Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright Justin C. Klein HECTOR Security Intelligence Platform Developed for: University of Pennsylvania School of Arts & Science.

Published byVictoria Stokes Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright Justin C. Klein HECTOR Security Intelligence Platform Developed for: University of Pennsylvania School of Arts & Science."— Presentation transcript:

1 Copyright Justin C. Klein Keane @madirish2600 HECTOR Security Intelligence Platform Developed for: University of Pennsylvania School of Arts & Science

2 Copyright Justin C. Klein Keane @madirish2600 What is Security Intelligence Business intelligence principles applied to security data Security intelligence supports strategic infosec decision making based on metrics Target resource allocation to quantified threats Security data abounds, but making useful decisions based on that data is tough HECTOR is a repository for security data that allows for analysis HECTOR brings together disparate data sources to find trends and relationships

3 Copyright Justin C. Klein Keane @madirish2600 Sample Sources of Data Host based intrusion detection alerts Darknet data (network traffic) Port scans Honeypots (attempted logins, attack toolkits, etc.) Vulnerability scans Public vulnerability alerts and disclosures System event logs Incident response reports Etc.

4 Copyright Justin C. Klein Keane @madirish2600 Open Source HECTOR is based entirely on open source technologies Runs best on a LAMP stack Uses structured data (MySQL) Uses PHP, Perl, Python, iptables, Kojoney, OSSEC, NMAP, and more... More info and download at: https://sites.sas.upenn.edu/kleinkeane/software/ hector

5 Copyright Justin C. Klein Keane @madirish2600 Issues with Security Intelligence Problems of big data will crop up quickly Scale complicated development, deployment and debugging Much of the effort of SI will be spent on middleware Interesting data only emerges when all data is aggregated Getting access to other folks' data will be challenging Deliberate initial planning pays off – altering a table of 80 million rows is painful!

6 Copyright Justin C. Klein Keane @madirish2600 Principles Guiding Development SAS has no access to network data for NIDS Over 15,000 internet addressable IP's Asset management was a huge challenge Vulnerability disclosure mitigation was ad-hoc Multiple different security data sources (darknet, honeypots, HIDS logs, etc.) were scattered over different systems Needed a way to query data across sources and guide intelligent security decision making

7 Copyright Justin C. Klein Keane @madirish2600 How It Works (Basics) MySQL database aggregates data sources Web front end for querying and reporting Access control via CoSign (or fallback) Hosts are assigned to support groups, support groups assigned a contact e-mail address Nightly NMAP scans updates host profiles Vulnerability scan data added to the database HECTOR is extensible – add your own scans

8 Copyright Justin C. Klein Keane @madirish2600 Currently Supports Data Sources OSSEC host based intrusion detection logs Kojoney based SSH honeypots Iptables based darknet sensors NMAP port scans Vulnerability scans (Nikto, Nessus, etc.) Security news outlets (RSS feeds, vulnerability announcements, etc.)

9 Copyright Justin C. Klein Keane @madirish2600 Use Case #1 THREAT IDENTIFIED Vulnerability disclosed in a well known service EVIDENCE OF INTENT Look for spikes in scanning for that service on darknet sensors REMEDIATION PLANNING Quickly identify all machines in the environment running that service REMEDIATION LOGISTICS Build a contact list and alert admins to patch. Track admins that legitimately don't patch TRACK EFFECTIVENESS Implement targeted vulnerability scanning to track remediation

10 Copyright Justin C. Klein Keane @madirish2600 Use Case #2 – IR & Detection Attacker observed (malicious IP identified) Query all data sources for other evidence of activity from that IP Darknet probes, honeypot data, IDS logs, etc. Look for attack profile from data sources Alert admins of machines that fit the particular profile Identify vulnerable machines Potentially uncover compromises

11 Copyright Justin C. Klein Keane @madirish2600 Summary Screen

12 Copyright Justin C. Klein Keane @madirish2600 Intrusion Detection Summary

13 Copyright Justin C. Klein Keane @madirish2600 Alerts Summary

14 Copyright Justin C. Klein Keane @madirish2600 Host Summary

15 Copyright Justin C. Klein Keane @madirish2600 Search for Malicious IP

16 Copyright Justin C. Klein Keane @madirish2600 Sample Report

17 Copyright Justin C. Klein Keane @madirish2600 Scan Schedule

18 Copyright Justin C. Klein Keane @madirish2600 Asset Management

19 Copyright Justin C. Klein Keane @madirish2600 System Configuration

20 Copyright Justin C. Klein Keane @madirish2600 Thank You jukeane@sas.upenn.edu @madirish2600 http://www.MadIrish.net

21 Copyright Justin C. Klein Keane @madirish2600 Links to Resources HECTOR download - https://sites.sas.upenn.edu/kleinkeane/software/hector https://sites.sas.upenn.edu/kleinkeane/software/hector NMAP - http://nmap.org/http://nmap.org/ OSSEC - http://www.ossec.net/http://www.ossec.net/ Kojoney - http://kojoney.sourceforge.net/http://kojoney.sourceforge.net/ Kippo - https://code.google.com/p/kippo/https://code.google.com/p/kippo/ Rsyslog - http://www.rsyslog.com/http://www.rsyslog.com/ Much of my inspiration from Ed Bellis – https://www.risk.io/ https://www.risk.io/

Download ppt "Copyright Justin C. Klein HECTOR Security Intelligence Platform Developed for: University of Pennsylvania School of Arts & Science."

Similar presentations

Protecting Cyber-TA Contributors: Risks and Challenges Vitaly Shmatikov The University of Texas at Austin.

Protecting Cyber-TA Contributors: Risks and Challenges Vitaly Shmatikov The University of Texas at Austin.
Security Administration Tools and Practices Amit Bhan Usable Privacy and Security.

Security Administration Tools and Practices Amit Bhan Usable Privacy and Security.
SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
University of Florida Incident Tracking and Reporting Kathy Bergsma

University of Florida Incident Tracking and Reporting Kathy Bergsma
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,

1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,
Wireless and Switch Security NETS David Mitchell.

Wireless and Switch Security NETS David Mitchell.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Copyright 2010 Justin C. Klein Keane Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post-Compromise.

Copyright 2010 Justin C. Klein Keane Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post-Compromise.
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.

Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
Deploying Tools for Cleaning Personal Information University of Pennsylvania School of Arts and Sciences Justin C. Klein Keane Sr. Information Security.

Deploying Tools for Cleaning Personal Information University of Pennsylvania School of Arts and Sciences Justin C. Klein Keane Sr. Information Security.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
Finding Exploitable Admin Systems A “How To” Guide for SecurityCenter.

Finding Exploitable Admin Systems A “How To” Guide for SecurityCenter.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)

Similar presentations

Ads by Google