June 18, 2013 – Securing Ubiquity
Vic Hargrave, JB Cheng, Santiago González Bassett


Disclaimer
The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.

Log Normalization
Syslog: comes by default with *nix operating systems.
Syslog-NG: can be installed in various configurations to take the place of the default syslog. Free to use, or an enterprise version is available for purchase. Many configuration types to export data.
OSSEC: free to use. Can export via syslog to other systems.

Solving the Open Source Security Puzzle
What are the standards?
Why choose one product over another?
How do the various security components work together?
How does this work in the real world? Real examples.

Understanding Rules
Customizable rulesets enable a security practitioner to add true intelligence about their environment.

Host Event Detection
AIDE (Advanced Intrusion Detection Environment)

Network Detection Systems

Event Management

What is OSSEC?
Open Source SECurity
Open Source Host-based Intrusion Detection System
Provides protection for Windows, Linux, Mac OS, Solaris and many *nix systems
Founded by Daniel Cid
Current project managers: JB Cheng and Vic Hargrave

OSSEC Capabilities
Log analysis
File integrity checking (Unix and Windows)
Registry integrity checking (Windows)
Host-based anomaly detection (for Unix: rootkit detection)
Active response

HIDS Advantages
Monitors system behaviors that are not evident from the network traffic
Can find persistent threats that penetrate firewalls and network intrusion detection/prevention systems

OSSEC Architecture
(Diagram: OSSEC agents send logs to the OSSEC server over UDP 1514; the server produces alerts.)
tail -f $ossec_alerts/alerts.log

File Integrity Alert Sample
** Alert : mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'

Log Analysis Alert Sample
** Alert : mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
:38:47 status installed linux-image generic-pae
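The two alert samples above share the alerts.log block layout (header, location, rule, payload). The parser below is an added example, not OSSEC's own code; the alert ids and the third, level-3 alert are constructed for the sample.

```python
import re

# Constructed alerts.log excerpt modelled on the two alerts shown on the slides;
# the alert ids, the third (level 3) alert and its payload are made up.
SAMPLE_ALERTS = """\
** Alert 1365550297.1001: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'

** Alert 1365514728.1002: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-generic-pae

** Alert 1365514900.1003: - pam,syslog,authentication_success,
2013 Apr 09 06:41:40 ubuntu->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Apr  9 06:41:40 ubuntu sshd[2231]: pam_unix(sshd:session): session opened for user bob by (uid=0)
"""

# Header, location and rule lines of one OSSEC alert block.
HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+): (?P<mail>mail )?- (?P<groups>[\w,]+)$")
LOCATION = re.compile(r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>.+?)->(?P<location>\S+)$")
RULE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

def parse_alerts(text):
    """Split an alerts.log stream into one dict per '** Alert' block."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        h, l, r = HEADER.match(lines[0]), LOCATION.match(lines[1]), RULE.match(lines[2])
        if not (h and l and r):
            continue  # not an alert block (e.g. a truncated tail of the file)
        alerts.append({
            "timestamp": float(h["ts"]),
            "mail": h["mail"] is not None,  # 'mail' marks alerts that were also emailed
            "groups": h["groups"].strip(",").split(","),
            "host": l["host"], "location": l["location"],
            "rule_id": int(r["id"]), "level": int(r["level"]),
            "description": r["desc"],
            "payload": "\n".join(lines[3:]),  # the raw line(s) that fired the rule
        })
    return alerts

def alerts_at_least(text, level):
    """Keep alerts of the given level or higher (level 7 selects both slide samples)."""
    return [a for a in parse_alerts(text) if a["level"] >= level]
```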

PCI DSS Requirement
Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Annual gathering of OSSEC users and developers. Community members discuss how they are using OSSEC and what new features they would like, and set the roadmap for future releases.
OSSEC soon to be released. Planning for OSSEC 3.0 is underway.
OSSECCON 2013 will be held Thursday, July 25th at Trend Micro's Cupertino office. Please join us there!

Santiago González, AlienVault

About me
Developer, systems engineer, security administrator, consultant and researcher for the last 10 years.
Member of the OSSIM project team since its inception.
Implemented distributed open source security technologies in large enterprise environments for European and US companies.

What is OSSIM?
OSSIM is the Open Source SIEM (GNU GPL version 3.0).
With over 195,000 downloads it is the most widely used SIEM in the world.
Created in 2003, it is developed and maintained by AlienVault and community contributors.
Provides unified and intelligent security.

Why OSSIM?
Because it provides security intelligence:
Discards false positives
Assesses the impact of an attack
Collaboratively learns about APT
Because it unifies security management:
Centralizes information
Integrates threat detection tools

OSSIM integrated tools
Assets: nmap, prads
Behavioral monitoring: fprobe, nfdump, ntop, tcpdump, nagios
Vulnerability assessment: osvdb, openvas
Threat detection: ossec, snort, suricata

OSSIM: 200+ collectors

OSSIM Architecture
(Diagram: Configuration & Management; Normalized Events)

OSSIM: Anatomy of a collector

[apache-access]
event_type=event
regexp="((?P \S+)(:(?P \d{1,5}))? )?(?P \S+) (?P \S+) (?P \S+) \[(?P \d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P.*)\" (?P \d{3}) ((?P \d+)|-)( \"(?P.*)\" \"(?P.*)\")?$"
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}

[Raw log]
[15/Jun/2013:10:14: ] "GET /ossim/session/login.php HTTP/1.1" "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/537.36"

OSSIM Reliability Assessment
(Diagram: correlation tree for SSH authentication events; reliability increases as the chain progresses.)
SSH failed authentication event
SSH successful authentication event
10 SSH failed authentication events
100 SSH failed authentication events
Persistent connections
SSH successful authentication event
1000 SSH failed authentication events
SSH successful authentication event

OSSIM Risk Assessment
RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25
Example: Event Priority = 2, Event Reliability = 10
Source: Asset Value = 2
Destination: Asset Value = 5
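Putting the two preceding slides together (the reliability ladder and the risk formula), here is an added example that is not OSSIM's shipped directive: the failure-count thresholds and their reliability values are constructed, and the 0..5 / 0..5 / 0..10 ranges for asset value, priority and reliability are assumptions; the formula and the slide's example values are the page's own.

```python
# Added example (not OSSIM's directive): the slide's risk formula fed by a
# constructed brute-force reliability ladder for SSH authentication events.

def risk(asset_value, priority, reliability):
    """RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25.
    With asset 0..5, priority 0..5 and reliability 0..10 (assumed ranges)
    the result lies in 0..10."""
    return (asset_value * priority * reliability) / 25

# Assumed ladder: cumulative failed-auth count -> reliability, mirroring the
# 1 / 10 / 100 / 1000 failure stages on the slide (values are constructed).
FAILED_AUTH_LADDER = [(1000, 9), (100, 6), (10, 3), (1, 1)]

def reliability_for(failed, success_after_failures):
    """A login success after at least 10 failures is the strongest signal."""
    if success_after_failures:
        return 10
    for threshold, value in FAILED_AUTH_LADDER:
        if failed >= threshold:
            return value
    return 0

def assess(events, src_asset, dst_asset, priority):
    """events: (kind, src, dst) tuples with kind 'fail' or 'success'.
    Returns reliability and source/destination risk per (src, dst) pair."""
    state = {}
    for kind, src, dst in events:
        s = state.setdefault((src, dst), {"failed": 0, "success": False})
        if kind == "fail":
            s["failed"] += 1
        elif kind == "success" and s["failed"] >= 10:
            s["success"] = True  # success only counts once the pair is already suspicious
    result = {}
    for pair, s in state.items():
        rel = reliability_for(s["failed"], s["success"])
        result[pair] = {
            "reliability": rel,
            "risk_src": risk(src_asset, priority, rel),
            "risk_dst": risk(dst_asset, priority, rel),
        }
    return result

# Constructed sample: one source fails 100 times and then logs in; another fails 3 times.
SAMPLE_EVENTS = ([("fail", "10.0.0.9", "10.0.0.1")] * 100
                 + [("success", "10.0.0.9", "10.0.0.1")]
                 + [("fail", "10.0.0.7", "10.0.0.1")] * 3)
```

With the slide's values (priority 2, reliability 10) the first pair scores 1.6 against the source asset and 4.0 against the destination asset, which is why the same event can be a low-risk finding for one asset and a high-risk one for another.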

OSSIM & OSSEC Integration
Web management interface
OSSEC alerts plugin
OSSEC correlation rules
OSSEC reports

OSSIM Deployment

OSSIM Attack Detection

OSSIM Demo Use Cases
Detection & risk assessment: OTX, Snort NIDS, logical correlation, vulnerability assessment, asset discovery
Correlating firewall logs: Cisco ASA plugin, network scan detection
Correlating Windows events: OSSEC integration, brute force attack detection

Thank you
Santiago González, AlienVault