Date posted: 24-Jul-2015 | Category: Technology | Uploaded by: nu-the-open-security-community | Views: 243 | Downloads: 19
Sharad Chandra
CEH | CHFI
Agenda
Introduction to OSSIM
How to deploy & configure OSSEC agents
Configuring syslog and enabling plugins
Scanning your network for assets and vulnerabilities
OSSIM Demo
2 Types of Security Controls
Preventative Controls: used to implement C-I-A
Crypto, Firewall, Antivirus, PKI, VPN, SSL, DLP
Prevent an incident
Detective Controls: provide visibility & response
Asset Discovery, VA, IDS/IPS, Log Management, Analytics
Detect & respond to an incident
The Big Question: if we already have preventative controls… why should we care about detective controls?
Prevention has proven to be elusive
A detailed study of 56 “Large US firms”
Results: 102 successful intrusions between them
EVERY WEEK!
“There are two types of companies that use computers. Victims of crime that know they
are victims of crime and victims of crime that don’t have a clue yet.”
- James Routh, 2007 CISO Depository Trust Clearing Corporation
Some pretty savvy recent victims
Get good at detection & response
Prevent: the basics are in place.
Detect & Respond: beyond that, enterprises beware! New capabilities to develop.
Many professional SOC’s are powered by open source
There’s an App for that!
PRADS, NFSend, P0F, OVALdi, MDL, OpenFPC, PADS
Challenge: How do we make sense of all these?
Let’s get started!
The World’s Most Widely Used SIEM: Meet OSSIM
OSSIM is trusted by 195,000+ security professionals in 175 countries… and counting.
Established and launched by security engineers out of necessity.
Users enjoy all of the features of a traditional SIEM, and more.
First We Categorize Them!
The 5 essential capabilities for effective detection & response:
Asset Discovery: what am I protecting & what is most valuable?
Vulnerability Assessment: where are my assets exposed?
Threat Detection: how, when and where am I being attacked?
Behavioral Monitoring: what is the state of my environment, anything strange?
Intelligence & Analytics: put it all together with external intelligence & determine a response!
Example of How the Tools Work Together
Tools Classification: How It Works
Tools integrated with AlienVault OSSIM are classified by the behavior of the tool on the network:
Active: they generate traffic in the network being monitored.
Passive: they analyze network traffic without generating any traffic.
Passive tools require port mirroring (SPAN) configured in network equipment or virtual machines to analyze traffic.
Host IDS
OSSIM comes with OSSEC host-based IDS, which provides:
Log monitoring and collection
Rootkit detection
File integrity checking
Windows registry integrity checking
Active response
OSSEC uses an authenticated server/agent architecture.
Architecture diagram: OSSEC Agents on the monitored servers report to the OSSEC Server running on the OSSIM Sensor over UDP 1514; the sensor passes normalized events to the OSSIM Server.
Deploying HIDS
1. Add an agent in OSSIM
2. Deploy HIDS agent to the target system.
3. Optionally change configuration file on the agent.
4. Verify HIDS operations.
Add Agent in OSSIM
Environment > Detection > HIDS > Agents
Required task for all operating systems.
Can also be added through the manage_agents script.
Screenshot callouts: add an agent; specify name and IP address; save agent.
Deploy HIDS Agent to Target System
Automated deployment for Windows machines.
Manual installation for other OS.
Key extraction is required for manual installation.
Screenshot callouts: automatic deployment for Windows (specify domain, username and password of the target system); download preconfigured agent for Windows; extract key.
Change Configuration File on Agent
OSSEC configuration is controlled by a text file.
Agent needs to be restarted after configuration changes.
Log file is available for troubleshooting.
Agent status should be active.
Screenshot callouts: configuration file; log file.
Verify HIDS Operations
Environment > Detection > HIDS > Overview
Displays an overview of OSSEC events and agent information.
Screenshot callout: OSSEC events.
Verify HIDS Operations (Cont.)
Analysis > Security Events (SIEM) > SIEM
Verify that OSSEC events are displayed in the SIEM console.
Use the search filter to display only events from the OSSEC data source.
Verify HIDS Operations (Cont.)
Environment > Detection > HIDS > Agents > Agent Control
Verify registry integrity.
Verify presence of rootkits.
Verify file integrity.
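As an added example (not from the deck or from AlienVault), the "agent status should be active" check from the steps above, scripted by parsing the agent list that OSSEC's agent_control prints on the sensor; the listing embedded in the script is a constructed sample in that tool's output format, and the agent names and IPs are made up.

```shell
#!/bin/sh
# Added example, not from the deck: turn "Agent status should be active" into a
# scriptable check by parsing the agent list that /var/ossec/bin/agent_control -l
# prints on the OSSIM sensor. The listing below is a constructed sample in that
# tool's format; on a live sensor pass "$(/var/ossec/bin/agent_control -l)" instead.

SAMPLE_LISTING='
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossim-sensor (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.5, Active
   ID: 002, Name: db01, IP: 10.0.0.6, Disconnected
   ID: 003, Name: app01, IP: 10.0.0.7, Never connected
'

# agent_state LISTING NAME
# Prints the status column ("Active", "Disconnected", "Never connected", ...)
# for the agent called NAME, or "unknown" when no such agent is registered.
# Fields are separated by ", "; the status is the 4th field and may itself
# contain a space ("Never connected"), which is why we split on ", " not " ".
agent_state() {
    printf '%s\n' "$1" | awk -F', ' -v n="$2" '
        $2 == ("Name: " n) { print $4; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# agent_is_active LISTING NAME
# Succeeds only when the agent reports exactly "Active". The server's own
# "Active/Local" entry and a "Disconnected" agent both fail this check, which
# is what you want before trusting the HIDS events shown in the SIEM console.
agent_is_active() {
    [ "$(agent_state "$1" "$2")" = "Active" ]
}

# report_agents LISTING NAME...
# Prints one "name: status" line per requested agent and returns non-zero if
# any of them is not Active, so it can gate a deployment script.
report_agents() {
    listing=$1
    shift
    rc=0
    for name in "$@"; do
        st=$(agent_state "$listing" "$name")
        printf '%s: %s\n' "$name" "$st"
        [ "$st" = "Active" ] || rc=1
    done
    return $rc
}

report_agents "$SAMPLE_LISTING" web01 db01 app01 || echo "some agents are not active"
```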
Syslog & Plugins
Syslog Forwarding
Syslog configuration will vary based on the source device/application but, usually, the necessary parameters are:
Destination IP
Source IP
Port (default is UDP 514)
Enabling Plugins
Enable plugin at the asset level
General > Plugins > Edit Plugins
Green light under “Receiving Data” will confirm successful log collection
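An added example, not part of the presentation: a shell helper that builds a correctly formed RFC 3164 syslog line and sends it from a source device to the sensor's UDP 514, so the "Receiving Data" light can be confirmed end to end. The sensor IP is a placeholder, and the hostname, tag and message text are assumptions chosen for the demonstration.

```shell
#!/bin/bash
# Added example, not from the deck: after pointing a device's syslog at the OSSIM
# sensor, confirm the "Receiving Data" light by sending one well-formed RFC 3164
# message from a shell on that device. The sensor address below is a placeholder
# (TEST-NET-1); replace it with your OSSIM sensor's IP. Sending uses bash's
# /dev/udp device, so the --send path needs bash rather than plain sh.

OSSIM_SENSOR=192.0.2.10   # placeholder, not a real sensor
SYSLOG_PORT=514           # the default the deck mentions

# syslog_pri FACILITY SEVERITY
# RFC 3164 packs facility and severity into one number: PRI = facility*8 + severity.
# Common facilities: 1 = user, 4 = auth, 10 = authpriv. Severities: 4 = warning, 6 = info.
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# build_syslog_msg FACILITY SEVERITY HOSTNAME TAG TEXT
# Produces "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: TEXT". HOSTNAME should be the
# name or IP the asset is registered under in OSSIM, because the plugin is
# enabled per asset and the event is matched to the asset by its source.
build_syslog_msg() {
    pri=$(syslog_pri "$1" "$2")
    ts=$(date '+%b %e %H:%M:%S')        # space-padded day, as RFC 3164 requires
    printf '<%s>%s %s %s: %s' "$pri" "$ts" "$3" "$4" "$5"
}

# send_syslog_udp DEST_IP PORT MESSAGE
# Writes the datagram through bash's /dev/udp pseudo-device; no extra tools needed.
send_syslog_udp() {
    printf '%s' "$3" > "/dev/udp/$1/$2"
}

# Usage on a source device: send a user.info test line, then check the asset's
# plugin status under General > Plugins > Edit Plugins for the green light.
if [ "${1:-}" = "--send" ]; then
    msg=$(build_syslog_msg 1 6 "$(hostname)" ossim-test "syslog forwarding check")
    send_syslog_udp "$OSSIM_SENSOR" "$SYSLOG_PORT" "$msg" && echo "sent: $msg"
fi
```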
Vulnerability Assessment
Uses a built-in OpenVAS scanner.
Detects vulnerabilities in assets.
Vulnerabilities are correlated with events via cross-correlation rules.
Useful for compliance reports and auditing.
Managed from the central SIEM console: running and scheduling vulnerability scans, examining reports, updating vulnerability signatures.
Advanced Options
Vulnerability assessment can be:
Authenticated (SSH and SMB)
Unauthenticated
Predefined profiles can be selected:
Non-destructive full and slow scan
Non-destructive full and fast scan
Full and fast scan including destructive tests
Custom profiles can be created.
Vulnerability Assessment Configuration
1. (Optionally) tune global vulnerability assessment settings.
2. (Optionally) create a set of credentials.
3. (Optionally) create a scanning profile.
4. Create a vulnerability scan job.
5. Examine scanning results.
6. Optionally create a vulnerability or compliance report.
Tune Global Vulnerability Assessment Settings
Configuration > Administration > Main
The vulnerability assessment system opens a ticket for found vulnerabilities.
Start with a high threshold and fix important vulnerabilities first.
Screenshot callouts: select vulnerability ticket threshold; update configuration.
Create Set of Credentials
Environment > Vulnerabilities > Overview
Used to log into a machine for an authenticated scan.
Supports the DOMAIN/USER username format.
Screenshot callouts: click Settings; specify credential set name; select authentication type; specify login username.
Create Scanning Profile
Environment > Vulnerabilities > Overview
Examine the 3 default profiles.
Enable profiles that apply to the assets you are scanning.
Screenshot callouts: edit profiles; create a new profile; enable/disable plugin family.
Create Vulnerability Scan Job
Environment > Vulnerabilities > Scan Jobs
Screenshot callouts: create a new scan job; import Nessus scan report; specify scan job name; select schedule method; select profile; select server; select assets; select credential set for authenticated scan; save job.
Examine Vulnerability Results
Environment > Vulnerabilities > Overview
Examine vulnerability statistics.
View the vulnerability report for all assets.
Examine reports for all scan jobs.
OSSIM Demo
Questions & Answers