1) Most organizations are unprepared to deal with security incidents effectively due to complex networks, outsourcing of resources, and reduced budgets and staffing. 2) Proper log collection, normalization, storage, search, and reporting is needed to gain visibility into security events and identify suspicious activity, but many organizations only utilize a small portion of expensive SIEM capabilities. 3) Free and open source tools like Syslog utilities, Simple Event Correlation, and OSSEC can be used to build an effective log management solution while avoiding high SIEM costs. These raw logs provide valuable information if properly analyzed and correlated.

1. All Your Security Events
are Belong to ...You!
InfoSecurity 2011 - Xavier Mertens

2. $ whoami
• Xavier Mertens
• Senior Security Consultant
• CISSP, CISA, CeH
• Security Blogger
• Volunteer for security projects like:

3. $ cat disclaimer.txt
“The opinions expressed in this presentation
are those of the speaker and do not reflect
those of past, present or future employers,
partners or customers”

4. Today’s Situation

5. Are You Ready?
• Most organizations are NOT prepared to
deal with security incidents
• If anything can go wrong, it will!
(Murphy’s law)
• Assigned internal resources?

6. Technical Issues
• Networks are complex
• Some components/knowledge are
outsourced
• Millions of daily events
• Lot of console/tools
• Lot of protocols/applications

7. Find the Differences
Aug 27 14:33:01 macosx ipfw: 12190 Deny TCP
192.168.13.1:2060 192.168.13.104:5000 in via en1
%PIX-3-313001: Denied ICMP type=11, code=0 from
192.168.30.2 on interface 2

8. Economic Issues
• “Time is money”
• Real-time operations
• Downtime has a huge financial impact
• Reduced staff & budget
• Happy shareholders

9. Legal Issues
• Compliance requirements
• Big names
• Initiated by the group or business
• Local laws
• Due diligence & due care

10. Belgian Example: CBFA
From a document published in April 2009:
“Tout établissement qui connecte son
infrastructure sur Internet dispose d’une politique
de sécurité qui tient compte de:
...
la création, l’archivage de fichier “historique
d’évènements” techniques adaptés à leur
analyse, leur suivi et leur reporting.”

11. Challenges
• Creation & archiving of log files
• Analyze (Normalization)
• Follow-up
• Reporting

12. Layer Approach
Correlation
Reporting
Search
Storage
Normalization
Log Collection

13. Raw Material
• Your logs are belong to you
• If not stored internally (cloud,
outsourcing), claim access to them
• All applications/devices generate events
• Developers, you MUST generate GOOD
events

14. 3rd Party Sources
• Vulnerabilities Databases
• Blacklists (IP addresses, ASNs)
• “Physical” Data
• Geolocalization
• Badge readers

15. The Recipe

16. Collection
• Push or pull methods
• Use a supported protocols
• Ensure integrity
• As close as the source

17. Normalization
• Parse events
• Fill in common fields
• Date, Src, Dst, User, Device, Type, Port, ...

18. Storage
• Index
• Store
• Archive
• Ensure integrity (again)

19. Search
• You know Google?
• Investigations / Forensic
• Looking for “smoke signals”

20. Reporting
• Automated / On-demand
• Reliable only if first steps are successfull

21. Correlation
• Generation of new events based on the
way other events occurred (based on their
logic, their time or recurrence)
• Correlation will be successful only of the
other layers are properly working
• Is a step to incident management

22. Build Your Toolbox

23. <warning>
Please keep v€ndor$
away from the
next slide ;-)
</warning>

24. Let’s Kill Some Myths
• Big players do not always provide the best
solutions. A Formula-1 is touchy to drive!
• Why pay $$$ and use <10% of the
features? (the “Microsoft Office” effect)
• But even free softwares have costs!
• False sense of security

25. LM vs. SIEM
• A LM (“Log Management”) addresses the
lowest layers from the collection to
reporting.
• A SIEM (“Security Information & Event
Management”) adds the correlation layer
(and incidents management tools)

26. Grocery Shopping
• Compliance
• Suspicious activity
• Web applications monitoring
• Correlation
• Supported devices
• Buying a SIEM is a very specific project

27. Free Tools to the
Rescue

28. Syslog Daemons
• Syslog is well implemented
• Lot of forked implementations
• syslogd, rsyslogd, syslog-ng
• Multiple sources
• Supports TLS, TCP
• Several tools exists to export to Syslog
(ex: SNARE)

29. SEC
• “Simple Event Correlation”
• Performs correlation of logs based on Perl
regex
• Produces new events, triggers scripts,
writes to files

30. OSSEC
• HIDS
• Log collection & parsing
• Active-Response
• Rootkit detection
• File integrity checking
• Agents (UNIX, Windows)
• Log archiving

31. Miscellaneous
• MySQL
• iptables / ulogd
• GoogleMaps API
• Some Perl code
• Cloud Services (don’t be afraid)

32. Personal Researches
• Examples based on OSSEC!
• MySQL integrity audit
• USB stick detection in Windows
environments
• Detecting rogue access
• Mapping data on Google Maps

33. Visibility!
• LaaS (Loggly)
• Splunk
• Secviz.org

34. Example of Visualization

35. Conclusions
• The raw material is already yours!
• The amount of data cannot be reviewed
manually.
• Suspicious activity occurs below the radar.
• Stick to your requirements!
• It costs $$$ and HH:MM
• Make your logs more valuable via external
sources

36. Thank You!
Q&A?
http://blog.rootshell.be
http://twitter.com/xme