McGyver's SIEM -- Building the best free HUD

My Blackhat Webcast of October 21st 2010, the webcast is available on http://www.blackhat.com/html/webcast/webcast-home.html

Published in: Technology

Transcript of "McGyver's SIEM -- Building the best free HUD"

  1. McGyver’s SIEM: Building the best free HUD. Wim Remes. Thursday 21 October 2010
  2. What we won’t need today ...
  3. The views and opinions expressed in this presentation are those of the presenter and do not reflect those of past, current or future employers, associates or clients.
  4. FOSS will never ever provide you with a complete SIEM solution. Implementing SIEM is hard work and requires dedication and vision. The premise of this talk is to enable you to build the skillset required to implement a SIEM solution and for you to understand your needs using free and open source software. With that skillset you will then be enabled to make an informed choice, lower the actual implementation cost and improve ROI. More importantly, it will teach your technical people how to interpret data, build use cases and apply a common-sensical methodology. Instead of making them button-clicking drones (again), here’s your chance to make your people the strongest link, not the weakest.
  5. Who am I? Wim Remes, Ernst & Young (Belgium), infosecmentors.com, eurotrashsecurity.eu
  6. What is this about? 1. What is SIEM? 2. A common-sensical approach. 3. Let’s get it on! 4. Ask away ...
  7. 1. What is SIEM? (Definition)
  8. Security Information & Event Management: software/hardware that gathers, analyzes and presents information from multiple sources of security-relevant data. (thanks to Wikipedia)
  9. SIEM: Log Management, Security Information & Event Management, SEM, SIM, ESIM (+ everything your vendor wants it or its name to be)
  10. DATA -> INFORMATION
  11. Information -> Knowledge -> Understanding -> Wisdom
  12. 1. What is SIEM? (Functionality we want)
  13. Collection: syslog, scp, ftp
  14. Normalization
      FW_1 "I dropped a packet from x to z on port 80 at 13:22" -> time: 13:22, action: dropped, source: x, destination: z, port: 80
      FW_2 "rejected x:1234 to z:22 at 1:23pm" -> time: 13:23, action: dropped, source: x, destination: z, port: 22
  15. Correlation
      time  | action  | src_ip  | user
      04:22 | failed  | a.b.c.d | craig
      04:23 | failed  | a.b.c.d | craig
      04:24 | failed  | a.b.c.d | craig
      04:25 | success | a.b.c.d | craig
      Three failures: brute-force attack? (look at this in the morning)
      Three failures followed by a success: brute-force attack? (wake the f* up now!)
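The two steps on slides 14 and 15 (normalizing the two firewall formats onto one schema, then correlating failed/failed/failed/success per source and user) as an added, runnable Python example; this is not code from the talk. The schema keys, the 5-minute window and the 3-failure threshold are assumptions, and the event lines are constructed to match the slides.

```python
import re
from datetime import datetime, timedelta

# Sample lines in the two vendor formats from the Normalization slide (constructed
# to match the slide's text; the target schema keys are assumed).
FW1 = re.compile(r"^FW_1 I dropped a packet from (\S+) to (\S+) on port (\d+) at (\d\d:\d\d)$")
FW2 = re.compile(r"^FW_2 rejected (\S+):\d+ to (\S+):(\d+) at (\d{1,2}):(\d\d)(am|pm)$")

def normalize(line):
    """Map either firewall format onto one common schema (24h time, same keys)."""
    m = FW1.match(line)
    if m:
        src, dst, port, t = m.groups()
        return {"time": t, "action": "dropped", "source": src,
                "destination": dst, "port": int(port)}
    m = FW2.match(line)
    if m:
        src, dst, port, hh, mm, ampm = m.groups()
        hh = int(hh) % 12 + (12 if ampm == "pm" else 0)  # 1:23pm -> 13:23, 12:05am -> 00:05
        return {"time": f"{hh:02d}:{mm}", "action": "dropped", "source": src,
                "destination": dst, "port": int(port)}
    return None  # unknown format: do not guess fields, leave the raw line for review

def correlate(events, window=timedelta(minutes=5), min_failures=3):
    """Per (src_ip, user): min_failures failures inside the window is a brute-force
    attempt; a success after them inside the window gets the 'wake up now' verdict."""
    verdicts, by_key = {}, {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_key.setdefault((e["src_ip"], e["user"]), []).append(e)
    for key, evs in by_key.items():
        fails = []
        for e in evs:
            fails = [t for t in fails if e["time"] - t <= window]  # drop failures outside the window
            if e["action"] == "failed":
                fails.append(e["time"])
                if len(fails) >= min_failures:
                    verdicts[key] = "brute-force attempt (look at this in the morning)"
            elif e["action"] == "success" and len(fails) >= min_failures:
                verdicts[key] = "brute-force succeeded (wake up now!)"
                break
    return verdicts

# Constructed auth events replaying the Correlation slide (04:22-04:25, user craig).
T = lambda h, m: datetime(2010, 10, 21, h, m)
AUTH_EVENTS = [{"time": T(4, 22 + i), "action": a, "src_ip": "a.b.c.d", "user": "craig"}
               for i, a in enumerate(["failed", "failed", "failed", "success"])]
```

`correlate(AUTH_EVENTS)` returns the "wake up now" verdict for `("a.b.c.d", "craig")`; the first three events alone only produce the "morning" verdict.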
  16. 3 base use cases: React Faster, Improve Efficiency, Automate Compliance (Securosis: Understanding and Selecting SIEM/Log Management)
  17. (image only, no text)
  18. 2. A common-sensical approach
  19. Architecture: FLAT
  20. Architecture: HIERARCHICAL
  21. Architecture: MESH
  22. Integrating SIEM: Data Sources -> Data Points -> Use Cases
  23. 3. Let’s get it on!
  24. Our arsenal:
      - ossec: http://www.ossec.net
      - ossim: http://www.alienvault.com
      - syslog-ng: http://www.balabit.com/network-security/syslog-ng
      - davix: http://www.secviz.org
      (+ some golden nuggets)
  25. OSSEC: Host Based Intrusion Detection/Prevention
      - Log Monitoring
      - Integrity Control & Host Checking
      - Policy Monitoring
      - Real-time alerting & Active Response
      Running on: Windows, AIX, Solaris, HP-UX, MacOS & Linux
  26. OSSEC components. Client side: ossec-logcollector, agentd. Server side: remoted, analysisd, maild, execd.
  27. OSSEC as a SIEM event source: OSSEC can be agentless! syslog = OSSEC agent (*). * Observation: none of the leading SIEM solutions support OSSEC as an event source out of the box. Why?
  28. OSSEC processing stages: pre-decoding -> decoding -> signatures
  29. OSSEC: palo alto threat detection. Sample event (thanks to Xavier Mertens, @xme):
      Aug 26 13:56:07 192.168.0.5 1,2010/08/26 13:56:07,0003A100245,THREAT,vulnerability,8,2010/08/26 13:56:01,10.0.0.1,10.0.0.2,0.0.0.0,0.0.0.0,rule2,domainuser,,netbios-ns,vsys1,TAP-ZONE,TAP-ZONE,ethernet1/1,ethernet1/1,Logger,2010/08/26 13:56:07,136674,3,137,137,0,0,0x8000,udp,alert,"",NetBIOS nbtstat query(31707),any,low,client-to-server
  30. OSSEC: palo alto threat detection (decoder), thanks to Xavier Mertens (@xme). The backslashes of the OSSEC regex escapes (\d) were lost on the slide and are restored here:
      <!-- Custom decoder for PaloAlto Firewalls Threat Events -->
      <decoder name="paloalto-threat">
          <prematch>^\d,\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d,.+,THREAT,</prematch>
          <regex>(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),\d+.\d+.\d+.\d+,\d+.\d+.\d+.\d+,.+,(.*),(.*),.+,alert,.+,(.+),.+$</regex>
          <order>srcip,dstip,srcuser,dstuser,extra_data</order>
      </decoder>
  31. OSSEC: palo alto threat detection (rules), thanks to Xavier Mertens (@xme). Rule 150000 only tags decoded events (level 0); 150001 and 150002 hang off it via if_sid:
      <group name="syslog,paloalto-threat,">
        <rule id="150000" level="0">
          <decoded_as>paloalto-threat</decoded_as>
          <description>PaloAlto Firewalls Threat Events</description>
        </rule>
        <rule id="150001" level="10">
          <if_sid>150000</if_sid>
          <match>NetBIOS</match>
          <description>Possible NetBIOS attack detected!</description>
        </rule>
        <rule id="150002" level="10">
          <if_sid>150000</if_sid>
          <user>domainadministrator</user>
          <description>Possible attack detected against Administrator!</description>
        </rule>
      </group>
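The pre-decoding, decoding and signature stages of slides 28 to 31, replayed on the slide's Palo Alto event as an added Python example (not OSSEC code and not from the talk): the decoder is expressed positionally over the CSV fields instead of the OSSEC regex, the field positions are read off the sample line (an assumption, not a PAN-OS spec), and the three rules are those from slide 31.

```python
import csv
import re

# The Palo Alto THREAT event from the slide, reassembled into one syslog record.
PAN_LINE = ("Aug 26 13:56:07 192.168.0.5 1,2010/08/26 13:56:07,0003A100245,THREAT,"
            "vulnerability,8,2010/08/26 13:56:01,10.0.0.1,10.0.0.2,0.0.0.0,0.0.0.0,"
            "rule2,domainuser,,netbios-ns,vsys1,TAP-ZONE,TAP-ZONE,ethernet1/1,"
            "ethernet1/1,Logger,2010/08/26 13:56:07,136674,3,137,137,0,0,0x8000,udp,"
            'alert,"",NetBIOS nbtstat query(31707),any,low,client-to-server')
SYSLOG_HDR = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
PREMATCH = re.compile(r"^\d,\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,.+,THREAT,")  # slide's <prematch>

def predecode(line):
    """Stage 1 (pre-decoding): split the syslog header off; decoders see the message."""
    m = SYSLOG_HDR.match(line)
    return {"hostname": m.group(2), "message": m.group(3)} if m else None

def decode(event):
    """Stage 2 (decoding): keep THREAT records only and name the fields as the
    slide's <order> does. Field positions are read off the sample line (assumed)."""
    if event is None or not PREMATCH.match(event["message"]):
        return None
    f = next(csv.reader([event["message"]]))
    return dict(event, srcip=f[7], dstip=f[8], srcuser=f[12], dstuser=f[13], extra_data=f[32])

# Stage 3 (signatures): rules 150000-150002 as (id, level, if_sid parent, condition).
RULES = [
    (150000, 0, None, lambda e: True),                          # decoded_as base rule
    (150001, 10, 150000, lambda e: "NetBIOS" in e["message"]),  # <match>
    (150002, 10, 150000, lambda e: e["srcuser"] == "domainadministrator"),  # <user>
]

def evaluate(event):
    """Return (rule id, level) for the event: the base rule, then the first child
    whose if_sid parent fired and whose condition holds (OSSEC stops at the first
    matching sibling). Level 0 means 'decoded, nothing to alert on'."""
    if event is None:
        return None
    fired = None
    for rid, level, parent, cond in RULES:
        if parent is None and cond(event):
            fired = (rid, level)
        elif fired and parent == fired[0] and cond(event):
            return (rid, level)
    return fired

def pipeline(line):
    """Run all three stages on one raw syslog line."""
    return evaluate(decode(predecode(line)))
```

For `PAN_LINE` the pipeline decodes srcip 10.0.0.1 / dstip 10.0.0.2 and fires rule 150001 at level 10; a TRAFFIC record fails the prematch and is dropped before any rule runs.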
  32. OSSEC rules: "login failed 100 times in the last 10 minutes on critical server" + "login success from unauthorized ip address!" -> wake the f* up!
  33. OSSEC rules: "login failed 100 times in the last 10 minutes on critical server" (AR, active response) + "login success from unauthorized ip address!" (AR) -> don’t bother, everything is under control
  34. OSSIM (includes OSSEC), layered architecture:
      - front end (< you are here!)
      - DB
      - server: normalization, prioritization, collection, risk assessment, correlation, ...
      - sensors: snort, nessus, Spade, p0f, Ntop, arpwatch, OSSEC, ...
  35. OSSIM: risk maps
  36. OSSIM: compliance reporting
  37. OSSIM: event analysis
  38. OSSIM: incident response
  39. 3. Let’s get it on! A few words on data visualization (because it’s important!)
  40. Choosing the right chart! http://ebiquity.umbc.edu/blogger/2009/01/25/how-to-choose-the-right-chart-for-your-data/
  41. DAVIX: Data visualization Live CD
      - free data processing and visualization tools
      - bootable CD
      - available from http://www.secviz.org
      - part of “Applied Security Visualization” by Raffael Marty
  42. a firewall log treemap (source: http://www.secviz.org)
  43. radial firewall visualization (source: http://www.secviz.org)
  44. windows event log types (source: http://www.secviz.org)
  45. 1 day of firewall logs (source: http://www.secviz.org)
  46. gl-tail: http://www.fudgie.org/
  47. gl-tail: http://www.fudgie.org/
  48. Recap: Focus on approach, not tools. Use open source to facilitate & learn. Integrate in architecture later.
  49. Thank you!
      Interesting people to follow: @andrewsmhay, @zrlram, @anton_chuvakin, @rockyd, @xme
      Podcast: LogChat (see Anton’s blog or iTunes)
      Contact: wremes@gmail.com, @wimremes
      Websites: http://www.securosis.com, http://www.secviz.org, http://www.ossec.net, http://www.alienvault.com, http://chuvakin.blogspot.com/, http://blog.rootshell.be, http://www.decurity.com