Solving the Open Source Security Puzzle

Post on 19-May-2015


Description: Presentation at the Cornerstones of Trust 2013 security conference.

Transcript:

June 18, 2013 – Securing Ubiquity

Solving the Open Source Security Puzzle

Vic Hargrave, JB Cheng

Santiago González Bassett

Disclaimer

The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.


Log Normalization

Syslog
Comes by default within *nix operating systems.

Syslog-NG
Can be installed in various configurations to take the place of the default syslog.
Free to use, or an enterprise version is available for purchase.
Many configuration types to export data.

OSSEC
Free to use.
Can export via syslog to other systems.


Solving the Open Source Security Puzzle

What are the standards?
Why choose one product over another?
How do the various security components work together?
How does this work in the real world? Real examples.


Understanding Rules

Customizable rulesets - Enable a security practitioner to add true intelligence about their own environment.

Host Event Detection

AIDE (Advanced Intrusion Detection Environment)


Network Detection Systems


Event Management

What is OSSEC?

Open Source SECurity
Open Source Host-based Intrusion Detection System
Provides protection for Windows, Linux, Mac OS, Solaris and many *nix systems
http://www.ossec.net
Founded by Daniel Cid
Current project managers – JB Cheng and Vic Hargrave


OSSEC Capabilities

Log analysis
File Integrity checking (Unix and Windows)
Registry Integrity checking (Windows)
Host-based anomaly detection (for Unix – rootkit detection)
Active Response


HIDS Advantages

Monitors system behaviors that are not evident from the network traffic
Can find persistent threats that penetrate firewalls and network intrusion detection/prevention systems


tail -f $ossec_alerts/alerts.log


OSSEC Architecture

(Diagram) OSSEC Agents send logs to the OSSEC Server over UDP 1514; the server produces the alerts.

File Integrity Alert Sample

** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'


Log Analysis Alert Sample

** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
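The two alert samples follow the alerts.log layout that the tail -f command shows. As an added example (not code from the talk or from the OSSEC project), here is a Python parser that splits that layout into fields and pulls out the paths that syscheck reported as changed; the sample text is constructed from the two slides.

```python
import re

# Constructed from the two alerts on the slides, laid out as OSSEC writes them to alerts.log:
# header line, "date host->location" line, "Rule:" line, then the triggering payload line(s).
SAMPLE_ALERTS = """** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'

** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+): (?P<flags>\S+) - (?P<groups>\S*)$")
LOCATION_RE = re.compile(r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+?)->(?P<location>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<description>.*)'$")
CHANGED_RE = re.compile(r"^Integrity checksum changed for: '(?P<path>.*)'$")

def parse_alerts(text):
    """Split alerts.log text into a list of dicts; malformed blocks are skipped rather than fatal."""
    alerts = []
    for block in re.split(r"(?m)^(?=\*\* Alert )", text):   # every alert starts at a header line
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if len(lines) < 3:
            continue
        hdr, loc, rule = HEADER_RE.match(lines[0]), LOCATION_RE.match(lines[1]), RULE_RE.match(lines[2])
        if not (hdr and loc and rule):
            continue
        alerts.append({
            "timestamp": int(hdr["ts"]),
            "groups": [g for g in hdr["groups"].split(",") if g],   # trailing comma -> empty item dropped
            "host": loc["host"], "location": loc["location"],
            "rule_id": int(rule["rule_id"]), "level": int(rule["level"]),
            "description": rule["description"], "payload": lines[3:]})
    return alerts

def changed_files(alerts, min_level=7):
    """Paths reported by syscheck (file integrity) alerts at or above min_level."""
    paths = []
    for a in alerts:
        if "syscheck" in a["groups"] and a["level"] >= min_level:
            paths += [m["path"] for m in map(CHANGED_RE.match, a["payload"]) if m]
    return paths
```

The groups list and rule level are what a downstream SIEM keys on, so a parser that drops a block it cannot read, instead of raising, keeps one odd line from stalling the whole feed.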


PCI DSS Requirements

10.5.5 - Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

11.5 - Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.


OSSECCON

Annual gathering of OSSEC users and developers.
Community members discuss how they are using OSSEC, what new features they would like, and set the roadmap for future releases.
OSSEC 2.7.1 soon to be released.
Planning for OSSEC 3.0 is underway.
OSSECCON 2013 will be held Thursday July 25th at Trend Micro's Cupertino office.
Please join us there!


OSSIM: Unified Open Source Security

Santiago González Bassett
santiago@alienvault.com
@santiagobassett
AlienVault

About me

Developer, systems engineer, security administrator, consultant and researcher in the last 10 years.
Member of the OSSIM project team since its inception.
Implemented distributed Open Source security technologies in large enterprise environments for European and US companies.

http://santi-bassett.blogspot.com/
@santiagobassett

What is OSSIM?

OSSIM is the Open Source SIEM – GNU GPL version 3.0.
With over 195,000 downloads it is the most widely used SIEM in the world.
Created in 2003, it is developed and maintained by AlienVault and community contributors.
Provides Unified and Intelligent Security.

http://communities.alienvault.com/

Why OSSIM?

Because it provides security intelligence:
Discards false positives
Assesses the impact of an attack
Collaboratively learns about APT

Because it unifies security management:
Centralizes information
Integrates threat detection tools

OSSIM integrated tools

Assets: nmap, prads
Behavioral monitoring: fprobe, nfdump, ntop, tcpdump, nagios
Vulnerability assessment: osvdb, openvas
Threat detection: ossec, snort, suricata

OSSIM +200 Collectors


OSSIM Architecture

(Diagram) Components exchange Configuration & Management data and Normalized Events.

OSSIM Anatomy of a collector


[apache-access]
event_type=event
regexp="((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\" (?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_uri>.*)\" \"(?P<useragent>.*)\")?$"
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}

[Raw log]
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

OSSIM Reliability Assessment


(Diagram) Reliability rises as the directive advances through its stages: an SSH failed authentication event, then 10, 100 and 1000 SSH failed authentication events, each stage with a branch for a following SSH successful authentication event; persistent connections are tracked alongside. Reliability is the vertical axis.

OSSIM Risk Assessment


RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25

Example (diagram): Event Priority = 2, Event Reliability = 10; Source Asset Value = 2, Destination Asset Value = 5.

OSSIM & OSSEC Integration

Web management interface
OSSEC alerts plugin
OSSEC correlation rules
OSSEC reports

OSSIM Deployment


OSSIM Attack Detection


OSSIM Demo Use Cases

Detection & Risk assessment:
OTX
Snort NIDS
Logical Correlation
Vulnerability assessment
Asset discovery

Correlating Firewall logs:
Cisco ASA plugin
Network Scan detection

Correlating Windows Events:
OSSEC integration
Brute force attack detection



Thank you

Santiago González Bassett
santiago@alienvault.com
@santiagobassett
AlienVault