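Even without decryption, the unencrypted TLS ClientHello carries useful metadata: the SNI host name, the offered cipher suites, extensions, groups and point formats (the fields the JA3 fingerprint is built from). The following is an added example, not code from the original post or from RSA NetWitness: it builds a constructed ClientHello record (not a capture from the conference network), parses the fields a NOC analyst would pivot on, computes the JA3 string and hash, and applies a few illustrative triage heuristics. The weak-cipher list and the heuristics are assumptions chosen for the example, not a NetWitness rule set.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random filler; JA3 strips them so they do not
# perturb the fingerprint: 0x0a0a, 0x1a1a, ... 0xfafa.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

# Example set of cipher suites an analyst would not expect from a modern client
# (RC4-MD5, RC4-SHA, 3DES). Assumption for the example, not an exhaustive list.
WEAK_CIPHERS = {0x0004, 0x0005, 0x000A}


def _u16(v):
    return struct.pack("!H", v)


def build_client_hello(sni, ciphers, groups, point_formats, versions):
    """Construct a TLS 1.2-framed ClientHello record with the given fields.

    Used only to produce constructed sample input for the parser below."""
    def vec(items):
        return b"".join(_u16(v) for v in items)

    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        name = b"\x00" + _u16(len(host)) + host          # name_type 0 = host_name
        data = _u16(len(name)) + name
        exts += _u16(0) + _u16(len(data)) + data           # server_name (0)
    data = _u16(len(groups) * 2) + vec(groups)
    exts += _u16(10) + _u16(len(data)) + data              # supported_groups (10)
    data = bytes([len(point_formats)]) + bytes(point_formats)
    exts += _u16(11) + _u16(len(data)) + data              # ec_point_formats (11)
    data = bytes([len(versions) * 2]) + vec(versions)
    exts += _u16(43) + _u16(len(data)) + data              # supported_versions (43)

    body = (_u16(0x0303) + bytes(32) + b"\x00"             # version, random, empty session id
            + _u16(len(ciphers) * 2) + vec(ciphers)
            + b"\x01\x00"                                  # one compression method: null
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the metadata fields visible in a ClientHello without decryption."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 34                                               # skip version + 32-byte random
    pos += 1 + body[pos]                                   # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                   # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "groups": [], "point_formats": [], "versions": [], "sni": None}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        info["extensions"].append(etype)
        if etype == 0 and len(data) >= 5:                  # server_name: list len, type, name len, name
            nlen = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + nlen].decode("ascii", "replace")
        elif etype == 10:
            glen = struct.unpack("!H", data[:2])[0]
            info["groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + glen, 2)]
        elif etype == 11:
            info["point_formats"] = list(data[1:1 + data[0]])
        elif etype == 43:
            info["versions"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return info


def ja3(info):
    """JA3: version,ciphers,extensions,groups,point_formats as decimals, GREASE removed."""
    def join(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(info["version"]), join(info["ciphers"]), join(info["extensions"]),
                  join(info["groups"]), join(info["point_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def triage(info):
    """Illustrative heuristics an analyst might apply when no plaintext is available."""
    findings = []
    if info["sni"] is None:
        findings.append("no SNI: destination host not visible from the ClientHello")
    elif all(c.isdigit() or c == "." for c in info["sni"]):
        findings.append("SNI is an IP literal rather than a host name")
    weak = sorted(c for c in info["ciphers"] if c in WEAK_CIPHERS)
    if weak:
        findings.append("offers weak cipher suites: " + ", ".join(hex(c) for c in weak))
    return findings


# Constructed sample: a browser-like ClientHello with a leading GREASE cipher.
SAMPLE_CLIENT_HELLO = build_client_hello(
    sni="example.com",
    ciphers=[0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F, 0x002F],
    groups=[0x001D, 0x0017, 0x0018], point_formats=[0], versions=[0x0304, 0x0303])

if __name__ == "__main__":
    info = parse_client_hello(SAMPLE_CLIENT_HELLO)
    print("SNI:", info["sni"])
    print("JA3:", *ja3(info))
    print("findings:", triage(info))
```

The JA3 hash is only useful when compared against a known-client list, so the string form is kept alongside it: two clients that differ only in a GREASE value still produce the same fingerprint, while a tool that hard-codes its cipher list will stand out from the browsers on the conference network.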
*** This is a Security Bloggers Network syndicated blog from Speaking of Security – The RSA Blog authored by Eric Partington. Read the original post at: https://blogs.rsa.com/enterprise-network-security-at-the-black-hat-2017-noc/