solving the open source security puzzle

June 18, 2013 – Securing Ubiquity

Solving the Open Source Security Puzzle

Vic HargraveJB Cheng

Santiago González Bassett

DisclaimerThe views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.


2

Log NormalizationSyslog

Comes default within *Nix operating systems. Sylog-NG

Can be installed in various configurations to take the place of default syslog.

Free to use or enterprise version available for purchase.Many configuration types to export data.

OSSECFree to useCan export via syslog to other systems.


3

Solving the Open Source Security Puzzle

What are the standards?Why choose one product over another?How do the various security components

work together?How does this work in the real world, real

examples.


4


5

Understanding Rules

Customizable rulesets - Enable a security practitioner to add true intelligence of their environment.

Host Event Detection

AIDE(Advanced Intrusion Detection Environment)


6

Network Detection Systems


7


8

Event Management

What is ?Open Source SECurityOpen Source Host-based Intrusion Detection SystemProvides protection for Windows, Linux, Mac OS, Solaris

and many *nix systemshttp://www.ossec.netFounded by Daniel CidCurrent project managers – JB Cheng and Vic Hargrave


9

OSSEC CapabilitiesLog analysisFile Integrity checking (Unix and Windows)Registry Integrity checking (Windows)Host-based anomaly detection (for Unix – rootkit

detection)Active Response


10

HIDS AdvantagesMonitors system behaviors that are not evident from the

network trafficCan find persistent threats that penetrate firewalls and

network intrusion detection/prevention systems


11

tail -f $ossec_alerts/alerts.log


12

OSSEC Server

OSSEC Agents

logsUDP 1514

logsUDP 1514

OSSEC Architecture

alerts

File Integrity Alert Sample** Alert 1365550297.8499: mail - ossec,syscheck,2013 Apr 09 16:31:37 ubuntu->syscheckRule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'


13

Log Analysis Alert Sample ** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.logRule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64


14

PCI DSS Requirement10.5.5 - Use file-integrity monitoring or change-detection

software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)

11.5 - Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly


15

Annual gathering of OSSEC users and developers.Community members discuss how they are using OSSEC,

what new features they would like and set the roadmap for future releases.

OSSEC 2.7.1 soon to be released.Planning for OSSEC 3.0 is underway.OSSECCON 2013 will be held Thursday July 25th at Trend

Micro’s Cupertino office.Please join us there!


16


OSSIMUnified Open Source Security

Santiago González [email protected]

@santiagobassettAlien Vault

17

About meDeveloper, systems engineer, security administrator,

consultant and researcher in the last 10 years.Member of OSSIM project team since its inception.Implemented distributed Open Source security

technologies in large enterprise environments for European and US companies.


http://santi-bassett.blogspot.com/@santiagobassett

18

What is OSSIM?OSSIM is the Open Source SIEM – GNU GPL version 3.0With over 195,000 downloads it is the most widely

used SIEM in the world.Created in 2003, is developed and maintained by

Alien Vault and community contributors.Provides Unified and Intelligent Security.


http://communities.alienvault.com/

19

Why OSSIM?Because provides security IntelligenceDiscards false positivesAssesses the impact of an attackCollaboratively learns about APT


Because Unifies security managementCentralizes informationIntegrates threats detection tools

20

OSSIM integrated tools


Assetsnmapprads

Behavioral monitoringfprobenfdumpntoptcpdumpnagios

Vulnerability assessment

osvdbopenvas

Threat detection

ossecsnortsuricata

21

OSSIM +200 Collectors


22

OSSIM Architecture


Configuration &Management

NormalizedEvents

23

OSSIM Anatomy of a collector


24

[apache-access]event_type=eventregexp=“((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\” (?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_uri>.*)\" \”(?P<useragent>.*)\")?$”src_ip={resolv($src)}dst_ip={resolv($dst)}dst_port={$port}date={normalize_date($date)}plugin_sid={$code}username={$user}userdata1={$request}userdata2={$size}userdata3={$referer_uri}userdata4={$useragent}filename={$id}

[Raw log]76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

OSSIM Reliability Assessment


25

SSH Failed authentication event

SSH successful authentication event

10 SSH Failed authentication events


Persistent connections




Reliability

OSSIM Risk Assessment


26

RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY)/25

Source DestinationEvent Priority = 2

Event Reliability = 10

Asset Value = 2 Asset Value = 5

OSSIM & OSSEC Integration


Web management interfaceOSSEC alerts plugin

OSSEC correlation rulesOSSEC reports

27

OSSIM Deployment


28

OSSIM Attack Detection


29

OSSIM Demo Use CasesDetection & Risk assessmentOTXSnort NIDSLogical CorrelationVulnerability assessmentAsset discoveryCorrelating Firewall logs:Cisco ASA pluginNetwork Scan detection

Correlating Windows Events:OSSEC integrationBrute force attack detection


30


31

Disclaimer

The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.

Thank you

Santiago Gonzalez [email protected]

@santiagobassettAlien Vault

solving the open source security puzzle

Technology

securing ubiquity http

mail ossec

ossec free

network detection systems

ossec server ossec agents

open source security

file integrity alert

security practitioner