Presentation at Cornerstones of Trust 2013 security conference.
June 18, 2013 – Securing Ubiquity
Solving the Open Source Security Puzzle
Vic Hargrave, JB Cheng
Santiago González Bassett
Disclaimer
The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.
Log Normalization
Syslog
- Comes by default within *nix operating systems.
Syslog-NG
- Can be installed in various configurations to take the place of the default syslog.
- Free to use, or an enterprise version is available for purchase.
- Many configuration types to export data.
OSSEC
- Free to use.
- Can export via syslog to other systems.
Solving the Open Source Security Puzzle
What are the standards?
Why choose one product over another?
How do the various security components work together?
How does this work in the real world? Real examples.
Understanding Rules
Customizable rulesets - Enable a security practitioner to add true intelligence of their environment.
Host Event Detection
AIDE (Advanced Intrusion Detection Environment)
Network Detection Systems
Event Management
What is OSSEC?
Open Source SECurity
Open Source Host-based Intrusion Detection System
Provides protection for Windows, Linux, Mac OS, Solaris and many *nix systems
http://www.ossec.net
Founded by Daniel Cid
Current project managers – JB Cheng and Vic Hargrave
OSSEC Capabilities
Log analysis
File Integrity checking (Unix and Windows)
Registry Integrity checking (Windows)
Host-based anomaly detection (for Unix – rootkit detection)
Active Response
HIDS Advantages
Monitors system behaviors that are not evident from the network traffic
Can find persistent threats that penetrate firewalls and network intrusion detection/prevention systems
tail -f $ossec_alerts/alerts.log
OSSEC Architecture
(Diagram: OSSEC Agents send logs to the OSSEC Server over UDP 1514; the server produces alerts.)
File Integrity Alert Sample
** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'
Log Analysis Alert Sample
** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
PCI DSS Requirements
10.5.5 - Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
11.5 - Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
OSSECCON
Annual gathering of OSSEC users and developers.
Community members discuss how they are using OSSEC, what new features they would like, and set the roadmap for future releases.
OSSEC 2.7.1 soon to be released.
Planning for OSSEC 3.0 is underway.
OSSECCON 2013 will be held Thursday July 25th at Trend Micro’s Cupertino office.
Please join us there!
OSSIM
Unified Open Source Security
Santiago González Bassett
[email protected]
@santiagobassett
AlienVault
About me
Developer, systems engineer, security administrator, consultant and researcher for the last 10 years.
Member of the OSSIM project team since its inception.
Implemented distributed Open Source security technologies in large enterprise environments for European and US companies.
http://santi-bassett.blogspot.com/
@santiagobassett
What is OSSIM?
OSSIM is the Open Source SIEM – GNU GPL version 3.0
With over 195,000 downloads it is the most widely used SIEM in the world.
Created in 2003, it is developed and maintained by AlienVault and community contributors.
Provides Unified and Intelligent Security.
http://communities.alienvault.com/
Why OSSIM?
Because it provides security intelligence:
- Discards false positives
- Assesses the impact of an attack
- Collaboratively learns about APTs
Because it unifies security management:
- Centralizes information
- Integrates threat detection tools
OSSIM integrated tools
Assets: nmap, prads
Behavioral monitoring: fprobe, nfdump, ntop, tcpdump, nagios
Vulnerability assessment: osvdb, openvas
Threat detection: ossec, snort, suricata
OSSIM +200 Collectors
OSSIM Architecture
(Diagram: Configuration & Management; Normalized Events)
OSSIM Anatomy of a collector
[apache-access]
event_type=event
regexp="((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\" (?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_uri>.*)\" \"(?P<useragent>.*)\")?$"
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}

[Raw log]
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
OSSIM Reliability Assessment
(Chart: event reliability increases along the following sequence of correlated events; Y axis: Reliability)
SSH failed authentication event
SSH successful authentication event
10 SSH failed authentication events
100 SSH failed authentication events
Persistent connections
SSH successful authentication event
1000 SSH failed authentication events
SSH successful authentication event
OSSIM Risk Assessment
RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY)/25
Source: Asset Value = 2
Destination: Asset Value = 5
Event Priority = 2
Event Reliability = 10
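As an added example that is not part of the slides or of OSSIM, the Python below ties the reliability sequence from the previous slide to this risk formula: a small correlation walk over constructed SSH authentication events escalates a reliability level, which is then plugged into RISK with the slide's values (priority 2, source asset 2, destination asset 5). The reliability value per stage and the 10-failure threshold are assumptions; the slide gives only the ordering of the stages and reliability 10 for the final one.

```python
# Assumed reliability per correlation stage (constructed for this example; the
# slide only orders the stages and fixes reliability 10 for the last one).
RELIABILITY_BY_STAGE = {
    'single_failure': 1, 'single_success': 2, 'failures_10': 4,
    'failures_100': 6, 'failures_1000': 8, 'success_after_failures': 10,
}
BRUTE_FORCE_THRESHOLD = 10  # assumed: failures before a success that count as a break-in

def risk(asset_value, priority, reliability):
    """RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25, as on the slide."""
    return asset_value * priority * reliability / 25

def correlate_ssh(events):
    """Walk (src_ip, 'fail'|'ok') SSH auth events in order and return the highest
    correlation stage reached per source (stages only escalate, never drop)."""
    failures, stage = {}, {}
    for src, outcome in events:
        n = failures.get(src, 0)
        if outcome == 'fail':
            n += 1
            failures[src] = n
            s = ('failures_1000' if n >= 1000 else 'failures_100' if n >= 100
                 else 'failures_10' if n >= 10 else 'single_failure')
        else:
            s = 'success_after_failures' if n >= BRUTE_FORCE_THRESHOLD else 'single_success'
        if RELIABILITY_BY_STAGE[s] > RELIABILITY_BY_STAGE.get(stage.get(src), 0):
            stage[src] = s
    return stage

def assess(events, src_asset=2, dst_asset=5, priority=2):
    """Risk per source with the slide's values: priority 2, source asset 2,
    destination asset 5; reliability comes from the correlation stage reached."""
    result = {}
    for src, s in correlate_ssh(events).items():
        rel = RELIABILITY_BY_STAGE[s]
        result[src] = {'stage': s, 'reliability': rel,
                       'risk_src': risk(src_asset, priority, rel),
                       'risk_dst': risk(dst_asset, priority, rel)}
    return result

# Constructed sample: one source fails 12 times and then logs in, another fails once.
SAMPLE_EVENTS = ([('198.51.100.7', 'fail')] * 12
                 + [('198.51.100.7', 'ok'), ('198.51.100.9', 'fail')])
```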
OSSIM & OSSEC Integration
Web management interface
OSSEC alerts plugin
OSSEC correlation rules
OSSEC reports
OSSIM Deployment
OSSIM Attack Detection
OSSIM Demo Use Cases
Detection & Risk assessment
OTX
Snort NIDS
Logical Correlation
Vulnerability assessment
Asset discovery
Correlating Firewall logs: Cisco ASA plugin, Network Scan detection
Correlating Windows Events: OSSEC integration, Brute force attack detection
Thank you
Santiago González Bassett
[email protected]
@santiagobassett
AlienVault