We want access to as many logs as possible. Historically, the approach has been to replicate logs to a central location. Storage cost is the bottleneck of SIEM solutions, which are hard to maintain at scale, so the amount of information at our disposal ends up being reduced.
Today's state-of-the-art solutions focus on analysing logs on the endpoint. This can reduce maintenance, but adds the problem of updating the rules and of accessing raw data.
Both approaches are inefficient and expensive.
What we want from log collection:
- Inference and baselines
- Replication by topic
- On-demand access and drilldown, with a hashable/forensic history of status
- Ownership: data must point 1:1 to an endpoint/person
Granting access to the logs of all endpoint hosts satisfies at least the requirements above, with zero storage cost and low maintenance.
This can be achieved by applying the logic of decentralized web distribution used by the IPFS/IPNS protocol to log collection. ipfs.io/#why
What are you going to get from the talk?
- An explanation of the IPFS protocol and its features
- How to modify the FOSS IPFS client to make it "log friendly" and transparent to the user
- How to define a private cluster, key management and IPNS (DNS): this provides encryption in transit and at rest
- How to define an IPFS gateway to collect the information using the classic HTTP API
- How to integrate the solution with the SIEM solution you already have in place: this lets you reuse the playbooks already designed
Each log file, and every block within it, is given a unique fingerprint called a cryptographic hash.
IPFS removes duplication across the network.
Each network node stores only the content it is interested in, plus some indexing information that helps figure out who is storing what.
When looking up a file, you are asking the network to find the nodes storing the content behind a unique hash.
Every file can be found by a human-readable name using a decentralized naming system called IPNS.
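Illustration of the content-addressing described above, as an added example that is not code from the talk or from the IPFS project: each log file is split into fixed-size blocks, every block is stored under its SHA-256 hash so identical blocks from different endpoints are kept once, and a per-file manifest with a root hash lets the collector verify that fetched blocks are unchanged. The block size and the sample log lines are constructed for the example; real IPFS uses CIDs and a Merkle DAG rather than this flat manifest.

```python
import hashlib

BLOCK_SIZE = 32  # constructed: small so the sample logs split into a few blocks

# Constructed sample logs: each line is exactly 32 bytes so blocks align.
# LOG_B is LOG_A plus one extra line, as if the same host kept logging.
LOG_A = (b"2024-01-01T00:00:00Z h1 sshd ok\n"
         b"2024-01-01T00:00:01Z h1 sshd ok\n"
         b"2024-01-01T00:00:02Z h1 cron ok\n")
LOG_B = LOG_A + b"2024-01-01T00:00:03Z h1 sudo ok\n"


def block_hash(data: bytes) -> str:
    """Fingerprint of one block (simplified stand-in for an IPFS block CID)."""
    return hashlib.sha256(data).hexdigest()


def split_blocks(data: bytes, size: int = BLOCK_SIZE) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]


def root_hash(manifest: list) -> str:
    """Root fingerprint of a file: hash over its ordered block hashes."""
    return hashlib.sha256("\n".join(manifest).encode()).hexdigest()


def add_file(store: dict, data: bytes):
    """Store each block under its hash; a block already present (same bytes
    from another file or host) is not stored twice. Returns (root, manifest)."""
    blocks = split_blocks(data)
    manifest = [block_hash(b) for b in blocks]
    for h, b in zip(manifest, blocks):
        store.setdefault(h, b)
    return root_hash(manifest), manifest


def fetch_file(store: dict, manifest: list) -> bytes:
    """Reassemble a file from its manifest, as a gateway would on request."""
    return b"".join(store[h] for h in manifest)


def verify_file(store: dict, manifest: list, expected_root: str) -> bool:
    """Every block must be present and hash back to its manifest entry, and the
    manifest must match the recorded root: a changed block is detected."""
    for h in manifest:
        blk = store.get(h)
        if blk is None or block_hash(blk) != h:
            return False
    return root_hash(manifest) == expected_root


if __name__ == "__main__":
    store = {}
    root_a, man_a = add_file(store, LOG_A)
    root_b, man_b = add_file(store, LOG_B)
    print(f"blocks referenced: {len(man_a) + len(man_b)}, stored: {len(store)}")
    print("log A verifies:", verify_file(store, man_a, root_a))
```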
Fabio Nigi, head of security operations at Philip Morris Digital, former security investigator at Cisco CSIRT. During and after his engineering degree in Computer Science, Fabio focused on ethical hacking and spent 10 years researching, analyzing and solving ICT governance, risk, compliance, information security and privacy issues as an SME in global enterprise environments.
Linkedin Profile: linkedin.com/in/fabionigi/