Nicholas Sheridan

General Query about Analysing Behaviour and Mitigation

Discussion created by Nicholas Sheridan on Dec 9, 2018
Latest reply on Dec 9, 2018 by Dameon Welch-Abernathy

Hi forum!

 

I recently installed with the help of a consultant some cloudguard firewalls.  As a side effect of my deployment we needed to integrate remote access with OSX clients, and apparently needed to permit http and https from everywhere to the firewalls IP address - apparently related to the remote access blade and supporting OSX.  So we moved the gaia managment ports to an alternative port and controlled access to that, which made sense.  Now I see an awful lot of IPS events, which I feel (rightly or wrongly) may be unneccesary as the IPS blade is processing these events; that is prior to this change in configuration a packet directed to the firewalls IP address on http or https would have been a simple packet drop.  I am worried this is causing unneccesary work for the firewall.  We are beginning to integrate the firewall logs into elastic, and I will shortly start parsing the events into a structured format with grok and applying machine learning to work out outliers, and superflous events and so on (I have yet to understand the stucture of the logs yet).   Assuming the machine learning is sufficiently accurate, I was then considering integrating into event management, which probably at this point would integrate with the API to do something basic like create an object and add it to an object groupby passing the source IP into a simple python script - which seems a simple task as I have used this to configure the firewall to begin with.  The implications of this seem extremely useful, as depending on how the object group is used within the policy this could be very effective - and might be helpful for working uncovering targeted attacks which I worry about most.  

 

I was wondering if this is a already a canned configuration best practice and I might be trying to 'reinvent the wheel'.  Anyone done anything similiar?  On one hand I think I could apply a policy that removes IPS from these http and https ingress packets from the blade, but on the other I think - this demonstrates ominous activitiy from particular hosts which may be better learned then moved to a standard packet drop in the firewall policy and discarded.  I was thinking of having a rule containing an empty group that has hosts added to it automatically - so nothing particulary complex.  I'm interested in anyones opinion on this as I am concerned I may be over-engineering, but consolidation into elastic and machine learning was part of the plan so it's not too far a cry from what was planned; only the event management was the extra widget I am now considering to introduce.  Kibana makes all the data very accessible for managers who can see what is happening with out any of the technical team having to spend to much time explaining the mechanics of what is going on, and the technical team can iteratively review the trends and do a common sense 'human check' which is what we are better at I think.

 

I appreciate this may become complex, and I am worried about solving one management problem and creating another, but I am also congnisant of being able to cross reference behaviour on different systems and gain confidence by log aggregation.  This struck me as an interesting use case of applying data learned and combining it into readily availble APIs.

 

Thanks

Outcomes