Copyright Justin C. Klein Security Intelligence From What and Why to How.
Presentation transcript:

Copyright Justin C. Klein Security Intelligence From What and Why to How

What is Security Intelligence?
- Business intelligence principles applied to security data
- Apply data to decision making
- More than just metrics
  - Soft data points included as well
- Security data abounds
  - Making useful decisions based on data is tough

Sample Sources of Data
- Host based intrusion detection alerts
- Darknet data (network traffic)
- Port scans
- Honeypots (attempted logins, attack toolkits, etc.)
- Vulnerability scans
- Public vulnerability alerts and disclosures
- System event logs
- Incident response reports
- Etc.

Why
- Anecdotal evidence often guides security
- "Best practice" is often indefensible
  - Change your password every 60 days - why???
- Security isn't really engineering, or science
  - No hard and fast rules (or laws)
- Analysis should guide decision making
- Security intelligence gathers data points to support analysis

Security Intelligence vs. Vulnerability Remediation
- Traditional InfoSec relies on vulnerability scanning
- Ideally:
  - Find problems, fix them, find more, rinse, repeat
- In reality:
  - Scanner generates a report full of extraneous and incorrect details, with no reliable severity or impact
  - Report ignored
  - Rinse, repeat

Why Vuln Centric Security Fails
- Vulnerability scanning is "dumb"
- Asset owners don't request scans
- Defaults to an enforcement approach
- Vulnerability reports are massive and provide little guidance
- Ultimately reports get filed in the trash bin

Security Intelligence Goals
- Add perspective and analysis to security recommendations
- Provide a good case for change requests
- Guide targeted campaigns to remediate vulnerabilities
- Show good ROI for efforts
- Maximize your limited staff resources
- Encourage compliance

Use Case #1
- Vulnerability disclosed in a well known service
- Look for spikes in scanning for that service on darknet sensors
- Quickly identify all machines in the environment running that service
- Build a contact list and alert admins to patch
- Implement targeted vulnerability scanning to track remediation

Use Case #2
- Attacker observed (malicious IP identified)
- Query all data sources for other evidence of activity from that IP
  - Darknet probes, honeypot data, IDS logs, etc.
- Look for an attack profile across the data sources
- Alert admins of machines that fit the particular profile
  - Identify vulnerable machines
  - Potentially uncover compromises
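Use Cases #1 and #2 worked through as an added example; this is not HECTOR's own code. Three constructed log snippets in simplified iptables darknet, Kojoney-style honeypot and OSSEC-style HIDS formats are normalised into one event list, which is then queried for a single source IP's cross-source profile (Use Case #2) and for darknet hits per destination port, the series you would watch for a spike after a disclosure (Use Case #1). The log formats, field names, hostnames and addresses are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample records; the formats are simplified approximations of iptables LOG,
# Kojoney and OSSEC output, not verbatim product output. Addresses are RFC 5737 ranges.
DARKNET = [
    "Mar 10 02:14:33 darknet kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=22",
    "Mar 10 02:14:35 darknet kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.8 PROTO=TCP SPT=51235 DPT=22",
    "Mar 10 02:20:00 darknet kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=4000 DPT=445",
]
HONEYPOT = [
    "2012-03-10 02:15:01 203.0.113.45 login attempt root/123456",
    "2012-03-10 02:15:04 203.0.113.45 login attempt admin/admin",
]
HIDS = [
    "Rule: 5716 (level 5) -> 'SSHD authentication failed.' Src IP: 203.0.113.45 host: webhost",
    "Rule: 5712 (level 10) -> 'SSHD brute force trying to get access.' Src IP: 203.0.113.45 host: webhost",
]

# One regex per source; every parser yields an "ip" field so the sources can be joined on it.
PARSERS = {
    "darknet": re.compile(r"SRC=(?P<ip>\S+) DST=(?P<dst>\S+) PROTO=\S+ SPT=\d+ DPT=(?P<port>\d+)"),
    "honeypot": re.compile(r"^\S+ \S+ (?P<ip>\S+) login attempt (?P<cred>\S+)$"),
    "hids": re.compile(r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '[^']*' Src IP: (?P<ip>\S+) host: (?P<host>\S+)"),
}

def load(sources):
    """Normalise raw lines from every source into one list of dict events (the aggregation step)."""
    events = []
    for name, lines in sources.items():
        for line in lines:
            m = PARSERS[name].search(line)
            if m:  # lines that do not match their source's format are dropped, not guessed at
                events.append(dict(m.groupdict(), source=name))
    return events

def profile(events, ip):
    """Use case #2: everything any source recorded from one address, plus the hosts it touched."""
    hits = [e for e in events if e["ip"] == ip]
    return {
        "sources": sorted({e["source"] for e in hits}),
        "ports": sorted({int(e["port"]) for e in hits if "port" in e}),
        "targets": sorted({e.get("dst") or e.get("host") for e in hits if e.get("dst") or e.get("host")}),
        "max_hids_level": max((int(e["level"]) for e in hits if "level" in e), default=0),
    }

def port_counts(events):
    """Use case #1: darknet hits per destination port; compare against a baseline to spot a scanning spike."""
    return Counter(int(e["port"]) for e in events if e["source"] == "darknet")

if __name__ == "__main__":
    evs = load({"darknet": DARKNET, "honeypot": HONEYPOT, "hids": HIDS})
    print(profile(evs, "203.0.113.45"))
    print(port_counts(evs).most_common())
```

The "targets" list of a profile is the contact set for the alerting step: each entry is a host whose support group should be told what was seen.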

Issues with Security Intelligence
- Problems of big data will crop up quickly
- Scale complicates development, deployment and debugging
- Much of the effort of SI will be spent on middleware
- Interesting data only emerges when all data is aggregated
- Getting access to other folks' data will be challenging
- Deliberate initial planning pays off
  - Altering a table of 80 million rows is painful!

Specific Implementation - HECTOR
- HECTOR is our solution for security intelligence

Open Source
- HECTOR is based entirely on open source technologies
- Runs best on a LAMP stack
- Uses PHP, Perl, Python, MySQL, iptables, Kojoney, OSSEC, NMAP, and more...
- More info and download at: hector

Principles Guiding Development
- SAS has no access to network data for NIDS
- Over 15,000 internet addressable IPs
- Asset management was a huge challenge
- Vulnerability disclosure mitigation was ad-hoc
- Multiple different security data sources (darknet, honeypots, HIDS logs, etc.) were scattered over different systems
- Needed a way to query data across sources and guide intelligent security decision making

Fundamentals
- No network span ports or taps required!
- HECTOR is designed to be an augmented asset management platform
- All data is tied to hosts
- Each host includes contact information for users as well as technical support
- HECTOR is designed to allow supplementary data to be linked with hosts, from port scans to incident histories to vulnerability reports

How It Works (Basics)
- MySQL database aggregates data sources
- Web front end for querying and reporting
- Access control via CoSign (or fallback)
- Hosts are assigned to support groups; support groups are assigned a contact address
- Nightly NMAP scans update host profiles
- Vulnerability scan data added to the database
- HECTOR is extensible: add your own scans

Currently Supported Data Sources
- OSSEC host based intrusion detection logs
- Kojoney based SSH honeypots
- Iptables based darknet sensors
- NMAP port scans
- Vulnerability scans (Nikto, Nessus, etc.)
- Security news outlets (RSS feeds, vulnerability announcements, etc.)

Screenshot slides (images not included in the transcript):
- Summary Screen
- Intrusion Detection Summary
- Alerts Summary
- Host Summary
- Search for Malicious IP
- Sample Report
- Scan Schedule
- Asset Management
- System Configuration

Lessons Learned
- Internal software development takes a really long time
- Logistical considerations are always the most difficult challenge
- As soon as software enters a useful beta it tends to migrate rapidly to essential service
- Bug fixes tend to be weighted towards the features actually in use
- Simple NMAP scans are never simple
- Remediation tracking is as difficult as vulnerability identification
- Querying large data sets takes careful planning

Thank you

Links to Resources
- HECTOR download - hector
- NMAP
- OSSEC
- Kojoney
- Kippo
- Rsyslog