BruCON 2010 Lightning Talk
Presentation Transcript

  • Detecting Fraudulent Activity Using OSSEC... A Recipe! BruCON / Sep 2010
  • The Environment: An e-commerce company. Complex IT infrastructure. Increasing demand for security, by the management and by the business (compliance). Security tools and procedures in place (I hope ;-)
  • The Problem: How to improve the detection of suspicious activity? How to reduce false positives? Restricted and overloaded security team (if there is one!).
  • Security Convergence! Logical security: passwords, IP access lists. Physical security: access badges, GeoIP. Let's mix them!
  • The Example: The e-commerce company does business in Europe. Implement security monitoring rules using security convergence. Example: detect sessions started from ... (*) (*) Insert your favorite suspicious countries here. No political engagement ;-)
  • OSSEC to the Rescue: OSSEC is "an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response".
  • The Ingredients (diagram): Application, Fraud Log, OSSEC Parser, Alert!, Active-Response.
  • The Recipe:
    1. Configure OSSEC for your application log file (parser).
    2. Create an "Active-Response" action that triggers when a denied access is detected.
    3. The "Active-Response" script performs a GeoIP lookup on the source IP address.
    4. If the IP address belongs to another country, inject a new event into OSSEC.
    5. OSSEC generates an alert based on this event.
  • The Results: Adds value to the collected events. Increases visibility. Reduces the amount of alerts to process. Better reaction time.
  • Interested? This lightning talk idea came from a post on my blog: http://blog.rootshell.be/ Contact: @Xme. More info? Maltego! Thank You!
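The recipe above is five steps but the slides show no code, so here is one way to implement steps 2 to 4 as an OSSEC active-response script. This is an added example, not code from the talk, from the blog post or from the OSSEC project. OSSEC hands an active-response executable the positional arguments ACTION USER IP ALERTID RULEID, and the ossec.conf wiring in the docstring (rule ids 100100 and 100200, the command name, the event file path) is assumed for illustration. The GeoIP database is replaced by a small constructed table keyed on documentation prefixes, in place of the geoiplookup call a real deployment would make, and "inject a new event into OSSEC" is done by appending a line to a file that OSSEC tails through a `<localfile>` entry. Addresses the lookup cannot place are deliberately treated as foreign ("--"), which is the conservative choice for a fraud check.

```python
#!/usr/bin/env python3
"""Hypothetical OSSEC active-response script for the GeoIP recipe.

Added example, not code from the talk or from OSSEC. OSSEC runs an
active-response executable with positional arguments:

    ACTION USER IP ALERTID RULEID

ACTION is "add" when the triggering alert fires and "delete" when a
configured <timeout> expires. Assumed ossec.conf wiring (ids and paths
are illustrative):

    <command>
      <name>geoip-check</name>
      <executable>geoip-check.py</executable>
      <expect>srcip</expect>
    </command>
    <active-response>
      <command>geoip-check</command>
      <location>local</location>
      <rules_id>100100</rules_id>   <!-- "denied access" rule for the app log -->
    </active-response>
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/ossec/logs/geoip-events.log</location>
    </localfile>

and the rule that turns the injected line into the final alert (step 5):

    <rule id="100200" level="10">
      <match>geoip-check: denied access from</match>
      <description>Denied access from outside the business area</description>
    </rule>
"""
import ipaddress
import sys
from datetime import datetime, timezone

# Countries where the (fictional) e-commerce company does business.
ALLOWED_COUNTRIES = {"BE", "NL", "LU", "FR", "DE"}

# Constructed stand-in for a GeoIP database, built on documentation prefixes.
# A real deployment would shell out to geoiplookup or read a MaxMind DB here.
GEOIP_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "BE"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
]

# File tailed by OSSEC through the <localfile> above (hypothetical path).
EVENT_FILE = "/var/ossec/logs/geoip-events.log"


def country_of(ip):
    """Map an IP address to a country code; '--' when the table has no entry."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage input
    for net, cc in GEOIP_TABLE:
        if addr in net:                      # version mismatch simply yields False
            return cc
    return "--"


def build_event(ip, country, rule_id, user="-", now=None):
    """Format the event line that is injected back into OSSEC."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"{ts} geoip-check: denied access from {ip} "
            f"country={country} user={user} src_rule={rule_id}")


def handle(argv, allowed=ALLOWED_COUNTRIES, sink=None, now=None):
    """Run the active-response logic on OSSEC's argument vector.

    Returns the injected event line, or None when nothing is injected
    (source country is allowed, or this is the 'delete' callback).
    """
    if len(argv) < 6:
        raise SystemExit(f"usage: {argv[0]} ACTION USER IP ALERTID RULEID")
    action, user, ip, _alert_id, rule_id = argv[1:6]
    if action != "add":
        return None
    country = country_of(ip)
    if country in allowed:
        return None                          # domestic access: no extra event
    event = build_event(ip, country, rule_id, user, now)
    if sink is not None:
        sink.write(event + "\n")             # OSSEC picks this up via <localfile>
    return event


if __name__ == "__main__":
    with open(EVENT_FILE, "a") as fh:
        handle(sys.argv, sink=fh)
```

Install it under /var/ossec/active-response/bin and make it executable; `<expect>srcip</expect>` is what guarantees OSSEC fills the IP argument, so the triggering rule 100100 must have a decoder that extracts srcip from the application log. Since the script is spawned for every denied access, give rule 100100 a `<frequency>` and `<timeframe>` (or keep its level below the active-response threshold until it correlates) so a brute-force run does not fork one lookup per log line.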