Copyright Justin C. Klein HECTOR Security Intelligence Platform Developed for: University of Pennsylvania School of Arts & Science.

Slides:



Advertisements
Similar presentations
Protecting Cyber-TA Contributors: Risks and Challenges Vitaly Shmatikov The University of Texas at Austin.
Advertisements

Security Administration Tools and Practices Amit Bhan Usable Privacy and Security.
SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
By Hiranmayi Pai Neeraj Jain
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
University of Florida Incident Tracking and Reporting Kathy Bergsma
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,
Wireless and Switch Security NETS David Mitchell.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Copyright 2010 Justin C. Klein Keane Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post-Compromise.
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
Deploying Tools for Cleaning Personal Information University of Pennsylvania School of Arts and Sciences Justin C. Klein Keane Sr. Information Security.
IBM Security Network Protection (XGS)
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
Finding Exploitable Admin Systems A “How To” Guide for SecurityCenter.
Lecture 11 Intrusion Detection (cont)
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
Confidential Crisis Management Innovations, LLC. CMI CrisisPad TM Product Overview Copyright © 2011, Crisis Management Innovations, LLC. All Rights Reserved.
Brad Baker CS526 May 7 th, /7/ Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.
Drupal Security Securing your Configuration Justin C. Klein Keane University of Pennsylvania School of Arts and Sciences Information Security and Unix.
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
Copyright Justin C. Klein Keane Drupal Threat Landscape.
ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.
Honeypot and Intrusion Detection System
Attack Lifecycle Many attacks against information systems follow a standard lifecycle: –Stage 1: Info. gathering (reconnaissance) –Stage 2: Penetration.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
©Justin C. Klein Keane Using OSSEC Open Source Host Based Intrusion Detection Justin C. Klein Keane University of Pennsylvania School of Arts & Sciences.
Alert Logic Security and Compliance Solutions for vCloud Air High-level Overview.
A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.
Intrusion Detection Prepared by: Mohammed Hussein Supervised by: Dr. Lo’ai Tawalbeh NYIT- winter 2007.
DIYTP Assessing a System - Basics  Why?  Vulnerabilities  What to look at:  The six ‘P’s  Patch  Ports  Protect  Policies  Probe  Physical.
1 © 2001, Cisco Systems, Inc. All rights reserved. Cisco Info Center for Security Monitoring.
Alert Logic Security and Compliance Solutions for vCloud Air High-level Overview.
Network Assessment How intrusion techniques contribute to system/network security Network and system monitoring System mapping Ports, OS, applications.
Chapter 5: Implementing Intrusion Prevention
Mapping Internet Sensors with Probe Response Attacks Authors: John Bethencourt, Jason Franklin, Mary Vernon Published At: Usenix Security Symposium, 2005.
SNORT Biopsy: A Forensic Analysis on Intrusion Detection System By Asif Syed Chowdhury.
Knowing What You Missed Forensic Techniques for Investigating Network Traffic.
Network Security: Lab#5 Port Scanners and Intrusion Detection System
Intrusion Detection Cyber Security Spring Reading material Chapter 25 from Computer Security, Matt Bishop Snort –
Copyright Justin C. Klein Security Intelligence From What and Why to How.
James S. Rothfuss, Computer Protection Program COMPUTING SCIENCES NETS Network Equipment Tracking System.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Intrusion Detection and Incidence Response Course Name – IT Intrusion Detection and Incidence.
I NTRUSION P REVENTION S YSTEM (IPS). O UTLINE Introduction Objectives IPS’s Detection methods Classifications IPS vs. IDS IPS vs. Firewall.
Network Security Terms. Perimeter is the fortified boundary of the network that might include the following aspects: 1.Border routers 2.Firewalls 3.IDSs.
IS3220 Information Technology Infrastructure Security
-SHAMBHAVI PARADKAR TE COMP  PORT SCANNING.  DENIAL OF SERVICE(DoS). - DISTRIBUTED DENIAL OF SERVICE(DDoS). REFER Pg.637 & Pg.638.
IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.
Using Honeypots to Improve Network Security Dr. Saleh Ibrahim Almotairi Research and Development Centre National Information Centre - Ministry of Interior.
Chapter 14.  Upon completion of this chapter, you should be able to:  Identify different types of Intrusion Detection Systems and Prevention Systems.
Kevin Watson and Ammar Ammar IT Asset Visibility.
DETECTING INTRUSIONS By Matthew Morrow. WHAT ARE INTRUSIONS? Definition: “To compromise a computer system by breaking the security of such a system or.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
IDS Intrusion Detection Systems
Copyright Justin C. Klein Keane
Chapter 27: System Security
11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
CRITICAL INFRASTRUCTURE CYBERSECURITY
Intrusion Prevention Systems
Chapter 4: Protecting the Organization
Intrusion Detection system
Presentation transcript:

Copyright Justin C. Klein HECTOR Security Intelligence Platform Developed for: University of Pennsylvania School of Arts & Science

Copyright Justin C. Klein What is Security Intelligence Business intelligence principles applied to security data Security intelligence supports strategic infosec decision making based on metrics Target resource allocation to quantified threats Security data abounds, but making useful decisions based on that data is tough HECTOR is a repository for security data that allows for analysis HECTOR brings together disparate data sources to find trends and relationships

Copyright Justin C. Klein Sample Sources of Data Host based intrusion detection alerts Darknet data (network traffic) Port scans Honeypots (attempted logins, attack toolkits, etc.) Vulnerability scans Public vulnerability alerts and disclosures System event logs Incident response reports Etc.

Copyright Justin C. Klein Open Source HECTOR is based entirely on open source technologies Runs best on a LAMP stack Uses structured data (MySQL) Uses PHP, Perl, Python, iptables, Kojoney, OSSEC, NMAP, and more... More info and download at: hector

Copyright Justin C. Klein Issues with Security Intelligence Problems of big data will crop up quickly Scale complicated development, deployment and debugging Much of the effort of SI will be spent on middleware Interesting data only emerges when all data is aggregated Getting access to other folks' data will be challenging Deliberate initial planning pays off – altering a table of 80 million rows is painful!

Copyright Justin C. Klein Principles Guiding Development SAS has no access to network data for NIDS Over 15,000 internet addressable IP's Asset management was a huge challenge Vulnerability disclosure mitigation was ad-hoc Multiple different security data sources (darknet, honeypots, HIDS logs, etc.) were scattered over different systems Needed a way to query data across sources and guide intelligent security decision making

Copyright Justin C. Klein How It Works (Basics) MySQL database aggregates data sources Web front end for querying and reporting Access control via CoSign (or fallback) Hosts are assigned to support groups, support groups assigned a contact address Nightly NMAP scans updates host profiles Vulnerability scan data added to the database HECTOR is extensible – add your own scans

Copyright Justin C. Klein Currently Supports Data Sources OSSEC host based intrusion detection logs Kojoney based SSH honeypots Iptables based darknet sensors NMAP port scans Vulnerability scans (Nikto, Nessus, etc.) Security news outlets (RSS feeds, vulnerability announcements, etc.)

Copyright Justin C. Klein Use Case #1 THREAT IDENTIFIED Vulnerability disclosed in a well known service EVIDENCE OF INTENT Look for spikes in scanning for that service on darknet sensors REMEDIATION PLANNING Quickly identify all machines in the environment running that service REMEDIATION LOGISTICS Build a contact list and alert admins to patch. Track admins that legitimately don't patch TRACK EFFECTIVENESS Implement targeted vulnerability scanning to track remediation

Copyright Justin C. Klein Use Case #2 – IR & Detection Attacker observed (malicious IP identified) Query all data sources for other evidence of activity from that IP Darknet probes, honeypot data, IDS logs, etc. Look for attack profile from data sources Alert admins of machines that fit the particular profile Identify vulnerable machines Potentially uncover compromises

Copyright Justin C. Klein Summary Screen

Copyright Justin C. Klein Intrusion Detection Summary

Copyright Justin C. Klein Alerts Summary

Copyright Justin C. Klein Host Summary

Copyright Justin C. Klein Search for Malicious IP

Copyright Justin C. Klein Sample Report

Copyright Justin C. Klein Scan Schedule

Copyright Justin C. Klein Asset Management

Copyright Justin C. Klein System Configuration

Copyright Justin C. Klein Thank

Copyright Justin C. Klein Links to Resources HECTOR download NMAP - OSSEC - Kojoney - Kippo - Rsyslog - Much of my inspiration from Ed Bellis –

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.