Solving the Open Source Security Puzzle
June 18, 2013 – Securing Ubiquity
Vic Hargrave
JB Cheng
Santiago González Bassett
Disclaimer
The views and opinions expressed during this conference are those of
the speakers and do not necessarily reflect the views and opinions
held by the Information Systems Security Association (ISSA), the
Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay
Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor
any of its chapters warrants the accuracy, timeliness or completeness
of the information presented. Nothing in this conference should be
construed as professional or legal advice or as creating a professional-
customer or attorney-client relationship. If professional, legal, or
other expert assistance is required, the services of a competent
professional should be sought.
Log Normalization
 Syslog
   Ships by default with *nix operating systems.
 Syslog-NG
   Can be installed in various configurations to take the place of the default syslog.
   Free to use, or an enterprise version is available for purchase.
   Many configuration types to export data.
 OSSEC
   Free to use.
   Can export via syslog to other systems.
Solving the Open Source Security Puzzle
 What are the standards?
 Why choose one product over another?
 How do the various security components work together?
 How does this work in the real world? Real examples.
Understanding Rules
 Customizable rulesets - Enable a security practitioner to add true intelligence about their environment.
Host Event Detection
AIDE (Advanced Intrusion Detection Environment)
Network Detection Systems
Event Management
What is OSSEC?
 Open Source SECurity
 Open Source Host-based Intrusion Detection System
 Provides protection for Windows, Linux, Mac OS, Solaris and many *nix systems
 http://www.ossec.net
 Founded by Daniel Cid
 Current project managers – JB Cheng and Vic Hargrave
OSSEC Capabilities
 Log analysis
 File Integrity checking (Unix and Windows)
 Registry Integrity checking (Windows)
 Host-based anomaly detection (for Unix – rootkit
detection)
 Active Response
HIDS Advantages
 Monitors system behaviors that are not evident from the
network traffic
 Can find persistent threats that penetrate firewalls and
network intrusion detection/prevention systems
OSSEC Architecture
(Figure: OSSEC Agents send logs to the OSSEC Server over UDP 1514; the server produces alerts.)
Follow the alerts on the server with:
tail -f $ossec_alerts/alerts.log
File Integrity Alert Sample
** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'
Log Analysis Alert Sample
** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
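The two alert samples above share one layout: a "** Alert" header carrying the epoch timestamp, the notification flags and the rule groups, an origin line with the host and the log location, a "Rule:" line with the rule id and level, and then the raw payload. The parser below is an added example, not OSSEC's own code; it turns that layout into records and pulls out the syscheck (file integrity) alerts and changed paths that a PCI DSS 10.5.5 / 11.5 review would look for. The sample input is the two alerts from the slides, embedded as constructed text.

```python
# Added example (not OSSEC's own code): parse OSSEC alerts.log entries into
# structured records and select the file-integrity (syscheck) alerts.
import re

# The two alerts shown on the slides, embedded as constructed sample input.
SAMPLE_ALERTS = """\
** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'

** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
"""

# Header: "** Alert <epoch>.<seq>: <flags> - <group,group,...>,"
HEADER = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.(?P<seq>\d+): (?P<flags>\S+) - (?P<groups>.*?),?$")
# Origin: "<YYYY Mon DD hh:mm:ss> <host>-><location>"
ORIGIN = re.compile(r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>.+?)->(?P<location>.*)$")
# Rule: "Rule: <id> (level <n>) -> '<description>'"
RULE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<description>.*)'$")


def parse_alerts(text):
    """Split alerts.log text into one dict per alert; payload keeps the raw lines."""
    alerts = []
    current = None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {
                "epoch": int(header["epoch"]),
                "flags": header["flags"].split(","),  # "mail" = alert was also e-mailed
                "groups": [g for g in header["groups"].split(",") if g],
                "payload": [],
            }
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        origin = ORIGIN.match(line)
        if origin and "host" not in current:
            current.update(date=origin["date"], host=origin["host"], location=origin["location"])
            continue
        rule = RULE.match(line)
        if rule and "rule_id" not in current:
            current.update(rule_id=int(rule["rule_id"]), level=int(rule["level"]),
                           description=rule["description"])
            continue
        current["payload"].append(line)  # raw log line(s) or syscheck detail
    return alerts


def integrity_alerts(alerts, min_level=7):
    """Alerts raised by the syscheck engine at or above the given level."""
    return [a for a in alerts if "syscheck" in a["groups"] and a.get("level", 0) >= min_level]


def changed_files(alerts):
    """Paths that syscheck reported as changed, for a change-detection review."""
    paths = []
    for alert in integrity_alerts(alerts):
        for line in alert["payload"]:
            m = re.search(r"changed for: '(.*)'", line)
            if m:
                paths.append(m.group(1))
    return paths


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_ALERTS):
        print(alert["rule_id"], alert["level"], alert["host"], alert["location"], alert["groups"])
    print("changed files:", changed_files(parse_alerts(SAMPLE_ALERTS)))
```

The group list in the header is what makes triage cheap: filtering on "syscheck" isolates the file-integrity events without having to know every rule id, and the level threshold maps directly onto the notification level an OSSEC deployment alerts on.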
PCI DSS Requirement
 10.5.5 - Use file-integrity monitoring or change-detection
software on logs to ensure that existing log data cannot
be changed without generating alerts (although new data
being added should not cause an alert)
 11.5 - Deploy file-integrity monitoring software to alert
personnel to unauthorized modification of critical system
files, configuration files, or content files; and configure
the software to perform critical file comparisons at least
weekly
OSSECCON
 Annual gathering of OSSEC users and developers.
 Community members discuss how they are using OSSEC, what new features they would like, and set the roadmap for future releases.
 OSSEC 2.7.1 soon to be released.
 Planning for OSSEC 3.0 is underway.
 OSSECCON 2013 will be held Thursday July 25th at Trend Micro’s Cupertino office.
 Please join us there!
Santiago González Bassett
santiago@alienvault.com
@santiagobassett
Alien Vault
About me
 Developer, systems engineer, security administrator, consultant and researcher over the last 10 years.
 Member of the OSSIM project team since its inception.
 Implemented distributed Open Source security technologies in large enterprise environments for European and US companies.
http://santi-bassett.blogspot.com/
@santiagobassett
What is OSSIM?
OSSIM is the Open Source SIEM – GNU GPL version 3.0
 With over 195,000 downloads it is the most widely used SIEM in the world.
 Created in 2003, it is developed and maintained by AlienVault and community contributors.
 Provides unified and intelligent security.
http://communities.alienvault.com/
Why OSSIM?
Because it provides security intelligence
 Discards false positives
 Assesses the impact of an attack
 Collaboratively learns about APTs
Because it unifies security management
 Centralizes information
 Integrates threat detection tools
OSSIM integrated tools
Assets
 nmap
 prads
Behavioral monitoring
 fprobe
 nfdump
 ntop
 tcpdump
 nagios
Vulnerability assessment
 osvdb
 openvas
Threat detection
 ossec
 snort
 suricata
OSSIM: 200+ Collectors
OSSIM Architecture
(Figure: the OSSIM components, linked by Configuration & Management and by Normalized Events.)
OSSIM Anatomy of a collector
[apache-access]
event_type=event
regexp="((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] "(?P<request>.*)" (?P<code>\d{3}) ((?P<size>\d+)|-)( "(?P<referer_uri>.*)" "(?P<useragent>.*)")?$"
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}
[Raw log]
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
OSSIM Reliability Assessment
(Figure: a reliability axis; event reliability rises as correlated events accumulate. Stages shown, in order:)
 SSH failed authentication event
 SSH successful authentication event
 10 SSH failed authentication events
 100 SSH failed authentication events
 Persistent connections
 SSH successful authentication event
 1000 SSH failed authentication events
 SSH successful authentication event
OSSIM Risk Assessment
RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY)/25
Example values on the slide: Event Priority = 2, Event Reliability = 10
 Source: Asset Value = 2
 Destination: Asset Value = 5
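The two slides above describe one pipeline: correlation raises an event's reliability as failed SSH logins pile up (and again when a success follows them), and the risk formula then weighs that reliability against the asset value of each end and the event's priority. The added example below (not OSSIM's correlation engine) models that with a toy counter and the slide's formula. The reliability steps are constructed for the example, since the slides show only that reliability climbs at 1, 10, 100 and 1000 failures; the 0-5 asset and priority scales and the 0-10 reliability scale are assumed OSSIM conventions.

```python
# Added example (not OSSIM's own code): toy SSH brute-force correlation that
# raises reliability as failures accumulate, then scores risk with the slide's
# formula RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25.
from collections import defaultdict

# CONSTRUCTED reliability steps: (failed-login count reached, reliability assigned).
FAILED_STEPS = [(1, 1), (10, 3), (100, 6), (1000, 8)]
SUCCESS_AFTER_FAILURES_BONUS = 2   # a success following failures looks like a compromise
MAX_RELIABILITY = 10               # 0-10 reliability scale (assumption)


def risk(asset_value, priority, reliability):
    """Slide formula; asset and priority on 0-5, reliability on 0-10 (assumed scales)."""
    return (asset_value * priority * reliability) / 25


class SshCorrelator:
    """Counts failed SSH authentications per source and remembers a later success."""

    def __init__(self):
        self.failed = defaultdict(int)
        self.success_after_failures = set()

    def feed(self, src, kind):
        """kind is 'ssh_failed' or 'ssh_success' (constructed event names)."""
        if kind == "ssh_failed":
            self.failed[src] += 1
        elif kind == "ssh_success" and self.failed[src] > 0:
            self.success_after_failures.add(src)

    def reliability(self, src):
        rel = 0
        for count, value in FAILED_STEPS:
            if self.failed[src] >= count:
                rel = value
        if src in self.success_after_failures:
            rel = min(MAX_RELIABILITY, rel + SUCCESS_AFTER_FAILURES_BONUS)
        return rel


def assess(correlator, src, dst, asset_values, priority=2):
    """Risk for both ends of the connection, as the slide's source/destination boxes show."""
    rel = correlator.reliability(src)
    return {
        "reliability": rel,
        "source_risk": risk(asset_values.get(src, 0), priority, rel),
        "destination_risk": risk(asset_values.get(dst, 0), priority, rel),
    }


if __name__ == "__main__":
    # Constructed scenario: 1000 failed logins from one source, then a success.
    attacker, server = "198.51.100.7", "10.0.0.5"
    assets = {attacker: 2, server: 5}      # the slide's source/destination asset values
    c = SshCorrelator()
    for _ in range(1000):
        c.feed(attacker, "ssh_failed")
    print("after failures:", assess(c, attacker, server, assets))
    c.feed(attacker, "ssh_success")
    print("after success:", assess(c, attacker, server, assets))
```

With reliability at 10 and priority 2, the source side scores (2 * 2 * 10) / 25 = 1.6 while the destination scores (5 * 2 * 10) / 25 = 4.0, which is the point of the slide: the same event is a bigger risk for the more valuable asset. A lone successful login without prior failures stays at reliability 0 and never raises risk.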
OSSIM & OSSEC Integration
 Web management interface
 OSSEC alerts plugin
 OSSEC correlation rules
 OSSEC reports
OSSIM Deployment
(Figure: SENSOR 1, SENSOR 2 and SENSOR 3 handle LOG COLLECTION from the monitored devices over PORT MIRRORING, SYSLOG, WMI, SDEE, OPSEC, FTP, OSSEC, SCP, SQL, SAMBA and SNMP, and pass NORMALIZED EVENTS / NORMALIZED DATA to the SERVER.)
OSSIM Attack Detection
(Figure: Attacker X.X.X.X against Target Y.Y.Y.Y; the events OSSIM ties together along the way:)
 Accepted HTTP packet from X.X.X.X to Y.Y.Y.Y
 Attack: WEB-IIS multiple decode attempt
 Vulnerability: IIS Remote Command Execution
 Alert: Low reputation IP (OTX)
 Alert: IIS attack detected
OSSIM Demo Use Cases
Detection & Risk assessment
 OTX
 Snort NIDS
 Logical Correlation
 Vulnerability assessment
 Asset discovery
Correlating Firewall logs:
 Cisco ASA plugin
 Network Scan detection
Correlating Windows Events:
 OSSEC integration
 Brute force attack detection
Thank you
Santiago Gonzalez Bassett
santiago@alienvault.com
@santiagobassett
Alien Vault
