Enterprise Network Security at the Black Hat 2017 NOC

Aug 09, 2017 | by Eric Partington

Standing up a complete enterprise Network Operations Center (NOC) in two days is no small feat, but doing so for one of the biggest security conferences – Black Hat 2017 - is truly daunting.  But it’s not just setup, it’s also running the NOC and giving tours. Providing unified log management, network capture and dashboarding for the many tours and media events is an involved process putting analysts’ skill to the test.  Creativity is required … appliances but no rack? No problem! Moving carts work just fine in a pinch.

One of the most critical aspects to the NOC analysts’ role is the ability to see across and into the network. The RSA NetWitness® Suite is perfectly suited to provide the combined visibility of network packet capture with centralized logging for switches, firewalls, wireless controllers, RSA SecurID® Access and wireless management as well as malware analysis.   

Working with new workflows for log management and an updated version of our ESI log parsing tool enabled custom parsers (Figure 1) to be quickly developed and deployed to accommodate subtleties in the hardware, giving the NOC staff complete visibility into the Black Hat 2017 conference network traffic (Figure 2).

Figure 1. Custom parsing

Figure 2. Network traffic event summary

There is no inline decryption at Black Hat, resulting in limited visibility into SSL traffic. The task then becomes… what other metadata do we have on this session to make investigation easier? Do we have packet data? Odd certificates, threat data or traffic patterns? Do we have logs from the Palo Alto Networks firewalls, or any indications from RGNet’s controllers, that anything unusual is occurring?  Do we know anything about the source or destination subnet? Is it a classroom, public Wi-Fi, or management network?  The analysts leverage as many potential indicators to gain a complete picture on an event before making a determination.  Sounds like any other day in an enterprise NOC, except this one is stood up and torn down inside seven days.

Working in a NOC where timelines are crunched and operational problems get addressed in real-time, challenges the best analysts.  Need a mapping for classroom networks to assigned CIDR blocks? Feed creation time.  Need to map VLANS to classroom course names? Custom log parser and Feed time.  New code from another vendor that updated the logging format? ESI Tool time.  All fun challenges with the end goal of providing as much detail to the Black Hat NOC management as possible to ensure a secure and stable network for all attendees.

Author: Eric Partington

Category: RSA Fundamentals

Keywords: Black Hat NOC, Network Monitoring, RSA NetWitness Suite