
Solving the Open Source Security Puzzle

Presentation Transcript


  1. Solving the Open Source Security Puzzle. Vic Hargrave, JB Cheng, Santiago González Bassett. June 18, 2013 – Securing Ubiquity

  2. Disclaimer. The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.

  3. Log Normalization
     • Syslog
       • Comes by default with *nix operating systems.
     • Syslog-NG
       • Can be installed in various configurations to take the place of the default syslog.
       • Free to use, or an enterprise version is available for purchase.
       • Many configuration types to export data.
     • OSSEC
       • Free to use.
       • Can export via syslog to other systems.

  4. Solving the Open Source Security Puzzle
     • What are the standards?
     • Why choose one product over another?
     • How do the various security components work together?
     • How does this work in the real world? Real examples.

  5. Understanding Rules
     • Customizable rulesets enable a security practitioner to add true intelligence about their environment.

  6. Host Event Detection: AIDE (Advanced Intrusion Detection Environment)

  7. Network Detection Systems

  8. Event Management

  9. What is OSSEC?
     • Open Source SECurity: an Open Source Host-based Intrusion Detection System.
     • Provides protection for Windows, Linux, Mac OS, Solaris and many *nix systems.
     • http://www.ossec.net
     • Founded by Daniel Cid.
     • Current project managers: JB Cheng and Vic Hargrave.

  10. OSSEC Capabilities
     • Log analysis
     • File integrity checking (Unix and Windows)
     • Registry integrity checking (Windows)
     • Host-based anomaly detection (for Unix: rootkit detection)
     • Active response

  11. HIDS Advantages
     • Monitors system behaviors that are not evident from the network traffic.
     • Can find persistent threats that penetrate firewalls and network intrusion detection/prevention systems.

  12. OSSEC Architecture (diagram): OSSEC Agents send logs to the OSSEC Server over UDP 1514; the server writes alerts to alerts.log, which can be followed with tail -f $ossec_alerts/alerts.log.

  13. File Integrity Alert Sample
     ** Alert 1365550297.8499: mail - ossec,syscheck,
     2013 Apr 09 16:31:37 ubuntu->syscheck
     Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
     Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'

  14. Log Analysis Alert Sample
     ** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
     2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
     Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
     2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64

  15. PCI DSS
     • Requirement 10.5.5 - Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
     • Requirement 11.5 - Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

  16. OSSECCON: annual gathering of OSSEC users and developers. Community members discuss how they are using OSSEC, what new features they would like, and set the roadmap for future releases. OSSEC 2.7.1 is soon to be released. Planning for OSSEC 3.0 is underway. OSSECCON 2013 will be held Thursday July 25th at Trend Micro's Cupertino office. Please join us there!

  17. OSSIM: Unified Open Source Security. Santiago González Bassett, santiago@alienvault.com, @santiagobassett, Alien Vault.

  18. About me (http://santi-bassett.blogspot.com/, @santiagobassett)
     • Developer, systems engineer, security administrator, consultant and researcher over the last 10 years.
     • Member of the OSSIM project team since its inception.
     • Implemented distributed Open Source security technologies in large enterprise environments for European and US companies.

  19. What is OSSIM? (http://communities.alienvault.com/)
     • OSSIM is the Open Source SIEM – GNU GPL version 3.0.
     • With over 195,000 downloads it is the most widely used SIEM in the world.
     • Created in 2003, it is developed and maintained by Alien Vault and community contributors.
     • Provides Unified and Intelligent Security.

  20. Why OSSIM?
     • Because it unifies security management:
       • Centralizes information
       • Integrates threat detection tools
     • Because it provides security intelligence:
       • Discards false positives
       • Assesses the impact of an attack
       • Collaboratively learns about APT

  21. OSSIM integrated tools
     • Assets: nmap, prads
     • Behavioral monitoring: fprobe, nfdump, ntop, tcpdump, nagios
     • Vulnerability assessment: osvdb, openvas
     • Threat detection: ossec, snort, suricata

  22. OSSIM: 200+ collectors

  23. OSSIM Architecture (diagram: normalized events; configuration & management)

  24. OSSIM: Anatomy of a collector
     [Raw log]
     76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
     [apache-access]
     event_type=event
     regexp="((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\" (?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_uri>.*)\" \"(?P<useragent>.*)\")?$"
     src_ip={resolv($src)}
     dst_ip={resolv($dst)}
     dst_port={$port}
     date={normalize_date($date)}
     plugin_sid={$code}
     username={$user}
     userdata1={$request}
     userdata2={$size}
     userdata3={$referer_uri}
     userdata4={$useragent}
     filename={$id}

  25. OSSIM Reliability Assessment (diagram)

  26. OSSIM Risk Assessment (diagram)
     Source: Asset Value = 2
     Destination: Asset Value = 5
     Event Priority = 2, Event Reliability = 10
     RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25

  27. OSSIM & OSSEC Integration
     • Web management interface
     • OSSEC alerts plugin
     • OSSEC correlation rules
     • OSSEC reports

  28. OSSIM Deployment

  29. OSSIM Attack Detection

  30. OSSIM Demo Use Cases
     Detection & risk assessment:
     • OTX
     • Snort NIDS
     • Logical correlation
     • Vulnerability assessment
     • Asset discovery
     Correlating firewall logs:
     • Cisco ASA plugin
     • Network scan detection
     Correlating Windows events:
     • OSSEC integration
     • Brute force attack detection

  31. Thank you. Santiago Gonzalez Bassett, santiago@alienvault.com, @santiagobassett, Alien Vault.
