This document provides an overview of setting up practical monitoring with the open source security information management (SIM) tool OSSIM. It discusses identifying assets and data sources, the OSSIM platform capabilities, architecture, requirements, and basic configuration steps. It also covers adding assets, configuring vulnerability assessment, setting up host and network intrusion detection systems, enabling plugins for integrating devices like CheckPoint firewalls, and configuring availability monitoring. The document provides details on key concepts like regular expressions, correlation rules, and using the OSSIM dashboard.
Best Practices for Configuring Your OSSIM InstallationAlienVault
Because every network environment is different, OSSIM offers flexibile configuration options to adapt to the needs of different environments. Whether you are just getting started with OSSIM, or have been using it for years, thinking through the configuration options availble will help you get the most out of your installation.
Join us for this customer training webcast where our OSSIM experts will walk through:
How to deploy & configure OSSEC agents
Best practices for configuring syslog and enabling plugins
Scanning your network for assets and vulnerabilities
Security information and event management (SIEM) technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources.
IBM InfoSphere Guardium provides the simplest, most robust solution for assuring the privacy and integrity of trusted information in your data center (SAP, PeopleSoft, Cognos, Siebel, etc.) and reducing costs by automating the entire compliance auditing process in heterogeneous environments.
Security Incident Event Management
Real time monitoring of Servers, Network Devices.
Correlation of Events
Analysis and reporting of Security Incidents.
Threat Intelligence
Long term storage
Best Practices for Configuring Your OSSIM InstallationAlienVault
Because every network environment is different, OSSIM offers flexibile configuration options to adapt to the needs of different environments. Whether you are just getting started with OSSIM, or have been using it for years, thinking through the configuration options availble will help you get the most out of your installation.
Join us for this customer training webcast where our OSSIM experts will walk through:
How to deploy & configure OSSEC agents
Best practices for configuring syslog and enabling plugins
Scanning your network for assets and vulnerabilities
Security information and event management (SIEM) technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources.
IBM InfoSphere Guardium provides the simplest, most robust solution for assuring the privacy and integrity of trusted information in your data center (SAP, PeopleSoft, Cognos, Siebel, etc.) and reducing costs by automating the entire compliance auditing process in heterogeneous environments.
Security Incident Event Management
Real time monitoring of Servers, Network Devices.
Correlation of Events
Analysis and reporting of Security Incidents.
Threat Intelligence
Long term storage
Security Information and Event Management (SIEM)hardik soni
Leo TechnoSoft SIEM products help's every enterprise with all security threats. Security information and event management software provides real-time visibility.
Get advice from security gurus on how to get up & running with SIEM quickly and painlessly. You'll learn about log collection, log management, log correlation, integrated data sources and how-to leverage threat intelligence into your SIEM implementation.
What is SIEM? A Brilliant Guide to the BasicsSagar Joshi
SIEM is a technological solution that collects and aggregates logs from various data sources, discovers trends, and alerts when it spots anomalous activity, like a possible security threat.
BM® Security Guardium® Data Activity Monitor empowers security
teams to analyze, protect and adapt for comprehensive data protection in
heterogeneous environments, including databases, data warehouses, files,
file shares, cloud, and big-data platforms such as Hadoop and NoSQL.
LTS Secure Security Information and Event Management (SIEM), is a technology that provides real-time analysis of security alerts generated by network hardware and applications.
Creating Correlation Rules in AlienVaultAlienVault
Make a correlation between events, rules and security enforcement. Learn why correlation rules are the heart of SIEM, how to effectively correlate threats with protections, and how to link your rules to policies.
SIEM : Security Information and Event Management SHRIYARAI4
SIEM is a tool that collects, aggregates, normalizes the data and analyzes it according to pre-set rules and presents the data in human readable format
Sqrrl and IBM: Threat Hunting for QRadar UsersSqrrl
This joint webinar, in collaboration with IBM, offers a look at the industry leading Threat Hunting App for IBM QRadar. By combining the threat detection capabilities of QRadar and Sqrrl, security analysts are armed with advanced analytics and visualization to hunt for unknown threats and more efficiently investigate known incidents.
Watch the training with audio here: http://info.sqrrl.com/sqrrl-ibm-threat-hunting-for-qradar-users
This IBM QRadar training is designed for security analysts, security technical architects, offense managers, network administrators, and system administrators using QRadar SIEM.
IBM Security QRadar SIEM is a tech platform developed by IBM to provide a 360-degree overview of an organization’s security system.
QRadar normalizes events that come from a security system’s log sources and correlates them according to certain rules configured in QRadar.
IBM QRadar collects log data from an enterprise, network devices, host assets, operating systems, applications, vulnerabilities, user activities and behaviors.
IBM QRadar performs real-time analysis of the log data and network flows to identify malicious activity so it could be stopped quickly, preventing or minimizing damage to an organization.
SIEM (Security Information and Event Management)Osama Ellahi
In this presentation we cover basic knowledge about siem .
-What is siem
-How It works
-Siem Process
-Siem capabilities
-Some snaps of VARNOIS(Tools that use for getting logs"LOGS aggregation" and then apply some machine algorithms to see about logs that logs are risky OR not).
There are a lot of others vendors also who provided the tools for information and event management.like QRADAR is also one of the best tool by IBM.
Automating Security and Compliance Testing of Infrastructure-as-Code for DevS...Amazon Web Services
Infrastructure-as-Code (IaC) has emerged as an essential element of organizational DevOps practices. Tools such as AWS CloudFormation and Terraform allow software-defined infrastructure to be deployed quickly and repeatably to AWS. But the agility of CI/CD pipelines also creates new challenges in infrastructure security hardening. How do you ensure that your CloudFormation templates meet your organization's security, compliance, and governance needs before you deploy them? How do you deploy infrastructure securely to production environments, and monitor the security posture on a continuous basis? And how do you do this repeatedly without hitting a speed bump? This session provides a foundation for how to bring proven software hardening practices into the world of infrastructure deployment. We discuss how to build security and compliance tests for infrastructure analogous to unit tests for application code, and showcase how security, compliance and governance testing fit in a modern CI/CD pipeline.
Session Sponsored by: Dome9
In this presentation, we try to teach programmers how to avoid security flaws in the code.
The presentation is of the format of problem->solution->problem....
Given a piece of code the attendees have to identify the security bugs in it and the suggest a fix. Now, the attendees have to find security bugs in the fix. The exercise goes on and the attendees become secure code aware.
-- KnowBigData.com
Security Information and Event Management (SIEM)hardik soni
Leo TechnoSoft SIEM products help's every enterprise with all security threats. Security information and event management software provides real-time visibility.
Get advice from security gurus on how to get up & running with SIEM quickly and painlessly. You'll learn about log collection, log management, log correlation, integrated data sources and how-to leverage threat intelligence into your SIEM implementation.
What is SIEM? A Brilliant Guide to the BasicsSagar Joshi
SIEM is a technological solution that collects and aggregates logs from various data sources, discovers trends, and alerts when it spots anomalous activity, like a possible security threat.
BM® Security Guardium® Data Activity Monitor empowers security
teams to analyze, protect and adapt for comprehensive data protection in
heterogeneous environments, including databases, data warehouses, files,
file shares, cloud, and big-data platforms such as Hadoop and NoSQL.
LTS Secure Security Information and Event Management (SIEM), is a technology that provides real-time analysis of security alerts generated by network hardware and applications.
Creating Correlation Rules in AlienVaultAlienVault
Make a correlation between events, rules and security enforcement. Learn why correlation rules are the heart of SIEM, how to effectively correlate threats with protections, and how to link your rules to policies.
SIEM : Security Information and Event Management SHRIYARAI4
SIEM is a tool that collects, aggregates, normalizes the data and analyzes it according to pre-set rules and presents the data in human readable format
Sqrrl and IBM: Threat Hunting for QRadar UsersSqrrl
This joint webinar, in collaboration with IBM, offers a look at the industry leading Threat Hunting App for IBM QRadar. By combining the threat detection capabilities of QRadar and Sqrrl, security analysts are armed with advanced analytics and visualization to hunt for unknown threats and more efficiently investigate known incidents.
Watch the training with audio here: http://info.sqrrl.com/sqrrl-ibm-threat-hunting-for-qradar-users
This IBM QRadar training is designed for security analysts, security technical architects, offense managers, network administrators, and system administrators using QRadar SIEM.
IBM Security QRadar SIEM is a tech platform developed by IBM to provide a 360-degree overview of an organization’s security system.
QRadar normalizes events that come from a security system’s log sources and correlates them according to certain rules configured in QRadar.
IBM QRadar collects log data from an enterprise, network devices, host assets, operating systems, applications, vulnerabilities, user activities and behaviors.
IBM QRadar performs real-time analysis of the log data and network flows to identify malicious activity so it could be stopped quickly, preventing or minimizing damage to an organization.
SIEM (Security Information and Event Management)Osama Ellahi
In this presentation we cover basic knowledge about siem .
-What is siem
-How It works
-Siem Process
-Siem capabilities
-Some snaps of VARNOIS(Tools that use for getting logs"LOGS aggregation" and then apply some machine algorithms to see about logs that logs are risky OR not).
There are a lot of others vendors also who provided the tools for information and event management.like QRADAR is also one of the best tool by IBM.
Automating Security and Compliance Testing of Infrastructure-as-Code for DevS...Amazon Web Services
Infrastructure-as-Code (IaC) has emerged as an essential element of organizational DevOps practices. Tools such as AWS CloudFormation and Terraform allow software-defined infrastructure to be deployed quickly and repeatably to AWS. But the agility of CI/CD pipelines also creates new challenges in infrastructure security hardening. How do you ensure that your CloudFormation templates meet your organization's security, compliance, and governance needs before you deploy them? How do you deploy infrastructure securely to production environments, and monitor the security posture on a continuous basis? And how do you do this repeatedly without hitting a speed bump? This session provides a foundation for how to bring proven software hardening practices into the world of infrastructure deployment. We discuss how to build security and compliance tests for infrastructure analogous to unit tests for application code, and showcase how security, compliance and governance testing fit in a modern CI/CD pipeline.
Session Sponsored by: Dome9
In this presentation, we try to teach programmers how to avoid security flaws in the code.
The presentation is of the format of problem->solution->problem....
Given a piece of code the attendees have to identify the security bugs in it and the suggest a fix. Now, the attendees have to find security bugs in the fix. The exercise goes on and the attendees become secure code aware.
-- KnowBigData.com
AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices. This webinar will introduce the best practices for IoT Security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, as well as integrate devices with other AWS services to create secure solutions.
Learning Objectives:
• Common IoT Thing Management Issues
• Learn about AWS IoT Security and Access Control Mechanisms
• Build Secure interactions with the AWS Cloud
Who Should Attend:
• Technical Decision Makers, Developers, Makers
What is Splunk? At the end of this session you’ll have a high-level understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll see practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
What is Splunk? At the end of this session you’ll have a high-level understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll see practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
Cluj JSHeroes 2017 - Liran Tal on Node.js SecurityLiran Tal
Security is often an overlooked topic for JavaScript developers whether on the frontend or backend stack. In this session we will review essential security topics such as NoSQL Injections, ReDOS Attacks, Insecure dependencies and employing the use of HTTP Headers for enhanced security.
by Greg McConnel, Sr. Solutions Architect, AWS
Join us for this hands-on lab where you will learn about the new threat detection and monitoring service, Amazon GuardDuty, by walking through its capabilities and some real-world attack scenarios. You need a personal (not corporate) AWS account to take the lab. We will provide AWS credits to help cover any costs you incur while taking the lab.
SEC303 Automating Security in Cloud Workloads with DevSecOpsAmazon Web Services
This session is designed to teach security engineers, developers, solutions architects, and other technical security practitioners how to use a DevSecOps approach to design and build robust security controls at cloud-scale. This session walks through the design considerations of operating high-assurance workloads on top of the AWS platform and provides examples of how to automate configuration management and generate audit evidence for your own workloads. We’ll discuss practical examples using real code for automating security tasks, then dive deeper to map the configurations against various industry frameworks. This advanced session showcases how continuous integration and deployment pipelines can accelerate the speed of security teams and improve collaboration with software development teams.
Integrating_Cloud_Development_Security_And_Operations.pdfAmazon Web Services
Managing infrastructure as code has become an important process in scaling software organizations. This brings many software development processes and ideas to operations, including version control, automated testing, configuration management and reliable duplication. Programmable infrastructure becomes invaluable as application services grows, in quantity and granularity, in a growing company.
Automating the provisioning, configuration and deployment of complex applications requires some design choices on top of AWS services. This presentation discusses how to implement modularity, reliability and security into continuous delivery pipelines ("DevSecOps"). Learn how to automate application delivery using AWS CloudFormation and other tools from Amazon Web Services.
(ENT212) How Autodesk Leverages Splunk as an Assurance Platform on AWS | AWS ...Amazon Web Services
This session highlights the critical role of real-time visibility in Autodesk's adoption of AWS. Autodesk shares how they use Splunk software to gain insight into applications and services deployed in AWS, achieve centralized visibility across on-premises and cloud systems, and monitor critical security-related user activity in their AWS account.
Autodesk shares how these insights provide the required level of confidence and assurance to migrate significant enterprise workloads to AWS. In this session, Splunk also presents their cloud solutions enabling real-time visibility and monitoring in AWS. This session explains how to accelerate your AWS adoption by delivering centralized and real-time visibility and how to get started with Splunk in AWS at no cost.
Sponsored by Splunk.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
4. Contents
Practical Monitoring with OSSIM
Asset and Data Source Identification
OSSIM Platform
OSSIM Architecture
Minimum Requirements
Create OTX Account
Factors to Consider
Demo Environment
OSSIM Installation
Basic Configuration
AddingAssets & ConfiguringVA
IDS in OSSIM
Setting up HIDS
Setting up NIDS
Adding Devices Enabling Plugins
Plugins for CheckPoint Firewall
Availability Monitoring
5. Practical Monitoring with OSSIM
Cyber security is a challenge.
24 x 7 monitoring of critical networks.
OSSIM is a open source product.
PEOPLE PROCESSTECHNOLOGY
Strengths and weaknesses of OSSIM tool.
6. Asset and data source Identification
Asset –any device with an IP address.
Data Source – Assets Capable of creating and sending logs.
OSSIM support logs from databases, syslogs andWMI etc.
8. OSSIM Architecture
Sensor
Asset Discovery
Vulnerability Scanning
Event Collection
Server
Policy
RiskAssessment
Correlation
SQL Storage
Forwarding
Logger
Log Storage for OSSIM
Digitally Signed long term Storage
9. Minimum Requirements
Hardware requirement
8 CPU cores
16 Gb RAM
1TB of HDD
3 Network Interfaces
Additional requirement
VMware or Hyper-V
OSSIM ISO file
OTX key (I’ll guide you on how to get it)
11. Factors to Consider
Before the implementation of OSSIM it is necessary to check on the following areas.
EPS (Events Per Seconds)
Numbers of Assets
Bandwidth
Geographical locations
Network Boundaries
Time zones
Storage
15. Basic Configuration
Setting up the correct time zone
Configuring hostname
Setting up the correct time zone for the user
Configuring password for the configuration backup
16. Adding Assets & Configuring VA
Any device with an IP address is an asset.
Examples :-
Firewalls
servers
IP cameras
mobile device
network printers
17. IDS in OSSIM
HIDS – Host base intrusion detection system
NIDS – network base intrusion detection system
IDS
HIDS NIDS
18. Setting up HIDS
What is HIDS?
Host base intrusion detection system means put the agent to the
device and pull the device logs to the OSSIM and do the Correlations
part inside the OSSIM and generate the alarms.
Ossec
Nxlog
File beat
19. Setting up NIDS
Network base intrusion detections means it’s analyzed in and out
network traffic in the environment and analyzed the behavior of the
traffic generated. OSSIM is doing those part with out agent that’s
why it called NIDS.
20. Adding devices and Enabling Plugins
Next we’re going to integrate devices that send syslogs. So first ask
your network admin to forward syslogs towards UDP port 514 of the
log collector IP of OSSIM
23. Plugins for CheckPoint firewall
What is a plugin?
OSSIM has nearly 1000 plugins for different devices
For Example “Fw1.alt” is the plugin for CheckPoint
26. Regular Expressions
Operator Meaning
c A non special character matches itself
c Adds the special meaning of the character c; The $ matches with $
^ Indicates the position at the beginning of the line
$ Indicates the position at the end of the line
. Any individual character
[…] One or any of the characters …; accepts intervals of the type a-z, 0-9, A-Z
[^…] A character different from … ; accepts intervals of the type a-z, 0-9, A-Z
27. Regular Expressions - Combinations
Regular expression Matches with
a.b axb aab abb aSb a#b ...
a..b axxb aaab abbb a4$b ...
[abc] a b c (one character strings)
[aA] a (one character strings)
[aA][bB] ab aB AB (two character strings)
[0123456789] 0 1 2 3 4 5 6 7 8 9
[0-9] 0 1 2 3 4 5 6 7 8 9
[A-Za-z] A B C ... Z a b c ... z
[0-9][0-9][0-9] 000 001 .. 009 010 .. 019 100 .. 999
28. Regular Expressions — Occurrence
MatchesOperator Meaning
r* 0 or more occurrences of r
r+ 1 or more occurrences of r
r? 0 or 1 occurrence of r, and no more
r{n} n occurrences of r
r{,m} 0 or at most m occurrences of r
r{n,m} n or more occurrences of r, but at most m
r1|r2 r1 or r2
29. Regular Expressions — Special Characters
Regular expression Matches with Equals
d Any decimal character [0-9]
D Any non-decimal character [^0-9]
s Any space character [ tnrfv]
S Any non-space character [^ tnrfv]
w
Any alphanumeric character
and “_”
[a-zA-Z0-9_]
W Any non-alphanumeric character [^a-zA-Z0-9_]
Z End of line
31. Create a Simple Correlation
Logical correlation uses correlation directives to detect attacks.
By default, OSSIM includes almost 80 built-in directives.
Users can customize existing directives or create custom ones.
32. Availability Monitoring
The last option to enable in OSSIM will be the Availability monitoring.
As the word means, it simply checks whether the resource/service is
available or not.
Service Available Monitoring
Device Available Monitoring
I have been working soc analyst in past year and did
Cyber security is the key challenge for any kind or any size of a company . Because of the rapid development of new technology
There are multiple solutions to overcome this challenge. But when considering effectiveness of these solutions, Security operating center or we simply called SOC, leads the industry, with it’s continues monitoring capability.
You know when it’s come to soc people believe it as an expensive solution . But to overcome this any one can go for an open solutions
So let me introduce you a world recognize open source tool with many useful features
Cyber security is a challenge for many organization today. Rapid Changes in the threat landscape forces many organizations to adopt expensive security solutions even when the organizations is not ready for such solution.
Establishing an organization wide security operation center (SOC) is perceived as a solution to meet the challenges of cyber security by introducing 24 x 7 monitoring of critical networks.
OSSIM is a open source product with many useful features that will allow you to take the first steps towards establishing a SOC. It will also allow you to adopt PEOPLE PROCESS TECHNOLOGY approach for your cyber security solution.
It is important to understand the strengths and weaknesses of OSSIM tool.
Anything that has any IP address can be declared as an Asset. If those assets are capable of creating and sending any type of logs in to an SIEM, then it is a data source.
OSSIM support logs from databases, syslogs and WMI etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I’ve seen some Antivirus engines do not support syslogs , but it dumps it’s events in local database. In such cases we configure the OSSIM to manually login to those databases and fetch logs at regular intervals.
Anything that has any IP address can be declared as an Asset. If those assets are capable of creating and sending any type of logs in to an SIEM, then it is a data source.
OSSIM support logs from databases, syslogs and WMI etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I’ve seen some Antivirus engines do not support syslogs , but it dumps it’s events in local database. In such cases we configure the OSSIM to manually login to those databases and fetch logs at regular intervals.
Anything that has any IP address can be declared as an Asset. If those assets are capable of creating and sending any type of logs in to an SIEM, then it is a data source.
OSSIM support logs from databases, syslogs and WMI etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I’ve seen some Antivirus engines do not support syslogs , but it dumps it’s events in local database. In such cases we configure the OSSIM to manually login to those databases and fetch logs at regular intervals.
To perform the basic ossime functionality these are the requirement
Anything that has any IP address can be declared as an Asset. If those assets are capable of creating and sending any type of logs in to an SIEM, then it is a data source.
OSSIM support logs from databases, syslogs and WMI etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I’ve seen some Antivirus engines do not support syslogs , but it dumps it’s events in local database. In such cases we configure the OSSIM to manually login to those databases and fetch logs at regular intervals.
Anything that has any IP address can be declared as an Asset. If those assets are capable of creating and sending any type of logs in to an SIEM, then it is a data source.
OSSIM support logs from databases, syslogs and WMI etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I’ve seen some Antivirus engines do not support syslogs , but it dumps it’s events in local database. In such cases we configure the OSSIM to manually login to those databases and fetch logs at regular intervals.
Anything that has any IP address can be declared as an Asset. If those assets are capable of creating and sending any type of logs in to an SIEM, then it is a data source.
OSSIM support logs from databases, syslogs and WMI etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I’ve seen some Antivirus engines do not support syslogs , but it dumps it’s events in local database. In such cases we configure the OSSIM to manually login to those databases and fetch logs at regular intervals.
Anything that has any IP address can be declared as an Asset. If those assets are capable of creating and sending any type of logs in to an SIEM, then it is a data source.
OSSIM support logs from databases, syslogs and WMI etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I’ve seen some Antivirus engines do not support syslogs , but it dumps it’s events in local database. In such cases we configure the OSSIM to manually login to those databases and fetch logs at regular intervals.
Any body know what is plugin?
Let’s move to the simple correlation
I’ll show simple dashboard and let’s try to understand it