These are the slides of the talk given during 2011.


  1. All Your Security Events are Belong to ...You! InfoSecurity 2011 - Xavier Mertens
  2. $ whoami
     • Xavier Mertens
     • Senior Security Consultant
     • CISSP, CISA, CeH
     • Security Blogger
     • Volunteer for security projects like:
  3. $ cat disclaimer.txt
     “The opinions expressed in this presentation are those of the speaker and do not reflect those of past, present or future employers, partners or customers”
  4. Today’s Situation
  5. Are You Ready?
     • Most organizations are NOT prepared to deal with security incidents
     • If anything can go wrong, it will! (Murphy’s law)
     • Assigned internal resources?
  6. Technical Issues
     • Networks are complex
     • Some components/knowledge are outsourced
     • Millions of daily events
     • Lots of consoles/tools
     • Lots of protocols/applications
  7. Find the Differences
     Aug 27 14:33:01 macosx ipfw: 12190 Deny TCP 192.168.13.1:2060 in via en1
     %PIX-3-313001: Denied ICMP type=11, code=0 from 192.168.30.2 on interface 2
  8. Economic Issues
     • “Time is money”
       • Real-time operations
       • Downtime has a huge financial impact
     • Reduced staff & budget
     • Happy shareholders
  9. Legal Issues
     • Compliance requirements
       • Big names
       • Initiated by the group or business
     • Local laws
     • Due diligence & due care
  10. Belgian Example: CBFA
     From a document published in April 2009: “Any institution that connects its infrastructure to the Internet has a security policy that takes into account: ... the creation and archiving of technical ‘event history’ files suited to their analysis, follow-up and reporting.”
  11. Challenges
     • Creation & archiving of log files
     • Analysis (normalization)
     • Follow-up
     • Reporting
  12. Layer Approach (layers, from the top down)
     • Correlation
     • Reporting
     • Search
     • Storage
     • Normalization
     • Log Collection
  13. Raw Material
     • Your logs are belong to you
     • If not stored internally (cloud, outsourcing), claim access to them
     • All applications/devices generate events
     • Developers, you MUST generate GOOD events
  14. 3rd Party Sources
     • Vulnerability databases
     • Blacklists (IP addresses, ASNs)
     • “Physical” data
       • Geolocation
       • Badge readers
  15. The Recipe
  16. Collection
     • Push or pull methods
     • Use supported protocols
     • Ensure integrity
     • As close to the source as possible
  17. Normalization
     • Parse events
     • Fill in common fields
       • Date, Src, Dst, User, Device, Type, Port, ...
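Added worked example (not part of the slides, nor the speaker's code): a small Python normalizer that parses the two log formats shown on the "Find the Differences" slide into the common fields listed here, so that a firewall "Deny" on one box and a "Denied" on another end up with the same type, source and device fields. The sample lines, the year 2011 assumed for year-less syslog timestamps, the field names and the regular expressions are all the editor's assumptions.

```python
import re
from datetime import datetime

# Common fields every normalized event carries: the slide's list plus the protocol.
COMMON_FIELDS = ("date", "src", "dst", "user", "device", "type", "port", "proto")

# Constructed sample input shaped like the two events on the "Find the Differences"
# slide: a macOS ipfw line (a destination is added so the example has one), a Cisco
# PIX message that arrived without a syslog header, and one that arrived with it.
RAW_EVENTS = [
    "Aug 27 14:33:01 macosx ipfw: 12190 Deny TCP 192.168.13.1:2060 10.1.1.20:80 in via en1",
    "%PIX-3-313001: Denied ICMP type=11, code=0 from 192.168.30.2 on interface 2",
    "Aug 27 14:33:05 fw1 %PIX-3-313001: Denied ICMP type=8, code=0 from 10.9.9.9 on interface outside",
]

# "<Mon dd HH:MM:SS> <host> " as prepended by a syslog collector.
SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "

# ipfw: "<ts> <host> ipfw: <rule> Deny TCP <src>:<sport> <dst>:<dport> in via <iface>"
IPFW_RE = re.compile(
    "^" + SYSLOG_TS + r"ipfw: \d+ (?P<action>Allow|Deny) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# PIX 313001: "%PIX-3-313001: Denied ICMP type=<t>, code=<c> from <src> on interface <if>",
# optionally preceded by the syslog header added by the collector.
PIX_RE = re.compile(
    "^(?:" + SYSLOG_TS + r")?%PIX-(?P<sev>\d)-(?P<msgid>\d+): Denied (?P<proto>\w+) "
    r"type=(?P<itype>\d+), code=(?P<icode>\d+) from (?P<src>[\d.]+) "
    r"on interface (?P<iface>\S+)$"
)


def _syslog_time(ts, year):
    """Syslog timestamps carry no year; the caller supplies one (assumed 2011 here)."""
    if ts is None:
        return None
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def normalize(line, year=2011):
    """Map one raw line onto the common fields; return None when no parser matches."""
    event = dict.fromkeys(COMMON_FIELDS)
    event["raw"] = line  # always keep the original line for forensics
    m = IPFW_RE.match(line)
    if m:
        event.update(
            date=_syslog_time(m["ts"], year), src=m["src"], dst=m["dst"],
            device=m["host"], port=int(m["dport"]), proto=m["proto"].lower(),
            # The same verdict is spelled "Deny" here and "Denied" on the PIX:
            # normalization maps both onto one vocabulary.
            type="deny" if m["action"] == "Deny" else "allow",
        )
        return event
    m = PIX_RE.match(line)
    if m:
        event.update(
            date=_syslog_time(m["ts"], year), src=m["src"], device=m["host"],
            type="deny", proto=m["proto"].lower(),
            # ICMP has no ports, so "port" stays None; keep type/code as an extra field.
            icmp=(int(m["itype"]), int(m["icode"])),
        )
        return event
    return None


def normalize_all(lines, year=2011):
    """Normalize a batch; unparsed lines are returned too so nothing silently disappears."""
    events, unparsed = [], []
    for line in lines:
        event = normalize(line, year)
        if event is None:
            unparsed.append(line)
        else:
            events.append(event)
    return events, unparsed


if __name__ == "__main__":
    events, unparsed = normalize_all(RAW_EVENTS + ["this line matches no parser"])
    for event in events:
        print({k: event[k] for k in COMMON_FIELDS})
    print("unparsed:", unparsed)
```

The point worth keeping from this: events a parser cannot handle are reported rather than dropped, and fields a source does not provide (the PIX line without a header has no date or device) stay explicitly empty instead of being guessed.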
  18. Storage
     • Index
     • Store
     • Archive
     • Ensure integrity (again)
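Added example, not from the slides: one way to "ensure integrity (again)" at the storage layer. Each archived event is hashed together with its position and the previous entry's hash, so a verifier can detect a modified or deleted entry, and a copy of the newest hash kept off the log server catches the one thing the chain itself cannot see, a truncated tail. The record layout, the SHA-256 chaining scheme and the sample events are constructed for this illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the very first entry


def _digest(prev_hash, seq, record):
    """Hash of one entry: binds its content to its position and to the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{seq}|{payload}".encode()).hexdigest()


def append(archive, record):
    """Append one event to the archive, chained to the previous entry; returns the new head."""
    prev_hash = archive[-1]["hash"] if archive else GENESIS
    seq = len(archive)
    archive.append({"seq": seq, "prev": prev_hash, "record": record,
                    "hash": _digest(prev_hash, seq, record)})
    return archive[-1]["hash"]


def head(archive):
    """The newest hash; keep a copy somewhere the log server cannot rewrite."""
    return archive[-1]["hash"] if archive else GENESIS


def verify(archive):
    """Recompute every link. Returns (True, None) or (False, index of the first bad entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(archive):
        if entry["seq"] != i or entry["prev"] != prev_hash:
            return False, i
        if _digest(prev_hash, i, entry["record"]) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, None


# Constructed normalized events (already parsed into common fields).
SAMPLE_EVENTS = [
    {"date": "2011-08-27T14:33:01", "device": "macosx", "type": "deny", "src": "192.168.13.1"},
    {"date": "2011-08-27T14:33:04", "device": "fw1", "type": "deny", "src": "192.168.30.2"},
    {"date": "2011-08-27T14:33:09", "device": "fw1", "type": "allow", "src": "10.1.1.20"},
]


def tamper_demo():
    """Build an archive, then show what each kind of tampering looks like to verify()."""
    archive = []
    for record in SAMPLE_EVENTS:
        append(archive, record)
    saved_head = head(archive)  # stored off-box (or on write-once media) at archive time

    modified = copy.deepcopy(archive)
    modified[1]["record"]["type"] = "allow"  # rewrite a verdict in place

    deleted = copy.deepcopy(archive)
    del deleted[1]  # remove an entry from the middle

    truncated = copy.deepcopy(archive)
    truncated.pop()  # drop the newest entry: the chain itself still verifies

    return {
        "intact": verify(archive),
        "modified": verify(modified),
        "deleted": verify(deleted),
        "truncated_chain": verify(truncated),
        "truncated_head_matches": head(truncated) == saved_head,
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:>22}: {result}")
```

Checking the chain alone is not enough: `truncated_chain` still verifies, which is why the head hash has to live outside the archive's own trust domain.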
  19. Search
     • You know Google?
     • Investigations / forensics
     • Looking for “smoke signals”
  20. Reporting
     • Automated / on-demand
     • Reliable only if the first steps are successful
  21. Correlation
     • Generation of new events based on the way other events occurred (based on their logic, their time or their recurrence)
     • Correlation will be successful only if the other layers are properly working
     • A step towards incident management
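Added example, not from the slides: a minimal correlator in Python illustrating the three triggers named on this slide (logic, time, recurrence). A threshold rule turns repeated failed logins or firewall denies from one source into a new event, and a sequence rule fires when a successful login follows that derived event from the same source within a few minutes. Derived events are fed back into the engine, which is the "generation of new events" the slide describes. Rule names, event types and the sample events are constructed for this example; this is not SEC or OSSEC rule syntax.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class ThresholdRule:
    """Recurrence: emit a new event once `threshold` matching events share a key
    within `window` (e.g. N failed logins from one source in a minute)."""

    def __init__(self, name, match, key, threshold, window):
        self.name, self.match, self.key = name, match, key
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)  # key -> timestamps of recent matches

    def feed(self, event):
        if not self.match(event):
            return None
        k = self.key(event)
        times = self.recent[k]
        times.append(event["date"])
        while times and event["date"] - times[0] > self.window:
            times.popleft()  # forget matches that fell out of the window
        if len(times) < self.threshold:
            return None
        count = len(times)
        times.clear()  # start counting again so the rule can fire on recurrence
        return {"date": event["date"], "type": self.name, "src": k, "count": count,
                "window_s": int(self.window.total_seconds()), "derived": True}


class SequenceRule:
    """Logic + time: emit when an event matching `second` follows one matching
    `first` for the same key within `window` (e.g. success after a brute force)."""

    def __init__(self, name, first, second, key, window):
        self.name, self.first, self.second = name, first, second
        self.key, self.window = key, window
        self.pending = {}  # key -> time of the last `first` event

    def feed(self, event):
        k = self.key(event)
        if self.first(event):
            self.pending[k] = event["date"]
            return None
        started = self.pending.get(k)
        if self.second(event) and started is not None and event["date"] - started <= self.window:
            del self.pending[k]
            return {"date": event["date"], "type": self.name, "src": k,
                    "after": started, "derived": True}
        return None


def correlate(events, rules):
    """Run time-ordered events through every rule. Derived events are queued in
    front of the remaining input so other rules can correlate on them too."""
    derived = []
    queue = deque(sorted(events, key=lambda e: e["date"]))
    while queue:
        event = queue.popleft()
        for rule in rules:
            new = rule.feed(event)
            if new is not None:
                derived.append(new)
                queue.appendleft(new)
    return derived


def build_sample():
    """Constructed normalized events: a brute force that ends in a successful login,
    one harmless failed login, and a burst of firewall denies from one host."""
    t0 = datetime(2011, 8, 27, 14, 33, 0)

    def ev(seconds, **fields):
        return {"date": t0 + timedelta(seconds=seconds), **fields}

    events = [ev(s, type="auth.fail", src="10.9.9.9", device="vpn1", user="admin") for s in (0, 5, 11)]
    events.append(ev(3, type="auth.fail", src="10.1.1.20", device="vpn1", user="bob"))
    events.append(ev(40, type="auth.success", src="10.9.9.9", device="vpn1", user="admin"))
    events += [ev(2 * i, type="deny", src="192.168.30.2", device="fw1", port=20 + i) for i in range(10)]
    return events


def run_demo():
    minute, five_minutes = timedelta(seconds=60), timedelta(seconds=300)
    by_src = lambda e: e["src"]
    rules = [
        ThresholdRule("auth.bruteforce", lambda e: e["type"] == "auth.fail", by_src, 3, minute),
        ThresholdRule("fw.scan", lambda e: e["type"] == "deny", by_src, 10, minute),
        SequenceRule("auth.bruteforce.success",
                     lambda e: e["type"] == "auth.bruteforce",
                     lambda e: e["type"] == "auth.success", by_src, five_minutes),
    ]
    return correlate(build_sample(), rules)


if __name__ == "__main__":
    for event in run_demo():
        print(event["date"].time(), event["type"], event["src"], event.get("count", ""))
```

Note that every rule keys on fields produced by the normalization layer (`date`, `type`, `src`): if those are missing or inconsistent, the rules silently never fire, which is the slide's point that correlation only works when the layers below it do.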
  22. Build Your Toolbox
  23. <warning>Please keep v€ndor$ away from the next slide ;-) </warning>
  24. Let’s Kill Some Myths
     • Big players do not always provide the best solutions. A Formula-1 is touchy to drive!
     • Why pay $$$ and use <10% of the features? (the “Microsoft Office” effect)
     • But even free software has costs!
     • False sense of security
  25. LM vs. SIEM
     • An LM (“Log Management”) addresses the lowest layers, from collection to reporting.
     • A SIEM (“Security Information & Event Management”) adds the correlation layer (and incident management tools)
  26. Grocery Shopping
     • Compliance
     • Suspicious activity
     • Web application monitoring
     • Correlation
     • Supported devices
     • Buying a SIEM is a very specific project
  27. Free Tools to the Rescue
  28. Syslog Daemons
     • Syslog is well implemented
     • Lots of forked implementations
       • syslogd, rsyslogd, syslog-ng
       • Multiple sources
       • Supports TLS, TCP
     • Several tools exist to export to Syslog (e.g. SNARE)
  29. SEC
     • “Simple Event Correlation”
     • Performs correlation of logs based on Perl regexes
     • Produces new events, triggers scripts, writes to files
  30. OSSEC
     • HIDS
     • Log collection & parsing
     • Active-Response
     • Rootkit detection
     • File integrity checking
     • Agents (UNIX, Windows)
     • Log archiving
  31. Miscellaneous
     • MySQL
     • iptables / ulogd
     • GoogleMaps API
     • Some Perl code
     • Cloud services (don’t be afraid)
  32. Personal Research
     • Examples based on OSSEC!
     • MySQL integrity audit
     • USB stick detection in Windows environments
     • Detecting rogue access
     • Mapping data on Google Maps
  33. Visibility!
     • LaaS (Loggly)
     • Splunk
  34. Example of Visualization
  35. Conclusions
     • The raw material is already yours!
     • The amount of data cannot be reviewed manually.
     • Suspicious activity occurs below the radar.
     • Stick to your requirements!
     • It costs $$$ and HH:MM
     • Make your logs more valuable via external sources
  36. Thank You! Q&A? http://blog.rootshell.be