ossec in the enterprise - immutable security
Page 1
Michael Starks 2009 Immutable Security http://www.immutablesecurity.com
OSSEC in the Enterprise
Open Source Log Management, Analysis and Intrusion Detection
Rochester Security Summit, October 29, 2009
Michael Starks, CISSP, CISA, GSNA
Page 2
Agenda
What is OSSEC?
Log Analysis
Integrity Monitoring
Rootkit Detection
Policy Monitoring
Alerting
Active Response
OSSEC WebUI
Why OSSEC?
Risks & Countermeasures
Enterprise Considerations
Demo
Questions
Page 3
What is OSSEC?
OSSEC is an Open Source Host-based Intrusion Detection System. It performs log
analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting
and active response.
Source: http://www.ossec.net
Page 4
What is OSSEC?
Put another way...
OSSEC is security software that looks for bad stuff on the actual host
Page 5
Multi-Platform
Works on Windows and most Unix-like systems
Page 6
Centrally Managed
Client/server architecture
Almost everything can be managed from the OSSEC manager
Restart agents
Start integrity checks
Tune rules
Block attacks
Page 7
Single Installation
Manager and agent on one machine
Page 8
Distributed
Centralized manager and distributed agents
Page 9
Distributed
Multiple managers and multiple agents
Page 10
Redundant
Fail over to one or more managers
Page 11
Flexible and Extensible
Easily add support for custom applications
Integrate with commercial SIEMs
Analyze logs on existing syslog servers
Page 12
Secure by Default
Privilege separated processes
Chroot where possible
Secure programming practices
Encrypted message transport using IP restrictions and replay prevention
Page 13
Supported
Community
IRC: #OSSEC on Freenode
Mailing lists:
ossec-list
ossec-dev
www.ossec.net
Commercial
Trend Micro
OSSEC Host-Based Intrusion Detection Guide
Page 14
Fast and Efficient
Analyze millions of events per day
...in real-time
...using commodity hardware
Page 15
Extensive Application Support
Dozens of decoders and hundreds of rules out of the box
Unix PAM, sshd (OpenSSH), Solaris telnetd, Samba, su, sudo, ProFTPD, Pure-FTPd, vsftpd, Microsoft FTP server, Solaris ftpd, imapd, Postfix, Sendmail, vpopmail, Microsoft Exchange, Apache, IIS5, IIS6,
Horde IMP, iptables, IPF, PF, Netscreen, Cisco PIX/ASA/FWSM, Snort, Cisco IOS, Nmap, Symantec AV, Arpwatch, named, Squid,
Windows event logs, VMware
Page 16
Free
Open source
Budget friendly
Page 17
Log Analysis
The heart of OSSEC
Page 18
LIDS
Log-based Intrusion Detection
Not a log management tool
Analyzes (but does not store) every log
Page 19
A Slight Detour
What if the attacker deletes the logs?
Will you have all the pieces of the puzzle?
Robust log management strategies help OSSEC do its job
Page 20
Log Management
Corporate policy should define the need for logging
Page 21
Log Management
Corporate standards should define system audit settings, such as:
What to audit
Frequency of log rotation
Log format
Method of communication
Page 22
Log Management
Logs should, wherever possible, be converted from a proprietary format to a standardized
and normalized format (e.g. syslog)
Page 23
Log Management
Logs should be centralized and stored on a hardened, purpose-specific server, with no unnecessary or unrelated services running
Page 24
Log Management
Systems should be synchronized with a common, trusted time source
Page 25
Log Management
Logs contain sensitive information and should be encrypted in transit wherever possible
Page 26
Log Management
A copy of each log should be available both locally and centrally
In the event of a compromise, the trusted log server can be compared with the local logs
Page 27
Log Management
Logs should be maintained online and archived offline according to
regulatory or policy requirements
Page 28
Log Management
Access to logs should be on a need-to-know and least-privileged basis
Page 29
Log Management
Access to logs should always be read-only
Page 30
Log Flow Through OSSEC
Tree-like structure:
Log enters system -> Pre-decode -> Decode -> Analysis -> Alert
Page 31
Log Enters System
Secure (encrypted)
Insecure (syslog)
Localhost
Page 32
Pre-Decoding and Decoding
Extracts individual parts of the log and places them into “buckets”
Useful later on when writing rules
user -> Bob
src_ip -> 172.16.3.4
id -> 528
url -> nsa.gov
Page 33
SSHd Log Pre-Decoded
Extracts known fields from logs (e.g. time)
Compiled in for efficiency
Log comes in as:
Apr 14 17:32:06 hostname sshd[1025]:
OSSEC pre-decodes it as:
time/date -> Apr 14 17:32:06
hostname -> hostname
program_name -> sshd
Page 34
SSHd Log Fully Decoded
Log comes in as:
Apr 14 17:32:06 hostname sshd[1025]: Accepted password for root from 192.168.2.190 port 1618 ssh2
OSSEC decodes it as:
Pre-decoded:
time/date -> Apr 14 17:32:06
hostname -> hostname
program_name -> sshd
Decoded:
log -> Accepted password for root from 192.168.2.190 port ...
srcip -> 192.168.2.190
user -> root
Page 35
SSHd Log Decoder
<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>

<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
</decoder>
Will there be a test?
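An added example, not code from the slides or from OSSEC itself: a small Python model of the pre-decode and decode stages above, with the slide's two decoders translated into Python regular expressions. OSSEC's own regex dialect and decoder loader are not used, and the field names (timestamp, hostname, program_name, log) are this model's; it assumes the syslog line layout shown on the slides.

```python
import re

# Pre-decoder: the syslog header that OSSEC parses with compiled-in code.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<log>.*)$"
)

# Decoder table transcribed from the slide's two <decoder> entries.
DECODERS = [
    {"name": "sshd", "parent": None,
     "program_name": re.compile(r"^sshd"),
     "prematch": None, "regex": None, "order": []},
    {"name": "sshd-success", "parent": "sshd",
     "program_name": None,
     "prematch": re.compile(r"^Accepted"),
     # offset="after_prematch": the regex runs on the text after "Accepted"
     "regex": re.compile(r"^ \S+ for (\S+) from (\S+) port "),
     "order": ["user", "srcip"]},
]


def pre_decode(line):
    """Split off timestamp, hostname and program name; the rest is 'log'."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"log": line}          # unknown layout: the whole line is the log
    fields = m.groupdict()
    del fields["pid"]                 # the pid is not one of the decoded buckets
    return fields


def decode(line):
    """Walk the decoder tree and return the event with its filled buckets."""
    event = pre_decode(line)
    event["decoder"] = None
    for d in DECODERS:
        if d["parent"] is not None and event["decoder"] != d["parent"]:
            continue                  # a child decoder needs its parent to match first
        if d["program_name"] is not None:
            if d["program_name"].search(event.get("program_name", "")):
                event["decoder"] = d["name"]
            continue                  # the parent only names the log source
        m = d["prematch"].search(event["log"])
        if not m:
            continue
        m2 = d["regex"].search(event["log"][m.end():])
        if not m2:
            continue
        event["decoder"] = d["name"]
        for bucket, value in zip(d["order"], m2.groups()):
            event[bucket] = value     # e.g. user -> root, srcip -> 192.168.2.190
    return event


if __name__ == "__main__":
    # The line from the slide, constructed here as sample input.
    sample = ("Apr 14 17:32:06 hostname sshd[1025]: "
              "Accepted password for root from 192.168.2.190 port 1618 ssh2")
    for k, v in decode(sample).items():
        print(f"{k} -> {v}")
```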
Page 36
Analysis (Rules)
Rules are also called signatures
Simple XML files on the manager
Independent of original log format
Page 37
Two Types of Rules
Atomic: single event
Bob mistyped his password once
Composite: multiple events across logs
Bob mistyped his password 3,561 times in 3 minutes
on 16 different systems
Page 38
That Looks Suspicious
I know Bob forgets his password, but...
Page 39
Rules
Rules pick up where decoders leave off
Instead of writing rules for raw logs, they can be written to normalized data
(e.g. “Bob” is a “user”)
Data flows through the tree until a rule matches or doesn't match
Page 40
Rules
Severity-based: levels 0 (low) to 15 (high)
Nest multiple rules for granular control
Rule groups further normalize data
● web_scan
● firewall_drop
● account_changed
● ...
Page 41
Simplest Rule
If the log was decoded as SSHd, generate rule 111
Not very useful yet
<rule id="111" level="5">
  <decoded_as>sshd</decoded_as>
  <description>Logging every decoded sshd message</description>
</rule>
Page 42
Dependent Rule
If rule 111 matched and the log contains “Failed Password”
set the severity (level) to 7 and the group to “authentication_failed”
<rule id="122" level="7">
  <if_sid>111</if_sid>
  <match>^Failed password</match>
  <description>Failed password attempt</description>
  <group>authentication_failed</group>
</rule>
Page 43
2nd Dependent Rule
If rule 122 matched and it's that pesky Bob
Raise the severity (level) to 12
<rule id="133" level="12">
  <if_sid>122</if_sid>
  <user>Bob</user>
  <description>That pesky Bob again</description>
</rule>
Page 44
In Other Words
Put another way...
Record all events decoded as SSHd
Alert at level 7 on every authentication failure
If the user is Bob, raise the alert level to 12
Page 45
Wait a Minute
What if Bob has 3,561 login failures again?
Page 46
Wait a Minute
What if his login failures aren't just through SSH?
Page 47
Revised Rule Thoughts
Alert me if Bob has a few authentication failures in a short time, from anywhere,
but don't flood me with alerts
Page 48
Revised Rule for Bob
Let's try that last rule again
<rule id="133" level="12" frequency="10" timeframe="300" ignore="60">
  <if_matched_group>authentication_failed</if_matched_group>
  <user>Bob</user>
  <description>Bob is acting up</description>
</rule>
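An added example, not code from the slides or from OSSEC: a simplified Python model of the rule chain 111 -> 122 -> 133 as revised above, showing how frequency, timeframe and ignore turn many atomic level-7 alerts into one level-12 composite alert and then a quiet period. Real OSSEC's counting and tree walk have more subtleties; this model counts the matching events itself and fires on the frequency-th event within the timeframe, keyed per user. Events are assumed to arrive already decoded, with an epoch-seconds "ts" field added for the model.

```python
import re
from collections import defaultdict, deque

# Rules transcribed from the slides; <match> regexes translated to Python.
RULES = [
    {"id": 111, "level": 5, "decoded_as": "sshd"},
    {"id": 122, "level": 7, "if_sid": 111,
     "match": re.compile(r"^Failed password"), "group": "authentication_failed"},
    {"id": 133, "level": 12, "if_matched_group": "authentication_failed",
     "user": "Bob", "frequency": 10, "timeframe": 300, "ignore": 60},
]


class RuleEngine:
    def __init__(self, rules):
        self.atomic = [r for r in rules if "if_matched_group" not in r]
        self.composite = [r for r in rules if "if_matched_group" in r]
        self.history = defaultdict(deque)   # (rule id, user) -> recent match times
        self.ignore_until = {}              # (rule id, user) -> time alerts resume

    def _atomic(self, event):
        """Walk the tree in order; the deepest matching rule wins."""
        matched = None
        for r in self.atomic:
            if "decoded_as" in r and event.get("decoder") != r["decoded_as"]:
                continue
            if "if_sid" in r and (matched is None or matched["id"] != r["if_sid"]):
                continue
            if "match" in r and not r["match"].search(event["log"]):
                continue
            matched = r
        return matched

    def _composite(self, event, matched):
        """Count matches of the parent's group and fire when frequency is hit."""
        groups = matched.get("group", "").split(",")
        for r in self.composite:
            if r["if_matched_group"] not in groups:
                continue
            if "user" in r and event.get("user") != r["user"]:
                continue
            key = (r["id"], event.get("user"))
            hist = self.history[key]
            hist.append(event["ts"])
            while hist and event["ts"] - hist[0] > r["timeframe"]:
                hist.popleft()              # drop matches older than timeframe
            if len(hist) < r["frequency"]:
                continue
            hist.clear()                    # start counting afresh after a fire
            if event["ts"] < self.ignore_until.get(key, 0):
                continue                    # inside the ignore window: stay quiet
            self.ignore_until[key] = event["ts"] + r["ignore"]
            return r
        return None

    def process(self, event):
        """Return the rule that alerts for this event, or None if nothing matched."""
        matched = self._atomic(event)
        if matched is None:
            return None
        fired = self._composite(event, matched)
        return fired if fired is not None else matched


def failed_login(user, ts):
    """Constructed sample event: an sshd failure already decoded into buckets."""
    return {"decoder": "sshd", "user": user, "ts": ts,
            "log": f"Failed password for {user} from 10.0.0.5 port 2222 ssh2"}
```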
Page 49
Rule Examples
Other interesting rules
Page 50
Attack Followed by Account
<group name="syslog,elevation_of_privilege,">
  <rule id="40501" level="15" timeframe="300" frequency="2">
    <if_group>adduser</if_group>
    <if_matched_group>attacks</if_matched_group>
    <description>Attacks followed by the addition of an user.</description>
  </rule>
</group>
Page 51
Really Long URL
<rule id="31115" level="13" maxsize="2900">
  <if_sid>31100</if_sid>
  <description>URL too long. Higher than allowed on most browsers. Possible attack.</description>
  <group>invalid_access,</group>
</rule>
Page 52
Multiple Windows Errors
<rule id="18154" level="10" frequency="$MS_FREQ" timeframe="240">
  <if_matched_sid>18103</if_matched_sid>
  <description>Multiple Windows error events.</description>
</rule>
Page 53
Windows Application Installed
<rule id="18147" level="5">
  <if_sid>18101</if_sid>
  <id>^11707</id>
  <options>alert_by_email</options>
  <description>Application Installed.</description>
</rule>
Page 54
Windows Audit Policy Changed
<rule id="18113" level="8">
  <if_sid>18104</if_sid>
  <id>^612|^643|^4719|^4907|^4912</id>
  <description>Windows Audit Policy changed.</description>
  <group>policy_changed,</group>
</rule>
Page 55
Virus Found, Not Removed
<rule id="7504" level="12">
  <if_sid>7500</if_sid>
  <regex>$MCAFEE_VIRUS</regex>
  <group>virus</group>
  <description>McAfee Windows AV - Virus detected and not removed.</description>
</rule>
Page 56
Integrity Monitoring
Keeping a Known Good State
Page 57
File Integrity
SHA-1 and MD5 of critical system files and registry keys
Performed in real-time or on a schedule
Auto-ignores files that change too often
Page 58
File Integrity
Also checks owner, group, permissions
Hashes forwarded to manager for safe keeping (excellent for forensics)
Use the full power of rules to manage alerts (e.g. alert only on changes outside the patch window)
Page 59
World Writable File
OSSEC HIDS Notification.
2009 Oct 21 12:02:27
Received From: hostname->syscheck
Rule: 100018 fired (level 7) -> "World Writable File"
Portion of the log(s):
Integrity checksum changed for: '/etc/httpd/conf/httpd.conf'
Permissions changed from 'rw-------' to 'rw-r--rw-'
--END OF NOTIFICATION
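An added example, not code from the slides or from OSSEC's syscheck: a miniature Python integrity checker for the behaviour described on the last few slides. It records SHA-1, MD5, owner, group and permissions of each monitored file, reports what changed on the next run, stops alerting after the third change to the same file (the "auto-ignore" behaviour), and raises the slide's custom "World Writable File" alert (rule 100018) when the others-write bit appears. It assumes a POSIX host and the stock OSSEC rule ids 550/551/552 for the first, second and third change; the demo works on a file it creates in a temporary directory, standing in for /etc/httpd/conf/httpd.conf.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(path):
    """Hashes and metadata OSSEC's syscheck keeps for one file."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        data = f.read()
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest(),
            "uid": st.st_uid, "gid": st.st_gid,
            "perm": stat.filemode(st.st_mode)[1:]}   # e.g. 'rw-------'


class SysCheck:
    MAX_CHANGES = 3          # slides: files that change too often are auto-ignored
    TITLES = {1: "Integrity checksum changed.",
              2: "Integrity checksum changed again (2nd time).",
              3: "Integrity checksum changed again (3rd time)."}

    def __init__(self, paths):
        self.paths = list(paths)
        self.base = {p: snapshot(p) for p in self.paths}   # the "known good state"
        self.changes = {p: 0 for p in self.paths}

    def run(self):
        """Re-scan and return (path, rule_id, level, message) alerts."""
        alerts = []
        for p in self.paths:
            old, new = self.base[p], snapshot(p)
            details = []
            if (old["sha1"], old["md5"]) != (new["sha1"], new["md5"]):
                details.append(f"Old sha1: {old['sha1']} / New sha1: {new['sha1']}")
            if old["perm"] != new["perm"]:
                details.append(f"Permissions changed from '{old['perm']}' to '{new['perm']}'")
            if (old["uid"], old["gid"]) != (new["uid"], new["gid"]):
                details.append(f"Ownership changed from {old['uid']}:{old['gid']} "
                               f"to {new['uid']}:{new['gid']}")
            if not details:
                continue
            self.base[p] = new
            self.changes[p] += 1
            n = self.changes[p]
            if n > self.MAX_CHANGES:
                continue                     # too noisy: ignored from now on
            msg = f"{self.TITLES[n]}\nIntegrity checksum changed for: '{p}'\n" + "\n".join(details)
            alerts.append((p, 550 + n - 1, 7, msg))
            # Custom local rule from the slide: perm change that opens others-write.
            if new["perm"][-2] == "w" and old["perm"][-2] != "w":
                alerts.append((p, 100018, 7, "World Writable File"))
        return alerts


def demo():
    """Replay the slides' scenario on a constructed file; returns one alert list per run."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "httpd.conf")
        with open(conf, "w") as f:
            f.write("ServerName www.example.com\n")
        os.chmod(conf, 0o600)
        sc = SysCheck([conf])
        runs = []
        os.chmod(conf, 0o646)                # 1st change: now world writable
        runs.append(sc.run())
        os.chmod(conf, 0o600)                # 2nd change: fixed again
        runs.append(sc.run())
        with open(conf, "a") as f:           # 3rd change: content edited
            f.write("# edited\n")
        runs.append(sc.run())
        with open(conf, "a") as f:           # 4th change: silently ignored
            f.write("# edited again\n")
        runs.append(sc.run())
        return runs
```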
Page 60
No Longer World Writable
OSSEC HIDS Notification.
2009 Oct 21 12:05:11
Received From: hostname->syscheck
Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
Portion of the log(s):
Integrity checksum changed for: '/etc/httpd/conf/httpd.conf'
Permissions changed from 'rw-r--rw-' to 'rw-------'
--END OF NOTIFICATION
Page 61
Agentless Integrity
Periodic diff of firewalls and routers
Checksum and diff of remote 'nix systems
It's nice to know something changed, but what?
An agentless check of /etc/passwd shows what changed
Page 62
Agentless Alerts
OSSEC HIDS Notification.
2009 May 14 16:32:20
Received From: (ssh_pixconfig_diff) [email protected]->agentless
Rule: 555 fired (level 7) -> "Integrity checksum for agentless device changed."
Portion of the log(s):
ossec: agentless: Change detected:
206a207
> port-object eq 4241
556c557
...
Page 63
Rootkit Detection
Exposing the Hidden
Page 64
Unix Rootkit Detection
Signature and anomaly-based
Signatures automatically sent to agents
Can be run stand-alone
Page 65
Signature Method
Signatures for Adore, Knark, LOC, etc
Attempts to stat, fopen and opendir each specified file
Some rootkits don't fully hide themselves
Page 66
Anomaly Method
Detects known and unknown rootkits
Files in /dev which aren't device files
“Unusual” files (hidden directories, files owned by root which are world-writable)
Page 67
Anomaly Method
Running processes hidden from “ps”
Listening ports hidden from “netstat”
Promiscuous interfaces hidden from “ifconfig”
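An added example, not code from the slides or from OSSEC's rootcheck: a small Python anomaly scanner for three of the file-system conditions listed on the two Anomaly Method slides (regular files sitting in /dev, directory or file names made only of dots and spaces like the '/ /... /' path in the rootcheck alert that follows, and world-writable regular files owned by a trusted uid). The hidden-process and hidden-port checks are not modelled. It assumes a POSIX host; the demo builds its own fake /dev and /tmp under a temporary directory and uses the current uid in place of root, so nothing on the real system is touched.

```python
import os
import stat
import tempfile


def suspicious_name(name):
    """True for names made only of dots and spaces (e.g. '. ', '... ', ' ')."""
    return name.strip(". ") == "" and name not in (".", "..")


def scan(dev_dir, search_roots, trusted_uid=0):
    """Return (kind, path) findings for the three anomaly conditions."""
    findings = []
    # 1. /dev should hold device nodes, not regular files.
    for root, _dirs, files in os.walk(dev_dir):
        for name in files:
            p = os.path.join(root, name)
            if stat.S_ISREG(os.lstat(p).st_mode):
                findings.append(("non-device file in dev", p))
    # 2./3. Hidden names and world-writable files owned by the trusted uid.
    for top in search_roots:
        for root, dirs, files in os.walk(top):
            for name in dirs + files:
                p = os.path.join(root, name)
                if suspicious_name(name):
                    findings.append(("hidden dot/space name", p))
                st = os.lstat(p)
                if (stat.S_ISREG(st.st_mode) and st.st_uid == trusted_uid
                        and st.st_mode & stat.S_IWOTH):
                    findings.append(("world-writable file owned by trusted uid", p))
    return findings


def demo():
    """Constructed tree: one finding of each kind plus benign entries."""
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "dev")
        os.mkdir(dev)
        os.mkfifo(os.path.join(dev, "initctl"))        # not a regular file: benign
        with open(os.path.join(dev, "stray.dat"), "w") as f:
            f.write("x")                               # regular file in dev: flagged
        tmp = os.path.join(d, "tmp")
        os.mkdir(tmp)
        os.mkdir(os.path.join(tmp, "... "))            # dot/space directory: flagged
        script = os.path.join(tmp, "script.sh")
        with open(script, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(script, 0o666)                        # world-writable, our uid: flagged
        normal = os.path.join(tmp, "normal.txt")
        open(normal, "w").close()
        os.chmod(normal, 0o644)                        # benign
        return scan(dev, [tmp], trusted_uid=os.getuid())
```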
Page 68
Rootcheck Alert
OSSEC HIDS Notification.
2009 Oct 06 17:45:17
Received From: XXXX->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):
Rootkit 'Suspicious' detected by the presence of file '/var/www/vhosts/YYYY.com/httpdocs/language/lang_english/ /... /.log'.
--END OF NOTIFICATION
Source: http://www.void.gr/kargig/blog/2009/10/06/ossec-to-the-rescue/
Page 69
Windows Rootkit Detection
Not as advanced as Unix-based detection
Alternate data streams
(Files hidden within files)
Page 70
Policy Monitoring
Detect Insecure Conditions
Page 71
Policy Monitoring
Is your system configured securely?
Identify situations that can lead to a breach
Benchmark system against CIS standard or create your own
Page 72
Policy Monitoring
File, registry setting, or process exists or does not exist
Combine values with logical AND/OR
Is anti-virus installed but not running?
Page 73
Policy Monitoring
Has the host firewall been disabled?
Is LanMan authentication allowed?
*Does not alert by default
Page 74
Alerting
Getting Notified
Page 75
Alerting
E-mail, syslog and database output
Built-in e-mail flood protection
Send alerts to different teams based on granular rules, severity or group
Page 76
Alerting
On second thought, maybe it wasn't Bob who tried to log in to his account
Someone should get a page if this happens again
Page 77
Can't Miss the Game
What if it's the weekend and I'm watching the game?
Page 78
Alerting
That someone should be Henry, the Jr. Security Analyst
What a wonderful opportunity for “professional development”
Page 79
Alerting
Create another rule without restricting it to Bob, which will only fire on the weekends
<rule id="144" level="12" frequency="10" timeframe="300" ignore="60">
  <if_matched_group>authentication_failed</if_matched_group>
  <weekday>Saturday,Sunday</weekday>
  <description>Multiple Weekend Authentication Failures</description>
</rule>
Page 80
Alerting
Followed by an alert configuration in ossec.conf
<email_alerts>
  <email_to>[email protected]</email_to>
  <rule_id>144</rule_id>
  <format>sms</format>
</email_alerts>
Page 81
Alerting
Syslog or database output easily integrated with commercial SIEMs
Use OSSEC for the analysis
Use the SIEM GUI for advanced correlation
Page 82
Rule Examples
Other interesting alerts
Excessive Events
OSSEC HIDS Notification. 2009 Oct 21 04:31:50
Received From: hostname->/var/log/httpd/error_log
Rule: 11 fired (level 8) -> "Excessive number of events (above normal)."
Portion of the log(s):
The average number of logs between 4:00 and 5:00 is 936. We reached 1218.
First-Time Login
OSSEC HIDS Notification. 2009 Oct 22 11:24:34
Received From: hostname->/var/log/secure
Rule: 10100 fired (level 4) -> "First time user logged in."
Portion of the log(s):
Oct 22 11:24:33 hostname sshd[2998]: Accepted password for kevin_mitnick from 12.174.169.111 port 52387 ssh2
First Sudo Attempt
OSSEC HIDS Notification. 2009 Oct 22 11:27:49
Received From: hostname->/var/log/secure
Rule: 5403 fired (level 4) -> "First time user executed sudo."
Portion of the log(s):
Oct 22 11:27:49 hostname sudo: kevin_mitnick : user NOT in sudoers ; TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/su -
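The three notifications above share one layout, which is what makes them easy to feed into a ticketing system or a SIEM without the WebUI. The parser below is an added example, not code from the presentation or from the OSSEC project: it turns a dump of such notifications into records and filters them by severity. The sample text is constructed; the first three alerts are the ones on the slides, the fourth is an assumed alert relayed from an agent named "web01", included to exercise the "(agent) ip->file" form of the Received From line.

```python
"""Parse OSSEC HIDS e-mail notifications into structured records.

Added example, not code from the presentation or the OSSEC project. The
SAMPLE_ALERTS text is constructed: three notifications are the slides' alerts
laid out as ossec-maild formats a message; the fourth is an assumed alert
relayed from an agent named "web01" to show the "(agent) ip->file" form.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER = "OSSEC HIDS Notification."
END_MARKER = "--END OF NOTIFICATION"
LOG_MARKER = "Portion of the log(s):"
REQUIRED = {"source", "location", "rule_id", "level", "description"}

SAMPLE_ALERTS = """\
OSSEC HIDS Notification.
2009 Oct 21 04:31:50
Received From: hostname->/var/log/httpd/error_log
Rule: 11 fired (level 8) -> "Excessive number of events (above normal)."
Portion of the log(s):
The average number of logs between 4:00 and 5:00 is 936. We reached 1218.
 --END OF NOTIFICATION

OSSEC HIDS Notification.
2009 Oct 22 11:24:34
Received From: hostname->/var/log/secure
Rule: 10100 fired (level 4) -> "First time user logged in."
Portion of the log(s):
Oct 22 11:24:33 hostname sshd[2998]: Accepted password for kevin_mitnick from 12.174.169.111 port 52387 ssh2
 --END OF NOTIFICATION

OSSEC HIDS Notification.
2009 Oct 22 11:27:49
Received From: hostname->/var/log/secure
Rule: 5403 fired (level 4) -> "First time user executed sudo."
Portion of the log(s):
Oct 22 11:27:49 hostname sudo: kevin_mitnick : user NOT in sudoers ; TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/su -
 --END OF NOTIFICATION

OSSEC HIDS Notification.
2009 Oct 22 11:30:02
Received From: (web01) 10.0.0.5->/var/log/secure
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):
Oct 22 11:30:01 web01 sshd[4410]: Failed password for invalid user admin from 12.174.169.111 port 40022 ssh2
Oct 22 11:30:00 web01 sshd[4408]: Failed password for invalid user admin from 12.174.169.111 port 40020 ssh2
 --END OF NOTIFICATION
"""

# "hostname->file" for events seen on the manager, "(agent) ip->file" for relayed ones.
FROM_RE = re.compile(r"^Received From: (?:\((?P<agent>[^)]*)\) )?(?P<source>.+?)->(?P<location>.+)$")
RULE_RE = re.compile(r'^Rule: (\d+) fired \(level (\d+)\) -> "(.*)"$')


@dataclass
class Alert:
    timestamp: str
    source: str                 # manager host name, or the agent's IP
    location: str               # log file the event was read from
    rule_id: int
    level: int
    description: str
    agent: Optional[str] = None
    log_lines: List[str] = field(default_factory=list)


def parse_notifications(text: str) -> List[Alert]:
    """Split a dump of notifications on the header line and parse each one."""
    alerts: List[Alert] = []
    for chunk in text.split(HEADER)[1:]:
        lines = chunk.strip("\n").splitlines()
        timestamp, fields, log_lines, in_log = lines[0].strip(), {}, [], False
        for raw in lines[1:]:
            line = raw.strip()
            if in_log:                      # everything after the marker is log text
                if line == END_MARKER:
                    break
                if line:
                    log_lines.append(line)
                continue
            m = FROM_RE.match(line)
            if m:
                fields.update(m.groupdict())
            elif (m := RULE_RE.match(line)):
                fields["rule_id"], fields["level"], fields["description"] = int(m[1]), int(m[2]), m[3]
            elif line == LOG_MARKER:
                in_log = True
        missing = REQUIRED - set(fields)
        if missing:                         # refuse half-parsed alerts rather than guess
            raise ValueError(f"malformed notification at {timestamp}: missing {sorted(missing)}")
        alerts.append(Alert(timestamp=timestamp, log_lines=log_lines, **fields))
    return alerts


def at_or_above(alerts: List[Alert], level: int) -> List[Alert]:
    """Alerts that cross a severity threshold, e.g. the one that triggers active response."""
    return [a for a in alerts if a.level >= level]
```

Feeding the same records into a database or a GUI is what makes the daily pattern behind an alert (the FTP lockout at 4:15 AM mentioned later in the deck) visible, because the per-rule and per-source counts are right there in the parsed fields.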
Active Response
Preventing Breaches
Active Response
Attackers follow common patterns
1. Reconnaissance
2. Scan
3. Exploit
OSSEC can often prevent breaches by detecting attacks in the early stages
Active Response
Not an IPS, but effective
Active Response
Time-based security implementation
Protection time (P) should be greater than the sum of detection time (D) and reaction time (R)
P > (D + R)
This is good!
Active Response
If severity > 6, add the attacker's IP to the host firewall for 10 minutes
Or the perimeter firewall...
Or disable an account...
Or shut down the system...
Active Response
Execute responses on the manager, one particular agent, a firewall or everywhere
Worldwide?
OSSEC WebUI
A Face to OSSEC
Benefits of GUIs
GUI interfaces allow you to see trends and patterns over time
FTP account gets locked out every day at 4:15 AM
What alerts does OSSEC think aren't worthy of an e-mail?
OSSEC WebUI
Other GUI Options
Other options include:
Splunk
OSSIM
Picviz
Why OSSEC?
PCI DSS 1.2
10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
PCI DSS 1.2
10.6 Review logs for all system components at least daily...
...Note: Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6
Closing the NIDS Circle
Network-based IDS
Only half the picture
Closing the NIDS Circle
Host-based IDS
The other half
Closing the NIDS Circle
Network and Host-based IDS
A new level of insight into your environment
Closing the NIDS Circle
Of course, OSSEC reads NIDS logs
Forensics
Everything is forwarded to the manager for analysis and possible storage
Attackers like to delete logs
Policy Compliance
How do you know your systems are still hardened?
Are admins logging in with unique accounts?
Is anti-virus running?
Keep Employees Honest
Insider threats cost companies millions per year
Employees who know their activities are monitored tend to be more honest
Budget
OSSEC can be used for free
Risks & Countermeasures
Mass Deployment
Deploying a large number of agents is challenging
Each agent uses a unique key
How can a single package be created?
Active Response
Attackers who know Active Response is in use may try to use that to their advantage
IPs can be spoofed, thereby triggering an incorrect response
Alert Flooding
You have 6,972 new messages!
Will you read them all?
Log Injection
An attacker exploits poorly written regular expressions to bypass rules

root@slacker:~# ftp 192.168.3.4
220 Welcome to labs ossec candy FTP service.
Name (192.168.2.3:root): lala] FAIL LOGIN: Client "2.3.4.54"

Normal log:
Mon Jun 2 21:05:30 2007 [pid 1448] [myuser] FAIL LOGIN: Client "192.168.3.1"

Log injection:
Mon Jun 2 21:06:02 2007 [pid 1452] [lala] FAIL LOGIN: Client "2.3.4.54" ] FAIL LOGIN: Client "192.168.3.1"
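The injected line above, replayed through a loose and a tight pattern. This is an added example, not from the presentation and not OSSEC's own vsftpd decoder (OSSEC decoders are written in its os_regex syntax; Python's re stands in for it here). The two log lines are the slide's, with the quote characters normalised; the patterns and function names are assumptions made for the illustration. It also shows the "tight regular expressions" countermeasure the deck lists later.

```python
"""Log injection against a loose and a tight decoder pattern.

Added example, not from the presentation and not OSSEC's vsftpd decoder.
The two vsftpd lines are transcribed from the slide; "lala" is the user name
the attacker typed, with a fake log fragment appended to it.
"""
import re
from typing import Optional, Tuple

NORMAL = 'Mon Jun  2 21:05:30 2007 [pid 1448] [myuser] FAIL LOGIN: Client "192.168.3.1"'
INJECTED = ('Mon Jun  2 21:06:02 2007 [pid 1452] [lala] FAIL LOGIN: Client "2.3.4.54" '
            '] FAIL LOGIN: Client "192.168.3.1"')

IPV4 = r'(?:\d{1,3}\.){3}\d{1,3}'

# Loose: the first "FAIL LOGIN" fragment anywhere in the line wins. The
# attacker controls the user field, so the attacker controls that fragment.
LOOSE = re.compile(r'\[(\S+)\] FAIL LOGIN: Client "(\S+)"')

# Tight: the whole line must have the shape vsftpd writes, the user field
# may not contain ']' and the client field must be an IPv4 address that is
# immediately followed by end of line.
TIGHT = re.compile(
    r'^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} \[pid \d+\] '
    r'\[([^\]]*)\] FAIL LOGIN: Client "(' + IPV4 + r')"$'
)

# End-anchored: vsftpd appends the real client address last, so anchoring on
# end of line recovers it even from the injected line.
END_ANCHORED = re.compile(r'FAIL LOGIN: Client "(' + IPV4 + r')"$')

Decoded = Optional[Tuple[str, str]]  # (user, client ip) or None if no match


def decode_loose(line: str) -> Decoded:
    m = LOOSE.search(line)
    return (m.group(1), m.group(2)) if m else None


def decode_tight(line: str) -> Decoded:
    m = TIGHT.match(line)
    return (m.group(1), m.group(2)) if m else None


def real_client_ip(line: str) -> Optional[str]:
    m = END_ANCHORED.search(line)
    return m.group(1) if m else None


def srcip_for_response(line: str) -> Optional[str]:
    """Address an active response may act on: None when the line does not
    fit the known format, so the caller raises its own alert instead of
    blocking whatever address the attacker wrote into the user field."""
    decoded = decode_tight(line)
    return decoded[1] if decoded else None
```

With the loose pattern, active response is handed 2.3.4.54, the address the attacker typed into the user name field, and blocks a bystander. The tight pattern refuses the injected line outright, which is the right outcome: a line from a daemon whose format you know, that does not fit that format, is itself worth an alert. Anchoring on end of line recovers the genuine client only because vsftpd writes the client address after the attacker-controlled field; do not rely on that for formats where the untrusted field comes last.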
Risk Countermeasures
E-mail flooding: by default, OSSEC will only send 12 alerts per hour, queuing the rest until the next hour
Active Response: response timeout; IP whitelists
Log Injection: tight regular expressions
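As an added example (not from the presentation), the ossec.conf fragments that implement the Active Response slide's policy, "if severity > 6, add the attacker's IP to the host firewall for 10 minutes", together with the two countermeasures listed above: a response timeout, so a spoofed trigger only costs ten minutes of lost connectivity, and an IP whitelist, so critical addresses can never be blocked no matter what a log line claims. The element names and the firewall-drop.sh script are OSSEC's own; the whitelisted addresses are assumed.

```xml
<ossec_config>
  <!-- The response: firewall-drop.sh ships with OSSEC in
       /var/ossec/active-response/bin and is handed the decoded source IP. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- The trigger: any alert of level 7 or higher (severity > 6) blocks the
       source IP on the host that saw the event. The timeout, in seconds,
       makes the block expire after 10 minutes. Other locations from the
       slides: "server" runs on the manager, "defined-agent" plus
       <agent_id>003</agent_id> on one agent, "all" everywhere. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>

  <!-- The whitelist: addresses that must never be blocked, regardless of
       what a spoofed packet or an injected log line claims. The addresses
       here are assumed examples (loopback and the default gateway). -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.2.1</white_list>
  </global>
</ossec_config>
```

The whitelist should include every address a spoofed or injected source IP could be chosen to impersonate to hurt you: the manager, DNS, the gateway, monitoring hosts. Without it, the log injection on the previous slide is a denial-of-service primitive against whichever host the attacker names.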
Enterprise Considerations
Define the Problem
What problem are you trying to solve?
What are your primary drivers?
What are the obstacles?
Codify in Policy
Explicitly state the need in policy
Set Requirements
Requirements are a measure of success
Define the Scope
Will you monitor all systems?
What is the budget?
What is the time-frame?
Make a Decision
Is OSSEC a good fit?
Don't design a solution looking for a problem!
Plan, Do, Check, Act
Plan your OSSEC rollout
Do the actual rollout
Check the requirements against the rollout
Act on the lessons learned
Demo
Summary
OSSEC can add a new level of insight into your environment
Only use OSSEC if it fits a need
If you do use OSSEC, contribute your decoders, rules and lessons learned back to the community!
Questions?
Acknowledgements
Daniel B. Cid, OSSEC creator
Trend Micro
Rochester Security Summit
OSSEC AusCERT presentation
Image Credits
Agenda: http://www.sxc.hu/photo/807162
Question mark: http://www.sxc.hu/photo/1147438
Tree: http://www.sxc.hu/photo/1195970
Vintage Mac: http://www.sxc.hu/photo/1028528
Rubber band ball: http://www.sxc.hu/photo/168735
Padlock: http://www.sxc.hu/photo/865986
Fast car: http://www.sxc.hu/photo/1081680
Cardboard box: http://www.sxc.hu/photo/1036068
Jumping man: http://www.sxc.hu/photo/1212299
Camera lid: http://www.sxc.hu/photo/450946
Buckets: http://www.sxc.hu/photo/807354
Ruler: http://www.sxc.hu/photo/1010158
Bob: http://www.sxc.hu/photo/912662
OSSEC WUI: http://www.ossec.net/dcid/?p=29
Road sign: http://www.sxc.hu/photo/1157986

The following images were used under fair use provisions of US copyright and trademark law:
Logos: Windows, Tux, FreeBSD, PCI and AIX
OSSEC WebUI screenshots
Image Credits
Files in basket: http://www.sxc.hu/photo/456727
Potato: http://www.sxc.hu/photo/1132394
Paper stack: http://www.sxc.hu/photo/251979
Old phone: http://www.sxc.hu/photo/1146563
Little guy and stop sign: http://www.sxc.hu/photo/1197499
Fence: http://www.sxc.hu/photo/1044635
Clock: http://www.sxc.hu/photo/1026820
Retro TV: http://www.sxc.hu/photo/981522
Sunglasses: http://www.sxc.hu/photo/621374
Happy face: http://www.sxc.hu/photo/1147441
Thumb print: http://www.sxc.hu/photo/1231735
Fist: http://www.sxc.hu/photo/621374
Money symbol: http://www.sxc.hu/photo/983478
Crowd: http://www.sxc.hu/photo/893433
E-mail: http://www.sxc.hu/photo/1102040
Red cross: http://www.sxc.hu/photo/971655
Text Credits
“Attacking Log Analysis Tools,” Daniel B. Cid: http://www.ossec.net/main/attacking-log-analysis-tools
“OSSEC at AusCERT,” Daniel B Cid: http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
Presentation LicenseThis presentation is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 license. The license does not extend to images, which hold their own copyrights attributed to various authors.
You are free:
to Share — to copy, distribute and transmit the work
to Remix — to adapt the work
Under the following conditions:
Attribution — You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work).
Noncommercial — You may not use this work for commercial purposes.
Share Alike — If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
With the understanding that:
Waiver — Any of the above conditions can be waived if you get permission from the copyright holder.
Other Rights — In no way are any of the following rights affected by the license:
Your fair dealing or fair use rights;
Apart from the remix rights granted under this license, the author's moral rights;
Rights other persons may have either in the work itself or in how the work is used, such as publicity or privacy rights.
Notice — For any reuse or distribution, you must make clear to others the license terms of this work.