Utilizing Novell Sentinel Advisor and Attack Vulnerability

In the world of Security Information and Event Management (SIEM) it is imperative that you have the ability to sort through massive amounts of data to quickly identify and isolate attacks and to identify vulnerabilities in your infrastructure. Advisor is an optional subscription service that provides this capability by supplying normalized attack information that helps identify attacks against vulnerable systems.

This session is intended to guide you through an understanding of what Advisor is and how it can help you, how the Advisor data feeds are downloaded and updated, which devices are supported, reporting, and a step-by-step demonstration of exploit detection.

  1. Utilizing Novell® Sentinel™ Advisor and Attack Vulnerability
     Tom Burt, GTS-Backline Engineer, Novell
     tburt@novell.com
  2. Presentation Goals
     • Present the benefits of Advisor
     • Explain Advisor and its related components
     • Discuss installation and maintenance of Advisor
     © Novell, Inc. All rights reserved.
  3. Agenda
     • Advisor Overview
     • Exploit Detection Overview
     • Background/History: Advisor v3 vs. v4
     • Installation and Maintenance
  4. Advisor Overview
  5. Terminology
     • Advisor: the optional Novell® add-on subscription that provides attack and remediation information
     • Attack: an event that indicates malicious or rogue software and/or devices
     • Vulnerability: an opening or weakness in a network allowing the potential for an attack
     • Vulnerability scanners: the process of detecting the strength of protection on a network
     • IPS/IDS collectors: Sentinel™ device collectors that gather data from IDS devices
     • Vulnerability collectors: Sentinel device collectors that gather data from vulnerability scanners
  6. Collector links
     • IPS, IDS and vulnerability scan collectors are available at the following URL: http://support.novell.com/products/sentinel/secure/sentinel61.html
  7. Overview
     • Powered by Security Nexus
     • Acts as an early warning service to identify attacks and vulnerabilities
       – Provides normalized attack and remediation information
     • Optional add-on subscription service
       – The initial download feed is free, but additional downloads require a license
         > Entitlement is linked to your customer authentication credentials
  8. Overview
     • Early warning service
       – Normalization of attack data
       – Correlation on real-time data
       – Incident tracking
     • Updates
       – Updated on a regular, configurable basis
       – Advisor feeds/downloads
         > CVEs
         > Bugtraq
         > IDS
         > ISS
         > etc.
  9. Exploit Detection Overview
  10. Exploit detection
     • Exploit detection enables you to quickly identify and/or send out notifications in the event an attack is attempting to exploit a vulnerability in your system
  11. Requirements
     • Requires that both the vulnerability scanner and the IDS system report vulnerabilities and attacks against the same systems
     • In Sentinel, systems are identified by IP address and MSSP Customer Name
     • The vulnerability and IDS systems must be supported by the Advisor service
     • The reported attacks and vulnerabilities must be known to the Advisor service and Exploit Detection
       – Most Novell collectors support the attack and exploit detection data
  12. Requirements (cont.)
     • The vulnerability and IDS collectors must populate all 4 of these fields
       – DeviceName (RV31)
       – DIP (Destination or Target IP)
       – DeviceAttackName (RT1)
       – MSSP Customer Name (RV39)
         > Managed Security Service Provider
     • All Novell®-shipped collectors populate these values by default
  13. Exploit Detection
     • When running supported IDS and vulnerability collectors, events from the devices are scanned for potential attacks and vulnerabilities
       – The mapping service maps the Product Name and MSSP Customer Name to the Advisor name and MSSP Customer Name
       – If the events match successfully, the exploit information is updated in the exploitdetection.csv file
         > $ESEC_HOME/data/map_data/exploitdetection.csv
           » IP, device and attack names, MSSP Customer Name
       – The mapping service populates the Vulnerability event field
         > Used to evaluate whether the incoming event exploits a vulnerability
           » If the value is 1, the destination device IS exploited
           » If the value is 0, the destination device is NOT exploited
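
An added illustration of the matching logic described on slides 12 and 13 (example code, not Novell's implementation): a constructed stand-in for exploitdetection.csv is indexed on the four required fields, and an IDS event gets its Vulnerability flag set to 1 only when DIP, device, normalized attack name and MSSP customer all match a scanner finding. The CSV column layout, the header names and the two normalization tables are assumptions of this example.

```python
import csv
import io

# Constructed stand-in for $ESEC_HOME/data/map_data/exploitdetection.csv.
# The page names its contents (IP, device and attack names, MSSP customer
# name); the column order and header names here are assumptions.
EXPLOIT_MAP_CSV = """\
ip,device_name,attack_name,mssp_customer
10.0.5.20,SampleScanner,SAMPLE-OVERFLOW-1,CustomerA
10.0.5.21,SampleScanner,SAMPLE-TRAVERSAL-2,CustomerA
10.0.5.20,SampleScanner,SAMPLE-OVERFLOW-1,CustomerB
"""

# Assumed normalization tables standing in for the Sentinel mapping service:
# IDS product name -> Advisor device name, IDS signature -> Advisor attack name.
DEVICE_MAP = {"SampleIDS": "SampleScanner"}
ATTACK_MAP = {
    "SID-1001 overflow attempt": "SAMPLE-OVERFLOW-1",
    "SID-1002 traversal attempt": "SAMPLE-TRAVERSAL-2",
}


def load_exploit_map(text):
    """Index the map on the four keys exploit detection requires:
    DIP, DeviceName (RV31), DeviceAttackName (RT1), MSSP Customer Name (RV39)."""
    return {
        (r["ip"], r["device_name"], r["attack_name"], r["mssp_customer"])
        for r in csv.DictReader(io.StringIO(text))
    }


def vulnerability_flag(event, exploit_map):
    """1 if the IDS event hits a host the scanner reported vulnerable to the
    same normalized attack for the same MSSP customer, else 0.
    An event missing any of the four fields can never match."""
    for field in ("DeviceName", "DIP", "DeviceAttackName", "MSSPCustomerName"):
        if not event.get(field):
            return 0
    device = DEVICE_MAP.get(event["DeviceName"])
    attack = ATTACK_MAP.get(event["DeviceAttackName"])
    if device is None or attack is None:
        return 0  # device or signature unknown to Advisor: no mapping possible
    key = (event["DIP"], device, attack, event["MSSPCustomerName"])
    return 1 if key in exploit_map else 0


def annotate(events, exploit_map):
    """Return copies of the events with the Vulnerability field populated."""
    return [dict(e, Vulnerability=vulnerability_flag(e, exploit_map)) for e in events]
```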
  14. Brief History
  15. History
     Advisor v3                                  Advisor v4
     XML files                                   CSV
     Database space: GB                          Database space: MB
     Disk space: GB                              Disk space: MB
     Feed process time: hours                    Feed process time: minutes
     Failed feed recovery: hours                 Failed feed recovery: minutes
     Failed process required database cleanup    MD5sum
     Configured at install only                  Can be configured at any time
     Log files for failure                       Internal events
  16. History
     • Supported systems
       – IDS
       – IPS
       – Vulnerability
  17. Installation/Maintenance
  18. Installation
     • Requirements
       – The Advisor service and Exploit Detection rely on mappings between attacks on assets and vulnerabilities of devices. As such, Advisor requires the following data:
         > Vulnerability scan data
           » Sentinel supports multiple vulnerability scanners
         > Advisor map data
           » Contains data about known threats, attacks, and vulnerabilities
           » The service gathers information from multiple vulnerability and IDS vendors
           » Creates mappings from abstract vulnerability and attack data
           » Security Nexus provides the Advisor feed data
         > Real-time attack data
           » The real-time attacks that are detected as events are loaded into the Sentinel database from IDS collectors
  19. Installation
     • Installation media
       – SP2 full installer
       – SP2 patch installer
     • Initial load data
       – Advisor v4 feed files are included with Novell® Sentinel™
         > $ESEC_HOME/data/updates/advisor
       – After the initial load, updates are performed on a scheduled basis
         > An Advisor license/subscription is required for updates
         > Feed location: https://secure-www.novell.com/sentinel/download/advisor/feed/
  20. Usage/Maintenance
     • Advisor user interface
     • Novell® Sentinel™ Control Center
       – Must have Advisor Interface permissions
       – Advisor tab
         > Status information
       – Admin tab
         > Manual processing of files in the specified location
         > Download Manager
           » Initialize download
           » Edit configuration preferences
         > Preview Threat Map
  21. Usage/Maintenance (screenshot)
  22. Usage/Maintenance (screenshot)
  23. Usage/Maintenance (screenshot)
  24. Maintenance
     • The Advisor data feed source is updated on a regular basis
       – Updating your database with current data feeds
         > Automatic scheduling of updates
         > Manual update
     • Scripts
       – Novell® Sentinel™ 6.1 SP2 & RD
         > $ESEC_HOME/bin/advisor.sh
     • Configuration
       – advisor_client.xml
  25. Maintenance
     • Logging
       – As of v4, all logging is done to the das_query logs
       – Configuration for additional logging should be made in das_query_log.prop in the $ESEC_HOME/config directory
       – Logs the status of downloads and of checking for feed notifications
     • Example:
       Fri Mar 05 05:05:21 MST 2010|INFO|Thread-148570|esecurity.ccs.comp.downloadfeed.Downloader.download Downloaded file: advnxsfeed.51.zip.md5 to local directory /opt/novell/sentinel6/data/updates/advisor
  26. Manual update
     • A manual download of the Advisor feeds can be done as needed
       – Log in to the Novell Advisor feed download site using the eLogin username and password associated with the Advisor license
       – Download any Advisor feed files you need, making sure to include both the .zip and .md5 files
       – Copy the files to the directory on the Sentinel server that you have specified in the configuration
         > The default location is $ESEC_HOME/data/updates/advisor
       – In the Admin tab → Advisor → Process Now
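
An added pre-flight check for the manual update step above (example code, not part of Sentinel): before clicking Process Now, confirm that every advnxsfeed.N.zip in the update directory has its .md5 sidecar and that the digest actually matches, so a truncated or mismatched download is caught before it is loaded. The sidecar content format (a bare hex digest or md5sum-style "digest  filename") and the temporary directory standing in for $ESEC_HOME/data/updates/advisor are assumptions.

```python
import hashlib
import os
import tempfile

def md5_of_file(path):
    """Stream the archive through MD5 rather than reading it whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_feed_pair(zip_path):
    """True only if the .zip and its .md5 sidecar both exist and the digests match.
    Accepts a bare hex digest or md5sum-style 'digest  filename' (assumed formats)."""
    md5_path = zip_path + ".md5"
    if not (os.path.isfile(zip_path) and os.path.isfile(md5_path)):
        return False
    with open(md5_path, "r", encoding="ascii", errors="replace") as fh:
        tokens = fh.read().split()
    return bool(tokens) and tokens[0].lower() == md5_of_file(zip_path)

def check_update_dir(directory):
    """Verification result for every feed .zip in the Advisor update directory."""
    return {name: verify_feed_pair(os.path.join(directory, name))
            for name in sorted(os.listdir(directory)) if name.endswith(".zip")}

def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed update directory standing in for $ESEC_HOME/data/updates/advisor:
    one good pair, one digest mismatch, one archive with no .md5 sidecar."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "advnxsfeed.51.zip")
    _write(good, b"constructed feed payload")
    _write(good + ".md5", (md5_of_file(good) + "  advnxsfeed.51.zip\n").encode())
    bad = os.path.join(d, "advnxsfeed.52.zip")
    _write(bad, b"another constructed payload")
    _write(bad + ".md5", b"0" * 32 + b"\n")  # wrong digest: must be rejected
    _write(os.path.join(d, "advnxsfeed.53.zip"), b"no sidecar")  # missing .md5
    return check_update_dir(d)
```

Only archives reported True should be left in the directory when Process Now is run; the others should be re-downloaded.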
  27. Manual Update (screenshot)
  28. Manual Update (screenshot)
  29. Automatic Update (screenshot)
  30. Maintenance
     • Advisor notifications
       – Errors
         > Errors in downloading feeds or loading data
       – Success/failure on updates
         > Success or failure messages on Advisor feed updates
       – Notifications
         > Correlation rules
           » Actions such as sending email
  31. Maintenance
     • Exploit Detection data generation
       – By default scheduled to run every 30 minutes
         > Configurable in $ESEC_HOME/config/das_query.xml
         > Object component: <obj-component id="ExploitDetectDataGenerator">
         > Property: <property name="minRegenerateInterval">1800000</property>
     • Scheduled updates
       – Direct download
         > 6 hour, 12 hour, daily, weekly, monthly
           » The time of the download is based on the first successful download
             ~ Success at 10:30am results in 4:30pm for the 6 hour configuration
  32. Usage
     • View Advisor data in SCC, the Sentinel™ Control Center
       – Right-click an event → Analyze → Advisor Data
       – Only available after the initial data load
       – Analyze is only available if the event data is from a supported IDS device
       – Regular updates are necessary to ensure accuracy of the data
  33. Demonstration
  34. Demonstration
     • Demonstration details
       – Advisor download
       – Advisor processing
       – Vulnerability scanning with test data
       – Basic IDS collector with sample data
       – Exploit detection
       – Analyze data
  35. Q&A
  36. Unpublished Work of Novell, Inc. All Rights Reserved.
     This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
     General Disclaimer
     This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.