Arkitekturfor ny porteføljeav sikkerhetsverktøy · Arkitekturfor ny porteføljeav...

Arkitektur for nyportefølje avsikkerhetsverktøyIRT fagsamling, 20. november 2017

Arne Øslebø, [email protected]

27. November 2017 SLIDE 2

“We are drowning in information butstarved for knowledge.”

John Naisbitt

Basic requirements

Modular

Scalable

Full auditing

Access control


Insert everything into Elastic Stack or Splunk?


Commercial SIEM?


ArcSight

LogRhythm

Splunk Enterprise Security

Open source SIEM?


OSSIM

Apache Metron


High level architecture


Data transport: Apache NiFi


Data transport: Apache MiNiFi


Storage: Elasticsearch withSiren Plugin


Vanguard Siren platform

Manual analysis: Kibi



Threat analysis/sharing: MISP


Detailed architecture


Siren platform

Wazuh


Wazuh: rulebased


<rule id="5700" level="0" noalert="1”><decoded_as>sshd</decoded_as><description>SSHD messages grouped.</description>

</rule>

<rule id="5710" level="5"><if_sid>5700</if_sid><match>illegal user|invalid user</match><description>sshd: Attempt to login using a non-

existent user</description></rule>

OpenSCAPOpenSCAP is a tool designed to check the security compliance and hardening of the systems using industry standard security baselines for enterprise environments.

Security Content Automation Protocol (SCAP)

�OVAL (Open Vulnerability Assessment Language)

�XCCDF (Extensible Configuration Checklist Description Format)

�ASR (Asset Reporting Format)

�CPE (Common Platform Enumeration)

�CVE (Common Vulnerabilities and Exposures)

�CWE (Common Weakness Enumeration)

Example: sudo chown root /etc/shadow


Wazuh: Kibana AppGeneralOverview


Wazuh: Kibana AppFile integrity


Current status and future workAll components have been tested individually with limited data set

Working on setting up SiLK for production

Working on Wazuh

Full prototype

�Will start working on it soon

�Anonymized data in the beginning

�Real data when things are secured

• Small scale from selected sources• UNINETT CERT will use it every day for analysis

Production

�Late 2018?


SiLKNetFlow/IPFIX tool

>50 commands

�Connected through pipes, named pipes or files

�Essential: Rwfilter, rwstats, rwcount, rwcut, rwsort, rwuniq

Flexiblearchitecture


SiLK traffic types


rwfilter


Multiple rwfilter


SiLK commands


$ rwfilter --start-date=2017/11/17T11 --end-date=2017/11/17T12 --type=all --ip-version=6 --print-volume-statistics

| Recs| Packets| Bytes| Files|Total| 31227822| 733951870| 581778614555| 12| Pass| 2200839| 17778318| 13850680377| | Fail| 29026983| 716173552| 567927934178| |

$ rwfilter --start-date=2017/11/17T11 --end-date=2017/11/17T12 --sensors=oslo-gw7 --type=in --protocol=6 --packets=100- --pass=stdout --max-pass-records=5 | rwcut--fields=1-5

sIP| dIP|sPort|dPort|pro|78.83.x.y| 128.39.x.y| 56084|33896| 6| 78.83.x.y| 128.39.x.y |56084| 3308| 6| 78.83.x.y| 128.39.x.y |56084| 3483| 6| 78.83.x.y| 128.39.x.y |56084| 3344| 6| 91.247x.y| 128.39.x.y |45762| 911| 6|

SiLK commands (2)


$ rwfilter --start-date=2017/11/17T11 --end-date=2017/11/17T12 --type=all --protocol=6 --pass=stdout | rwuniq --fields=sIP --values=Bytes,Packets,Flows,Distinct:dIP --flows=1000-

sIP| Bytes| Packets| Records|dIP-Distin| 13.33.x.y| 13028387| 29081| 6729| 81|

151.157.x.y| 8558322| 20683| 1490| 111| 40.101.x.y| 4038893| 7921| 1554| 51| 185.33.x.y| 4872539| 10564| 1195| 47| 37.252.x.y| 7671261| 14449| 1404| 52| 17.252.x.y| 1744592| 8616| 1058| 31|

Manual analysis: FlowViewer


SilkWeb


Automatic analysis: Analysis Pipeline

Processes flows in realtime

Simple but powerful scripting language


Router stops sending data:

FILE_EVALUATION sensorOutageCHECK FILE_OUTAGE

SENSOR_LIST ALL SENSORSTIME_WINDOW 2 HOURS

END CHECKEND FILE_EVALUATION

Outbound SSH scan:FILTER Ssh

DPORT == 22END FILTER

EVALUATION SSHScanFILTER SshFOREACH SIPCHECK THRESHOLD

DISTINCT DIP > 20TIME_WINDOW 5 MINUTES

END CHECKALERT 1 TIMES 7 DAYSALERT TYPE OutboundSSHScanCLEAR ALWAYS

END EVALUATION

Analysis Pipeline Alerts


{"@timestamp":"2017-11-16T13:24:05.135Z","_service":"certlogs","_token":"CSE1D7A0176X59CG","beat":{"hostname":"trd-col.cert.uninett.no","name":"trd-col.cert.uninett.no","version":"5.6.4"},"input_type":"log","message":"{\n\"envelope\": {\n \"generator\": \"org.cert.netsa.pipeline\",\n\"generator_version\": \"4.5.1\",\n \"severity\": 3,\n\"timestamp\": \"2017-11-16T13:23:58.837102Z\",\n\"analysis_tags\": [\"type:OutboundSSHScan\",\"analysis:SSHScan\"]\n},\n \"body\": {\n\"flow\": [{\"stime\": \"2017-11-16T13:22:44.744000Z\", \"elapsed\": 2.304, \"sip\": \"158.38.x.y\", \"dip\": \"158.39.x.y\", \"sport\": 60941, \"dport\": 22, \"proto\": 6, \"packets\": 32, \"bytes\": 5001, \"flags\": \"\", \"flags_initial\": \"\", \"sensor_name\": \"teknobyen-gw2\", \"flow_class\": \"all\", \"flow_type\": \"int2int\", \"application_id\": 0, \"icmp_type\": 0, \"icmp_code\": 0}],\n \"sip.cc\": [\"no\"],\n\"dip.cc\": [\"no\"],\n \"pipeline.unique.field\": [\"SIP\"],\n\"pipeline.unique.value\": [158.38.x.y],\n\"pipeline.metric.type\": [\"DISTINCT\"],\n\"pipeline.metric.fields\": [\"DIP\"],\n\"pipeline.metric.value\": [3]}\n}","offset":5068063,"source":"/data/pipeline/log/pipeline-20171116.log","type":"analysis_pipeline"}

Questions?

Arne Oslebo

[email protected]


Date post:	10-Mar-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

Arkitekturfor ny porteføljeav sikkerhetsverktøy · Arkitekturfor ny porteføljeav...

Documents