June 18, 2013 – Securing Ubiquity
Vic Hargrave
JB Cheng
Santiago González Bassett
Disclaimer
The views and opinions expressed during this conference are those of
the speakers and do not necessarily reflect the views and opinions
held by the Information Systems Security Association (ISSA), the
Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay
Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor
any of its chapters warrants the accuracy, timeliness or completeness
of the information presented. Nothing in this conference should be
construed as professional or legal advice or as creating a professional-
customer or attorney-client relationship. If professional, legal, or
other expert assistance is required, the services of a competent
professional should be sought.
Log Normalization
- Syslog
  - Ships by default with *nix operating systems.
- Syslog-NG
  - Can be installed in various configurations to take the place of the default syslog.
  - Free to use, or an enterprise version is available for purchase.
  - Many configuration types for exporting data.
- OSSEC
  - Free to use.
  - Can export via syslog to other systems.
Solving the Open Source Security Puzzle
- What are the standards?
- Why choose one product over another?
- How do the various security components work together?
- How does this work in the real world? Real examples.
Understanding Rules
- Customizable rulesets let a security practitioner add real knowledge of their own environment.
Host Event Detection
AIDE (Advanced Intrusion Detection Environment)
Network Detection Systems
Event Management
What is OSSEC?
- Open Source SECurity
- Open source host-based intrusion detection system
- Provides protection for Windows, Linux, Mac OS, Solaris and many *nix systems
- http://www.ossec.net
- Founded by Daniel Cid
- Current project managers: JB Cheng and Vic Hargrave
OSSEC Capabilities
- Log analysis
- File integrity checking (Unix and Windows)
- Registry integrity checking (Windows)
- Host-based anomaly detection (for Unix: rootkit detection)
- Active response
HIDS Advantages
- Monitors system behaviors that are not evident from the network traffic
- Can find persistent threats that penetrate firewalls and network intrusion detection/prevention systems
tail -f $ossec_alerts/alerts.log
OSSEC Architecture
(Diagram: OSSEC agents send their logs to the OSSEC server over UDP port 1514; the server produces the alerts.)
File Integrity Alert Sample
** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'
Log Analysis Alert Sample
** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
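The two samples above are records in the multi-line format OSSEC writes to alerts.log, the file the tail -f slide follows. The Python below is an added example, not code from the slides or from the OSSEC project: it splits that format into records and pulls out the rule id, level, groups, host, location and payload, which is the information an alerts plugin in a SIEM needs. The sample text is constructed from the two alerts shown, and the helper name alerts_by_group is the example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the two alert records from the slides, in the multi-line
# alerts.log layout (one "** Alert" header line per record).
SAMPLE_ALERTS = """\
** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'

** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
"""

# "** Alert <epoch>.<seq>: <flags> - <group>,<group>,"
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+): (?P<flags>[^-]*)- (?P<groups>.*)$")
# "<YYYY Mon DD HH:MM:SS> <host>-><location>"; for remote agents the host part is "(agent) ip"
LOCATION_RE = re.compile(r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>.+?)->(?P<location>.*)$")
# "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<description>.*)'$")


def parse_alert(block: str) -> Dict[str, object]:
    """Parse one '** Alert' record into a flat dict of its fields."""
    lines = block.strip().splitlines()
    header = HEADER_RE.match(lines[0]) if len(lines) >= 3 else None
    location = LOCATION_RE.match(lines[1]) if header else None
    rule = RULE_RE.match(lines[2]) if location else None
    if not (header and location and rule):
        raise ValueError("unrecognised alert record: %r" % lines[:1])
    return {
        "timestamp": int(header.group("ts")),
        # Groups are comma separated with a trailing comma, so drop the empty tail
        "groups": [g for g in header.group("groups").split(",") if g],
        "event_time": location.group("date"),
        "host": location.group("host"),
        "location": location.group("location"),
        "rule_id": int(rule.group("rule_id")),
        "level": int(rule.group("level")),
        "description": rule.group("description"),
        # Everything after the rule line is the event payload (log line or syscheck detail)
        "payload": "\n".join(lines[3:]),
    }


def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Split alerts.log text on the '** Alert' marker (not on blank lines, which payloads may contain)."""
    blocks = re.split(r"(?m)^(?=\*\* Alert )", text)
    return [parse_alert(b) for b in blocks if b.strip()]


def alerts_by_group(records: List[Dict[str, object]], group: str) -> List[Dict[str, object]]:
    """Select records tagged with an OSSEC group such as 'syscheck' or 'config_changed'."""
    return [r for r in records if group in r["groups"]]


if __name__ == "__main__":
    for rec in parse_alerts(SAMPLE_ALERTS):
        print(f'{rec["event_time"]} {rec["host"]} rule={rec["rule_id"]} level={rec["level"]} '
              f'groups={",".join(rec["groups"])}: {rec["description"]}')
```

Splitting on the header marker rather than on blank lines matters in practice: multi-line payloads (a syscheck diff, a stack trace forwarded from an application log) contain blank lines, and a blank-line splitter would shear them into records that fail to parse.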
PCI DSS Requirement
- 10.5.5 - Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
- 11.5 - Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
OSSECCON
- Annual gathering of OSSEC users and developers.
- Community members discuss how they are using OSSEC and what new features they would like, and set the roadmap for future releases.
- OSSEC 2.7.1 soon to be released.
- Planning for OSSEC 3.0 is underway.
- OSSECCON 2013 will be held Thursday July 25th at Trend Micro's Cupertino office.
- Please join us there!
Santiago González Bassett
santiago@alienvault.com
@santiagobassett
Alien Vault
About me
- Developer, systems engineer, security administrator, consultant and researcher over the last 10 years.
- Member of the OSSIM project team since its inception.
- Implemented distributed open source security technologies in large enterprise environments for European and US companies.
http://santi-bassett.blogspot.com/
@santiagobassett
What is OSSIM?
OSSIM is the Open Source SIEM – GNU GPL version 3.0
- With over 195,000 downloads it is the most widely used SIEM in the world.
- Created in 2003, it is developed and maintained by AlienVault and community contributors.
- Provides unified and intelligent security.
http://communities.alienvault.com/
Why OSSIM?
Because it provides security intelligence:
- Discards false positives
- Assesses the impact of an attack
- Collaboratively learns about APTs
Because it unifies security management:
- Centralizes information
- Integrates threat detection tools
OSSIM integrated tools
Assets:
- nmap
- prads
Behavioral monitoring:
- fprobe
- nfdump
- ntop
- tcpdump
- nagios
Vulnerability assessment:
- osvdb
- openvas
Threat detection:
- ossec
- snort
- suricata
OSSIM: 200+ collectors
OSSIM Architecture
(Diagram; labels recovered from the figure: "Configuration & Management", "Normalized Events".)
OSSIM Anatomy of a collector
[apache-access]
event_type=event
regexp="((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] "(?P<request>.*)" (?P<code>\d{3}) ((?P<size>\d+)|-)( "(?P<referer_uri>.*)" "(?P<useragent>.*)")?$"
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}

Raw log:
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
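What the collector does with a section like this, as an added example in Python (not OSSIM's own agent code): read the section with configparser, apply the regexp to the raw log, and evaluate each {$var} or {func($var)} mapping against the named captures. The resolv and normalize_date functions are this example's own implementations of the two functions named in the config; the "YYYY-MM-DD HH:MM:SS" output of normalize_date is an assumption, and the config and log text are embedded from the slide above.

```python
import configparser
import re
import socket
from datetime import datetime
from typing import Callable, Dict, Optional

# The [apache-access] section from the slide, with the regexp on a single line.
PLUGIN_CFG = r'''
[apache-access]
event_type=event
regexp="((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] "(?P<request>.*)" (?P<code>\d{3}) ((?P<size>\d+)|-)( "(?P<referer_uri>.*)" "(?P<useragent>.*)")?$"
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}
'''

# The raw Apache access line from the slide, joined onto one line.
RAW_LOG = ('76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 '
           '2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like '
           'Gecko) Chrome/27.0.1453.110 Safari/537.36"')

# Field mapping syntax used by the config: {$name} or {function($name)}
FIELD_RE = re.compile(r"^\{(?:(?P<func>\w+)\()?\$(?P<var>\w+)\)?\}$")


def resolv(value: Optional[str]) -> Optional[str]:
    """Pass IPv4 addresses and empty captures through; resolve hostnames (example implementation)."""
    if not value or value == "-":
        return value
    try:
        socket.inet_aton(value)          # already a dotted quad
        return value
    except OSError:
        pass
    try:
        return socket.gethostbyname(value)
    except OSError:                      # unresolvable: keep the raw name rather than drop the event
        return value


def normalize_date(value: Optional[str]) -> Optional[str]:
    """Apache CLF timestamp -> 'YYYY-MM-DD HH:MM:SS' (assumed normalized form; zone offset dropped)."""
    if not value:
        return value
    return datetime.strptime(value, "%d/%b/%Y:%H:%M:%S").strftime("%Y-%m-%d %H:%M:%S")


FUNCTIONS: Dict[str, Callable[[Optional[str]], Optional[str]]] = {
    "resolv": resolv,
    "normalize_date": normalize_date,
}


def evaluate(expr: str, captures: Dict[str, Optional[str]]) -> Optional[str]:
    """Evaluate one mapping expression against the regexp's named captures."""
    m = FIELD_RE.match(expr.strip())
    if not m:
        raise ValueError("unsupported field expression: %s" % expr)
    value = captures.get(m.group("var"))   # None when the optional group did not match
    func = m.group("func")
    return value if func is None else FUNCTIONS[func](value)


def normalize(cfg_text: str, section: str, raw: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the normalized event for one raw line, or None if the plugin regexp does not match."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    plugin = cfg[section]
    pattern = re.compile(plugin["regexp"].strip('"'))
    match = pattern.match(raw)
    if match is None:
        return None
    captures = match.groupdict()
    event: Dict[str, Optional[str]] = {"event_type": plugin["event_type"]}
    for key, expr in plugin.items():
        if key not in ("event_type", "regexp"):
            event[key] = evaluate(expr, captures)
    return event


if __name__ == "__main__":
    for key, value in (normalize(PLUGIN_CFG, "apache-access", RAW_LOG) or {}).items():
        print(f"{key:12} = {value}")
```

Note that plugin_sid is taken straight from the HTTP status code, so the same section yields one event type per status (200, 404, 500 and so on), which is what later correlation rules key on; dst_ip and dst_port stay empty because the optional leading host:port group is absent from this log format.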
OSSIM Reliability Assessment
(Diagram: a correlation directive ladder in which each rung raises the event's reliability. Rungs recovered from the figure: SSH failed authentication event; 10 SSH failed authentication events; 100 SSH failed authentication events; 1000 SSH failed authentication events. From each rung a branch leads to an SSH successful authentication event, and one branch to persistent connections. The figure is labelled "Reliability".)
OSSIM Risk Assessment
RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY)/25
Worked values from the slide: Source asset value = 2; Destination asset value = 5; Event priority = 2; Event reliability = 10.
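The ladder on the previous slide and the formula above, carried through together as an added example in Python (not OSSIM's correlation engine). The rung thresholds (1, 10, 100 and 1000 failed logins), the priority 2 and the asset values 2 (source) and 5 (destination) come from the slides; the reliability assigned at each rung, the reliability 10 for a success that follows failures, the default asset value for unknown hosts and the two host addresses are assumptions of this example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

EVENT_PRIORITY = 2                                  # from the slide
ASSET_VALUE = {"10.0.0.5": 2, "10.0.0.9": 5}        # constructed hosts: source = 2, destination = 5
DEFAULT_ASSET_VALUE = 2                             # assumed value for hosts not in the inventory

# Assumed reliability per rung: the slide shows the rungs, not the numbers assigned to them.
FAILURE_LADDER: List[Tuple[int, int]] = [(1, 1), (10, 3), (100, 6), (1000, 8)]
SUCCESS_AFTER_FAILURES_RELIABILITY = 10             # assumed: a login that follows failures is near certain


def risk(asset_value: int, priority: int, reliability: int) -> float:
    """RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25, as on the slide."""
    return (asset_value * priority * reliability) / 25


class SshBruteForceDirective:
    """Counts failed SSH logins per (src, dst) pair; each rung reached raises an alarm of higher reliability."""

    def __init__(self) -> None:
        self.failures: Dict[Tuple[str, str], int] = defaultdict(int)
        self.alarms: List[Dict[str, object]] = []

    def feed(self, event: Dict[str, str]) -> None:
        key = (event["src_ip"], event["dst_ip"])
        if event["plugin_sid"] == "ssh_failed":
            self.failures[key] += 1
            for threshold, reliability in FAILURE_LADDER:
                if self.failures[key] == threshold:        # fire once per rung, not on every event
                    self._alarm(key, reliability, f"{threshold} SSH failed authentication event(s)")
        elif event["plugin_sid"] == "ssh_accepted" and self.failures[key] > 0:
            # Success after failures is the most reliable outcome on the ladder; the directive then closes.
            self._alarm(key, SUCCESS_AFTER_FAILURES_RELIABILITY, "SSH successful authentication after failures")
            del self.failures[key]

    def _alarm(self, key: Tuple[str, str], reliability: int, name: str) -> None:
        src, dst = key
        self.alarms.append({
            "name": name,
            "src_ip": src,
            "dst_ip": dst,
            "reliability": reliability,
            # Risk is computed for both ends: the attacked host and the (possibly compromised) source.
            "risk_src": risk(ASSET_VALUE.get(src, DEFAULT_ASSET_VALUE), EVENT_PRIORITY, reliability),
            "risk_dst": risk(ASSET_VALUE.get(dst, DEFAULT_ASSET_VALUE), EVENT_PRIORITY, reliability),
        })


def constructed_events() -> List[Dict[str, str]]:
    """Constructed normalized events: 12 failed SSH logins from one source, then one accepted login."""
    failed = [{"plugin_sid": "ssh_failed", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9"} for _ in range(12)]
    accepted = [{"plugin_sid": "ssh_accepted", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9"}]
    return failed + accepted


def run(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Feed events through the directive and return the alarms it raised, in order."""
    directive = SshBruteForceDirective()
    for event in events:
        directive.feed(event)
    return directive.alarms


if __name__ == "__main__":
    for alarm in run(constructed_events()):
        print(f'{alarm["name"]}: reliability={alarm["reliability"]} '
              f'risk_dst={alarm["risk_dst"]:.2f} risk_src={alarm["risk_src"]:.2f}')
```

Running it raises three alarms for the constructed stream: the first failure (reliability 1), the tenth (reliability 3) and the accepted login that follows (reliability 10, giving the slide's 4.0 for the destination with asset value 5 and 1.6 for the source with asset value 2). The division by 25 bounds risk at 10 for the maximum asset value, priority and reliability of 5, 5 and 10.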
OSSIM & OSSEC Integration
- Web management interface
- OSSEC alerts plugin
- OSSEC correlation rules
- OSSEC reports
OSSIM Deployment
(Diagram; labels recovered from the figure: log collection at sensors 1, 2 and 3 by port mirroring, syslog, WMI, SDEE, OPSEC, FTP, OSSEC, SCP, SQL, Samba and SNMP; normalized events / normalized data flow from the sensors to the server.)
OSSIM Attack Detection
(Diagram; text recovered from the figure:)
- Attacker X.X.X.X attacks Target Y.Y.Y.Y
- Accepted HTTP packet from X.X.X.X to Y.Y.Y.Y
- Attack: WEB-IIS multiple decode attempt
- Vulnerability: IIS Remote Command Execution
- Alert: Low reputation IP (OTX)
- Alert: IIS attack detected
OSSIM Demo Use Cases
Detection & risk assessment:
- OTX
- Snort NIDS
- Logical correlation
- Vulnerability assessment
- Asset discovery
Correlating firewall logs:
- Cisco ASA plugin
- Network scan detection
Correlating Windows events:
- OSSEC integration
- Brute force attack detection
Thank you
Santiago Gonzalez Bassett
santiago@alienvault.com
@santiagobassett
Alien Vault

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 

Solving the Open Source Security Puzzle

  • 1. June 18, 2013 – Securing Ubiquity
    Vic Hargrave, JB Cheng, Santiago González Bassett
  • 2. Disclaimer
    The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.
  • 3. Log Normalization
     Syslog
       Comes by default within *nix operating systems.
     Syslog-NG
       Can be installed in various configurations to take the place of the default syslog.
       Free to use, or an enterprise version is available for purchase.
       Many configuration types to export data.
     OSSEC
       Free to use.
       Can export via syslog to other systems.
  • 4. Solving the Open Source Security Puzzle
     What are the standards?
     Why choose one product over another?
     How do the various security components work together?
     How does this work in the real world? Real examples.
  • 5. Understanding Rules
     Customizable rulesets enable a security practitioner to add true intelligence about their environment.
  • 6. Host Event Detection
     AIDE (Advanced Intrusion Detection Environment)
  • 7. Network Detection Systems
  • 8. Event Management
  • 9. What is OSSEC?
     Open Source SECurity
     Open Source Host-based Intrusion Detection System
     Provides protection for Windows, Linux, Mac OS, Solaris and many *nix systems
     http://www.ossec.net
     Founded by Daniel Cid
     Current project managers: JB Cheng and Vic Hargrave
  • 10. OSSEC Capabilities
     Log analysis
     File integrity checking (Unix and Windows)
     Registry integrity checking (Windows)
     Host-based anomaly detection (for Unix: rootkit detection)
     Active response
  • 11. HIDS Advantages
     Monitors system behaviors that are not evident from the network traffic
     Can find persistent threats that penetrate firewalls and network intrusion detection/prevention systems
  • 12. OSSEC Architecture
    (Diagram: OSSEC agents send their logs to the OSSEC server over UDP 1514; the server produces alerts, which are followed with tail -f $ossec_alerts/alerts.log.)
  • 13. File Integrity Alert Sample
    ** Alert 1365550297.8499: mail - ossec,syscheck,
    2013 Apr 09 16:31:37 ubuntu->syscheck
    Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
    Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'
  • 14. Log Analysis Alert Sample
    ** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
    2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
    Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
    2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
  • 15. PCI DSS Requirement
     10.5.5 - Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)
     11.5 - Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly
  • 16. OSSECCON
     Annual gathering of OSSEC users and developers.
     Community members discuss how they are using OSSEC and what new features they would like, and set the roadmap for future releases.
     OSSEC 2.7.1 soon to be released.
     Planning for OSSEC 3.0 is underway.
     OSSECCON 2013 will be held Thursday July 25th at Trend Micro's Cupertino office.
     Please join us there!
  • 17. Santiago González Bassett, santiago@alienvault.com, @santiagobassett, Alien Vault
  • 18. About me
     Developer, systems engineer, security administrator, consultant and researcher over the last 10 years.
     Member of the OSSIM project team since its inception.
     Implemented distributed open source security technologies in large enterprise environments for European and US companies.
    http://santi-bassett.blogspot.com/ @santiagobassett
  • 19. What is OSSIM?
    OSSIM is the Open Source SIEM – GNU GPL version 3.0
     With over 195,000 downloads it is the most widely used SIEM in the world.
     Created in 2003, it is developed and maintained by Alien Vault and community contributors.
     Provides Unified and Intelligent Security.
    http://communities.alienvault.com/
  • 20. Why OSSIM?
    Because it provides security intelligence:
     Discards false positives
     Assesses the impact of an attack
     Collaboratively learns about APT
    Because it unifies security management:
     Centralizes information
     Integrates threat detection tools
  • 21. OSSIM integrated tools
    Assets
       nmap
       prads
    Behavioral monitoring
       fprobe
       nfdump
       ntop
       tcpdump
       nagios
    Vulnerability assessment
       osvdb
       openvas
    Threat detection
       ossec
       snort
       suricata
  • 22. OSSIM +200 Collectors
  • 23. OSSIM Architecture
    (Diagram: sensors and server linked by Configuration & Management and Normalized Events flows.)
  • 24. OSSIM Anatomy of a collector
    [apache-access]
    event_type=event
    regexp="((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] "(?P<request>.*)" (?P<code>\d{3}) ((?P<size>\d+)|-)( "(?P<referer_uri>.*)" "(?P<useragent>.*)")?$"
    src_ip={resolv($src)}
    dst_ip={resolv($dst)}
    dst_port={$port}
    date={normalize_date($date)}
    plugin_sid={$code}
    username={$user}
    userdata1={$request}
    userdata2={$size}
    userdata3={$referer_uri}
    userdata4={$useragent}
    filename={$id}
    [Raw log]
    76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
  • 25. OSSIM Reliability Assessment
    (Diagram of an escalating correlation chain: 1, 10, 100 and 1000 SSH failed authentication events, each step followed by a possible SSH successful authentication event or persistent connections; the reliability of the alarm rises with each step.)
  • 26. OSSIM Risk Assessment
    RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25
    Example: Event Priority = 2, Event Reliability = 10; Source Asset Value = 2, Destination Asset Value = 5.
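The escalation on slide 25 and the risk formula on slide 26, worked through in Python as an added example (this is not OSSIM's code): the Directive class and the reliability reached at each level are assumptions; the priority, reliability and asset values are those on the risk slide.

```python
# Constructed escalation modelled on the reliability slide: each level is
# completed after a number of matching events and raises the reliability of the
# correlated alarm. The reliability per level is an assumption, not OSSIM's
# shipped directive; occurrences are counted within each level.
ESCALATION = [
    # (event name, occurrences to complete the level, reliability reached)
    ("SSH failed authentication", 1, 1),
    ("SSH failed authentication", 10, 3),
    ("SSH failed authentication", 100, 5),
    ("SSH failed authentication", 1000, 7),
    ("SSH successful authentication", 1, 10),  # success after the failures
]

class Directive:
    """Tracks one source's progress through the escalation levels (assumed model)."""

    def __init__(self, levels):
        self.levels = levels
        self.level = 0          # index of the level currently being filled
        self.count = 0          # matching events seen at this level
        self.reliability = 0    # reliability of the alarm raised so far

    def feed(self, event_name):
        """Consume one normalized event; return the reliability reached so far."""
        if self.level >= len(self.levels):
            return self.reliability      # chain complete, nothing more to escalate
        name, needed, reliability = self.levels[self.level]
        if event_name != name:
            return self.reliability      # other event types do not advance the level
        self.count += 1
        if self.count >= needed:
            self.reliability = reliability
            self.level += 1
            self.count = 0
        return self.reliability

def risk(asset_value, priority, reliability):
    """The slide's formula: RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25."""
    return asset_value * priority * reliability / 25

def assess(priority, reliability, src_asset, dst_asset):
    """Risk is assessed for both endpoints, each with its own asset value."""
    return {"source": risk(src_asset, priority, reliability),
            "destination": risk(dst_asset, priority, reliability)}

# The slide's example: priority 2, reliability 10, source asset 2, destination asset 5.
SLIDE_EXAMPLE = assess(priority=2, reliability=10, src_asset=2, dst_asset=5)
```

The same event scores higher against the destination (asset value 5) than against the source (asset value 2), which is how the asset inventory steers where analysts look first.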
  • 27. OSSIM & OSSEC Integration
     Web management interface
     OSSEC alerts plugin
     OSSEC correlation rules
     OSSEC reports
  • 28. OSSIM Deployment
    (Diagram: log collection by sensors 1, 2 and 3 over port mirroring, syslog, WMI, SDEE, OPSEC, FTP, SCP, SQL, Samba, SNMP and OSSEC; each sensor forwards normalized events to the server, which holds the normalized data.)
  • 29. OSSIM Attack Detection
    (Diagram: attacker X.X.X.X against target Y.Y.Y.Y)
    Accepted HTTP packet from X.X.X.X to Y.Y.Y.Y
    Attack: WEB-IIS multiple decode attempt
    Vulnerability: IIS Remote Command Execution
    Alert: Low reputation IP (OTX)
    Alert: IIS attack detected
  • 30. OSSIM Demo Use Cases
    Detection & Risk assessment
       OTX
       Snort NIDS
       Logical Correlation
       Vulnerability assessment
       Asset discovery
    Correlating Firewall logs:
       Cisco ASA plugin
       Network Scan detection
    Correlating Windows Events:
       OSSEC integration
       Brute force attack detection
  • 31. Thank you
    Santiago Gonzalez Bassett, santiago@alienvault.com, @santiagobassett, Alien Vault