Securing Ubiquity – June 18, 2013
Speakers: Vic Hargrave, JB Cheng, Santiago González Bassett
Disclaimer
The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.
Log Normalization
- Syslog: comes by default within *nix operating systems.
- Syslog-NG: can be installed in various configurations to take the place of the default syslog. Free to use, or an enterprise version is available for purchase. Many configuration types to export data.
- OSSEC: free to use; can export via syslog to other systems.
Solving the Open Source Security Puzzle
- What are the standards?
- Why choose one product over another?
- How do the various security components work together?
- How does this work in the real world? Real examples.
Understanding Rules
- Customizable rulesets enable a security practitioner to encode real knowledge of their own environment into the detection logic.
Host Event Detection
- AIDE (Advanced Intrusion Detection Environment)
Network Detection Systems
Event Management
What is OSSEC?
- Open Source SECurity
- Open Source Host-based Intrusion Detection System
- Provides protection for Windows, Linux, Mac OS, Solaris and many *nix systems
- http://www.ossec.net
- Founded by Daniel Cid
- Current project managers: JB Cheng and Vic Hargrave
OSSEC Capabilities
- Log analysis
- File integrity checking (Unix and Windows)
- Registry integrity checking (Windows)
- Host-based anomaly detection (for Unix: rootkit detection)
- Active response
HIDS Advantages
- Monitors system behaviors that are not evident from the network traffic
- Can find persistent threats that penetrate firewalls and network intrusion detection/prevention systems
OSSEC Architecture (diagram): OSSEC agents forward their logs to the OSSEC server over UDP port 1514; the server analyzes them and writes alerts, which can be followed live with: tail -f $ossec_alerts/alerts.log
File Integrity Alert Sample
** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'
Log Analysis Alert Sample
** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
PCI DSS Requirements
- 10.5.5: Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
- 11.5: Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
OSSECCON
- Annual gathering of OSSEC users and developers. Community members discuss how they are using OSSEC, what new features they would like, and set the roadmap for future releases.
- OSSEC 2.7.1 is soon to be released. Planning for OSSEC 3.0 is underway.
- OSSECCON 2013 will be held Thursday, July 25th at Trend Micro's Cupertino office. Please join us there!
Santiago González Bassett – santiago@alienvault.com – @santiagobassett – Alien Vault
About me
- Developer, systems engineer, security administrator, consultant and researcher over the last 10 years.
- Member of the OSSIM project team since its inception.
- Implemented distributed open source security technologies in large enterprise environments for European and US companies.
http://santi-bassett.blogspot.com/ – @santiagobassett
What is OSSIM?
- OSSIM is the Open Source SIEM, licensed under the GNU GPL version 3.0.
- With over 195,000 downloads it is the most widely used SIEM in the world.
- Created in 2003, it is developed and maintained by Alien Vault and community contributors.
- Provides unified and intelligent security.
http://communities.alienvault.com/
Why OSSIM?
Because it provides security intelligence:
- Discards false positives
- Assesses the impact of an attack
- Collaboratively learns about APT
Because it unifies security management:
- Centralizes information
- Integrates threat detection tools
OSSIM integrated tools
- Assets: nmap, prads
- Behavioral monitoring: fprobe, nfdump, ntop, tcpdump, nagios
- Vulnerability assessment: osvdb, openvas
- Threat detection: ossec, snort, suricata
OSSIM: 200+ collectors
OSSIM Architecture (diagram; labelled flows: Configuration & Management, Normalized Events)
OSSIM: Anatomy of a collector
The apache-access plugin, as shown on the slide (the named groups in the regexp carry the names used by the field mappings that follow it):

[apache-access]
event_type=event
regexp="((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\" (?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_uri>.*)\" \"(?P<useragent>.*)\")?$"
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}

Raw log:
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
OSSIM Reliability Assessment (correlation tree; reliability rises as the chain progresses)
- SSH failed authentication event, then 10, 100 and 1000 SSH failed authentication events
- At each stage, an SSH successful authentication event or persistent connections from the same source raises the reliability further
OSSIM Risk Assessment
RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25
Worked example from the slide: Event Priority = 2, Event Reliability = 10, Source Asset Value = 2, Destination Asset Value = 5. The risk scored for the destination is (5 * 2 * 10) / 25 = 4 and for the source (2 * 2 * 10) / 25 = 1.6.
OSSIM & OSSEC Integration
- Web management interface
- OSSEC alerts plugin
- OSSEC correlation rules
- OSSEC reports
OSSIM Deployment (diagram)
OSSIM Attack Detection (diagram)
OSSIM Demo Use Cases
- Detection & risk assessment: OTX, Snort NIDS
- Logical correlation: vulnerability assessment, asset discovery
- Correlating firewall logs: Cisco ASA plugin, network scan detection
- Correlating Windows events: OSSEC integration, brute force attack detection
Thank you
Santiago Gonzalez Bassett – santiago@alienvault.com – @santiagobassett – Alien Vault