Presentation is loading. Please wait.

Presentation is loading. Please wait.

June 18, 2013 – Securing Ubiquity Vic Hargrave JB Cheng Santiago González Bassett.

Similar presentations


Presentation on theme: "June 18, 2013 – Securing Ubiquity Vic Hargrave JB Cheng Santiago González Bassett."— Presentation transcript:

1 June 18, 2013 – Securing Ubiquity Vic Hargrave JB Cheng Santiago González Bassett

2 Disclaimer The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional- customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought. June 18, 2013 – Securing Ubiquity 2

3 Log Normalization Syslog Comes default within *Nix operating systems. Sylog-NG Can be installed in various configurations to take the place of default syslog. Free to use or enterprise version available for purchase. Many configuration types to export data. OSSEC Free to use Can export via syslog to other systems. June 18, 2013 – Securing Ubiquity 3

4 Solving the Open Source Security Puzzle What are the standards? Why choose one product over another? How do the various security components work together? How does this work in the real world, real examples. June 18, 2013 – Securing Ubiquity 4

5 5 Understanding Rules Customizable rulesets - Enable a security practitioner to add true intelligence of their environment.

6 Host Event Detection AIDE (Advanced Intrusion Detection Environment) June 18, 2013 – Securing Ubiquity 6

7 Network Detection Systems June 18, 2013 – Securing Ubiquity 7

8 8 Event Management

9 What is ? Open Source SECurity Open Source Host-based Intrusion Detection System Provides protection for Windows, Linux, Mac OS, Solaris and many *nix systems Founded by Daniel Cid Current project managers – JB Cheng and Vic Hargrave June 18, 2013 – Securing Ubiquity 9

10 OSSEC Capabilities Log analysis File Integrity checking (Unix and Windows) Registry Integrity checking (Windows) Host-based anomaly detection (for Unix – rootkit detection) Active Response June 18, 2013 – Securing Ubiquity 10

11 HIDS Advantages Monitors system behaviors that are not evident from the network traffic Can find persistent threats that penetrate firewalls and network intrusion detection/prevention systems June 18, 2013 – Securing Ubiquity 11

12 tail -f $ossec_alerts/alerts.log June 18, 2013 – Securing Ubiquity 12 OSSEC Server OSSEC Agents logs UDP 1514 logs UDP 1514 OSSEC Architecture alerts

13 File Integrity Alert Sample ** Alert : mail - ossec,syscheck, 2013 Apr 09 16:31:37 ubuntu->syscheck Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).' Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels' June 18, 2013 – Securing Ubiquity 13

14 Log Analysis Alert Sample ** Alert : mail - syslog,dpkg,config_changed, 2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.' :38:47 status installed linux-image generic-pae June 18, 2013 – Securing Ubiquity 14

15 PCI DSS Requirement Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert) Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly June 18, 2013 – Securing Ubiquity 15

16 Annual gathering of OSSEC users and developers. Community members discuss how they are using OSSEC, what new features they would like and set the roadmap for future releases. OSSEC soon to be released. Planning for OSSEC 3.0 is underway. OSSECCON 2013 will be held Thursday July 25 th at Trend Micro’s Cupertino office. Please join us there! June 18, 2013 – Securing Ubiquity 16

17 June 18, 2013 – Securing Ubiquity Santiago González Alien Vault 17

18 About me Developer, systems engineer, security administrator, consultant and researcher in the last 10 years. Member of OSSIM project team since its inception. Implemented distributed Open Source security technologies in large enterprise environments for European and US companies. June 18, 2013 – Securing Ubiquity 18

19 What is OSSIM? OSSIM is the Open Source SIEM – GNU GPL version 3.0 With over 195,000 downloads it is the most widely used SIEM in the world. Created in 2003, is developed and maintained by Alien Vault and community contributors. Provides Unified and Intelligent Security. June 18, 2013 – Securing Ubiquity 19

20 Why OSSIM? Because provides security Intelligence Discards false positives Assesses the impact of an attack Collaboratively learns about APT June 18, 2013 – Securing Ubiquity Because Unifies security management Centralizes information Integrates threats detection tools 20

21 OSSIM integrated tools June 18, 2013 – Securing Ubiquity Assets nmap prads Behavioral monitoring fprobe nfdump ntop tcpdump nagios Vulnerability assessment osvdb openvas Threat detection ossec snort suricata 21

22 OSSIM +200 Collectors June 18, 2013 – Securing Ubiquity 22

23 OSSIM Architecture June 18, 2013 – Securing Ubiquity Configuration & Management Normalized Events 23

24 OSSIM Anatomy of a collector June 18, 2013 – Securing Ubiquity 24 [apache-access] event_type=event regexp=“((?P \S+)(:(?P \d{1,5}))? )?(?P \S+) (?P \S+) (?P \S+) \[(?P \d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P.*)\” (?P \d{3}) ((?P \d+)|-)( \"(?P.*)\" \”(?P.*)\")?$” src_ip={resolv($src)} dst_ip={resolv($dst)} dst_port={$port} date={normalize_date($date)} plugin_sid={$code} username={$user} userdata1={$request} userdata2={$size} userdata3={$referer_uri} userdata4={$useragent} filename={$id} [Raw log] [15/Jun/2013:10:14: ] "GET /ossim/session/login.php HTTP/1.1" "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/537.36"

25 OSSIM Reliability Assessment June 18, 2013 – Securing Ubiquity 25 SSH Failed authentication event SSH successful authentication event 10 SSH Failed authentication events 100 SSH Failed authentication events Persistent connections SSH successful authentication event 1000 SSH Failed authentication events SSH successful authentication event Reliability

26 OSSIM Risk Assessment June 18, 2013 – Securing Ubiquity 26 RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY)/25 SourceDestination Event Priority = 2 Event Reliability = 10 Asset Value = 2Asset Value = 5

27 OSSIM & OSSEC Integration June 18, 2013 – Securing Ubiquity Web management interface OSSEC alerts plugin OSSEC correlation rules OSSEC reports 27

28 OSSIM Deployment June 18, 2013 – Securing Ubiquity 28

29 OSSIM Attack Detection June 18, 2013 – Securing Ubiquity 29

30 OSSIM Demo Use Cases Detection & Risk assessment OTX Snort NIDS Logical Correlation Vulnerability assessment Asset discovery Correlating Firewall logs: Cisco ASA plugin Network Scan detection Correlating Windows Events: OSSEC integration Brute force attack detection June 18, 2013 – Securing Ubiquity 30

31 June 18, 2013 – Securing Ubiquity 31 Disclaimer The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought. Thank you Santiago Gonzalez Alien Vault


Download ppt "June 18, 2013 – Securing Ubiquity Vic Hargrave JB Cheng Santiago González Bassett."

Similar presentations


Ads by Google