Yves Desharnais



Yves B. Desharnais is an independent IT, Information Security, and PCI DSS Subject Matter Expert with over 15 years of professional experience. His work has taken him to Europe, Canada, Mexico and the United States.

Yves was previously certified as a QSA and currently holds the PCIP (PCI Professional) and CISSP (Certified Information Systems Security Professional) certifications. He is the author of a book series on PCI DSS, including the physical version called PCI DSS Made Easy (www.PCIResources.com).

Yves received his bachelor's degree in Computer Engineering from the Universite de Sherbrooke and his Master of Business Administration (MBA) from the University of Notre Dame.


Topic: Using Netflow & Open Source Tools for Network Behavioral Analysis

What really goes on in your network? Most current IDS (or IPS) solutions look at abnormal behavior, which is the equivalent of signature-based malware analysis; but what counts as legitimate behavior depends on each organization's business processes, applications (many homegrown), systems, and network configurations. In addition, most organizations lack detailed and/or updated data flow information describing which operations are legitimate. The Cisco Netflow protocol (and the IPFIX IETF standard, also known as Netflow v10) can provide a more efficient way of doing this traffic identification, or the work of a NIDS, than using span ports.

In this talk, we will explain what the Netflow protocol is and how it works. We will then show you how to use open source tools (fluentd, nmap, etc.) to parse this data flow information and create a comparison engine that will match network traffic to defined rules (the expected baseline). There are many potential uses for such a technological implementation: to create a simple Network IDS, to identify traffic, to create firewall rules, and to identify environment scope (useful for PCI DSS, but for other purposes as well), especially when application documentation is lacking.
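The comparison engine described above, as an added illustration that is not code from the talk or its released demo: it assumes a collector (such as a fluentd pipeline) has already exported and flattened flow records into a simple constructed CSV layout, and checks each flow against a list of expected-baseline rules. Flows no rule explains are the NIDS alerts; flows a rule does explain feed the scope-identification step; and the unexplained flows are aggregated so an analyst can decide whether each one is a missing baseline rule (a future firewall rule) or something to investigate. The three-tier baseline and all sample flows are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (the key fields NetFlow v5/v9 and IPFIX export)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    octets: int


@dataclass(frozen=True)
class Rule:
    """One expected-baseline rule: who may talk to whom, on which destination ports."""
    name: str
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: str
    ports: Tuple[int, int]   # inclusive destination-port range

    def matches(self, flow: Flow) -> bool:
        lo, hi = self.ports
        return (flow.proto == self.proto
                and lo <= flow.dport <= hi
                and ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst))


# Hypothetical baseline for a three-tier environment (constructed for this example).
BASELINE: List[Rule] = [
    Rule("web-to-app", "10.1.1.0/24", "10.2.2.0/24", "tcp", (8443, 8443)),
    Rule("app-to-db", "10.2.2.0/24", "10.3.3.0/24", "tcp", (5432, 5432)),
    Rule("internal-dns", "10.0.0.0/8", "10.0.0.0/24", "udp", (53, 53)),
]


def parse_flow(line: str) -> Flow:
    """Parse a collector-flattened record 'src,dst,proto,dport,octets'.
    This CSV layout is constructed for the example; it is not a NetFlow wire format."""
    src, dst, proto, dport, octets = [f.strip() for f in line.split(",")]
    return Flow(src, dst, proto.lower(), int(dport), int(octets))


def compare(flows, rules):
    """Match every flow against the baseline; the first matching rule wins.
    Returns (matched, unmatched): matched maps rule name -> flows it explained,
    unmatched lists flows that no rule explains (the alerts)."""
    matched: Dict[str, List[Flow]] = {r.name: [] for r in rules}
    unmatched: List[Flow] = []
    for flow in flows:
        for rule in rules:
            if rule.matches(flow):
                matched[rule.name].append(flow)
                break
        else:
            unmatched.append(flow)
    return matched, unmatched


def scope_hosts(matched, rule_names):
    """Hosts seen in flows explained by the named rules: a candidate scope set."""
    hosts = set()
    for name in rule_names:
        for flow in matched.get(name, []):
            hosts.update((flow.src, flow.dst))
    return hosts


def candidate_rules(unmatched):
    """Aggregate unexplained flows by (src, dst, proto, dport) with octet totals,
    largest first, so each group can be reviewed as a rule candidate or an alert."""
    agg: Dict[Tuple[str, str, str, int], int] = {}
    for f in unmatched:
        key = (f.src, f.dst, f.proto, f.dport)
        agg[key] = agg.get(key, 0) + f.octets
    return sorted(agg.items(), key=lambda kv: kv[1], reverse=True)


SAMPLE_FLOWS = [  # constructed sample records
    "10.1.1.10, 10.2.2.20, tcp, 8443, 120000",
    "10.2.2.20, 10.3.3.30, tcp, 5432, 48000",
    "10.2.2.20, 10.0.0.53, udp, 53, 300",
    "10.1.1.10, 10.3.3.30, tcp, 5432, 9000",      # web tier reaching the DB directly
    "10.1.1.10, 10.3.3.30, tcp, 5432, 7000",
    "10.3.3.30, 203.0.113.5, tcp, 443, 250000",   # DB host talking to an external address
]


if __name__ == "__main__":
    matched, unmatched = compare([parse_flow(l) for l in SAMPLE_FLOWS], BASELINE)
    for rule, flows in matched.items():
        print(f"{rule}: {len(flows)} flow(s)")
    print("hosts in DB-tier scope:", sorted(scope_hosts(matched, ["app-to-db"])))
    for key, octets in candidate_rules(unmatched):
        print("UNEXPECTED", key, octets, "octets")
```

The rules are evaluated in order and the first match wins, so place the most specific rules first if any overlap. In practice the flow list would be a stream from the collector and the baseline would be loaded from a file maintained alongside the firewall rule set, so that every unexplained group either becomes a new rule or an investigation.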

This approach was used successfully to reduce PCI DSS server scope size to under 20% in mid-2016 on a medium-sized network, and to apply firewall rules live without any business disruption. This methodology has been further improved, and this presentation will feature a new release of code used in the live demo presented.