0
ADVANCED OSSEC TRAINING:
INTEGRATION STRATEGIES FOR OPEN SOURCE SECURITY
Santiago Bassett
Director Professional Services
@...
AGENDA
Presentation contents (20 minutes)
Learning the basics
• OSSEC capabilities
• AlienVault capabilities
OSSEC and Ali...
ABOUT ME
Developer, security engineer, researcher and
consultant.
Member of AlienVault and OSSEC core teams.
Director of P...
LEARNING THE BASICS…
OSSEC and AlienVault USM
OSSEC CAPABILITIES
Log analysis based intrusion detection
File integrity checking
Registry keys integrity checking (Window...
OSSEC ARCHITECTURE
Agent components:
Logcollectord: Read logs (syslog, wmi, flat files)
Syscheckd: File integrity checking...
ALIENVAULT USM CAPABILITIES
Provides threat detection capabilities
Monitors network assets
Centralizes Information and Man...
ALIENVAULT USM ARCHITECTURE
Embedded tools:
Asset discovery: Nmap, Prads
Behavioral monitoring: Netflow, Ntop, Nagios
Thre...
OSSEC INTEGRATION
OSSEC and AlienVault USM
INTEGRATION COMPONENTS
OSSEC COLLECTOR ANATOMY
OSSEC CORRELATION RULES
Common web attack detected
XSS (Cross Site Scripting) attempt
SQL injection attempt detected
Windo...
OSSEC ALERTS RISK ASSESSMENT
AlienVault USM automatically calculate risk based on OSSEC alerts priority, reliability
and a...
ALIENVAULT CROSS-CORRELATION
AlienVault USM correlates events from multiple sources, crossing OSSEC alerts with
informatio...
OSSEC MANAGEMENT INTERFACE
AlienVault USM provides a comprehensive GUI for OSSEC alerts management:
Status monitor
Events ...
LET’S SEE IT IN ACTION!
OSSEC and AlienVault USM
NOW FOR SOME Q&A…
Three Ways to Test Drive AlienVault
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Tr...
VIEW WEBINAR ON-DEMAND
To view the recorded
version of this webinar
Click Here
Upcoming SlideShare
Loading in...5
×

Advanced OSSEC Training: Integration Strategies for Open Source Security

5,798

Published on

During this technical one-hour session, Santiago Gonzalez, an OSSEC core team member (System integration, rules & SIEM) and AlienVault Director of Professional Services, will demonstrate how to integrate OSSEC with other 3rd party applications for greater security visibility and response.

To learn more, check out the video: https://www.alienvault.com/resource-center/webcasts/advanced-ossec-training-integration-strategies-for-open-source-security

Published in: Technology
0 Comments
6 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
5,798
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
231
Comments
0
Likes
6
Embeds 0
No embeds

No notes for slide
  • AlienVault’s Unified Security Management will provide LSI with complete security visibility by providing the five essential security capabilities in our unified platform including:-Asset discovery - active and passive network discovery
-Vulnerability assessment – active network scanning, continuous vulnerability monitoring
-Threat detection - IDS, host-based IDS (HIDS), file integrity monitoring, etc. - Behavioral monitoring - netflow analysis, log normalization, etc.
-Security intelligence - log management, SIEM event correlation, etc. All of these capabilities are already built-in and managed through a single console and reporting dashboard. The defined architecture described contains core components of which are defined below in more detail as well as the quote being provided to LSI.
  • Transcript of "Advanced OSSEC Training: Integration Strategies for Open Source Security"

    1. 1. ADVANCED OSSEC TRAINING: INTEGRATION STRATEGIES FOR OPEN SOURCE SECURITY Santiago Bassett Director Professional Services @santiagobassett
    2. 2. AGENDA Presentation contents (20 minutes) Learning the basics • OSSEC capabilities • AlienVault capabilities OSSEC and AlienVault integration • Integration components • OSSEC Collector anatomy • OSSEC Correlation rules • AlienVault Cross-correlation • Management interface Demo – See it in action (20 minutes) Deploying OSSEC agents • Automatic deployment for Windows • Manual deployment for Linux Agentless monitoring Managing OSSEC • Monitoring/Configuring agents • Editing rules Correlating OSSEC events (Brute-force) OSSEC reports
    3. 3. ABOUT ME Developer, security engineer, researcher and consultant. Member of AlienVault and OSSEC core teams. Director of Professional Services at AlienVault Born in Spain and relocated to Silicon Valley in 2010. Excuse my accent 
    4. 4. LEARNING THE BASICS… OSSEC and AlienVault USM
    5. 5. OSSEC CAPABILITIES Log analysis based intrusion detection File integrity checking Registry keys integrity checking (Windows) Signature based malware/rootkits detection Real time alerting and active response
    6. 6. OSSEC ARCHITECTURE Agent components: Logcollectord: Read logs (syslog, wmi, flat files) Syscheckd: File integrity checking Rootcheckd: Malware and rootkits detection Agentd: Forwards data to the server Server components: Remoted: Receives data from agents Analysisd: Processes data (main process) Monitord: Monitor agents
    7. 7. ALIENVAULT USM CAPABILITIES Provides threat detection capabilities Monitors network assets Centralizes Information and Management Evaluates threats reliability and risk Collaboratively learns about APT
    8. 8. ALIENVAULT USM ARCHITECTURE Embedded tools: Asset discovery: Nmap, Prads Behavioral monitoring: Netflow, Ntop, Nagios Threat detection: Snort, Suricata, OSSEC Vulnerability assessment: Openvas External collectors: Syslog, FTP, SCP, NFS Samba, SNMP, WMI, LEA SDEE, SQL, Unix Socket
    9. 9. OSSEC INTEGRATION OSSEC and AlienVault USM
    10. 10. INTEGRATION COMPONENTS
    11. 11. OSSEC COLLECTOR ANATOMY
    12. 12. OSSEC CORRELATION RULES Common web attack detected XSS (Cross Site Scripting) attempt SQL injection attempt detected Windows authentication failure attempts MySQL authentication attempt failed detected PostgreSQL authentication attempt failed detected SonicWall authentication attempt failed detected Remote access authentication attempt failed detected SSH service authentication attempts failed detected Multiple authentication attempt failed detected Login authentication failed detected
    13. 13. OSSEC ALERTS RISK ASSESSMENT AlienVault USM automatically calculate risk based on OSSEC alerts priority, reliability and assets involved.
    14. 14. ALIENVAULT CROSS-CORRELATION AlienVault USM correlates events from multiple sources, crossing OSSEC alerts with information collected from embedded detectors and external sources. Attack Attacker X.X.X.X Accepted HTTP packet from X.X.X.X to Y.Y.Y.Y Attack: WEB-IIS multiple decode attempt Vulnerability: IIS Remote Command Execution Alert: Low reputation IPOTX Alert: IIS attack detected Target Y.Y.Y.Y
    15. 15. OSSEC MANAGEMENT INTERFACE AlienVault USM provides a comprehensive GUI for OSSEC alerts management: Status monitor Events viewer Agents control manager Configuration manager Rules viewer/editor Logs viewer Server control manager Deployment manager Rules viewer/editor PDF/HTML reports
    16. 16. LET’S SEE IT IN ACTION! OSSEC and AlienVault USM
    17. 17. NOW FOR SOME Q&A… Three Ways to Test Drive AlienVault Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Interactive Demo Site http://www.alienvault.com/live-demo-site Join our weekly LIVE Demohttp://www.alienvault.com/marketing/alienvault -usm-live-demo hello@alienvault.com
    18. 18. VIEW WEBINAR ON-DEMAND To view the recorded version of this webinar Click Here
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×