A long time ago, in a galaxy far far away, AV was invented. Then firewalls and IDS and SIEM and NAC and DLP and on and on. With all these products, it seems like a career in information security is really more about managing tools than defeating a galactic empire of hackers and miscreants. But like the Rebel Alliance, you can take back your enterprise, because many of our existing monitoring systems and network devices also have security functionality. Moreover, there are many excellent open source applications that work just as well as commercial ones.

1. Ending the
Tyranny of
Expensive
Security Tools:
A New Hope

2. Who Am I?
• Michele Chubirka, aka "Mrs. Y.,” Security Architect
and professional contrarian.
• Analyst, blogger, B2B writer, podcaster.
• Researches and pontificates on topics such as
security architecture and best practices.
chubirka@postmodernsecurity.com
http://postmodernsecurity.com
https://www.novainfosec.com/author/mrsy/
@MrsYisWhy
www.linkedin.com/in/mchubirka/

3. So Many Tools….

4. So Little
Budget

5. You Probably Already Have More Than You Need
• Many products have functionality that can be
leveraged for security purposes.
• It’s not about the best tool, but the one that gets the job
done.
• Ignore the siren song of the shiny new toy.
• Expensive tools aren’t a quick fix.

6. Explore Open Source
Many commercial products developed out of
open source projects:
– Nmap
– Tripwire
– Sendmail
– ISC Bind/DHCP
– OpenSSL

7. Monitoring Tools
• Helpful in identifying anomalies.
• Can detect signs of malicious activity.
• Some provide canned compliance and security reports.
• Information can be correlated with data from security
tools for better intrusion detection and incident
response.
• Some have historical data useful during and post
breach.

8. Monitoring Tool Examples
• MRTG
• Solarwinds Orion
• Nagios
• Netdisco
• Wireless Management
Systems (WMS)

9. MRTG – Multi Router Traffic Grapher
Can detect anomalies in link
usage, indicating possible
data exfiltration or DDoS.

10. Solarwinds Orion: Netflow
Can detect anomalies,
indicating unusual
patterns of traffic and
“top talkers.” Useful for
incident response.

11. Nagios
Is it a security
incident or just an
outage?

12. Netdisco
Open source network
management tool
that keeps a history
of MAC to IP address.
Useful in identifying
hosts for malware
remediation and
other incident
response. Uses SNMP
to collect ARP and
MAC tables, then
stores in a database.

13. Compliance
Initiatives?
• PCI DSS
• SOX
• HIPAA
Make existing tools work for
you.

14. Solarwinds Orion: Compliance
Reporting

15. Cisco Prime Network Control System

16. Cisco Prime NCS Reporting

17. Aerohive Hive Manager

18. Aerohive
Reporting

19. System Tools
• Cron and Logcheck alerting
• Configuration management tools for automated
patching, tracking and reporting:
– Puppet
– Chef
– Microsoft System Center Configuration Manager (SCCM)
• Asset Management, HIDS, File Integrity Tools
– Eracent
– OSSEC

20. What changed? Was it
authorized?
When is an error an
incident?

21. OSSEC: an open
source Host Intrusion
Detection tool – can
also be used as a file
integrity monitoring
tool to meet PCI DSS
requirements.

22. Network Controls and Tools
• ACLs and Route Maps
– AOL’s Trigger: open source network automation toolkit used for pushing
out configs and security policies, turns L3 devices into firewalls.
• Load Balancers (aka Application Delivery Controllers)
– SYN Cookies: prevent SYN flood attacks
– DDoS protection
– Protocol checks
• Wireshark and NetworkMiner protocol analysis tools
• RADIUS: provides authentication, authorization and accounting
• 802.1X: port-based network access control

23. SYN Cookie
• Server receives SYN.
• Sends SYN+ACK, but discards the original SYN.
• If server receives ACK, server reconstructs SYN entry
using information encoded in the TCP sequence
number.

24. NetworkMiner Network Forensic Analysis Tool
Free and professional
editions – can be used
live or to parse PCAP
files. Focuses on
collecting data about
hosts.

25. Your Web Browser Is a Security Tool
Both Firefox and Chrome have free add-ons for application
security inspection, testing and fuzzing.
•Groundspeed: application pentesting
•HttpFox: analyzer
•Live HTTP headers: analyzer
•HackBar: application pentesting
•Wappalyzer: application reconnaissance
•PassiveRecon: web site reconnaissance
•Shodan web site and plugin: reconnaissance

26. Shodan
Search engine of
insecure devices
and systems
available on the
Internet.
Is your network in
Shodan?

27. DNS Sinkholes and RPZ
• DNS servers can be effective tools for blocking
malware, phishing and spam.
• Support for Response Policy Zones (RPZ) introduced
with ISC BIND 9.8.
• An RBL for DNS, makes it into a “DNS firewall” by
leveraging reputation feeds.
• Can block or redirect internal traffic associated with
malicious activity (yes, just like OpenDNS).
https://dnsrpz.info/

28. Fun with Wifi
• Kismet
– An open source WIDS that works with any wireless devices
supporting monitor-mode.
• Aircrack-NG
– An open source reconnaissance, key-cracking and testing
tool.

29. Aircrack-NG

30. Kismet

31. inSSIDer –
notice any
similarities
?

32. Network Security Monitor: Security Onion

33. What’s Inside?
• Snort
• Suricata
• Bro Network Security Monitor
• Argus and Ra
• Xplico
• Network Miner
• Squil and Snorby
• ELSA

34. Kali Linux: the Kitchen Sink for Pentesters

35. Threat and
Vulnerability
Management with
Zenmap – a GUI
front-end to Nmap

36. Pentest Dropboxes aka “Creepers”
• Unobtrusive, form factor device used by pentesters to
gain a backdoor into a target network.
• Can be used to perform a security profile of your own
infrastructure.
• Also used as an inexpensive monitoring tool.

37. Where You Can Find One
• Minipwner
• OG150
• PwnPi
Low cost open source
alternatives to Pwnie
Express.

39. Roll Your Own
• Raspberry Pi
• Intel NUC
• TP-Link portable routers running Open-Wrt.
• Pwnie Express even has a community edition you can
build yourself.

40. Available Tools
• Aircrack-NG
• Iperf
• OpenVPN
• SSLStrip
• Tor
• TTCP
• Kismet

41. Get A Pineapple
A wireless network
auditing tool. Highly
customizable Wifi
router, based on Open-
Wrt and Jasager.

42. Do You Always Need the Commercial Product?
• Suricata vs. Sourcefire
• Bro-NSM vs. FireEye
• Security Onion or OSSIM vs. commercial SIEMs
• SANS Investigative Forensic Toolkit (SIFT) vs. EnCase
• Armitage or OG150 vs. Metasploit Pro
• FreeRADIUS vs. Cisco ISE
• OSSEC vs. Symantec Critical System Protection
• ELSA, Graylog, Logstash/Kibana vs. Splunk
• Nmap or Zenmap vs. Qualys

43. Security Isn’t About Managing Tools
• Good information
security (and
engineering) is about
solving problems.
• You don’t always need
to buy a product.
• Be Creative.

44. Resources
• Securitytube.net
• Hak5.org
• Metasploit Minute with @mubix
• OWASP
• Offensive Security

45. Questions?

46. Where Can You Find Me?
Michele Chubirka
Spending quality time in kernel
mode.
Prefers Star Wars original trilogy.
http://postmodernsecurity.com
Twitter @MrsYisWhy
Google+ MrsYisWhy
chubirka@postmodernsecurity.com