Solving the Open Source Security Puzzle
June 18, 2013 – Securing Ubiquity
Vic Hargrave, JB Cheng, Santiago González Bassett
Disclaimer
The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.
Log Normalization
Syslog
  Ships by default with *nix operating systems.
Syslog-NG
  Can be installed in various configurations to take the place of the default syslog.
  Free to use, or an enterprise version is available for purchase.
  Many configuration options for exporting data.
OSSEC
  Free to use.
  Can export via syslog to other systems.
Solving the Open Source Security Puzzle
What are the standards?
Why choose one product over another?
How do the various security components work together?
How does this work in the real world? Real examples.
Understanding Rules
Customizable rulesets enable a security practitioner to add true intelligence about their environment.
Host Event Detection
AIDE (Advanced Intrusion Detection Environment)
Network Detection Systems
Event Management
What is OSSEC?
Open Source SECurity
Open Source Host-based Intrusion Detection System
Provides protection for Windows, Linux, Mac OS, Solaris and many *nix systems
http://www.ossec.net
Founded by Daniel Cid
Current project managers – JB Cheng and Vic Hargrave
OSSEC Capabilities
Log analysis
File Integrity checking (Unix and Windows)
Registry Integrity checking (Windows)
Host-based anomaly detection (for Unix – rootkit detection)
Active Response
HIDS Advantages
Monitors system behaviors that are not evident from the network traffic
Can find persistent threats that penetrate firewalls and network intrusion detection/prevention systems
OSSEC Architecture
OSSEC Agents --(logs, UDP 1514)--> OSSEC Server --> alerts
Each agent forwards its logs to the server over UDP 1514; the server analyzes them and writes alerts, which can be followed with:
  tail -f $ossec_alerts/alerts.log
File Integrity Alert Sample
** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'
Log Analysis Alert Sample
** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
PCI DSS Requirements
10.5.5 - Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)
11.5 - Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly
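Requirement 10.5.5 asks for something a plain whole-file checksum (what OSSEC's syscheck computes) cannot give on a live log: an alert when existing bytes change, but silence when new lines are appended. The following is an added example, not the slides' or OSSEC's code, of the append-aware check the requirement describes. It remembers the length and SHA-256 of the log at the last check and re-hashes only that prefix on the next pass; the log lines and hostnames are constructed for the demo.

```python
import hashlib

# Added example for PCI DSS 10.5.5: flag modification of existing log data
# while tolerating appends. Not OSSEC's syscheck logic (which hashes the
# whole file and so would alert on every append to a growing log).


def baseline(data: bytes) -> dict:
    """Record length and SHA-256 of the log as it stood at the last check."""
    return {"length": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def check_log(previous: dict, current: bytes) -> str:
    """Compare current log contents against a baseline.

    Returns one of:
      "unchanged" - byte-identical to the baseline
      "appended"  - baseline bytes intact, new data after them (no alert)
      "tampered"  - existing bytes altered, or the file shrank (alert)
    """
    if len(current) < previous["length"]:
        # The log shrank. A rotation looks the same, so the baseline must be
        # re-taken whenever logrotate runs (see the note below the block).
        return "tampered"
    head = hashlib.sha256(current[: previous["length"]]).hexdigest()
    if head != previous["sha256"]:
        # Same or greater length, but bytes that already existed were changed.
        return "tampered"
    return "appended" if len(current) > previous["length"] else "unchanged"


# Constructed sample log (not from the slides).
AUTH_LOG_T0 = (
    b"Jun 18 10:01:02 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.12\n"
    b"Jun 18 10:01:09 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/apt-get update\n"
)
NEW_LINE = b"Jun 18 10:02:30 web01 sshd[2270]: Failed password for root from 203.0.113.7\n"
# An attacker rewriting history: the sudo command is swapped for a benign one
# of the same length, so a length-only check would miss it.
DOCTORED = AUTH_LOG_T0.replace(b"apt-get update", b"ls /tmp".ljust(14)) + NEW_LINE


def demo() -> dict:
    """Run the four cases against one baseline and return the verdicts."""
    base = baseline(AUTH_LOG_T0)
    return {
        "same": check_log(base, AUTH_LOG_T0),
        "append": check_log(base, AUTH_LOG_T0 + NEW_LINE),
        "edit": check_log(base, DOCTORED),
        "truncate": check_log(base, AUTH_LOG_T0[:40]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

The "edit" case is the one 10.5.5 is about: the file grew, so a size-based check stays quiet, but the prefix hash no longer matches. Log rotation truncates the file and is indistinguishable from tampering at this layer, so the baseline has to be re-taken from a post-rotate hook; in practice active logs are better shipped off-host in real time (as OSSEC's log collector does) and syscheck reserved for the rotated archives, which are not expected to change at all.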
OSSECCON
Annual gathering of OSSEC users and developers.
Community members discuss how they are using OSSEC, what new features they would like, and set the roadmap for future releases.
OSSEC 2.7.1 soon to be released.
Planning for OSSEC 3.0 is underway.
OSSECCON 2013 will be held Thursday July 25th at Trend Micro's Cupertino office.
Please join us there!
OSSIM
Unified Open Source Security
Santiago González [email protected]
@santiagobassett
Alien Vault
About me
Developer, systems engineer, security administrator, consultant and researcher for the last 10 years.
Member of the OSSIM project team since its inception.
Implemented distributed Open Source security technologies in large enterprise environments for European and US companies.
http://santi-bassett.blogspot.com/
@santiagobassett
What is OSSIM?
OSSIM is the Open Source SIEM – GNU GPL version 3.0.
With over 195,000 downloads it is the most widely used SIEM in the world.
Created in 2003, it is developed and maintained by Alien Vault and community contributors.
Provides Unified and Intelligent Security.
http://communities.alienvault.com/
Why OSSIM?
Because it provides security intelligence:
  Discards false positives
  Assesses the impact of an attack
  Collaboratively learns about APT
Because it unifies security management:
  Centralizes information
  Integrates threat detection tools
OSSIM integrated tools
Assets: nmap, prads
Behavioral monitoring: fprobe, nfdump, ntop, tcpdump, nagios
Vulnerability assessment: osvdb, openvas
Threat detection: ossec, snort, suricata
OSSIM: 200+ collectors
OSSIM Architecture
(Diagram; labels: Configuration & Management, Normalized Events)
OSSIM: Anatomy of a collector
[apache-access]
event_type=event
regexp="((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\" (?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_uri>.*)\" \"(?P<useragent>.*)\")?$"
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}

[Raw log]
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
OSSIM Reliability Assessment
Correlation directive for SSH; event reliability rises at each level of the tree:
  SSH failed authentication event
    SSH successful authentication event
    10 SSH failed authentication events
      100 SSH failed authentication events
        Persistent connections
        SSH successful authentication event
        1000 SSH failed authentication events
          SSH successful authentication event
OSSIM Risk Assessment
RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25
Example: Event Priority = 2, Event Reliability = 10
Source: Asset Value = 2 → risk = (2 * 2 * 10) / 25 = 1.6
Destination: Asset Value = 5 → risk = (5 * 2 * 10) / 25 = 4
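The reliability tree and the risk formula are two halves of one pipeline: the directive watches a stream of SSH events and raises the reliability as the chain deepens, and each resulting event is scored against the assets it touches. The block below is an added example, not OSSIM's correlation engine, that wires the two together in the shape of the slides' SSH directive. The slides give the tree but not its reliability numbers, so the ladder values, the default asset value of 2 for unknown hosts, and the IP addresses are assumptions of this example; priority 2 and the asset values 2 and 5 are taken from the risk slide.

```python
from collections import defaultdict

# Added example, not OSSIM's correlation code: a minimal directive following
# the slide's SSH chain, feeding the slide's risk formula. Reliability values
# per level are assumed (the slide shows the tree without numbers).

RISK_DIVISOR = 25  # RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25


def risk(asset_value, priority, reliability):
    """Slide formula: asset 0-5, priority 0-5, reliability 0-10 -> risk 0-10."""
    return asset_value * priority * reliability / RISK_DIVISOR


def failure_reliability(n_failures):
    """Assumed ladder: reliability grows with failed logins seen in the chain."""
    if n_failures >= 1000:
        return 9
    if n_failures >= 100:
        return 7
    if n_failures >= 10:
        return 5
    if n_failures >= 1:
        return 2
    return 0


def success_reliability(prior_failures):
    """A login that follows a brute-force run is near-certain compromise; after
    a few failures it is suspicious; with none it is routine (assumed values)."""
    if prior_failures >= 10:
        return 10
    if prior_failures >= 1:
        return 6
    return 1


class SshBruteForceDirective:
    """Counts failed SSH logins per (src, dst) pair and scores each event."""

    PRIORITY = 2          # event priority used on the risk slide
    DEFAULT_ASSET = 2     # assumed value for hosts not in the asset inventory

    def __init__(self, asset_values):
        self.asset_values = asset_values      # {ip: 0-5}
        self.failures = defaultdict(int)

    def feed(self, src, dst, outcome):
        """Consume one event ("failed" or "success") and return its scoring."""
        key = (src, dst)
        if outcome == "failed":
            self.failures[key] += 1
            rel = failure_reliability(self.failures[key])
        elif outcome == "success":
            rel = success_reliability(self.failures[key])
            self.failures[key] = 0            # a successful login closes the chain
        else:
            raise ValueError(f"unknown outcome {outcome!r}")
        return {
            "reliability": rel,
            "risk_src": risk(self.asset_values.get(src, self.DEFAULT_ASSET), self.PRIORITY, rel),
            "risk_dst": risk(self.asset_values.get(dst, self.DEFAULT_ASSET), self.PRIORITY, rel),
        }


# Constructed inventory mirroring the slide: source asset 2, destination asset 5.
ASSETS = {"203.0.113.7": 2, "10.0.0.20": 5}


def demo():
    """Twelve failed logins followed by a success from the same source."""
    directive = SshBruteForceDirective(ASSETS)
    results = [directive.feed("203.0.113.7", "10.0.0.20", "failed") for _ in range(12)]
    results.append(directive.feed("203.0.113.7", "10.0.0.20", "success"))
    return results


if __name__ == "__main__":
    for i, r in enumerate(demo(), 1):
        print(f"event {i:2d}: reliability={r['reliability']:2d} "
              f"risk_src={r['risk_src']:.1f} risk_dst={r['risk_dst']:.1f}")
```

The final event reproduces the slide's numbers: reliability 10 at priority 2 gives risk 1.6 for the source (asset value 2) and 4 for the destination (asset value 5). The same success event with no preceding failures would score reliability 1 and a risk of 0.4 against the destination, which is the "discards false positives" point from the Why OSSIM slide: the raw log line is identical, only the correlated context differs.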
OSSIM & OSSEC Integration
Web management interface
OSSEC alerts plugin
OSSEC correlation rules
OSSEC reports
OSSIM Deployment
OSSIM Attack Detection
OSSIM Demo Use Cases
Detection & Risk assessment
OTX
Snort NIDS
Logical Correlation
Vulnerability assessment
Asset discovery
Correlating Firewall logs:
  Cisco ASA plugin
  Network Scan detection
Correlating Windows Events:
  OSSEC integration
  Brute force attack detection
Thank you
Santiago Gonzalez [email protected]
@santiagobassett
Alien Vault