Copyright Justin C. Klein Keane <[email protected]> @madirish2600
Security Intelligence
From What and Why to How
What is Security Intelligence?
Business intelligence principles applied to security data
Apply data to decision making
More than just metrics
– Soft data points included as well
Security data abounds
– Making useful decisions based on data is tough
Sample Sources of Data
Host based intrusion detection alerts
Darknet data (network traffic)
Port scans
Honeypots (attempted logins, attack toolkits, etc.)
Vulnerability scans
Public vulnerability alerts and disclosures
System event logs
Incident response reports
Etc.
Why
Anecdotal evidence often guides security
“Best practice” is often indefensible
– Change your password every 60 days - why???
Security isn't really engineering, or science
– No hard and fast rules (or laws)
Analysis should guide decision making
Security intelligence gathers data points to support analysis
Security Intelligence vs. Vulnerability Remediation
Traditional InfoSec relies on vulnerability scanning
Ideally:
– Find problems, fix them, find more, rinse, repeat
In reality:
– Scanner generates a report full of extraneous and incorrect details, no reliable severity or impact
– Report ignored
– Rinse, repeat
Why Vuln Centric Security Fails
Vulnerability scanning is “dumb”
Asset owners don't request scans
Defaults to an enforcement approach
Vulnerability reports are massive and provide little guidance
Ultimately reports get filed in the trash bin
Security Intelligence Goals
Add perspective and analysis to security recommendations
Provide a good case for change requests
Guide targeted campaigns to remediate vulnerabilities
Show good ROI for efforts
Maximize your limited staff resources
Encourage compliance
Use Case #1
Vulnerability disclosed in a well known service
Look for spikes in scanning for that service on darknet sensors
Quickly identify all machines in the environment running that service
Build a contact list and alert admins to patch
Implement targeted vulnerability scanning to track remediation
Use Case #2
Attacker observed (malicious IP identified)
Query all data sources for other evidence of activity from that IP
– Darknet probes, honeypot data, IDS logs, etc.
Look for attack profile from data sources
Alert admins of machines that fit the particular profile
Identify vulnerable machines
Potentially uncover compromises
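Both use cases reduce to the same query pattern over host-centric data: every record is tied to a host, hosts belong to a support group, and the support group carries the contact address, so a disclosure or an attacker IP ends in a contact list. The following is an added illustration of that pattern in Python, not HECTOR's own code; the hosts, ports, support groups, e-mail addresses and events are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    ip: str
    support_group: str

# Constructed sample data standing in for HECTOR's MySQL tables (hypothetical values).
SUPPORT_GROUPS = {"web-team": "web-team@example.org", "lab-it": "lab-it@example.org"}
HOSTS = [Host("10.0.0.5", "web-team"), Host("10.0.0.9", "web-team"),
         Host("10.0.1.20", "lab-it")]
# Nightly NMAP results: host -> {open port: detected service}.
NMAP = {"10.0.0.5": {22: "ssh", 80: "http"}, "10.0.0.9": {22: "ssh"},
        "10.0.1.20": {22: "ssh", 3306: "mysql"}}
# Events from the other sources, keyed by the attacker's source IP. Darknet and
# honeypot records carry the probed port; OSSEC (HIDS) alerts carry the monitored host.
EVENTS = [
    {"source": "darknet", "src_ip": "203.0.113.7", "dport": 22},
    {"source": "honeypot", "src_ip": "203.0.113.7", "dport": 22, "user": "root"},
    {"source": "ossec", "src_ip": "203.0.113.7", "host": "10.0.0.5",
     "rule": "sshd: multiple authentication failures"},
    {"source": "darknet", "src_ip": "198.51.100.2", "dport": 445},
]

def contacts_for_service(service):
    """Use case #1: every host running `service`, grouped by support contact,
    ready to drive a targeted patch alert and a follow-up remediation scan."""
    contacts = defaultdict(list)
    for host in HOSTS:
        if service in NMAP.get(host.ip, {}).values():
            contacts[SUPPORT_GROUPS[host.support_group]].append(host.ip)
    return dict(contacts)

def evidence_for_ip(src_ip):
    """Use case #2: pull every record about one attacker IP across sources,
    derive its attack profile (probed ports) and list the hosts that fit it."""
    hits = [e for e in EVENTS if e["src_ip"] == src_ip]
    probed = {e["dport"] for e in hits if "dport" in e}
    return {
        "sources": sorted({e["source"] for e in hits}),
        "probed_ports": sorted(probed),
        # Hosts exposing a probed port match the profile: alert their admins.
        "at_risk_hosts": sorted(h.ip for h in HOSTS if probed & set(NMAP.get(h.ip, {}))),
        # Hosts where HIDS already saw this IP are candidates for compromise review.
        "hids_hits": sorted({e["host"] for e in hits if "host" in e}),
    }
```

With the sample data, `contacts_for_service("ssh")` yields one list per support e-mail, and `evidence_for_ip("203.0.113.7")` shows the IP across three sources, a port-22 profile, all three hosts at risk and one host already flagged by OSSEC.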
Issues with Security Intelligence
Problems of big data will crop up quickly
Scale complicates development, deployment and debugging
Much of the effort of SI will be spent on middleware
Interesting data only emerges when all data is aggregated
Getting access to other folks' data will be challenging
Deliberate initial planning pays off – altering a table of 80 million rows is painful!
Specific Implementation - HECTOR
HECTOR is our solution for security intelligence
Open Source
HECTOR is based entirely on open source technologies
Runs best on a LAMP stack
Uses PHP, Perl, Python, MySQL, iptables, Kojoney, OSSEC, NMAP, and more...
More info and download at: https://sites.sas.upenn.edu/kleinkeane/software/hector
Principles Guiding Development
SAS has no access to network data for NIDS
Over 15,000 internet addressable IPs
Asset management was a huge challenge
Vulnerability disclosure mitigation was ad-hoc
Multiple different security data sources (darknet, honeypots, HIDS logs, etc.) were scattered over different systems
Needed a way to query data across sources and guide intelligent security decision making
Fundamentals
No network span ports or taps required!
HECTOR is designed to be an augmented asset management platform
All data is tied to hosts
Each host includes contact information for users as well as technical support
HECTOR is designed to allow supplementary data to be linked with hosts, from port scans to incident histories to vulnerability reports
How It Works (Basics)
MySQL database aggregates data sources
Web front end for querying and reporting
Access control via CoSign (or fallback)
Hosts are assigned to support groups, support groups are assigned a contact e-mail address
Nightly NMAP scans update host profiles
Vulnerability scan data added to the database
HECTOR is extensible – add your own scans
Currently Supported Data Sources
OSSEC host based intrusion detection logs
Kojoney based SSH honeypots
Iptables based darknet sensors
NMAP port scans
Vulnerability scans (Nikto, Nessus, etc.)
Security news outlets (RSS feeds, vulnerability announcements, etc.)
Screenshots (slide titles only; images are not reproduced in the transcript):
Summary Screen
Intrusion Detection Summary
Alerts Summary
Host Summary
Search for Malicious IP
Sample Report
Scan Schedule
Asset Management
System Configuration
Lessons Learned
Internal software development takes a really long time
Logistical considerations are always the most difficult challenge
As soon as software enters a useful beta it tends to migrate rapidly to essential service
Bug fixes tend to be weighted towards feature use
Simple NMAP scans are never simple
Remediation tracking is as difficult as vulnerability identification
Querying large data sets takes careful planning
Thank You
[email protected] @madirish2600
http://www.MadIrish.net
Links to Resources
HECTOR download - https://sites.sas.upenn.edu/kleinkeane/software/hector
NMAP - http://nmap.org/
OSSEC - http://www.ossec.net/
Kojoney - http://kojoney.sourceforge.net/
Kippo - https://code.google.com/p/kippo/
Rsyslog - http://www.rsyslog.com/