PowerPoint slides

Report
Vic Hargrave
JB Cheng
Santiago González Bassett
June 18, 2013 – Securing Ubiquity
Disclaimer
The views and opinions expressed during this conference are those of
the speakers and do not necessarily reflect the views and opinions
held by the Information Systems Security Association (ISSA), the
Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay
Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor
any of its chapters warrants the accuracy, timeliness or completeness
of the information presented. Nothing in this conference should be
construed as professional or legal advice or as creating a professionalcustomer or attorney-client relationship. If professional, legal, or
other expert assistance is required, the services of a competent
professional should be sought.
2
June 18, 2013 – Securing Ubiquity
Log Normalization
 Syslog
 Comes default within *Nix operating systems.
 Sylog-NG
 Can be installed in various configurations to take the place
of default syslog.
 Free to use or enterprise version available for purchase.
 Many configuration types to export data.
 OSSEC
 Free to use
 Can export via syslog to other systems.
3
June 18, 2013 – Securing Ubiquity
Solving the Open Source Security
Puzzle
 What are the standards?
 Why choose one product over another?
 How do the various security components work
together?
 How does this work in the real world, real
examples.
4
June 18, 2013 – Securing Ubiquity
Understanding Rules
 Customizable rulesets - Enable a security practitioner to
add true intelligence of their environment.
5
June 18, 2013 – Securing Ubiquity
Host Event Detection
AIDE
(Advanced Intrusion
Detection Environment)
6
June 18, 2013 – Securing Ubiquity
Network Detection Systems
7
June 18, 2013 – Securing Ubiquity
Event Management
8
June 18, 2013 – Securing Ubiquity
What is
?
 Open Source SECurity
 Open Source Host-based Intrusion Detection System
 Provides protection for Windows, Linux, Mac OS, Solaris
and many *nix systems
 http://www.ossec.net
 Founded by Daniel Cid
 Current project managers – JB Cheng and Vic Hargrave
9
June 18, 2013 – Securing Ubiquity
OSSEC Capabilities
 Log analysis
 File Integrity checking (Unix and Windows)
 Registry Integrity checking (Windows)
 Host-based anomaly detection (for Unix – rootkit
detection)
 Active Response
10
June 18, 2013 – Securing Ubiquity
HIDS Advantages
 Monitors system behaviors that are not evident from the
network traffic
 Can find persistent threats that penetrate firewalls and
network intrusion detection/prevention systems
11
June 18, 2013 – Securing Ubiquity
OSSEC Architecture
logs
UDP
1514
OSSEC
Server
alerts
OSSEC
Agents
tail -f $ossec_alerts/alerts.log
logs
UDP
1514
12
June 18, 2013 – Securing Ubiquity
File Integrity Alert Sample
** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'
13
June 18, 2013 – Securing Ubiquity
Log Analysis Alert Sample
** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
14
June 18, 2013 – Securing Ubiquity
PCI DSS Requirement
 10.5.5 - Use file-integrity monitoring or change-detection
software on logs to ensure that existing log data cannot
be changed without generating alerts (although new data
being added should not cause an alert)
 11.5 - Deploy file-integrity monitoring software to alert
personnel to unauthorized modification of critical system
files, configuration files, or content files; and configure
the software to perform critical file comparisons at least
weekly
15
June 18, 2013 – Securing Ubiquity
 Annual gathering of OSSEC users and developers.
 Community members discuss how they are using OSSEC,
what new features they would like and set the roadmap
for future releases.
 OSSEC 2.7.1 soon to be released.
 Planning for OSSEC 3.0 is underway.
 OSSECCON 2013 will be held Thursday July 25th at Trend
Micro’s Cupertino office.
 Please join us there!
16
June 18, 2013 – Securing Ubiquity
Santiago González Bassett
[email protected]
@santiagobassett
Alien Vault
June 18, 2013 – Securing Ubiquity
17
About me
 Developer, systems engineer, security administrator,
consultant and researcher in the last 10 years.
 Member of OSSIM project team since its inception.
 Implemented distributed Open Source security
technologies in large enterprise environments for
European and US companies.
http://santi-bassett.blogspot.com/
@santiagobassett
18
June 18, 2013 – Securing Ubiquity
What is OSSIM?
OSSIM is the Open Source SIEM – GNU GPL version 3.0
 With over 195,000 downloads it is the most widely
used SIEM in the world.
 Created in 2003, is developed and maintained by
Alien Vault and community contributors.
 Provides Unified and Intelligent Security.
http://communities.alienvault.com/
19
June 18, 2013 – Securing Ubiquity
Why OSSIM?
Because provides security Intelligence
 Discards false positives
 Assesses the impact of an attack
 Collaboratively learns about APT
Because Unifies security management
 Centralizes information
 Integrates threats detection tools
20
June 18, 2013 – Securing Ubiquity
OSSIM integrated tools
Assets
 nmap
 prads
Behavioral monitoring
 fprobe
 nfdump
 ntop
 tcpdump
 nagios
Threat detection
 ossec
 snort
 suricata
Vulnerability assessment
 osvdb
 openvas
21
June 18, 2013 – Securing Ubiquity
OSSIM +200 Collectors
22
June 18, 2013 – Securing Ubiquity
OSSIM Architecture
Normalized
Events
Configuration &
Management
23
June 18, 2013 – Securing Ubiquity
OSSIM Anatomy of a collector
[Raw log]
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200
2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/27.0.1453.110 Safari/537.36"
[apache-access]
event_type=event
regexp=“((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+)
\[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\”
(?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_uri>.*)\" \”(?P<useragent>.*)\")?$”
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}
24
June 18, 2013 – Securing Ubiquity
OSSIM Reliability Assessment
SSH Failed
authentication event
SSH successful
authentication event
10 SSH Failed
authentication events
Reliability
Persistent
connections
100 SSH Failed
authentication events
SSH successful
authentication event
SSH successful
authentication event
1000 SSH Failed
authentication events
25
June 18, 2013 – Securing Ubiquity
OSSIM Risk Assessment
Source
Event Priority = 2
Destination
Event Reliability = 10
Asset Value = 2
Asset Value = 5
RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY)/25
26
June 18, 2013 – Securing Ubiquity
OSSIM & OSSEC Integration
 Web management interface  OSSEC correlation rules
 OSSEC alerts plugin
 OSSEC reports
27
June 18, 2013 – Securing Ubiquity
OSSIM Deployment
PORT MIRRORING
NORMALIZED EVENTS
SDEE
FTP
WMI
SYSLO`G
WMI
SYSLOG
LOG COLLECTION
OPSEC
SYSLOG
SYSLOG
SDEE
SENSOR 1
SYSLOG
SNMP
OPSEC
SYSLOG
SAMBA
SYSLOG
SENSOR 3
SQL
SYSLOG
OSSEC
SCP
SENSOR 2
SERVER
SDEE
NORMALIZED DATA
28
June 18, 2013 – Securing Ubiquity
OSSIM Attack Detection
OTX
Alert: Low
reputation IP
Attacker
X.X.X.X
Vulnerability: IIS Remote
Command Execution
Attack
Accepted HTTP packet
from X.X.X.X to Y.Y.Y.Y
Target
Y.Y.Y.Y
Alert: IIS attack
detected
Attack: WEB-IIS multiple
decode attempt
29
June 18, 2013 – Securing Ubiquity
OSSIM Demo Use Cases
Detection & Risk assessment
 OTX
 Snort NIDS
 Logical Correlation
 Vulnerability assessment
 Asset discovery
Correlating Firewall logs:
 Cisco ASA plugin
 Network Scan detection
Correlating Windows Events:
 OSSEC integration
 Brute force attack detection
30
June 18, 2013 – Securing Ubiquity
Thank you
Santiago Gonzalez Bassett
[email protected]
@santiagobassett
Alien Vault
Disclaimer
The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and
opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San
Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy,
timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal
advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is
required, the services of a competent professional should be sought.
31
June 18, 2013 – Securing Ubiquity

similar documents