CROWDSEC EXPLAINED in 15 minutes: product presentation by Philippe Humeau, CEO & co-founder

Hi everyone! My name is Philippe and I'm the CEO of CrowdSec, and I'd like to explain to you today what the project is about. So, basically, CrowdSec works a bit like Waze somehow. You know, Waze uses your heading, your vehicle's heading, its speed and position to deduce where there is a traffic jam ahead or a speed trap or something. So a community of users is sharing local information to deduce a global state, right? What we're doing here is a bit different: we are using a local behavior by checking into the logs what's happening, you know, finding behavior in your logs and blocking it if it's dangerous behavior, and when it's done we share this information globally to the community so it becomes a global reputation for the IP address behind the problem.

A behavior engine is at the core of it. You can think about it like a modern version of fail2ban. So with the behavior engine you can detect a lot of things, like credential brute force. For example, if someone is trying to type in a password five times and failed, maybe it's not his password and his account, he's just trying to guess your password. If usually your webshop is registering average carts of 30 but this time every credit card coming in is doing like a 0.1 dollar transaction, maybe it's not a real customer, it's someone trying to validate credit card numbers. Same goes for port scan or web scan: if you have a lot of 403, 404, 405 or something codes in your logs, probably someone is trying to scan you, right? So basically CrowdSec is filtering behaviors, not IP/port combos. It's really about brute force, port scan, crawlers, exploits, SQL injection and so on.

And how does it do the magic? Well, it's a massively multiplayer firewall. You can think about it like a firewall because it's still filtering IPs at some point, but it's massively multiplayer because first it starts locally: it looks into your logs, so syslog, journald, AWS CloudTrail, SIEM, ELK, you name it, you know, it's just a data source, and then you apply scenarios. Could be your scenarios, could be our scenarios, or it could be community-driven and -made scenarios; they are all available on the hub. And then once you found something with your scenario that is not appreciable, that you don't want, the behavior you don't want to see, you can for example drop it on your reverse proxy, on your firewall, everywhere it makes sense, or if you're working in an HTTP layer you can send a captcha, for example. If you want to do it directly with the user session you can forbid some access or some URLs, you can lower the rights, you can lower the speed, whatever, or you can set a multi-factor authentication, whatever you want actually. The remedy you want depends on your business and your stakes. If you want you can just, you know, wire the information into a script or into your Slack channel with your DevOps or ChatOps.

So once you've found a bad IP you can share it with us, and we'll do the curation to be sure that it's an accurate signal and not a poisoning attempt or false positive, and then we'll send it back to the community so that when you detect someone everyone benefits from it, and you benefit from everyone else's detection. That's how we make the wheel spin; this is a massively multiplayer firewall.

So now, it's also a next-gen behavior engine. I told you before about fail2ban, but it's better and more modern than fail2ban in a way that it's stateless and decoupled, so you can detect in one point and remedy in another. You can also have many-to-many setups, or one-to-many or many-to-one setups. It's a high performance engine, it's like six times faster because it's made in Go and not in Python. It provides observability out of the box: you have a dashboard you can spawn and see what's inside, right? It's also modular and flexible, so it's super easy to embed into whatever DevOps system you're using to deploy things. It uses a very modern grammar, or very simple at least, which is YAML, so anyone can describe anything with a YAML file; it's super easy to edit and tweak according to your needs. It's adapted for Linux for now, but we are also porting the software on BSD and we aim at being compatible with Windows as well. It's multi-layer, and you can deal with IPv6 as well, and you can do multi-stage detection like: if this and that, all that, then, you know, something else.

What we're up to is a resource war. By banding together we can burn the stolen IPs that hackers use to have anonymity, right? They use those IPs to shelter their activities, but they wouldn't be at ease with dealing directly with their own IPs straight to their target. So by burning those IPs we are actually impairing and crippling their business. CrowdSec is basically peeling the onion.

So the reputation engine is a second engine in CrowdSec. The first one is the behavior one; the second one is based on all the sharing, all the sightings that we do all together. So far we know it's at the largest scale ever; it's the biggest honeypot on earth most likely. We are thousands of users and we aim at being hundreds of thousands if not millions of users. It's highly curated: the list you receive of IPs you should ban is instead made for your needs, because we found out looking in our data lake that, for example, IPs doing SSH brute force are not the same as the ones doing Terminal Server brute force or VPN brute force. So we want to provide you with the best tailor-made experience. And also it's API-first, so you can query the API in the way you want to integrate it at any place you want in your information system. Last but not least, you can have a hot query system or you can keep a local cache; we don't care much, because the IP address is not of such a big value. The value really lies in the network and its capability to generate the list. So if you have a local cache, no big deal, we are super fine with this, so you can update it like, you know, when you want.

It's open source, it's for free, it's forever, period. We don't intend to switch this model later on when we'll be successful. Actually the goal is to provide transparency, so that anyone can see there's no shenanigans, no back door, no nothing in the code, that the code is clean and safe, that anyone can contribute to it, you know, help us connect more data sources, create more scenarios, create more bouncers, and it helps us stay connected together. And somehow it's a crowdsourced cyber threat intelligence, because, you know, what is CTI at its core? It's a bunch of servers, maybe a hundred of them, running simulated services that we call honeypots on one or two clouds, or three maybe, to intercept rogue traffic over the Internet. What we do is better in most directions because we harness the power of real machines by the thousands, by the hundreds of thousands, running real services. So it's not simulated ones, because at some point a hacker can pinpoint what is real and what is not. For example, if you have a web shop, the moment you put a credit card transaction it's going to fail if it's a honeypot because you don't, you know, you don't have a PHP behind, or if you start to have more interaction with a honeypot, quickly you can spot that it's not a real machine. But here it's not possible, because it's real services and it runs in all kinds of environments everywhere, not only a couple of clouds: could be on a 5G connection, on a DSL or fiber in a sweatshop in Thailand, a university in Togo, an individual place in Iceland or Finland. So it's impossible to dodge the people that are in the crowd of CrowdSec. That's why it's the best ever hacker radar, we think.

But now we have to deal with two threats, right? Poisoning and false positives. So we don't want people to be able to inject false IPs in the system, so we give them a trust rank. You have a trust rank one if you're partaking in the network for more than six months and make constantly accurate spottings, right? So if you would start like 3000 machines in an attempt to overrule the consensus, you would then reinforce us for six months before we start listening to you, and we see that if your cohort is then behaving in a way that it's the only one seeing things and not the rest of the network, it's probably that you're trying to poison us. Also there are other trust ranks like two, three, four and so on. So if a trust rank one sees the same thing as a trust rank two, it validates the signal, and the trust rank two, three or four is getting a bit more credibility. That's cool, that's how they become trust rank one at some point. We also have a honeypot of our own. It's not made mostly for detection, it's mostly made to provide a counter opinion, a contrasting point of view on what is seen for example by a trust rank two but not by any other trust rank one. Meaning, for example, it helps us to bootstrap the network to have a higher detection sensitivity on some technologies that, for example, our customers are not using yet. Say there is a vulnerability on WordPress, or others on PrestaShop or Hybris, and we don't have yet enough users on those technologies; then we can spawn a bunch of Hybris or PrestaShops to simulate and listen, you know, and validate signals. So we are trust rank zero, we are validating other signals as well.

We also have a list of canaries. This list is something that you cannot ban, so you will find here things like Microsoft Update, Googlebot and so on, IPs that are core to the Internet, and we don't want to ban them at any point in time. So it's kind of a whitelist if you want. And we have predictive algorithms: like if IPs A, B, C and D are working together, we are just below the minimum threshold of noise that we would consider as being aggressive, then those IPs would then go through, you know, except if a predictive algorithm is digging into our honeypot log, in our global data lake, and tries to correlate that IPs A, B, C and D are working together. So that way we can also prevent them from harming you. And once it's done, this curation process, the IP is integrated in the IP reputation database and distributed throughout the network.

You have to know that a bad IP is a time-dependent thing, right? It used to be a good IP, it has been compromised and is now acting maliciously. Most of the time, some of them are constantly malevolent, but most of them are just on a temporary basis compromised, so it's rogue and then it will be cleaned one day by its legitimate owner. So that's why our network density allows us to clean every IP that has not been caught doing dangerous things for the last 72 hours. It's kind of a self cleanup thing, right? And if this IP waits 73 hours and comes back, then it would be instantly reinstated in the consensus.

And it's extremely important, because IPv4 shortage triggered a lot of NAT IPs, NAT meaning Network Address Translation, so one public IP can be attached to a lot of people. So we advise you to only take the minimum necessary remediation. For example, if you are working on an HTTP layer, for example, send a captcha, don't drop the connection, because you could drop the connection for many legitimate users that are behind a proxy, for example, whereas if you send a captcha you will just slow down tremendously a potential attacker but not deter legitimate users.

The next thing is we have a three-day probation mechanism, I told you about this 72 hours. You can also unban yourself. It's not so easy for hackers, because they would not be able to unban all the IPs they're using, and also there's a captcha here, so you're not supposed to be able to unban like tons of IPs, and there's an increasing penalty: so if your IP is unbanned by you and it's caught again and again and again, there's an increasing time penalty before you can unban yourself again. Also the consensus is involving range qualification. For example, some IPs are used by 4G networks; we don't want to ban them because we don't know who's the user behind, right? So it's changing constantly, so it doesn't make sense to ban them, for example. Or sometimes protocols like UDP are really easy to fake, to spoof, so it's complicated to ban UDP-based attacks. And also we send you a tailor-made list just for your needs; we don't want to broadcast every IP everywhere, because that would create more harm than good.

You have to know that your logs are never ever exported. They stay locally. We don't treat them, we're not storing them; we parse them, we learn from them and we forget them, so they don't go into the cloud. We just use the timestamp, the offending IP and the behavior. This is the only thing we collect, and if you don't want it you can disable this feature, right? So you don't even have to share with us, and then you just benefit from the behavior engine, not the reputation one obviously, but nevertheless you get a great behavior engine. And also it's GDPR compliant, because we are collecting the minimum necessary information to do our work, and you have no online dependency.

You also have our word that we only monetize things that are for business-grade enterprises, like fleet features, deploying on thousands of machines, self-monitoring and forensic API access on a massive scale and so on. So it's always free for the community, but if people are not sharing with us and want to benefit from the behavior, not, sorry, not from the behavior, from the reputation engine, then they will have to pay their access for it, right? Or if they want extended features that are mainly for big businesses. That's what we do, and I'm glad I could tell you about this. If you have any questions, don't hesitate to go on our Gitter or Discourse, or find us on GitHub. We are CrowdSec, and I'm glad you spent time with us. Have a good day, bye!
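As an added illustration that is not CrowdSec's own code, the following Python toy models the local behavior-engine half of the talk: the "five failed passwords" brute-force scenario run over constructed sshd-style log lines, producing a time-bound decision whose remediation follows the NAT caveat (captcha rather than drop on the HTTP layer). The threshold, 60-second window, 4-hour duration, scenario name `ssh-bf`, log format and the `http-` naming convention are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sshd-style log lines (synthetic, not captured from any real host).
SAMPLE_LOG = [
    "2021-04-21T10:00:01 sshd[412]: Failed password for root from 203.0.113.7 port 50112 ssh2",
    "2021-04-21T10:00:03 sshd[413]: Failed password for admin from 203.0.113.7 port 50113 ssh2",
    "2021-04-21T10:00:05 sshd[414]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    "2021-04-21T10:00:06 sshd[415]: Failed password for root from 203.0.113.7 port 50114 ssh2",
    "2021-04-21T10:00:09 sshd[417]: Failed password for oracle from 203.0.113.7 port 50115 ssh2",
    "2021-04-21T10:00:12 sshd[418]: Failed password for test from 203.0.113.7 port 50116 ssh2",
]
FAILED_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for .*? from (\S+) port")


@dataclass
class Decision:
    ip: str
    scenario: str
    remediation: str  # what the bouncer applies: "ban" or "captcha"
    until: datetime   # decisions are time-bound, like the shared reputation


def remediation_for(scenario):
    """NAT caveat from the talk: on the HTTP layer prefer a captcha over a drop,
    so legitimate users sharing the attacker's public address are only slowed."""
    return "captcha" if scenario.startswith("http-") else "ban"


def detect_brute_force(lines, threshold=5, window=timedelta(seconds=60),
                       duration=timedelta(hours=4)):
    """Five failed passwords from one IP inside a sliding window -> one Decision."""
    attempts = defaultdict(deque)  # ip -> failure timestamps still inside the window
    decisions = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # other events (e.g. "Accepted password") are ignored
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        q = attempts[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in decisions:
            decisions[ip] = Decision(ip, "ssh-bf", remediation_for("ssh-bf"), ts + duration)
    return list(decisions.values())
```

Running `detect_brute_force(SAMPLE_LOG)` flags only 203.0.113.7 (five failures in eleven seconds); the single typo from 198.51.100.4 never reaches the threshold, and the `until` field is what a consumer would check to let the decision age out.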
Info
Channel: CrowdSec
Views: 1,394
Keywords: cyber security, collaborative security, secops, cyber security training, network security, firewall, devsecops, crowdsec, ip address, github, startup, cyber security startup, open source intelligence, open source intelligence tools, it security, cybersecurity, cyber attack, security solution, data security, computer networks, computer network, fail2ban, linux, security operations, security automation, osint, open source software, cyber threat intelligence, security, threat hunting
Id: d9NgZBldnos
Length: 14min 38sec (878 seconds)
Published: Wed Apr 21 2021