BruCON 2010 Lightning Talk
  1. Detecting Fraudulent Activity Using OSSEC... A Recipe! BruCON / Sep 2010
  2. The Environment: An e-commerce company. Complex IT infrastructure. Increasing demand for security, by the management and by the business (compliance). Security tools and procedures in place (I hope ;-)
  3. The Problem: How to improve the detection of suspicious activity? How to reduce false positives? Restricted and overloaded security team (if there is one!).
  4. Security Convergence! Logical security: passwords, IP access lists. Physical security: access badges, GeoIP. Let's mix them!
  5. The Example: The e-commerce company does business in Europe. Implement security monitoring rules using security convergence. Example: detect sessions started from ... (*) (*) Insert your favorite suspicious countries here. No political engagement ;-)
  6. OSSEC to the Rescue: OSSEC is "an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response".
  7. The Ingredients: Application, OSSEC, Fraud Log Parser, Alert!, Active-Response
  8. The Recipe: Configure OSSEC for your application log file (parser). Create an "Active-Response" action to trigger when a denied access is detected. The "Active-Response" script will perform a GeoIP lookup using the source IP address. If the IP address belongs to another country, inject a new event into OSSEC. OSSEC generates an alert based on this event.
  9. The Results: Adds value to the collected events. Increases visibility. Reduces the amount of alerts to process. Better reaction time.
  10. Interested? This lightning talk idea came from a post on my blog: http://blog.rootshell.be/ Contact: @Xme More info? Maltego! Thank You!
