Date posted: 19-May-2015
Category: Technology
Uploaded by: alienvault
ADVANCED OSSEC TRAINING: INTEGRATION STRATEGIES FOR OPEN SOURCE SECURITY
Santiago Bassett, Director Professional Services
@santiagobassett
AGENDA
Presentation contents (20 minutes)
Learning the basics
• OSSEC capabilities
• AlienVault capabilities
OSSEC and AlienVault integration
• Integration components
• OSSEC Collector anatomy
• OSSEC Correlation rules
• AlienVault Cross-correlation
• Management interface
Demo – See it in action (20 minutes)
Deploying OSSEC agents
• Automatic deployment for Windows
• Manual deployment for Linux
Agentless monitoring
Managing OSSEC
• Monitoring/Configuring agents
• Editing rules
Correlating OSSEC events (Brute-force)
OSSEC reports
ABOUT ME
Developer, security engineer, researcher and consultant.
Member of AlienVault and OSSEC core teams.
Director of Professional Services at AlienVault.
Born in Spain and relocated to Silicon Valley in 2010. Excuse my accent.
LEARNING THE BASICS…
OSSEC and AlienVault USM
OSSEC CAPABILITIES
Log analysis based intrusion detection
File integrity checking
Registry keys integrity checking (Windows)
Signature based malware/rootkits detection
Real time alerting and active response
OSSEC ARCHITECTURE
Agent components:
Logcollectord: Reads logs (syslog, WMI, flat files)
Syscheckd: File integrity checking
Rootcheckd: Malware and rootkit detection
Agentd: Forwards data to the server
Server components:
Remoted: Receives data from agents
Analysisd: Processes data (main process: decoding, rule matching, alerting)
Monitord: Monitors agents
ALIENVAULT USM CAPABILITIES
Provides threat detection capabilities
Monitors network assets
Centralizes information and management
Evaluates threat reliability and risk
Collaboratively learns about APTs
ALIENVAULT USM ARCHITECTURE
Embedded tools:
Asset discovery: Nmap, PRADS
Behavioral monitoring: NetFlow, ntop, Nagios
Threat detection: Snort, Suricata, OSSEC
Vulnerability assessment: OpenVAS
External collectors:
Syslog, FTP, SCP, NFS
Samba, SNMP, WMI, LEA
SDEE, SQL, Unix Socket
OSSEC INTEGRATION
OSSEC and AlienVault USM
INTEGRATION COMPONENTS
OSSEC COLLECTOR ANATOMY
OSSEC CORRELATION RULES
Common web attack detected
XSS (Cross Site Scripting) attempt
SQL injection attempt detected
Windows authentication failure attempts
MySQL authentication attempt failed detected
PostgreSQL authentication attempt failed detected
SonicWall authentication attempt failed detected
Remote access authentication attempt failed detected
SSH service authentication attempts failed detected
Multiple authentication attempt failed detected
Login authentication failed detected
OSSEC ALERTS RISK ASSESSMENT
AlienVault USM automatically calculates a risk score for each OSSEC alert from the alert's priority and reliability and from the value of the assets involved.
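The correlation rules listed above and the risk assessment slide describe the chain an OSSEC event goes through: a decoder extracts fields from the raw log line, a per-event rule fires, a frequency rule escalates when the same source keeps failing within a time window, and USM then scores the resulting alert. The following is an added example, not code from the webinar, from OSSEC or from AlienVault: a small Python re-implementation of that chain for the SSH brute-force case used in the demo. The sample log lines are constructed, the rule IDs (100010, 100020, chosen from the range OSSEC reserves for local rules), the frequency/timeframe values and the priority/reliability numbers attached to each rule are assumptions for illustration, and the risk formula is the one AlienVault documents for USM, (asset value * priority * reliability) / 25.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not a real capture); addresses come from
# the RFC 5737 documentation ranges. Eight failures from one IP within two
# minutes, one failure from another IP, one successful login and one late
# failure after the window has expired.
SAMPLE_LOG = """\
May 19 10:00:01 web01 sshd[4321]: Failed password for root from 203.0.113.5 port 50122 ssh2
May 19 10:00:03 web01 sshd[4322]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
May 19 10:00:05 web01 sshd[4323]: Failed password for root from 203.0.113.5 port 50124 ssh2
May 19 10:00:08 web01 sshd[4324]: Failed password for invalid user oracle from 203.0.113.5 port 50125 ssh2
May 19 10:00:11 web01 sshd[4325]: Failed password for root from 203.0.113.5 port 50126 ssh2
May 19 10:00:14 web01 sshd[4326]: Failed password for invalid user test from 203.0.113.5 port 50127 ssh2
May 19 10:00:17 web01 sshd[4327]: Failed password for root from 203.0.113.5 port 50128 ssh2
May 19 10:00:20 web01 sshd[4328]: Failed password for invalid user guest from 203.0.113.5 port 50129 ssh2
May 19 10:00:25 web01 sshd[4329]: Failed password for alice from 192.0.2.77 port 41000 ssh2
May 19 10:00:30 web01 sshd[4330]: Accepted publickey for deploy from 198.51.100.9 port 40001 ssh2
May 19 10:05:00 web01 sshd[4331]: Failed password for root from 203.0.113.5 port 50130 ssh2
"""

LOG_YEAR = 2015  # assumption: classic syslog timestamps carry no year

# Decoder: the equivalent of an OSSEC <decoder> whose <regex> extracts
# user and srcip. Only sshd "Failed password" lines match.
SSHD_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<srcip>\S+) port \d+"
)

# Rule levels follow OSSEC's 0-15 scale. Priority (0-5) and reliability
# (0-10) are the values a USM plugin would attach; the numbers are assumed.
RULE_FAILED = {"rule_id": 100010, "level": 5, "priority": 1, "reliability": 3,
               "description": "SSHD authentication failed"}
RULE_BRUTE = {"rule_id": 100020, "level": 10, "priority": 4, "reliability": 8,
              "description": "SSHD brute force: repeated failures from one source"}


def decode(line):
    """Return the decoded fields for an sshd failure line, else None."""
    m = SSHD_FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"timestamp": ts, "hostname": m["host"],
            "user": m["user"], "srcip": m["srcip"]}


class FrequencyRule:
    """Mirrors the <frequency>/<timeframe>/<same_source_ip> attributes of an
    OSSEC rule: fire once `frequency` matching events from one source IP
    arrive within `timeframe` seconds. Clearing the window after firing is a
    simplified stand-in for OSSEC's <ignore> suppression."""

    def __init__(self, frequency, timeframe):
        self.frequency, self.timeframe = frequency, timeframe
        self.window = defaultdict(deque)  # srcip -> timestamps of recent hits

    def check(self, event):
        hits = self.window[event["srcip"]]
        hits.append(event["timestamp"])
        # Drop hits older than the timeframe, measured from the newest event.
        while (event["timestamp"] - hits[0]).total_seconds() > self.timeframe:
            hits.popleft()
        if len(hits) >= self.frequency:
            hits.clear()
            return True
        return False


def analyse(log_text):
    """Decoder -> per-event rule -> frequency rule, in the order analysisd
    would apply them; returns the alerts raised, in order."""
    brute = FrequencyRule(frequency=8, timeframe=120)  # assumed thresholds
    alerts = []
    for line in log_text.splitlines():
        event = decode(line)
        if event is None:
            continue  # not an sshd failure: no rule matches
        alerts.append({**RULE_FAILED, **event})
        if brute.check(event):
            alerts.append({**RULE_BRUTE, **event})
    return alerts


def risk(alert, asset_value):
    """USM risk score: (asset value 0-5 * priority 0-5 * reliability 0-10) / 25,
    which lands on a 0-10 scale."""
    return asset_value * alert["priority"] * alert["reliability"] / 25


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"rule {a['rule_id']} level {a['level']:2} {a['srcip']:<13} "
              f"risk={risk(a, asset_value=5):.1f}  {a['description']}")
```

Running it shows ten level-5 alerts, one per decoded failure, and a single level-10 alert raised on the eighth failure from 203.0.113.5; the failure at 10:05:00 starts a fresh window and does not re-trigger the brute-force rule. Against an asset valued 5 the single failure scores 0.6 while the brute-force alert scores 6.4, which is the point of the risk slide: the same raw events produce very different risk once correlation raises priority and reliability.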
ALIENVAULT CROSS-CORRELATION
AlienVault USM correlates events from multiple sources, crossing OSSEC alerts with information collected from the embedded detectors and from external sources.
OSSEC MANAGEMENT INTERFACE
AlienVault USM provides a comprehensive GUI for OSSEC alert management:
• Status monitor
• Events viewer
• Agents control manager
• Configuration manager
• Rules viewer/editor
• Logs viewer
• Server control manager
• Deployment manager
• PDF/HTML reports
LET’S SEE IT IN ACTION!
OSSEC and AlienVault USM
NOW FOR SOME Q&A…
Three Ways to Test Drive AlienVault
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Join our weekly LIVE Demo
http://www.alienvault.com/marketing/alienvault-usm-live-demo
VIEW WEBINAR ON-DEMAND
A recorded version of this webinar is available.