LEVERAGING OPEN SOURCE
THE ESSENTIAL DETECTIVE SECURITY CONTROLS
The Open and Collaborative Alternative
AGENDA
v  The Case for Detective Security Controls
v  Leveraging Open Source: The Essential Controls
v  A Guided Tour/D...
Preventative Controls
Used to Implement C-I-A
Crypto, Firewall, Antivirus
PKI, VPN, SSL, DLP, EIEIO
Prevent an incident
De...
IF WE ALREADY HAVE PREVENTATIVE
CONTROLS…
WHY SHOULD WE CARE ABOUT
DETECTIVE CONTROLS?
PREVENTION HAS PROVEN TO BE ELUSIVE
Example: 2012 “Cost of Cybercrime Study”, Ponemon Institute
A detailed study of 56 “La...
“There are two types of companies that use
computers. Victims of crime that know they
are victims of crime and victims of ...
“How would you change your strategy if
you knew for certain that you were going to
be compromised?”
- Martin Roesch, 2013
...
Prevent Detect & Respond
GET GOOD AT DETECTION & RESPONSE
The basics are in
place. Beyond
that, buyer
beware!
New preventi...
GOOD NEWS!
Many professional SOC’s are powered by open source
THERE’S AN APP FOR THAT!
PRADS NFSend
P0F
OVALdi
MDL
OpenFPC
PADS
Chall...
FIRST WE CATEGORIZE THEM!
What is the state of
my environment –
anything strange?
Put it all together with
external intell...
CHALLENGE: NAME THAT TOOL!
Vulnerability
Assessment
Threat Detection
Behavioral
Monitoring
Analytics &
Intelligence
Asset
...
THE ESSENTIAL CONTROLS
Vulnerability
Assessment
Threat Detection
Behavioral
Monitoring
Analytics &
Intelligence
Asset
Disc...
LETS SEE THEM IN ACTION
" Asset Discovery with Nmap & PRADS
" Wireless IDS with Kismet
" Unified Security Management with ...
NMAP & PRADS
Problem it solves:
I need an inventory of assets on my network (Nmap) and I need to continuously keep it up t...
KISMET
Problem it solves:
I need to know how are wireless networks being accessed and if anyone setup a rogue
access point...
OSSIM
Problem it solves:
I need all the essential detective controls, but it takes too long to install them and I have way...
OPEN SOURCE IS NOT JUST
FOR SOFTWARE ANYMORE….
Open Threat Sharing
OPEN SOURCE THREAT INTELLIGENCE
OPEN SOURCE THREAT INTELLIGENCE
Expert Sourced
Used to Implement C-I-A
Crypto, Firewall, Antivirus
PKI, VPN, SSL, DLP, EIE...
OPEN SOURCE THREAT INTELLIGENCE
MDL AND OTX
Problem it solves:
My detective controls only show me what’s happening in my environment. What are the
experts...
THE PRACTITIONER’S GUIDE
Open Source Asset Discovery Tools
Nmap http://nmap.org
The de-facto standard utility for network ...
THE PRACTITIONER’S GUIDE
Open Source Behavioral Monitoring Tools
Ntop http://www.ntop.org
A Unix tool that shows the netwo...
THE PRACTITIONER’S GUIDE
Open Threat Intelligence Feeds & Threat Sharing Communities
MDL http://www.malwaredomainlist.com
...
AlienVault leveraging open source security tools the essential guide
Upcoming SlideShare
Loading in...5
×

AlienVault leveraging open source security tools the essential guide

502

Published on

AlienVault leveraging open source security tools the essential guide

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
502
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

AlienVault leveraging open source security tools the essential guide

  1. 1. LEVERAGING OPEN SOURCE THE ESSENTIAL DETECTIVE SECURITY CONTROLS The Open and Collaborative Alternative
  2. 2. AGENDA v  The Case for Detective Security Controls v  Leveraging Open Source: The Essential Controls v  A Guided Tour/Demo: §  Asset Discovery: Nmap & PRADS §  Wireless IDS: Kismet §  Unified Security Management: OSSIM (OSSEC, SNORT, Ntop, OpenVAS) v  Open Source Threat Sharing §  MDL (Malware Domain List) & OTX (Open Threat Exchange) v  Q&A
  3. 3. Preventative Controls Used to Implement C-I-A Crypto, Firewall, Antivirus PKI, VPN, SSL, DLP, EIEIO Prevent an incident Detective Controls Provide visibility & response Asset Discovery, VA, IDS/IPS, Log Management, Analytics Detect & respond to an incident 2 Types of Security Controls
  4. 4. IF WE ALREADY HAVE PREVENTATIVE CONTROLS… WHY SHOULD WE CARE ABOUT DETECTIVE CONTROLS?
  5. 5. PREVENTION HAS PROVEN TO BE ELUSIVE Example: 2012 “Cost of Cybercrime Study”, Ponemon Institute A detailed study of 56 “Large US firms” Results: 102 successful intrusions between them EVERY WEEK !
  6. 6. “There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.” - James Routh, 2007 CISO Depository Trust Clearing Corporation Some pretty savvy recent victims
  7. 7. “How would you change your strategy if you knew for certain that you were going to be compromised?” - Martin Roesch, 2013 Founder & CTO Sourcefire, Author SNORT
  8. 8. Prevent Detect & Respond GET GOOD AT DETECTION & RESPONSE The basics are in place. Beyond that, buyer beware! New prevention thingy 9.0 with advanced fuzzy logic. Stops 100% of all web-born threats at the perimeter! New capabilities to develop
  9. 9. GOOD NEWS!
  10. 10. Many professional SOC’s are powered by open source THERE’S AN APP FOR THAT! PRADS NFSend P0F OVALdi MDL OpenFPC PADS Challenge: How do we make sense of all these?
  11. 11. FIRST WE CATEGORIZE THEM! What is the state of my environment – anything strange? Put it all together with external intelligence & determine a response! The 5 essential capabilities for effective detection & response Vulnerability Assessment Threat Detection Behavioral Monitoring Intelligence & Analytics What am I protecting & what is most valuable? Asset Discovery How, when and where am I being attacked? Where are my assets exposed?
  12. 12. CHALLENGE: NAME THAT TOOL! Vulnerability Assessment Threat Detection Behavioral Monitoring Analytics & Intelligence Asset Discovery
  13. 13. THE ESSENTIAL CONTROLS Vulnerability Assessment Threat Detection Behavioral Monitoring Analytics & Intelligence Asset Discovery P0F OpenFPC NFSen OVALdi PRADS PADS open source alternatives for each of the 5 categories
  14. 14. LETS SEE THEM IN ACTION " Asset Discovery with Nmap & PRADS " Wireless IDS with Kismet " Unified Security Management with OSSIM includes (OSSEC, SNORT, ntop, opnVAS)
  15. 15. NMAP & PRADS Problem it solves: I need an inventory of assets on my network (Nmap) and I need to continuously keep it up to date as things change (PRADS). Pros: Nmap is very mature, robust & feature rich. Both tools produce verbose output. Cons: Both tools produce extremely very verbose output. PRADS does not have a GUI Why we like it: These cover both active and passive asset discovery. PRADS is relatively new but it covers the same functionality as two older tools (PADS and p0f).
  16. 16. KISMET Problem it solves: I need to know how are wireless networks being accessed and if anyone setup a rogue access point in my facility. Pros: Great command line interface. Outputs log events for WIDS events and a periodic XML report for observed networks. Cons: Wireless adapter can’t transmit when in monitor mode- need a dedicated adapter Why we like it: This tool is very versatile. There are plugins for DECT and Ubertooth devices.
  17. 17. OSSIM Problem it solves: I need all the essential detective controls, but it takes too long to install them and I have way too many dashboards to look at when I am done. Pros: USM: Unifies management of these tools and offers correlation between event sources. Includes incident response templates & workflows Cons: Full intelligence feed, log management and management features requires commercial version Why we like it: The company I work for makes OSSIM J and It makes it easy to implement and manage all these tools at once. (OSSEC, Snort, Ntop, OpenVAS & others)
  18. 18. OPEN SOURCE IS NOT JUST FOR SOFTWARE ANYMORE…. Open Threat Sharing
  19. 19. OPEN SOURCE THREAT INTELLIGENCE
  20. 20. OPEN SOURCE THREAT INTELLIGENCE Expert Sourced Used to Implement C-I-A Crypto, Firewall, Antivirus PKI, VPN, SSL, DLP, EIEIO Prevent an incident Crowd Sourced Provide visibility & response Asset Discovery, VA, IDS/IPS, Log Management, Analytics Detect & respond to an incident
  21. 21. OPEN SOURCE THREAT INTELLIGENCE
  22. 22. MDL AND OTX Problem it solves: My detective controls only show me what’s happening in my environment. What are the experts seeing (MDL), what are my peers seeing (OTX)? Pros: Allows me to collect threats from security researchers (MDL) and from peers (OTX). Allows me to share threats with my peers (OTX). These add an intelligence layer to traditional tools, like NIDS and SIEM. Cons: Most feeds are a teaser to a commercial offering. Why we like it: If we get this right and everyone involved, the bad guys only get one “first attack” for the entire network – attack one and all will detect and respond.
  23. 23. THE PRACTITIONER’S GUIDE Open Source Asset Discovery Tools Nmap http://nmap.org The de-facto standard utility for network mapping. Use to scan network on a periodic basis to create and update inventory of assets. PADS http://passive.sourceforge.net Passive Asset detection system is a network sniffer that detects (infers) assets by monitoring traffic. Use to augment Nmap scans. P0f http://lcamtuf.coredump.cx/p0f3/ Passive OS fingerprinting tool. Use to identify and profile assets on your network (including that of the attackers). PRADS http://gamelinux.github.io/prads Passive Real-Time Asset Detection. Alternative to PADS - listens to network and gathers information on hosts and services. Open Source Threat Detection Tools Snort http://www.snort.org The world’s most popular network IDS/IPS. Provides signature, protocol, and anomaly-based inspection. Use to identify attacks. Suricata http://suricata-ids.org “Next Generation” alternative (or not) to SNORT funded by US DHS/DoD. Use to identify attacks and extract malware from network traffic. Kismet http://www.kismetwireless.net An 802.11 layer 2 wireless IDS. Use to identify and monitor (legitimate and rogue) networks via passively monitoring traffic. OSSEC http://www.ossec.net Host-based Intrusion Detection System. Use to perform log analysis, file integrity monitoring, policy monitoring and rootkit detection on endpoint assets.
  24. 24. THE PRACTITIONER’S GUIDE Open Source Behavioral Monitoring Tools Ntop http://www.ntop.org A Unix tool that shows the network usage, similar to what the popular top Unix command does Use to determine what processes and services are running. Nfsen http://nfsen.sourceforge.net A web-based GUI for the nfdump netflow tools. Use to monitor netfows. OpenFPC http://www.openfpc.org A set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Use to monitor network traffic & flows. Nagios http://www.nagios.org Open source IT monitoring system. Use to monitor activity on servers. Open Source Vulnerability Assessment Tools OpenVAS http://openvas.org Framework of services and tools for vulnerability scanning and vulnerability management. The open source fork of Nessus that converted to closed source. OVALdi http://www.decalage.info/en/ovaldi An open source reference implementation of a vulnerability scanner based on the OVAL definition. Alternative to OpenVAS. Open Source Intelligence and Analytics Tools OSSIM http://www.alienvault.com/ossim Unified security management & the world’s most popular SIEM. Use to combine essential controls into a single unified system managed from single pane of glass. Logstash http://http://logstash.net/ A tool for managing events and logs. Use to collect logs, parse them, and store for later use or analysis.
  25. 25. THE PRACTITIONER’S GUIDE Open Threat Intelligence Feeds & Threat Sharing Communities MDL http://www.malwaredomainlist.com A continuously updated list of malware-related sites plus a discussion forum on new threats. Use to tune threat detection tools. ETO http://www.emergingthreats.net A platform independent (SNORT & Suricata) ruleset for tuning IDS. Us to make your IDS more effective at identifying threats. OTX http://www.alienvault.com/otx The world’s largest collaborative threat sharing network. Use to share threat information in real-time with others on the exchange. Several free risk- monitoring tools also available.

×