Solving the Open Source Security Puzzle

Transcript

June 18, 2013 – Securing Ubiquity
Solving the Open Source Security Puzzle
Vic Hargrave, JB Cheng, Santiago González Bassett

Disclaimer

The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.

Log Normalization

Syslog: comes by default within *nix operating systems.
Syslog-NG: can be installed in various configurations to take the place of the default syslog. Free to use, or an enterprise version is available for purchase. Many configuration types to export data.
OSSEC: free to use. Can export via syslog to other systems.

Solving the Open Source Security Puzzle

What are the standards?
Why choose one product over another?
How do the various security components work together?
How does this work in the real world? Real examples.

Understanding Rules

Customizable rulesets enable a security practitioner to add true intelligence about their environment.

Host Event Detection

AIDE (Advanced Intrusion Detection Environment)

Network Detection Systems

Event Management

What is OSSEC?

Open Source SECurity
Open Source Host-based Intrusion Detection System
Provides protection for Windows, Linux, Mac OS, Solaris and many *nix systems
http://www.ossec.net
Founded by Daniel Cid
Current project managers: JB Cheng and Vic Hargrave


OSSEC Capabilities

Log analysis
File Integrity checking (Unix and Windows)
Registry Integrity checking (Windows)
Host-based anomaly detection (for Unix rootkit detection)
Active Response

HIDS Advantages

Monitors system behaviors that are not evident from the network traffic
Can find persistent threats that penetrate firewalls and network intrusion detection/prevention systems


tail -f $ossec_alerts/alerts.log

OSSEC Architecture

(Diagram: OSSEC Agents send logs to the OSSEC Server over UDP 1514; the server emits alerts.)

File Integrity Alert Sample

** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'

Log Analysis Alert Sample

** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64

PCI DSS Requirement

10.5.5 - Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
11.5 - Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

OSSECCON

Annual gathering of OSSEC users and developers.
Community members discuss how they are using OSSEC, what new features they would like, and set the roadmap for future releases.
OSSEC 2.7.1 soon to be released.
Planning for OSSEC 3.0 is underway.
OSSECCON 2013 will be held Thursday July 25th at Trend Micro's Cupertino office.
Please join us there!
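To show how alerts.log records like the two samples above are consumed downstream (by a SIEM collector or a paging filter), here is an added Python parser; it is not part of the deck or of OSSEC itself, and the sample text is constructed from the slides. It splits the records into their fields, pulls the changed path out of syscheck alerts, and filters by alert level.

```python
import re
from datetime import datetime

# Constructed sample input: the two alert records shown on the slides, laid out as
# OSSEC writes them to alerts.log (one blank line between records).
SAMPLE_ALERTS = """\
** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'

** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+): (?P<flags>\S+) - (?P<groups>\S+)$")
SOURCE_RE = re.compile(r"^(?P<when>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+?)->(?P<location>.+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
FILE_RE = re.compile(r"changed for: '(?P<path>[^']+)'")

def parse_alerts(text):
    """Split alerts.log text into records and extract the fields OSSEC writes."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        head, src, rule = HEADER_RE.match(lines[0]), SOURCE_RE.match(lines[1]), RULE_RE.match(lines[2])
        if not (head and src and rule):
            continue  # not a well-formed alert record: skip rather than guess
        payload = "\n".join(lines[3:])          # rule-specific detail lines
        changed = FILE_RE.search(payload)
        alerts.append({
            "timestamp": float(head["ts"]), "when": datetime.strptime(src["when"], "%Y %b %d %H:%M:%S"),
            "groups": [g for g in head["groups"].split(",") if g],  # trailing comma yields '' -> drop
            "host": src["host"], "location": src["location"],
            "rule_id": int(rule["id"]), "level": int(rule["level"]), "description": rule["desc"],
            "changed_file": changed["path"] if changed else None,   # only syscheck alerts carry it
            "payload": payload,
        })
    return alerts

def alerts_at_or_above(alerts, level):
    """Filter by OSSEC alert level, the usual first cut when deciding what to page on."""
    return [a for a in alerts if a["level"] >= level]
```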

OSSIM: Unified Open Source Security

Santiago González Bassett
[email protected]
@santiagobassett
AlienVault

About me

Developer, systems engineer, security administrator, consultant and researcher for the last 10 years.
Member of the OSSIM project team since its inception.
Implemented distributed open source security technologies in large enterprise environments for European and US companies.
http://santi-bassett.blogspot.com/
@santiagobassett

What is OSSIM?

OSSIM is the Open Source SIEM, GNU GPL version 3.0.
With over 195,000 downloads it is the most widely used SIEM in the world.
Created in 2003, it is developed and maintained by AlienVault and community contributors.
Provides Unified and Intelligent Security.
http://communities.alienvault.com/

Why OSSIM?

Because it provides security intelligence:
Discards false positives
Assesses the impact of an attack
Collaboratively learns about APT

Because it unifies security management:
Centralizes information
Integrates threat detection tools

OSSIM integrated tools

Assets: nmap, prads
Behavioral monitoring: fprobe, nfdump, ntop, tcpdump, nagios
Vulnerability assessment: osvdb, openvas
Threat detection: ossec, snort, suricata

OSSIM: +200 Collectors

OSSIM Architecture

(Diagram: Configuration & Management; Normalized Events.)

OSSIM: Anatomy of a collector

[apache-access]
event_type=event
regexp=((?P<src>\S+)(:(?P<port>\d{1,5}))? )?(?P<dst>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\" (?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_uri>.*)\" \"(?P<useragent>.*)\")?$
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}

(The named-group names inside regexp did not survive extraction; they are restored here from the field assignments that reference them, in the order the groups appear.)

Raw log:
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

OSSIM Reliability Assessment

(Diagram: Reliability.)

OSSIM Risk Assessment

RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25

Example values on the slide: Source and Destination; Event Priority = 2; Event Reliability = 10; Asset Value = 2 (source); Asset Value = 5 (destination).

OSSIM & OSSEC Integration

Web management interface
OSSEC alerts plugin
OSSEC correlation rules
OSSEC reports

OSSIM Deployment

OSSIM Attack Detection


OSSIM Demo Use Cases

Detection & Risk assessment: OTX, Snort NIDS, Logical Correlation, Vulnerability assessment, Asset discovery
Correlating Firewall logs: Cisco ASA plugin, Network Scan detection
Correlating Windows Events: OSSEC integration, Brute force attack detection


Thank you

Santiago González Bassett
[email protected]
@santiagobassett
AlienVault
