SlideShare ist ein Scribd-Unternehmen logo

OSSIM Overview

Als PPTX, PDF herunterladen
n|u - The Open Security Community
n|u - The Open Security Community

OSSIM

Technologie
1 von 34
CEH | CHFI
Agenda  Introduction to OSSIM  How to deploy & configure OSSEC agents  Configuring syslog and enabling plugins  Scanning your network for assets and vulnerabilities  OSSIM Demo
2 Types of Security Controls Preventative Controls Used to Implement C-I-A Crypto, Firewall, Antivirus PKI, VPN, SSL, DLP Prevent an incident Detective Controls Provide visibility & response Asset Discovery, VA, IDS/IPS, Log Management, Analytics Detect & respond to an incident
The Big Question  IF WE ALREADY HAVE PREVENTATIVE CONTROLS…  WHY SHOULD WE CARE ABOUT DETECTIVE CONTROLS? Prevention has proven to be elusive A detailed study of 56 “Large US firms” Results: 102 successful intrusions between them EVERY WEEK!
“There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.” - James Routh, 2007 CISO Depository Trust Clearing Corporation Some pretty savvy recent victims
Get good at detection & response Prevent Detect & Respond The basics are in place. Beyond that, enterprises beware! New capabilities to develop
Many professional SOC’s are powered by open source There’s an App for that! PRADS NFSend P0F OVALdi MDL OpenFPC PADS Challenge: How do we make sense of all these?
Lets get started!
The World’s Most Widely Used SIEM MEET OSSIM OSSIM is trusted by 195,000+ security professionals in 175 countries…and counting Established and launched by security engineers out of necessity Users enjoy all of the features of a traditional SIEM – and more
First We Categorize Them! What is the state of my environment – anything strange? Put it all together with external intelligence & determine a response! The 5 essential capabilities for effective detection & response Vulnerability Assessment Threat Detection Behavioral Monitoring Intelligence & Analytics What am I protecting & what is most valuable? Asset Discovery How, when and where am I being attacked? Where are my assets exposed?
Example of How the tools work together
Tools Classification HOW IT WORKS TOOLS integrated with AlienVault OSSIM are classified by behavior of the tool with the network Active: they generate traffic in network being monitored Passive: they analyze network traffic without generating any traffic Passive tools require port mirroring (SPAN) configured in network equipment or virtual machines to analyze traffic
Host IDS  OSSIM comes with OSSEC host- based IDS, which provides:  Log monitoring and collection  Rootkit detection  File integrity checking  Windows registry integrity checking  Active response  OSSEC uses authenticated server/agent architecture. OSSIM Sensor OSSEC Server Servers OSSEC Agent OSSIM Server UDP 1514 Normalized events
Deploying HIDS 1. Add an agent in OSSIM 2. Deploy HIDS agent to the target system. 3. Optionally change configuration file on the agent. 4. Verify HIDS operations.
Add an agent. Save agent. Specify name and IP address. Add Agent in OSSIM  Required task for all operating systems  Can also be added through the manage_a gents script Environment > Detection > HIDS > Agents
Specify domain, username and password of the target system. Download preconfigured agent for Windows. Automatic deployment for Windows. Extract key. Deploy HIDS Agent to Target System  Automated deployment for Windows machines  Manual installation for other OS  Key extraction is required for manual installation
Configuration file. Log file. Change Configuration File on Agent  OSSEC configuration is controlled by a text file.  Agent needs to be restarted after configuration changes.  Log file is available for troubleshootin g.
Agent status should be active. Verify HIDS Operations  Displays overview of OSSEC events and agent information Environment > Detection > HIDS > Overview
OSSEC events. Verify HIDS Operations (Cont.)  Verify if OSSEC events are displayed in the SIEM console.  Utilize search filter to display only events from OSSEC data source. Analysis > Security Events (SIEM) > SIEM
Verify HIDS Operations (Cont.) Environment > Detection > HIDS > Agents > Agent Control Verify registry integrity. Verify presence of rootkits. Verify file integrity.
Syslog & Plugins
Syslog Forwarding  Syslog configuration will vary based on source device/application but, usually, the necessary parameters are:  Destination IP  Source IP  Port (default is UDP 514)
Enabling Plugins  Enable plugin at the asset level  General > Plugins > Edit Plugins  Green light under “Receiving Data” will confirm successful log collection
Vulnerability Assessment  Uses a built-in OpenVAS scanner  Detects vulnerabilities in assets  Vulnerabilities are correlated with events‘ cross-correlation rules  Useful for compliance reports and auditing  Managed from the central SIEM console:  Running and scheduling vulnerability scans  Examining reports  Updating vulnerability signatures
Advanced Options  Vulnerability assessment can be:  Authenticated (SSH and SMB)  Unauthenticated  Predefined profiles can be selected:  Non destructive full and slow scan  Non destructive full and fast scan  Full and fast scan including destructive tests  Custom profiles can be created.
Vulnerability Assessment Configuration 1. (Optionally) tune global vulnerability assessment settings. 2. (Optionally) create a set of credentials. 3. (Optionally) create a scanning profile. 4. Create a vulnerability scan job. 5. Examine scanning results. 6. Optionally create a vulnerability or compliance report.
Update configuration. Select vulnerability ticket threshold. Tune Global Vulnerability Assessment Settings  The vulnerability assessment system opens a ticket for found vulnerabilities.  Start with a high threshold and fix important vulnerabilities first. Configuration > Administration > Main
Specify login username. Specify credential set name. Select authentication type. Click settings. Create Set of Credentials  Used to log into a machine for authenticated scan  Supports the DOMAIN/US ER username Environment > Vulnerabilities > Overview
Examine 3 default profiles. Enable/disable plugin family. Create a new profle. Edit profiles. Create Scanning Profile  Enable profiles that apply to assets you are scanning. Environment > Vulnerabilities > Overview
Create a new scan job. Import Nessus scan report. Select schedule method. Specify scan job name. Select profile. Select server. Select assets. Select credential set for authenticated scan. Save job. Create Vulnerability Scan Job Environment > Vulnerabilities > Scan Jobs
Examine vulnerability statistics. View vulnerability report for all assets. Examine reports for all scan jobs. Examine Vulnerabilities Results Environment > Vulnerabilities > Overview
OSSIM Demo
Questions & Answers
OSSIM Overview

Empfohlen

Continuous monitoring with OSSIM
Continuous monitoring with OSSIMContinuous monitoring with OSSIM
Continuous monitoring with OSSIMEguardian Global Services
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationAlienVault
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsSagar Joshi
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAlienVault
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesAlienVault
 

Empfohlen

Continuous monitoring with OSSIM
Continuous monitoring with OSSIMContinuous monitoring with OSSIM
Continuous monitoring with OSSIMEguardian Global Services
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationAlienVault
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsSagar Joshi
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAlienVault
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesAlienVault
 
Siem solutions R&E
Siem solutions R&ESiem solutions R&E
Siem solutions R&EOwais Ahmad
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVaultAlienVault
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
HP ArcSight
HP ArcSight HP ArcSight
HP ArcSight Mohamed Zohair
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsOWASP Delhi
 
What is SIEM
What is SIEMWhat is SIEM
What is SIEMPatten John
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessSirius
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - BriefAshley Deuble
 
Splunk Phantom SOAR Roundtable
Splunk Phantom SOAR RoundtableSplunk Phantom SOAR Roundtable
Splunk Phantom SOAR RoundtableSplunk
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt ScannerFlorian Roth
 
SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SHRIYARAI4
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Splunk for Security-Hands On
Splunk for Security-Hands OnSplunk for Security-Hands On
Splunk for Security-Hands OnSplunk
 
Microsoft Azure Sentinel
Microsoft Azure SentinelMicrosoft Azure Sentinel
Microsoft Azure SentinelBGA Cyber Security
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
5 howtomitigate
5 howtomitigate5 howtomitigate
5 howtomitigatericharddxd
 
CIS_Controls_v7.1_Implementation_Groups.pdf
CIS_Controls_v7.1_Implementation_Groups.pdfCIS_Controls_v7.1_Implementation_Groups.pdf
CIS_Controls_v7.1_Implementation_Groups.pdfNesterWare
 

Weitere ähnliche Inhalte

Was ist angesagt?

Siem solutions R&E
Siem solutions R&ESiem solutions R&E
Siem solutions R&EOwais Ahmad
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVaultAlienVault
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsOWASP Delhi
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessSirius
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - BriefAshley Deuble
 
Splunk Phantom SOAR Roundtable
Splunk Phantom SOAR RoundtableSplunk Phantom SOAR Roundtable
Splunk Phantom SOAR RoundtableSplunk
 
SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SHRIYARAI4
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Splunk for Security-Hands On
Splunk for Security-Hands OnSplunk for Security-Hands On
Splunk for Security-Hands OnSplunk
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 

Was ist angesagt? (20)

Siem solutions R&E
Siem solutions R&ESiem solutions R&E
Siem solutions R&E
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVault
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
HP ArcSight
HP ArcSight HP ArcSight
HP ArcSight
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
 
What is SIEM
What is SIEMWhat is SIEM
What is SIEM
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - Brief
 
Splunk Phantom SOAR Roundtable
Splunk Phantom SOAR RoundtableSplunk Phantom SOAR Roundtable
Splunk Phantom SOAR Roundtable
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt Scanner
 
SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SIEM : Security Information and Event Management
SIEM : Security Information and Event Management
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Splunk for Security-Hands On
Splunk for Security-Hands OnSplunk for Security-Hands On
Splunk for Security-Hands On
 
Microsoft Azure Sentinel
Microsoft Azure SentinelMicrosoft Azure Sentinel
Microsoft Azure Sentinel
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 

Ähnlich wie OSSIM Overview

5 howtomitigate
5 howtomitigate5 howtomitigate
5 howtomitigatericharddxd
 
CIS_Controls_v7.1_Implementation_Groups.pdf
CIS_Controls_v7.1_Implementation_Groups.pdfCIS_Controls_v7.1_Implementation_Groups.pdf
CIS_Controls_v7.1_Implementation_Groups.pdfNesterWare
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...NoNameCon
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultAlienVault
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentInfocyte
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...John Kinsella
 
Splunk for Security Breakout Session
Splunk for Security Breakout SessionSplunk for Security Breakout Session
Splunk for Security Breakout SessionSplunk
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedJason Chan
 
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingPCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingAlienVault
 
Criticalcontrolsofcyberdefensefinal 100128032433 Phpapp02
Criticalcontrolsofcyberdefensefinal 100128032433 Phpapp02Criticalcontrolsofcyberdefensefinal 100128032433 Phpapp02
Criticalcontrolsofcyberdefensefinal 100128032433 Phpapp02technext1
 
Critical Controls Of Cyber Defense
Critical Controls Of Cyber DefenseCritical Controls Of Cyber Defense
Critical Controls Of Cyber DefenseRishu Mehra
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
Cyber-Security-Unit-4.pptx
Cyber-Security-Unit-4.pptxCyber-Security-Unit-4.pptx
Cyber-Security-Unit-4.pptxTikdiPatel
 
SplunkLive! - Splunk for Security
SplunkLive! - Splunk for SecuritySplunkLive! - Splunk for Security
SplunkLive! - Splunk for SecuritySplunk
 
Detect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange PartnersDetect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange PartnersIBM Security
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointIvanti
 

Ähnlich wie OSSIM Overview (20)

5 howtomitigate
5 howtomitigate5 howtomitigate
5 howtomitigate
 
CIS_Controls_v7.1_Implementation_Groups.pdf
CIS_Controls_v7.1_Implementation_Groups.pdfCIS_Controls_v7.1_Implementation_Groups.pdf
CIS_Controls_v7.1_Implementation_Groups.pdf
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
ISACA -Threat Hunting using Native Windows tools .pdf
ISACA -Threat Hunting using Native Windows tools .pdfISACA -Threat Hunting using Native Windows tools .pdf
ISACA -Threat Hunting using Native Windows tools .pdf
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
 
Idps technology starter v2.0
Idps technology starter v2.0Idps technology starter v2.0
Idps technology starter v2.0
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
 
Splunk for Security Breakout Session
Splunk for Security Breakout SessionSplunk for Security Breakout Session
Splunk for Security Breakout Session
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
 
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingPCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
 
Criticalcontrolsofcyberdefensefinal 100128032433 Phpapp02
Criticalcontrolsofcyberdefensefinal 100128032433 Phpapp02Criticalcontrolsofcyberdefensefinal 100128032433 Phpapp02
Criticalcontrolsofcyberdefensefinal 100128032433 Phpapp02
 
Critical Controls Of Cyber Defense
Critical Controls Of Cyber DefenseCritical Controls Of Cyber Defense
Critical Controls Of Cyber Defense
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
Cybersecurity - Jim Butterworth
Cybersecurity - Jim ButterworthCybersecurity - Jim Butterworth
Cybersecurity - Jim Butterworth
 
Cyber-Security-Unit-4.pptx
Cyber-Security-Unit-4.pptxCyber-Security-Unit-4.pptx
Cyber-Security-Unit-4.pptx
 
SplunkLive! - Splunk for Security
SplunkLive! - Splunk for SecuritySplunkLive! - Splunk for Security
SplunkLive! - Splunk for Security
 
Detect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange PartnersDetect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange Partners
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the Endpoint
 

Mehr von n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Mehr von n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Kürzlich hochgeladen

Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...FIDO Alliance
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...FIDO Alliance
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...FIDO Alliance
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfUK Journal
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceSamy Fodil
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024Stephen Perrenod
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024Stephanie Beckett
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPTiSEO AI
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FIDO Alliance
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jNeo4j
 

Kürzlich hochgeladen (20)

Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 

OSSIM Overview

  • 2. Agenda  Introduction to OSSIM  How to deploy & configure OSSEC agents  Configuring syslog and enabling plugins  Scanning your network for assets and vulnerabilities  OSSIM Demo
  • 3. 2 Types of Security Controls Preventative Controls Used to Implement C-I-A Crypto, Firewall, Antivirus PKI, VPN, SSL, DLP Prevent an incident Detective Controls Provide visibility & response Asset Discovery, VA, IDS/IPS, Log Management, Analytics Detect & respond to an incident
  • 4. The Big Question  IF WE ALREADY HAVE PREVENTATIVE CONTROLS…  WHY SHOULD WE CARE ABOUT DETECTIVE CONTROLS? Prevention has proven to be elusive A detailed study of 56 “Large US firms” Results: 102 successful intrusions between them EVERY WEEK!
  • 5. “There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.” - James Routh, 2007 CISO Depository Trust Clearing Corporation Some pretty savvy recent victims
  • 6. Get good at detection & response Prevent Detect & Respond The basics are in place. Beyond that, enterprises beware! New capabilities to develop
  • 7. Many professional SOC’s are powered by open source There’s an App for that! PRADS NFSend P0F OVALdi MDL OpenFPC PADS Challenge: How do we make sense of all these?
  • 9. The World’s Most Widely Used SIEM MEET OSSIM OSSIM is trusted by 195,000+ security professionals in 175 countries…and counting Established and launched by security engineers out of necessity Users enjoy all of the features of a traditional SIEM – and more
  • 10. First We Categorize Them! What is the state of my environment – anything strange? Put it all together with external intelligence & determine a response! The 5 essential capabilities for effective detection & response Vulnerability Assessment Threat Detection Behavioral Monitoring Intelligence & Analytics What am I protecting & what is most valuable? Asset Discovery How, when and where am I being attacked? Where are my assets exposed?
  • 11. Example of How the tools work together
  • 12. Tools Classification HOW IT WORKS TOOLS integrated with AlienVault OSSIM are classified by behavior of the tool with the network Active: they generate traffic in network being monitored Passive: they analyze network traffic without generating any traffic Passive tools require port mirroring (SPAN) configured in network equipment or virtual machines to analyze traffic
  • 13. Host IDS  OSSIM comes with OSSEC host- based IDS, which provides:  Log monitoring and collection  Rootkit detection  File integrity checking  Windows registry integrity checking  Active response  OSSEC uses authenticated server/agent architecture. OSSIM Sensor OSSEC Server Servers OSSEC Agent OSSIM Server UDP 1514 Normalized events
  • 14. Deploying HIDS 1. Add an agent in OSSIM 2. Deploy HIDS agent to the target system. 3. Optionally change configuration file on the agent. 4. Verify HIDS operations.
  • 15. Add an agent. Save agent. Specify name and IP address. Add Agent in OSSIM  Required task for all operating systems  Can also be added through the manage_a gents script Environment > Detection > HIDS > Agents
  • 16. Specify domain, username and password of the target system. Download preconfigured agent for Windows. Automatic deployment for Windows. Extract key. Deploy HIDS Agent to Target System  Automated deployment for Windows machines  Manual installation for other OS  Key extraction is required for manual installation
  • 17. Configuration file. Log file. Change Configuration File on Agent  OSSEC configuration is controlled by a text file.  Agent needs to be restarted after configuration changes.  Log file is available for troubleshootin g.
  • 18. Agent status should be active. Verify HIDS Operations  Displays overview of OSSEC events and agent information Environment > Detection > HIDS > Overview
  • 19. OSSEC events. Verify HIDS Operations (Cont.)  Verify if OSSEC events are displayed in the SIEM console.  Utilize search filter to display only events from OSSEC data source. Analysis > Security Events (SIEM) > SIEM
  • 20. Verify HIDS Operations (Cont.) Environment > Detection > HIDS > Agents > Agent Control Verify registry integrity. Verify presence of rootkits. Verify file integrity.
  • 22. Syslog Forwarding  Syslog configuration will vary based on source device/application but, usually, the necessary parameters are:  Destination IP  Source IP  Port (default is UDP 514)
  • 23. Enabling Plugins  Enable plugin at the asset level  General > Plugins > Edit Plugins  Green light under “Receiving Data” will confirm successful log collection
  • 24. Vulnerability Assessment  Uses a built-in OpenVAS scanner  Detects vulnerabilities in assets  Vulnerabilities are correlated with events‘ cross-correlation rules  Useful for compliance reports and auditing  Managed from the central SIEM console:  Running and scheduling vulnerability scans  Examining reports  Updating vulnerability signatures
  • 25. Advanced Options  Vulnerability assessment can be:  Authenticated (SSH and SMB)  Unauthenticated  Predefined profiles can be selected:  Non destructive full and slow scan  Non destructive full and fast scan  Full and fast scan including destructive tests  Custom profiles can be created.
  • 26. Vulnerability Assessment Configuration 1. (Optionally) tune global vulnerability assessment settings. 2. (Optionally) create a set of credentials. 3. (Optionally) create a scanning profile. 4. Create a vulnerability scan job. 5. Examine scanning results. 6. Optionally create a vulnerability or compliance report.
  • 27. Update configuration. Select vulnerability ticket threshold. Tune Global Vulnerability Assessment Settings  The vulnerability assessment system opens a ticket for found vulnerabilities.  Start with a high threshold and fix important vulnerabilities first. Configuration > Administration > Main
  • 28. Specify login username. Specify credential set name. Select authentication type. Click settings. Create Set of Credentials  Used to log into a machine for authenticated scan  Supports the DOMAIN/US ER username Environment > Vulnerabilities > Overview
  • 29. Examine 3 default profiles. Enable/disable plugin family. Create a new profle. Edit profiles. Create Scanning Profile  Enable profiles that apply to assets you are scanning. Environment > Vulnerabilities > Overview
  • 30. Create a new scan job. Import Nessus scan report. Select schedule method. Specify scan job name. Select profile. Select server. Select assets. Select credential set for authenticated scan. Save job. Create Vulnerability Scan Job Environment > Vulnerabilities > Scan Jobs
  • 31. Examine vulnerability statistics. View vulnerability report for all assets. Examine reports for all scan jobs. Examine Vulnerabilities Results Environment > Vulnerabilities > Overview