OSSIM Overview
Uploaded by the-open-security-community (Category: Technology)
Transcript of OSSIM Overview
![Page 1: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/1.jpg)
Sharad Chandra
CEH | CHFI
![Page 2: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/2.jpg)
Agenda
- Introduction to OSSIM
- How to deploy & configure OSSEC agents
- Configuring syslog and enabling plugins
- Scanning your network for assets and vulnerabilities
- OSSIM Demo
![Page 3: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/3.jpg)
2 Types of Security Controls
- Preventative Controls: used to implement C-I-A. Examples: Crypto, Firewall, Antivirus, PKI, VPN, SSL, DLP. Purpose: prevent an incident.
- Detective Controls: provide visibility & response. Examples: Asset Discovery, VA, IDS/IPS, Log Management, Analytics. Purpose: detect & respond to an incident.
![Page 4: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/4.jpg)
The Big Question
IF WE ALREADY HAVE PREVENTATIVE CONTROLS… WHY SHOULD WE CARE ABOUT DETECTIVE CONTROLS?
Prevention has proven to be elusive
A detailed study of 56 “Large US firms”
Results: 102 successful intrusions between them, EVERY WEEK!
![Page 5: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/5.jpg)
“There are two types of companies that use computers. Victims of crime that know they
are victims of crime and victims of crime that don’t have a clue yet.”
- James Routh, 2007 CISO Depository Trust Clearing Corporation
Some pretty savvy recent victims
![Page 6: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/6.jpg)
Get good at detection & response
Prevent | Detect & Respond
The basics are in place. Beyond that, enterprises beware!
New capabilities to develop
![Page 7: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/7.jpg)
Many professional SOC’s are powered by open source
There’s an App for that!
Tools shown: PRADS, NFSend, P0F, OVALdi, MDL, OpenFPC, PADS
Challenge: How do we make sense of all these?
![Page 8: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/8.jpg)
Let’s get started!
![Page 9: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/9.jpg)
Meet OSSIM: The World’s Most Widely Used SIEM
- OSSIM is trusted by 195,000+ security professionals in 175 countries… and counting
- Established and launched by security engineers out of necessity
- Users enjoy all of the features of a traditional SIEM – and more
![Page 10: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/10.jpg)
First We Categorize Them!
The 5 essential capabilities for effective detection & response:
- Asset Discovery: what am I protecting & what is most valuable?
- Vulnerability Assessment: where are my assets exposed?
- Threat Detection: how, when and where am I being attacked?
- Behavioral Monitoring: what is the state of my environment – anything strange?
- Intelligence & Analytics: put it all together with external intelligence & determine a response!
![Page 11: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/11.jpg)
Example of How the tools work together
![Page 12: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/12.jpg)
Tools Classification: How It Works
Tools integrated with AlienVault OSSIM are classified by the behavior of the tool on the network:
- Active: they generate traffic in the network being monitored
- Passive: they analyze network traffic without generating any traffic
Passive tools require port mirroring (SPAN) configured in network equipment or virtual machines to analyze traffic.
![Page 13: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/13.jpg)
Host IDS
OSSIM comes with OSSEC host-based IDS, which provides:
- Log monitoring and collection
- Rootkit detection
- File integrity checking
- Windows registry integrity checking
- Active response
OSSEC uses an authenticated server/agent architecture.
Diagram: OSSEC Agent (on the monitored servers) -> UDP 1514 -> OSSEC Server (on the OSSIM Sensor) -> normalized events -> OSSIM Server
![Page 14: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/14.jpg)
Deploying HIDS
1. Add an agent in OSSIM
2. Deploy HIDS agent to the target system.
3. Optionally change configuration file on the agent.
4. Verify HIDS operations.
![Page 15: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/15.jpg)
Add Agent in OSSIM
Environment > Detection > HIDS > Agents
- Required task for all operating systems
- Can also be added through the manage_agents script
Steps: add an agent, specify name and IP address, save agent.
![Page 16: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/16.jpg)
Deploy HIDS Agent to Target System
- Automated deployment for Windows machines: specify domain, username and password of the target system, or download a preconfigured agent for Windows.
- Manual installation for other OS
- Key extraction is required for manual installation
![Page 17: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/17.jpg)
Change Configuration File on Agent
- OSSEC configuration is controlled by a text file (the configuration file).
- Agent needs to be restarted after configuration changes.
- Log file is available for troubleshooting.
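The slide only says that the agent's configuration lives in a text file and that the agent must be restarted after editing it. The following is an added example, not part of the original deck or of OSSEC's own distribution: a POSIX shell script that renders a minimal Linux agent `ossec.conf` covering the capabilities listed on the Host IDS slide (file integrity checking, rootkit detection, log collection), writes it into place, restarts the agent and tails the log used for troubleshooting. It assumes the agent is installed under the default `/var/ossec` path and that the OSSIM sensor (OSSEC server) IP is passed as the first argument; the path and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): render a minimal OSSEC agent ossec.conf
# for a Linux host, install it and restart the agent so the change takes effect.
# Assumptions: the OSSIM sensor (OSSEC server) IP is passed as $1 and the agent
# lives under /var/ossec (the default install path, overridable via OSSEC_DIR).

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Print the agent configuration for the given server IP. The agent reports to
# the server over UDP 1514 (OSSEC's default), so no port needs to be set here.
ossec_agent_conf() {
    server_ip="$1"
    cat <<EOF
<ossec_config>
  <client>
    <server-ip>${server_ip}</server-ip>
  </client>

  <!-- File integrity checking: scan every 22 hours, cover common system paths -->
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>

  <!-- Rootkit detection using the signature files shipped with the agent -->
  <rootcheck>
    <rootkit_files>${OSSEC_DIR}/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>${OSSEC_DIR}/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Log monitoring and collection: ship auth and syslog lines to the server -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
</ossec_config>
EOF
}

# Write the config, restart the agent (required after any change) and show the
# tail of the agent log, which is where key or connection errors will appear.
apply_agent_conf() {
    ossec_agent_conf "$1" > "${OSSEC_DIR}/etc/ossec.conf" || return 1
    "${OSSEC_DIR}/bin/ossec-control" restart
    tail -n 20 "${OSSEC_DIR}/logs/ossec.log"
}

# Usage (as root on the agent host): apply_agent_conf 10.0.0.5
```

`ossec_agent_conf` only prints the configuration, so it can be reviewed or diffed against the current file before `apply_agent_conf` overwrites it; if the agent log shows the agent failing to connect after the restart, the usual causes are a wrong `server-ip`, a missing or mismatched agent key, or UDP 1514 being blocked toward the sensor.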
![Page 18: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/18.jpg)
Verify HIDS Operations
Environment > Detection > HIDS > Overview
- Displays overview of OSSEC events and agent information
- Agent status should be active.
![Page 19: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/19.jpg)
Verify HIDS Operations (Cont.)
Analysis > Security Events (SIEM) > SIEM
- Verify if OSSEC events are displayed in the SIEM console.
- Utilize the search filter to display only events from the OSSEC data source.
![Page 20: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/20.jpg)
Verify HIDS Operations (Cont.)
Environment > Detection > HIDS > Agents > Agent Control
- Verify file integrity.
- Verify registry integrity.
- Verify presence of rootkits.
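The three verification slides check agent status and integrity results through the web UI. As an added example (not from the deck), the same "agent status should be active" check can be run on the sensor's command line and turned into a routine health check that flags every agent that is not reporting. It uses OSSEC's own `agent_control -l` (list agents) and `agent_control -r -a` (run syscheck/rootcheck on all agents, the command-line counterpart of the UI's Agent Control); the agent list embedded below is constructed to match that command's usual line layout, and the function names and the `/var/ossec` path are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): check HIDS agent status from the sensor's
# command line and flag agents that are not Active, so a disconnected agent is
# noticed even when nobody is looking at the dashboard.
# Assumptions: OSSEC lives under /var/ossec; agent_control lists agents as
# "ID: 001, Name: host, IP: 10.0.0.21, Active" (sample below is constructed).

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Constructed sample of `agent_control -l` output so the check can be exercised
# without a live sensor. Statuses seen in practice: Active, Active/Local (the
# server itself), Disconnected, Never connected.
SAMPLE_AGENT_LIST='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossim (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.21, Active
   ID: 002, Name: db01, IP: 10.0.0.22, Disconnected
   ID: 003, Name: win-fs01, IP: 10.0.0.30, Never connected'

# Read an agent list on stdin; print "ID NAME STATUS" for every agent whose
# status is not Active. The server's own Active/Local entry is skipped.
unhealthy_agents() {
    awk -F', ' '/^ *ID: / {
        id = $1;   sub(/^ *ID: /, "", id)
        name = $2; sub(/^Name: /, "", name)
        status = $NF
        if (status != "Active" && status != "Active/Local")
            print id, name, status
    }'
}

# Print the number of agents needing attention and return non-zero when there
# are any, so the function can gate a cron job or a monitoring check.
count_unhealthy() {
    n=$(unhealthy_agents | wc -l | tr -d ' ')
    echo "$n"
    [ "$n" -eq 0 ]
}

# Live use on the sensor (as root):
#   "$OSSEC_DIR/bin/agent_control" -l | unhealthy_agents
#   "$OSSEC_DIR/bin/agent_control" -r -a   # run syscheck/rootcheck on all agents now
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_AGENT_LIST" | unhealthy_agents
```

A "Never connected" agent usually means the key was never extracted and installed on the target, or UDP 1514 is blocked; a "Disconnected" one that was previously active is worth treating as a security event in its own right, since an attacker disabling the agent looks identical to an outage.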
![Page 21: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/21.jpg)
Syslog & Plugins
![Page 22: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/22.jpg)
Syslog Forwarding
Syslog configuration will vary based on the source device/application, but usually the necessary parameters are:
- Destination IP
- Source IP
- Port (default is UDP 514)
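The slide lists the parameters but shows no configuration. As an added example (not from the deck), here is what those parameters look like on a Linux source that runs rsyslog: a POSIX shell function that emits a forwarding rule for the OSSIM sensor, with the slide's default of UDP 514 and an optional TCP variant that buffers messages while the sensor is unreachable. The source IP from the slide is not set here; it is the address OSSIM sees the messages arriving from, which is the asset you later enable the plugin on. The sensor address, the drop-in file name and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): generate an rsyslog forwarding rule that
# sends a host's syslog to the OSSIM sensor, then install it and send a test line.
# Assumptions: the source host runs rsyslog with /etc/rsyslog.d/ drop-ins, and the
# OSSIM sensor IP is passed as the first argument.

# Emit an rsyslog rule. "udp" gives the slide's default (UDP 514): a single "@"
# means UDP. "tcp" uses "@@" and adds a disk-assisted action queue so messages
# are spooled rather than dropped while the sensor is down (the queue file goes
# under rsyslog's $WorkDirectory, /var/spool/rsyslog on Debian/Ubuntu).
rsyslog_forward_conf() {
    ossim_ip="$1"
    proto="${2:-udp}"
    port="${3:-514}"
    case "$proto" in
        udp)
            printf '*.* @%s:%s\n' "$ossim_ip" "$port"
            ;;
        tcp)
            printf '$ActionQueueType LinkedList\n'
            printf '$ActionQueueFileName ossim_fwd\n'
            printf '$ActionResumeRetryCount -1\n'
            printf '*.* @@%s:%s\n' "$ossim_ip" "$port"
            ;;
        *)
            echo "unknown protocol: $proto (use udp or tcp)" >&2
            return 1
            ;;
    esac
}

# Install the rule, restart rsyslog and emit a tagged test message; it should
# show up in OSSIM once the matching plugin is enabled for this asset and the
# "Receiving Data" light turns green.
install_forwarding() {
    rsyslog_forward_conf "$@" > /etc/rsyslog.d/50-ossim.conf || return 1
    systemctl restart rsyslog
    logger -t ossim-test "syslog forwarding check from $(hostname)"
}

# Usage (as root on the source host):
#   install_forwarding 10.0.0.5            # UDP 514, the default
#   install_forwarding 10.0.0.5 tcp 514    # TCP with spooling
```

Plain UDP is fine for a lab and matches the slide's default, but it is fire-and-forget: lost datagrams are invisible and nothing authenticates the sender, so on a production segment prefer the TCP form (or rsyslog's TLS transport) and restrict inbound 514 on the sensor to the source IPs you expect.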
![Page 23: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/23.jpg)
Enabling Plugins
Enable plugin at the asset level
General > Plugins > Edit Plugins
Green light under “Receiving Data” will confirm successful log collection
![Page 24: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/24.jpg)
Vulnerability Assessment
- Uses a built-in OpenVAS scanner
- Detects vulnerabilities in assets
- Vulnerabilities are correlated with events (cross-correlation rules)
- Useful for compliance reports and auditing
- Managed from the central SIEM console: running and scheduling vulnerability scans, examining reports, updating vulnerability signatures
![Page 25: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/25.jpg)
Advanced Options
- Vulnerability assessment can be: authenticated (SSH and SMB) or unauthenticated
- Predefined profiles can be selected: non-destructive full and slow scan; non-destructive full and fast scan; full and fast scan including destructive tests
- Custom profiles can be created.
![Page 26: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/26.jpg)
Vulnerability Assessment Configuration
1. (Optionally) tune global vulnerability assessment settings.
2. (Optionally) create a set of credentials.
3. (Optionally) create a scanning profile.
4. Create a vulnerability scan job.
5. Examine scanning results.
6. Optionally create a vulnerability or compliance report.
![Page 27: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/27.jpg)
Tune Global Vulnerability Assessment Settings
Configuration > Administration > Main
- The vulnerability assessment system opens a ticket for found vulnerabilities.
- Select the vulnerability ticket threshold: start with a high threshold and fix important vulnerabilities first.
- Update configuration.
![Page 28: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/28.jpg)
Create Set of Credentials
Environment > Vulnerabilities > Overview
- Used to log into a machine for an authenticated scan
- Supports the DOMAIN/USER username format
Steps: click Settings, specify credential set name, select authentication type, specify login username.
![Page 29: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/29.jpg)
Create Scanning Profile
Environment > Vulnerabilities > Overview
- Examine the 3 default profiles; edit profiles or create a new profile.
- Enable/disable plugin families.
- Enable profiles that apply to the assets you are scanning.
![Page 30: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/30.jpg)
Create Vulnerability Scan Job
Environment > Vulnerabilities > Scan Jobs
- Create a new scan job (or import a Nessus scan report).
- Specify scan job name; select profile, server and assets.
- Select credential set for an authenticated scan.
- Select schedule method.
- Save job.
![Page 31: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/31.jpg)
Examine Vulnerability Results
Environment > Vulnerabilities > Overview
- Examine vulnerability statistics.
- View the vulnerability report for all assets.
- Examine reports for all scan jobs.
![Page 32: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/32.jpg)
OSSIM Demo
![Page 33: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/33.jpg)
Questions & Answers
![Page 34: OSSIM Overview](https://reader033.fdocuments.us/reader033/viewer/2022061419/55b2253bbb61ebee028b4739/html5/thumbnails/34.jpg)