IPFS As a Distributed Alternative to Logs Collection

Presented at DeepSec 2019 „Internet of Facts and Fears“.

We want access to as many logs as possible. Historically the approach has been to replicate logs to a central location. The cost of storage is the bottleneck of SIEM solutions; they are hard to maintain at scale, which leads to reducing the amount of information at our disposal. The state-of-the-art solutions today focus on analyzing the logs on the endpoint. This can optimize maintenance but adds the problem of updating the rules and accessing raw data. Both approaches are inefficient and expensive.

What we want from log collection:

  • comparability
  • accessibility
  • inference and baselines
  • replication on topics
  • on-demand access and drill-down, with a hashable/forensic history of status
  • ownership: data needs to point 1:1 to an endpoint/person

Goal: grant access to the logs of all endpoint hosts, meeting at least the requirements above, with zero storage cost and low maintenance.

How: this can be achieved by applying the logic of non-centralized web distribution used in the IPFS/IPNS protocol to log collection.

What are you going to get from the talk?

  • An explanation of the IPFS protocol and its features
  • How to modify the FOSS IPFS client to make it "log friendly" and transparent to the user
  • How to define a private cluster, key management and IPNS (DNS): this grants encryption in transit and in storage
  • How to define an IPFS gateway to collect the information using the classic HTTP API
  • How to integrate the solution with the SIEM solution you have in place: this grants the possibility to use the playbooks already designed

Properties granted by the protocol:

  • Each log file and all of the blocks within it are given a unique fingerprint called a cryptographic hash.
  • IPFS removes duplication across the network.
  • Each network node stores only content it is interested in, plus some indexing information that helps figure out who is storing what.
  • When looking up files, you're asking the network to find the nodes storing the content behind a unique hash.
  • Every file can be found by human-readable names using a decentralized naming system called IPNS.
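The protocol properties listed above (per-block cryptographic hashes, network-wide deduplication, a provider index recording who stores what, and lookup by hash with integrity checking) can be illustrated with a small simulation. The following is an added example written for this page, not code from the talk or from the IPFS project: it models three log hosts and a gateway with plain Python and SHA-256. The one-block-per-log-line chunker, the manifest format, the host names and the sample log lines are all constructed assumptions (real IPFS uses a size-based chunker, CIDs and a DHT).

```python
"""Constructed model of content-addressed, deduplicated log storage.

Illustration for this page, not IPFS client code. Block hashes are raw
SHA-256 hex (IPFS wraps them in CIDs); the "network" is an in-memory
provider index standing in for the DHT; chunking is one block per log line.
"""
import hashlib
from typing import Dict, List, Set


def block_hash(data: bytes) -> str:
    """Content identifier of one block: its SHA-256 digest in hex."""
    return hashlib.sha256(data).hexdigest()


def chunk_by_line(data: bytes) -> List[bytes]:
    """Constructed 'log-friendly' chunker: one block per log line, newline kept."""
    return [line + b"\n" for line in data.split(b"\n") if line]


class Network:
    """Stand-in for the DHT: maps block hash -> names of the nodes providing it."""

    def __init__(self) -> None:
        self.nodes: Dict[str, "Node"] = {}
        self.providers: Dict[str, Set[str]] = {}

    def announce(self, node_name: str, h: str) -> None:
        self.providers.setdefault(h, set()).add(node_name)

    def who_has(self, h: str) -> Set[str]:
        return set(self.providers.get(h, set()))


class Node:
    """A host with a local content-addressed block store."""

    def __init__(self, name: str, net: Network) -> None:
        self.name, self.net = name, net
        self.blocks: Dict[str, bytes] = {}
        net.nodes[name] = self

    def put_block(self, data: bytes) -> str:
        h = block_hash(data)
        if h not in self.blocks:  # an identical block is stored only once
            self.blocks[h] = data
        self.net.announce(self.name, h)
        return h

    def add_log(self, data: bytes) -> str:
        """Store a log file; return its root hash (hash over the ordered block hashes)."""
        hashes = [self.put_block(b) for b in chunk_by_line(data)]
        return self.put_block("\n".join(hashes).encode())

    def get_block(self, h: str) -> bytes:
        """Return a block by hash, fetching it from any provider and verifying it first."""
        if h in self.blocks:
            return self.blocks[h]
        for peer_name in self.net.who_has(h):
            data = self.net.nodes[peer_name].blocks.get(h)
            if data is not None and block_hash(data) == h:  # reject bytes that do not hash to h
                self.blocks[h] = data
                return data
        raise KeyError(f"no valid provider for {h[:12]}")

    def fetch_log(self, root: str) -> bytes:
        """Reassemble a log from its root hash; every block is integrity-checked."""
        manifest = self.get_block(root)
        return b"".join(self.get_block(h) for h in manifest.decode().split("\n"))


def distinct_blocks(net: Network) -> int:
    """Blocks that exist network-wide (shared lines counted once)."""
    return len(net.providers)


def total_stored(net: Network) -> int:
    """Blocks held across all local stores (shared lines counted per host)."""
    return sum(len(n.blocks) for n in net.nodes.values())


# Constructed sample logs: host-a and host-b share their first two lines.
LOG_A = (b"2019-11-20T10:00:01 sshd: Accepted publickey for ops from 10.0.0.5\n"
         b"2019-11-20T10:00:02 sudo: ops : COMMAND=/bin/systemctl restart nginx\n"
         b"2019-11-20T10:00:03 nginx: reloaded configuration\n")
LOG_B = (b"2019-11-20T10:00:01 sshd: Accepted publickey for ops from 10.0.0.5\n"
         b"2019-11-20T10:00:02 sudo: ops : COMMAND=/bin/systemctl restart nginx\n"
         b"2019-11-20T10:00:09 kernel: eth0 link up\n")
LOG_C = b"2019-11-20T10:01:00 auditd: watch on /etc/shadow triggered\n"


def demo() -> dict:
    net = Network()
    a, b, c = Node("host-a", net), Node("host-b", net), Node("host-c", net)
    root_a, root_c = a.add_log(LOG_A), c.add_log(LOG_C)
    b.add_log(LOG_B)
    shared = block_hash(chunk_by_line(LOG_A)[0])
    result = {
        "distinct_blocks": distinct_blocks(net),
        "blocks_stored": total_stored(net),
        "shared_line_providers": sorted(net.who_has(shared)),
    }
    # Corrupt host-b's copy of a shared line and the only copy of host-c's line.
    b.blocks[shared] = b"corrupted\n"
    c.blocks[block_hash(chunk_by_line(LOG_C)[0])] = b"corrupted\n"
    gw = Node("gateway", net)  # holds nothing locally, resolves everything by hash
    result["log_a_intact"] = gw.fetch_log(root_a) == LOG_A  # bad copy skipped, good copy used
    try:
        gw.fetch_log(root_c)
        result["log_c_status"] = "accepted"
    except KeyError:
        result["log_c_status"] = "rejected"  # no provider serves bytes matching the hash
    return result


if __name__ == "__main__":
    print(demo())
```

The two counts show the deduplication property: the two lines host-a and host-b have in common exist once in the network index even though each host keeps its own copy. The corruption cases show why the root hash is a forensic anchor: a gateway that only knows the hash will silently route around a bad copy when another provider has a valid one, and will refuse the log outright when no provider can produce bytes matching the hash, rather than return altered content.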

Presenters:

  • Fabio Nigi - Philip Morris International
    Fabio Nigi, Head of Security Operations at Philip Morris Digital, former security investigator at Cisco CSIRT. During and after his engineering degree in Computer Science, Fabio focused on ethical hacking and spent 10 years researching, analyzing and solving ICT governance, risk, compliance, information security and privacy issues as an SME in global enterprise environments. LinkedIn profile: https://www.linkedin.com/in/fabionigi/
