
Advanced OSSEC Training: Integration Strategies for Open Source Security

During this technical one-hour session, Santiago Gonzalez, an OSSEC core team member (system integration, rules & SIEM) and AlienVault Director of Professional Services, demonstrates how to integrate OSSEC with third-party applications for greater security visibility and response.

  1. ADVANCED OSSEC TRAINING: INTEGRATION STRATEGIES FOR OPEN SOURCE SECURITY
     Santiago Bassett, Director Professional Services, @santiagobassett
  2. AGENDA
     Presentation contents (20 minutes)
     • Learning the basics
       • OSSEC capabilities
       • AlienVault capabilities
     • OSSEC and AlienVault integration
       • Integration components
       • OSSEC Collector anatomy
       • OSSEC Correlation rules
       • AlienVault Cross-correlation
       • Management interface
     Demo – See it in action (20 minutes)
     • Deploying OSSEC agents
       • Automatic deployment for Windows
       • Manual deployment for Linux
     • Agentless monitoring
     • Managing OSSEC
       • Monitoring/Configuring agents
       • Editing rules
     • Correlating OSSEC events (Brute-force)
     • OSSEC reports
  3. ABOUT ME
     Developer, security engineer, researcher and consultant. Member of the AlienVault and OSSEC core teams. Director of Professional Services at AlienVault. Born in Spain and relocated to Silicon Valley in 2010. Excuse my accent.
  5. OSSEC CAPABILITIES
     • Log analysis based intrusion detection
     • File integrity checking
     • Registry keys integrity checking (Windows)
     • Signature based malware/rootkit detection
     • Real time alerting and active response
  6. OSSEC ARCHITECTURE
     Agent components:
     • Logcollectord: reads logs (syslog, WMI, flat files)
     • Syscheckd: file integrity checking
     • Rootcheckd: malware and rootkit detection
     • Agentd: forwards data to the server
     Server components:
     • Remoted: receives data from agents
     • Analysisd: processes data (main process)
     • Monitord: monitors agents
  7. ALIENVAULT USM CAPABILITIES
     • Provides threat detection capabilities
     • Monitors network assets
     • Centralizes information and management
     • Evaluates threat reliability and risk
     • Collaboratively learns about APTs
  8. ALIENVAULT USM ARCHITECTURE
     Embedded tools:
     • Asset discovery: Nmap, Prads
     • Behavioral monitoring: Netflow, Ntop, Nagios
     • Threat detection: Snort, Suricata, OSSEC
     • Vulnerability assessment: OpenVAS
     External collectors: Syslog, FTP, SCP, NFS, Samba, SNMP, WMI, LEA, SDEE, SQL, Unix Socket
  12. OSSEC CORRELATION RULES
      • Common web attack detected
      • XSS (Cross Site Scripting) attempt
      • SQL injection attempt detected
      • Windows authentication failure attempts
      • MySQL authentication attempt failed detected
      • PostgreSQL authentication attempt failed detected
      • SonicWall authentication attempt failed detected
      • Remote access authentication attempt failed detected
      • SSH service authentication attempts failed detected
      • Multiple authentication attempt failed detected
      • Login authentication failed detected
  13. OSSEC ALERTS RISK ASSESSMENT
      AlienVault USM automatically calculates risk based on OSSEC alert priority, reliability and the assets involved.
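The two mechanisms behind slides 12 and 13 can be shown in a few dozen lines. The script below is an added example, not code from the deck, from OSSEC or from AlienVault: it parses alerts written in the shape of OSSEC's alerts.log, applies a frequency rule that promotes repeated "SSHD authentication failed" alerts from one source IP into a "Multiple SSHD authentication failures" composite (the brute-force case the agenda mentions), and scores the result the way USM describes, from priority, reliability and asset value. The alert text is a constructed sample (hosts, IPs and times invented); the threshold of 3 failures in 120 seconds is chosen for illustration rather than taken from any rule file; the risk formula (asset value × priority × reliability) / 25 with 0-5 / 0-5 / 0-10 ranges is the one OSSIM documents, which the slide states only in words.

```python
"""Frequency correlation over OSSEC-style alerts and a USM-style risk score (added example)."""
import re
from collections import defaultdict, deque

# Constructed sample in the shape of OSSEC's alerts.log; hosts, IPs, users and times are invented.
SAMPLE_ALERTS = """\
** Alert 1391456738.1001: - syslog,sshd,authentication_failed,
2014 Feb 03 12:25:38 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Feb  3 12:25:37 web01 sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2

** Alert 1391456741.1002: - syslog,sshd,authentication_failed,
2014 Feb 03 12:25:41 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: admin

** Alert 1391456744.1003: - syslog,sshd,authentication_failed,
2014 Feb 03 12:25:44 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
User: deploy

** Alert 1391456745.1004: - syslog,sshd,authentication_failed,
2014 Feb 03 12:25:45 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: oracle

** Alert 1391457100.1005: - syslog,sshd,authentication_failed,
2014 Feb 03 12:31:40 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
"""

# One alert = header line, "<date> <agent>-><location>" line, Rule line, optional Src IP line.
ALERT_RE = re.compile(
    r"\*\* Alert (?P<ts>\d+)\.\d+: .*?\n"
    r".*? (?P<agent>\S+)->(?P<location>\S+)\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'\n"
    r"(?:Src IP: (?P<src_ip>\S+)\n)?"
)


def parse_alerts(text):
    """Return each alert as a dict: ts/rule/level as int, agent, location, desc, src_ip (or None)."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        d = m.groupdict()
        d["ts"], d["rule"], d["level"] = int(d["ts"]), int(d["rule"]), int(d["level"])
        alerts.append(d)
    return alerts


def correlate_auth_failures(alerts, trigger_rule=5716, threshold=3, window=120):
    """Frequency correlation in the spirit of an OSSEC composite rule: emit one composite
    alert when `threshold` alerts matching `trigger_rule` arrive from the same source IP
    within `window` seconds. Threshold and window here are illustrative values."""
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    composites = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if a["rule"] != trigger_rule or not a["src_ip"]:
            continue
        q = recent[a["src_ip"]]
        q.append(a["ts"])
        while q and a["ts"] - q[0] > window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            composites.append({
                "src_ip": a["src_ip"], "agent": a["agent"], "count": len(q),
                "first_ts": q[0], "last_ts": a["ts"],
                "description": "Multiple SSHD authentication failures",
            })
            q.clear()  # a fired frequency rule starts counting afresh
    return composites


def usm_risk(priority, reliability, asset_value):
    """OSSIM/USM risk score: (asset value * priority * reliability) / 25.
    Assumed ranges: asset 0-5, priority 0-5, reliability 0-10, giving a 0-10 result."""
    for name, value, hi in (("priority", priority, 5), ("reliability", reliability, 10),
                            ("asset_value", asset_value, 5)):
        if not 0 <= value <= hi:
            raise ValueError(f"{name} must be within 0..{hi}, got {value}")
    return asset_value * priority * reliability / 25


if __name__ == "__main__":
    for hit in correlate_auth_failures(parse_alerts(SAMPLE_ALERTS)):
        # Illustrative scoring: priority 3, reliability 6, and web01 treated as a value-4 asset.
        print(hit["description"], hit["src_ip"], hit["count"], "risk =", usm_risk(3, 6, 4))
```

Running it reports one composite for 192.0.2.10 (three failures in seven seconds); the single failure from 198.51.100.7 and the later isolated one from 192.0.2.10 stay below the threshold, which is the behaviour a tuned frequency rule should have so that a user mistyping a password does not page anyone.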
  14. ALIENVAULT CROSS-CORRELATION
      AlienVault USM correlates events from multiple sources, crossing OSSEC alerts with information collected from embedded detectors and external sources. The example shown on the slide:
      • Attacker X.X.X.X → Target Y.Y.Y.Y
      • Accepted HTTP packet from X.X.X.X to Y.Y.Y.Y
      • Attack: WEB-IIS multiple decode attempt
      • Vulnerability: IIS Remote Command Execution
      • Alert: Low reputation IP (OTX)
      • Alert: IIS attack detected
  15. OSSEC MANAGEMENT INTERFACE
      AlienVault USM provides a comprehensive GUI for OSSEC alert management:
      • Status monitor
      • Events viewer
      • Agents control manager
      • Configuration manager
      • Rules viewer/editor
      • Logs viewer
      • Server control manager
      • Deployment manager
      • PDF/HTML reports
  16. LET'S SEE IT IN ACTION! OSSEC and AlienVault USM
  17. NOW FOR SOME Q&A…
      Three Ways to Test Drive AlienVault
      • Download a Free 30-Day Trial
      • Try our Interactive Demo Site
      • Join our weekly LIVE Demo (-usm-live-demo)