Nagios Conference 2013 - John Lowry - Using Nagios as a Security Monitoring Framework

John Lowry's presentation on Using Nagios as a Security Monitoring Framework.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna

Transcript

  • 1. Using Nagios as a Security Monitoring Framework John Lowry johnlowry@gmail.com
  • 8. Frameworks > Out of the Box
      • OOTB is “one size fits all”
      • OOTB assumes things about your infrastructure
      • Frameworks require a lot more work upfront
      • Frameworks mean a steeper learning curve
      • Framework means it is infinitely configurable
      • Framework means it is as good as you want it to be.
  • 13. Why Nagios for security?
      • Alert framework is robust
      • Escalations for duty rotation and making sure SOMEONE gets the alert
      • It is built for anomaly detection. <--HUGE PART OF SECURITY
  • 14. Basic Strategies for Anomaly Detection
  • 18. Anomaly Detection Basic
      • “Out of the box” Nagios is pretty good at this
      • Tells you when a service or a host has problems.
      • Security and sysadmins ask: Why is this HTTP server throwing 500 messages? Why is this SNMP trap getting generated?
      • Nagios, when set up correctly, knows what is “normal”, and when something anomalous happens you get an alert.
  • 19. Noise versus Signal
      • Rabbits versus the Army
      • There is such a thing as too much information
      • False positives train one to ignore alerts
  • 20. Triage every alert
      • If it is a valid alert, you are SUPPOSED to fix it.
      • Make a ticket, prioritize it, fix it, DO SOMETHING, do not ignore it.
  • 21. Regularly update your monitoring
      • If you are getting false positives, fix the check
      • Tune the frequency, do not be the source of the problem
      • Active tuning, daily, weekly, monthly.
  • 22. Integrating External Tools
      • AV
      • IDS/IPS, HIDS, FIC
      • Log monitoring
      • Host and service detection (nmap)
      • SNMP Traps
      • If you get email from a tool and it runs under cron, consider using Nagios to manage it.
  • 28. Passive check strategies
      • Results of a passive check are submitted to nagios.cmd and are picked up based on check_results_reaper_event
      • Status goes back to “NORMAL” on the next host check.
      • So one alert, instead of multiple alerts.
      • Good for some forensics, not so good if someone misses it.
      • But this happens anyway.
  • 29. Some Automation
  • 33. Example Workstation Incident Response
      • Palo Alto or ePO detects some activity, sends an SNMP trap to NSTI
      • Nagios then uses an event handler to grab 24 hours of pcap data.
      • Use Bro to look for interesting traffic, file a ticket, with attached files
      • All while I am getting coffee
  • 34. FIN Questions?
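
The "Integrating External Tools" and "Passive check strategies" slides describe external tools handing results to Nagios through nagios.cmd. The sketch below is an added example, not code from the presentation: it formats a `PROCESS_SERVICE_CHECK_RESULT` external command and keeps untrusted alert text from breaking the line-oriented command file. The command-file path, host name, service name and alert text are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides. Assumed: command-file path, host and
# service names, and the sample alert text (all constructed).
NAGIOS_CMD="${NAGIOS_CMD:-/usr/local/nagios/var/rw/nagios.cmd}"

# format_passive_result HOST SERVICE RETURN_CODE OUTPUT [EPOCH]
# Prints one external-command line; returns 1 if the input is unsafe.
format_passive_result() {
    host=$1; svc=$2; code=$3; output=$4; ts=${5:-$(date +%s)}
    nl='
'
    [ -n "$host" ] && [ -n "$svc" ] || return 1
    # Host and service are ';'-delimited fields on a single line:
    # reject delimiters and line breaks instead of guessing what was meant.
    case "$host$svc" in
        *";"*|*"$nl"*) return 1 ;;
    esac
    # The timestamp must be a plain epoch value.
    case "$ts" in
        ""|*[!0-9]*) return 1 ;;
    esac
    # Plugin return codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
    case "$code" in
        0|1|2|3) ;;
        *) return 1 ;;
    esac
    # The command file is read line by line. Output copied from a log or a
    # trap may contain CR/LF; flatten it so one result stays one command.
    output=$(printf '%s' "$output" | tr '\r\n' '  ')
    printf '[%s] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%s;%s\n' \
        "$ts" "$host" "$svc" "$code" "$output"
}

# submit_passive_result HOST SERVICE RETURN_CODE OUTPUT
# Returns 1 on unsafe input, 2 if the command file is not a named pipe.
submit_passive_result() {
    line=$(format_passive_result "$@") || return 1
    if [ ! -p "$NAGIOS_CMD" ]; then
        echo "not a named pipe: $NAGIOS_CMD" >&2
        return 2
    fi
    printf '%s\n' "$line" > "$NAGIOS_CMD"
}

# Constructed sample: what a cron-driven AV wrapper would hand to Nagios.
format_passive_result "ws-042" "AV Detection" 2 \
    "CRITICAL - detection reported by endpoint agent" 1380000000
```

The host and service named in the command must already be defined in the Nagios configuration and accept passive checks, otherwise the result is discarded.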