ADVANCED OSSEC TRAINING:
INTEGRATION STRATEGIES FOR OPEN SOURCE SECURITY
Santiago Bassett
Director Professional Services
@santiagobassett
AGENDA
Presentation contents (20 minutes)
Learning the basics
• OSSEC capabilities
• AlienVault capabilities
OSSEC and AlienVault integration
• Integration components
• OSSEC Collector anatomy
• OSSEC Correlation rules
• AlienVault Cross-correlation
• Management interface
Demo – See it in action (20 minutes)
Deploying OSSEC agents
• Automatic deployment for Windows
• Manual deployment for Linux
Agentless monitoring
Managing OSSEC
• Monitoring/Configuring agents
• Editing rules
Correlating OSSEC events (Brute-force)
OSSEC reports
ABOUT ME
Developer, security engineer, researcher and
consultant.
Member of AlienVault and OSSEC core teams.
Director of Professional Services at AlienVault
Born in Spain and relocated to Silicon Valley in
2010. Excuse my accent.
LEARNING THE BASICS…
OSSEC and AlienVault USM
OSSEC CAPABILITIES
Log-analysis-based intrusion detection
File integrity checking
Registry key integrity checking (Windows)
Signature-based malware/rootkit detection
Real-time alerting and active response
OSSEC ARCHITECTURE
Agent components:
Logcollectord: Reads logs (syslog, WMI, flat files)
Syscheckd: File integrity checking
Rootcheckd: Malware and rootkits detection
Agentd: Forwards data to the server
Server components:
Remoted: Receives data from agents
Analysisd: Processes data (main process)
Monitord: Monitors agents
ALIENVAULT USM CAPABILITIES
Provides threat detection capabilities
Monitors network assets
Centralizes Information and Management
Evaluates threat reliability and risk
Collaboratively learns about APT
ALIENVAULT USM ARCHITECTURE
Embedded tools:
Asset discovery: Nmap, Prads
Behavioral monitoring: Netflow, Ntop, Nagios
Threat detection: Snort, Suricata, OSSEC
Vulnerability assessment: OpenVAS
External collectors:
Syslog, FTP, SCP, NFS
Samba, SNMP, WMI, LEA
SDEE, SQL, Unix Socket
OSSEC INTEGRATION
OSSEC and AlienVault USM
INTEGRATION COMPONENTS
OSSEC COLLECTOR ANATOMY
OSSEC CORRELATION RULES
Common web attack detected
XSS (Cross Site Scripting) attempt
SQL injection attempt detected
Windows authentication failure attempts
MySQL authentication attempt failed detected
PostgreSQL authentication attempt failed detected
SonicWall authentication attempt failed detected
Remote access authentication attempt failed detected
SSH service authentication attempts failed detected
Multiple authentication attempt failed detected
Login authentication failed detected
OSSEC ALERTS RISK ASSESSMENT
AlienVault USM automatically calculates a risk score for each OSSEC alert from the alert's priority, its reliability and the value of the assets involved.
ALIENVAULT CROSS-CORRELATION
AlienVault USM correlates events from multiple sources, crossing OSSEC alerts with
information collected from embedded detectors and external sources.
[Diagram: attack from Attacker X.X.X.X to Target Y.Y.Y.Y, with the evidence each source contributes]
Accepted HTTP packet from X.X.X.X to Y.Y.Y.Y
Attack: WEB-IIS multiple decode attempt
Vulnerability: IIS Remote Command Execution
Alert: Low reputation IP (OTX)
Alert: IIS attack detected
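As an added example (not code from the slides or from AlienVault), here is a toy version of the cross-correlation step drawn above: a HIDS alert from OSSEC is matched against a network IDS event, a vulnerability scan result and a reputation lookup for the same attacker/target pair, and the resulting reliability feeds the risk score. All events are constructed, and the risk formula risk = asset_value * priority * reliability / 25 is the OSSIM convention assumed here; the slide only says risk depends on those three factors.

```python
# Added example, not part of the slides: a toy cross-correlation step for the
# scenario drawn above (attacker X.X.X.X -> target Y.Y.Y.Y). All events are
# constructed. The risk formula risk = asset_value * priority * reliability / 25
# (priority 0-5, reliability 0-10, asset 0-5) is the OSSIM convention and is
# an assumption here; the slide only names the three factors.

# Constructed inputs, one per source shown on the slide.
OSSEC_ALERT = {"src": "X.X.X.X", "dst": "Y.Y.Y.Y", "service": "iis",
               "name": "IIS attack detected", "priority": 3, "reliability": 4}
IDS_EVENTS = [{"src": "X.X.X.X", "dst": "Y.Y.Y.Y", "service": "iis",
               "name": "WEB-IIS multiple decode attempt"}]
VULNS = {"Y.Y.Y.Y": [{"service": "iis", "name": "IIS Remote Command Execution"}]}
REPUTATION = {"X.X.X.X": "low"}   # OTX reputation lookup, keyed by IP
ASSET_VALUE = {"Y.Y.Y.Y": 4}      # asset value 0-5 from the inventory


def cross_correlate(alert, ids_events, vulns, reputation):
    """Return a copy of the HIDS alert with corroborating evidence attached
    and its reliability raised for each independent source that agrees."""
    out = dict(alert, evidence=[])
    # The network IDS saw the same attack on the wire between the same hosts.
    for ev in ids_events:
        if (ev["src"], ev["dst"]) == (alert["src"], alert["dst"]):
            out["evidence"].append(f"ids: {ev['name']}")
            out["reliability"] += 2
    # The scanner reports the target as vulnerable to this attack class.
    for v in vulns.get(alert["dst"], []):
        if v["service"] == alert["service"]:
            out["evidence"].append(f"vuln: {v['name']}")
            out["reliability"] += 1
    # Reputation data flags the attacker as a known bad actor.
    if reputation.get(alert["src"]) == "low":
        out["evidence"].append("otx: low reputation IP")
        out["reliability"] += 1
    out["reliability"] = min(out["reliability"], 10)
    return out


def risk_score(alert, asset_values):
    """Risk of an alert against its target; 0 when the target is not inventoried."""
    asset = asset_values.get(alert["dst"], 0)
    return asset * alert["priority"] * alert["reliability"] / 25


if __name__ == "__main__":
    enriched = cross_correlate(OSSEC_ALERT, IDS_EVENTS, VULNS, REPUTATION)
    print("risk before cross-correlation:", risk_score(OSSEC_ALERT, ASSET_VALUE))  # 1.92
    print("risk after cross-correlation: ", risk_score(enriched, ASSET_VALUE))     # 3.84
    for line in enriched["evidence"]:
        print("  evidence:", line)
```

The same OSSEC alert with no corroborating sources keeps its original reliability, which is the point of the slide: the HIDS alert alone is weak evidence, the agreement of independent sources is what raises the risk.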
OSSEC MANAGEMENT INTERFACE
AlienVault USM provides a comprehensive GUI for OSSEC alert management:
Status monitor
Events viewer
Agents control manager
Configuration manager
Rules viewer/editor
Logs viewer
Server control manager
Deployment manager
PDF/HTML reports
LET’S SEE IT IN ACTION!
OSSEC and AlienVault USM
NOW FOR SOME Q&A…
Three Ways to Test Drive AlienVault
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Join our weekly LIVE Demo
http://www.alienvault.com/marketing/alienvault-usm-live-demo
hello@alienvault.com
VIEW WEBINAR ON-DEMAND
To view the recorded version of this webinar: Click Here


Editor's Notes

  • #4 AlienVault's Unified Security Management will provide LSI with complete security visibility by providing the five essential security capabilities in our unified platform, including:
    - Asset discovery: active and passive network discovery
    - Vulnerability assessment: active network scanning, continuous vulnerability monitoring
    - Threat detection: IDS, host-based IDS (HIDS), file integrity monitoring, etc.
    - Behavioral monitoring: netflow analysis, log normalization, etc.
    - Security intelligence: log management, SIEM event correlation, etc.
    All of these capabilities are already built in and managed through a single console and reporting dashboard. The architecture described contains core components, which are defined below in more detail, as well as the quote being provided to LSI.