Solving the Open Source Security Puzzle
Vic Hargrave, JB Cheng, Santiago González Bassett
June 18, 2013 – Securing Ubiquity
Disclaimer
The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.
Log Normalization
• Syslog
  • Comes by default with *nix operating systems.
• Syslog-NG
  • Can be installed in various configurations to take the place of the default syslog.
  • Free to use, or an enterprise version is available for purchase.
  • Many configuration types for exporting data.
• OSSEC
  • Free to use.
  • Can export via syslog to other systems.
Solving the Open Source Security Puzzle
• What are the standards?
• Why choose one product over another?
• How do the various security components work together?
• How does this work in the real world? Real examples.
Understanding Rules
• Customizable rulesets – they let a security practitioner add real knowledge of their own environment to the detection logic.
Host Event Detection
AIDE (Advanced Intrusion Detection Environment)
Network Detection Systems
Event Management
What is OSSEC?
Open Source SECurity
Open Source Host-based Intrusion Detection System
Provides protection for Windows, Linux, Mac OS, Solaris and many *nix systems
http://www.ossec.net
Founded by Daniel Cid
Current project managers – JB Cheng and Vic Hargrave
OSSEC Capabilities
• Log analysis
• File integrity checking (Unix and Windows)
• Registry integrity checking (Windows)
• Host-based anomaly detection (for Unix: rootkit detection)
• Active response
HIDS Advantages
• Monitors system behaviors that are not evident from the network traffic
• Can find persistent threats that penetrate firewalls and network intrusion detection/prevention systems
OSSEC Architecture (diagram): OSSEC Agents send logs to the OSSEC Server over UDP 1514; the server writes alerts to $ossec_alerts/alerts.log, which can be followed with tail -f $ossec_alerts/alerts.log
File Integrity Alert Sample
** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'
Log Analysis Alert Sample
** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
PCI DSS Requirements
• 10.5.5 – Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
• 11.5 – Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
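The alerts.log that the architecture slide shows being tailed is plain text in the four-line shape of the two samples above. The following is an added example, not code from OSSEC or from the talk: it parses entries in that format, then escalates anything at or above a chosen level and tags syscheck alerts with the PCI DSS requirement they evidence. The sample log is constructed from the two alerts on the slides (blank-line separated, as the real file is), and the group-to-requirement mapping is an illustrative assumption, not OSSEC configuration.

```python
import re

# Constructed sample of an OSSEC alerts.log, built from the two alerts shown
# on the slides; entries are separated by a blank line as in the real file.
SAMPLE_ALERTS_LOG = """\
** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'

** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
"""

# Line 1: "** Alert <epoch>.<seq>: <flags> - <group,group,>"
HEADER_RE = re.compile(
    r"^\*\* Alert (?P<epoch>\d+)\.(?P<seq>\d+): (?P<flags>\S+) - (?P<groups>\S+)$")
# Line 2: "<yyyy Mon dd HH:MM:SS> <host>-><location>"  (host is non-greedy so
# hostnames containing '-' still split correctly at the '->' separator)
ORIGIN_RE = re.compile(
    r"^(?P<time>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>.+?)->(?P<location>.+)$")
# Line 3: "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(
    r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<description>.*)'$")
# syscheck payload line naming the changed file
SYSCHECK_PATH_RE = re.compile(r"^Integrity checksum changed for: '(?P<path>.+)'$")


def parse_alerts(text):
    """Split alerts.log text into entries and parse each into a dict.
    Entries whose first three lines do not match are skipped rather than
    raising, which is what you want when tailing a file that is mid-write."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        h, o, r = (HEADER_RE.match(lines[0]), ORIGIN_RE.match(lines[1]),
                   RULE_RE.match(lines[2]))
        if not (h and o and r):
            continue
        alert = {
            "epoch": int(h["epoch"]),
            "flags": h["flags"].split(","),
            "groups": [g for g in h["groups"].split(",") if g],  # drop trailing ''
            "time": o["time"],
            "host": o["host"],
            "location": o["location"],
            "rule_id": int(r["rule_id"]),
            "level": int(r["level"]),
            "description": r["description"],
            "payload": "\n".join(lines[3:]),
        }
        m = SYSCHECK_PATH_RE.match(alert["payload"])
        alert["path"] = m["path"] if m else None   # only set for syscheck alerts
        alerts.append(alert)
    return alerts


# Illustrative mapping (an assumption for this example, not OSSEC config)
# from alert groups to the PCI DSS requirement quoted on the slide.
PCI_BY_GROUP = {"syscheck": "11.5"}


def escalate(alerts, min_level=7):
    """Return (alert, pci_requirement) pairs worth a ticket: every alert at
    or above min_level, tagged with the PCI requirement it evidences, if any."""
    out = []
    for a in alerts:
        if a["level"] < min_level:
            continue
        pci = next((PCI_BY_GROUP[g] for g in a["groups"] if g in PCI_BY_GROUP), None)
        out.append((a, pci))
    return out


if __name__ == "__main__":
    for alert, pci in escalate(parse_alerts(SAMPLE_ALERTS_LOG)):
        print(alert["host"], alert["rule_id"], alert["level"],
              alert["path"] or alert["location"], "PCI", pci)
```

Level 7 is used as the default threshold only because both slide samples carry it; in practice pick the level that matches the server's email alert threshold so the escalation path and the mail path agree.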
OSSECCON
Annual gathering of OSSEC users and developers. Community members discuss how they are using OSSEC and what new features they would like, and set the roadmap for future releases.
• OSSEC 2.7.1 soon to be released.
• Planning for OSSEC 3.0 is underway.
• OSSECCON 2013 will be held Thursday July 25th at Trend Micro’s Cupertino office. Please join us there!
OSSIM: Unified Open Source Security
Santiago González Bassett
santiago@alienvault.com
@santiagobassett
AlienVault
About me
http://santi-bassett.blogspot.com/
@santiagobassett
• Developer, systems engineer, security administrator, consultant and researcher in the last 10 years.
• Member of the OSSIM project team since its inception.
• Implemented distributed Open Source security technologies in large enterprise environments for European and US companies.
What is OSSIM?
http://communities.alienvault.com/
• OSSIM is the Open Source SIEM – GNU GPL version 3.0.
• With over 195,000 downloads it is the most widely used SIEM in the world.
• Created in 2003, it is developed and maintained by AlienVault and community contributors.
• Provides Unified and Intelligent Security.
Why OSSIM?
Because it unifies security management:
• Centralizes information
• Integrates threat detection tools
Because it provides security intelligence:
• Discards false positives
• Assesses the impact of an attack
• Collaboratively learns about APT
OSSIM integrated tools
• Assets: nmap, prads
• Behavioral monitoring: fprobe, nfdump, ntop, tcpdump, nagios
• Vulnerability assessment: osvdb, openvas
• Threat detection: ossec, snort, suricata
OSSIM: 200+ Collectors
OSSIM Architecture (diagram): Normalized Events; Configuration & Management
OSSIM: Anatomy of a collector
[Raw log]
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
[apache-access]
event_type=event
regexp="((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\" (?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_uri>.*)\" \"(?P<useragent>.*)\")?$"
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}
OSSIM Reliability Assessment (diagram: Reliability)
OSSIM Risk Assessment
Event Priority = 2
Event Reliability = 10
Source Asset Value = 2
Destination Asset Value = 5
RISK = (ASSET VALUE × EVENT PRIORITY × EVENT RELIABILITY) / 25
Worked through with these figures, the event scores (5 × 2 × 10) / 25 = 4 against the destination and (2 × 2 × 10) / 25 = 1.6 against the source: the same event is rated separately for each asset it touches.
OSSIM & OSSEC Integration
• Web management interface
• OSSEC alerts plugin
• OSSEC correlation rules
• OSSEC reports
OSSIM Deployment
OSSIM Attack Detection
OSSIM Demo Use Cases
Detection & Risk assessment:
• OTX
• Snort NIDS
• Logical Correlation
• Vulnerability assessment
• Asset discovery
Correlating Firewall logs:
• Cisco ASA plugin
• Network Scan detection
Correlating Windows Events:
• OSSEC integration
• Brute force attack detection
Thank you
Santiago González Bassett
santiago@alienvault.com
@santiagobassett
AlienVault