OSSIM User Training: Get Improved Security Visibility with OSSIM
OSSIM Presentation CIO2013 v5
-
Upload
atharmahboob -
Category
Documents
-
view
98 -
download
3
description
Transcript of OSSIM Presentation CIO2013 v5
Security Information and Event Management for Private Clouds
Dr. Athar MahboobDean Faculty of Engineering & Applied Sciences
Director Information TechnologyProfessor of Electrical Engineering
DHA Suffa UniversityKarachi, Pakistan
Pakistan CIO Summit 2013May 21-22, 2013
2
Agenda● Introduction to Security Information and Event
Management ● Understand the business case for a SIEM
solution● Understand the technical architecture of a
SIEM solution● Get familiar with an economical and open
source SIEM solution – OSSIM
3
Typical Private Cloud
IT Applications LMS Email Timetable Student Feedback Online Admission Test Instant Messaging Network Mgmt Service Directory Services Terminals Services Desktop Applications Engineering Design Apps Online Admission Application Storage Services Video Conference Service ERP Accounting Student Records Library Management
Multiple redundant media high-speed Internet Links
DSU Private Cloud (Data Center)
SAN
Servers
DSU Data ERP, LMS, Email
Internet 10 + 10 MBPS
Web
HEC Digital Library
Social Media
Xen Hypervisor
DSU Firewall
Laptop PDA
Wireless Network Infrastructure Access Points and smaller access points provide wireless networking coverage to entire DSU campus.
Virtual Private Network – VPN VPN access to DSU Network for Faculty and Students. Through VPN all IT services can be accessed securely from any remote location
Thin Clients
High Speed Campus Network 600+ network nodes in 8 segments covering all offices and Labs at DSU connecting to a High Performance Network Core
PERN Video Conferencing
4
Threat Economy: Historic Attacker Motivations
End Value
Espionage (Corporate/ Government)
Fame
Theft
Writers Asset
Worms
Tool and Toolkit Writers
Viruses
Trojans
Malware Writers
Compromise Individual
Host or Application
Compromise Environment
Take Away: Fame was by far the dominant motivator
From: Security Information Management (SIM) Technology Brief, Ken Kaminski, Cisco Systems, Security Architect – Northeast US, CISSP, GCIA
5
Threat Economy: TodayWriters Middle Men Second Stage
Abusers
●Bot-Net Management: For
Rent, for Lease, for Sale
Bot-Net Creation
Personal Information
Electronic IP Leakage
Worms
Spyware
Tool and Toolkit Writers
Viruses
Trojans
Malware Writers
First Stage Abusers
Machine Harvesting
Information Harvesting
Hacker/Direct Attack
Internal Theft: Abuse of Privilege
Information Brokerage
Spammer
Phisher
Extortionist/ DDoS-for-Hire
Pharmer/DNS Poisoning
Identity Theft
Compromised Host and
Application
End Value
Financial Fraud
Commercial Sales
Fraudulent Sales
Advertising Revenue
Espionage (Corporate/
Government)
Fame
Extorted Pay-Offs
Theft
Take Away 1: For-Profit end values
Take Away 2: Multiple methods to achieve goal
Take Away 3: Sustainable economy, resilient to shocks
From: Security Information Management (SIM) Technology Brief, Ken Kaminski, Cisco Systems, Security Architect – Northeast US, CISSP, GCIA
6
New Threat Economy
From: http://www.scmagazineus.com/hacker-arrested-in-greece-for-stealing-selling-weapons-data/article/104718/
7
New Threat Economy
From: http://www.wired.com/threatlevel/2008/10/fed-blotter-new/
8
All is fair in love and war !!!STATE ACTORS ARE PART OF THE THREAT ECONOMY TOO
PUBLIC-PRIVATE PARTNERSHIP :-)
9
APT - Example
June, 2010 – StuxNet Worm
Target: Natanz Nuclear Facility
Motivation: Cyber Sabotage?
10
Advanced Persistent Threat - APT
The attack techniques started from self replicating code evolved into Advanced Persistent Threat Use 0-day Be stealthy Target users Target indirectly Exploit multi-attack vectors Use “state-of-the-art” technique Be Persistent
Hacking is no more about fun Corporate Espionage State Secrets Cyber “Sabotage”
11
StuxNet – How It Spread?
Exploited Four Zero Day Vulnerabilities
12
13
US Killer Spy Drones Controls Switch to Linux
14
Old – Windows
15
New – Linux
16
Drivers for Information Security Management
● Regulatory Compliance● HIPAA, SOX, FISMA, GLBA, FDA, PCI, Basel II,
OSHA and ISO 27002● Information security breaches are costly
● Need to respond timely to security events● Information systems environment is heterogeneous,
multi-vendor, and complexcompliance - a state or acts of accordance with established standards, specifications, regulations, or laws. Compliance more often connotes a very specific following of the provided model and is usually the term used for the adherence to government regulations and laws
http://searchcio.techtarget.com/sDefinition/0,,sid182_gci947386,00.html
HIPAA: Health Insurance Portability and Accountability ActSOX: Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOXFISMA: The Federal Information Security Management Act of 2002FDA: The Food and Drug AdministrationPCI Data Security Standard (PCI DSS): The Payment Card Industry (PCI) and Validation RegulationsBasel II: The New Accord: International Convergence of Capital Measurement and Capital StandardsGLBA: Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization ActISO/IEC 27002 (formerly 17799) is an information security standard published and most recently revised in June 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)OSHA: The United States Occupational Safety and Health Administration
17
18
Information Security Management
SIEMSecurity Information and Event
Management
SIEM versus ISM
SIMSecurity
Information Management
SEMSecurity Event
Management
19
SIEM
● “A SIEM or SIM is a computerized tool used on enterprise data networks to centralize the storage and interpretation of logs, or events, generated by other software [or hardware] running on the network”
● A new concept (About 10 Years old)● A natural evolution of log management● A SIEM enables organizations to achieve round-
the-clock ‘pro-active’ security and compliance.
20
Beginnings of SIEM are in Log Management
● Log management● Automation in collection of logs in a central
place – e.g. syslog-ng● Tools for log searching and analysis● Still a dependence on expert human for
analysis● Typical human expert cannot process
more than a 1000 events a day● Conclusion - automate more
21
LogsWhat Logs?
Audit Logs
Transaction Logs
Intrusion Logs
Connection Logs
System Performance Records
User Activity Logs
Misc. alerts and other messages
From Where?
Firewalls/Intrusion Prevention
Routers/switches
Intrusion Detection
Servers, Desktops, Mainframes
Business Applications
Databases
Anti-virus
VPNs
22
Inverted Pyramid of Event Significance
3 MILLION
15,000
24
8
TOTAL EVENTS
CORRELATED EVENTS
DISTINCTIVE SECURITY ISSUES
INCIDENTS REQUIRING ACTION
UNIX Syslogs
85,000 Events
Windows Event Logs
1,036,800 Events
IDS and Access Logs
1,100,000 Events
Firewall787,000 Events
Antivirus12,000 Events
23
The Challenge of SIEM
● “Billions and Billions” of events● Firewalls, IDS, IPS, Anti-Virus, Databases,
Operating Systems, Content filters● Information overload
● Lack of standards● Difficult correlation
● Making sense of event sequences that appear unrelated
● False positives and validation issues● Heterogeneous IT environment
24
Technical Drivers of SIEM
React Faster!● Too much data, but not enough information
● High Signal To Noise Ratio
● No “situational awareness”
● Too many tools to isolate root cause
Improve Efficiency● Compliance requirements
● Nothing gets shut down
● Cost center reality
25
Reduce risk and cost
Time to remediate
Reduce risk and cost by dramatically reducing the time it takes to effectively respond
Ris
k/C
ost
26
Business Objectives of SIEM● Increase overall security posture of an
organization● Turn chaos into order● Aggregate log file data from disparate
sources ● Create holistic security views for compliance
reporting● Identify and track causal relationships in the
network in near real-time● Build a historical forensic foundation
27
Generic SIEM Architecture
Collect Inputs from target sourcesAgent and agentless methods
AggregateBring all the information to a central point
NormalizeTranslate disparate syntax into a standardized one
CorrelateIf A and B then C
ReportState of healthPolicy conformance
Archive
R Box
A Box K Box
D Box
C Box C Box
E Box E Box E Box E Box E BoxE BoxesEvent generators: sensors & pollers
C BoxesCollection boxes
D BoxFormatted messages database
A Box + K BoxIncident Analysis Knowledge base
R BoxReaction and reporting
28
NOC vs SOC
Separates auditing role from operations role
29
State-of-the-art Cyber Security Operations Center, a comprehensive cyber threat detection and response center that focuses on protecting Northrop Grumman and its customers’ networks and data worldwide.
(Northrop Grumman)
http://www.armybase.us/2009/07/northrop-grumman-opens-cyber-security-operations-center/
30
Reactive Proactive Predictive
SOC
Incident Response, Notification, Tracking, Analysis, Containment, Eradication, and Remediation
Network Vulnerability Scanning: Network, Systems
Strategic Analysis
Incident Detection Systems (IDS)
Vulnerability Handling Threat Management & Correlation System
Computer Forensics & MalwareAnalysis
Third-Party Pen. Testing (3rd Party)
Email Filtering & Blocking
DNS Sinkhole
Threat Tracking, Monitoring, & Mitigation
Patch/Asset Management
Situational Awareness: Log Monitoring, Event Aggregation and Correlation (SIM)
Flow/Network Behavior Monitoring
Host Based Monitoring System (HBSS): Antivirus, Firewall, Anti-Malware, Application White listing
Active Protection: Intrusion Prevention System (IPS)
Web & Application Scanning
Incident Scope Analysis & Remote Forensics
Content Monitoring/Data Loss Prevention
Red Team/Blue Team
31
Linux and Open Source
● Business model is based on services alone:– Implementation
– Customizations
– Training
– Documentation
– Support
● A fair and consumer friendly business model for software because:
● Software is incrementally developed● Software is infinitely replicable
32
Clearing Misconceptions About Open Source
● Open source is free software !● Software is free, people are not !● Free as in “freedom” not necessarily as in
“free beer”● Open source is a viable business model● Open source is a better software
engineering methodology
“Given enough eye-balls, all bugs are shallow”
Linus' Law
33
Why Open Source for SIEM?
● Commercial products have a high cost of entry barrier
● User can become confused with the:● Marketing terms● Feature bloat
● Open source SIEM has matured – can compete head-on with commercial offerings
● Open Source SIEM can even be used as a learning tool – requirements analysis tool for a commercial SIEM specifications
34
Open Source Security Information Management - OSSIM
● Made of best of breed open source security tools: snort, ntop, nmap, nagios
● Full installer – plug & play● Integrated Graphical Management Console● Includes Reporting Engine (JasperReports)
with pre-designed reports● Commercially supported - AlienVault● Implemented in local companies
35
Magic Quadrant for Security Information and Event Management - 2011
36
Magic Quadrant for Security Information and Event Management - 2012
Source: Gartner (May 2012)
37
OSSIM Pros
● Extendable● Stable● Low cost● Works with native tools and mechanisms
● Easier to integrate● Less overhead
● Wide range of tools combined into one solution
38
Snort Ntop Fprobe NFDump NFSen OCS Nagios
OpenVASNiktoOSVDBOSSECKISMETNMAPP0fArpWatch
OSSIM - Integrated Tools
39
OSSIM Web Interface
40
SIEM Concepts
Detection and Collection
41
Active Versus Passive Tools
● The different tools integrated in OSSIM can be classified into two categories:
● Active: They generate traffic within the network which is being monitored.
● Passive: They analyze network traffic without generating any traffic within the network being monitored.
The passive tools require a port mirroring /port span configured in the network equipment.
42
Data Source
Any application or device that generates events within the network that is being monitored
External Data Sources Network Devices: Routers, Switches, Wireless AP... Servers: Domain Controller, Email server, LDAP... Applications: Web Servers, Databases, Proxy... Operating Systems: Linux, Windows, Solaris...
Internal Data Sources Collect information on the network level
Intrusion Detection Vulnerability Detection Anomaly Detection Discovery, Learning & Network Profiling Inventory Systems
Collectors
Detectors
Sensors: Data Sources
43
The Sensor can aggregate events using multiple collection methods
Sensor: Collection
44
Detection is done by setting the Sensors NIC into promiscuous mode to collect all the traffic on the monitored network HUB Port Mirroring/Spanning Network Tap
Sensor: Detection
45
Any log entry generated by any Data Source at application, system or network level will be called an event.
For SIEM it is important to know: When has the event been generated? What is involved? (Systems, users, …) Which application generated the event? What’s the event type?
Event
46
The SIEM component provides the system with Security Intelligence and Data Mining capacities, featuring: Real-time Event processing Risk metrics Risk assessment Correlation Policies Management Active Response Incident Management Reporting
The SIEM
47
The Logger component stores events in raw format in the file system.
Events are digitally signed and stored en masse ensuring their admissibility as evidence in a court of law.
The logger component allows storage of an unlimited number of events for forensic purpose.
For this purpose the logger is usually configured so that events are stored in a NAS / SAN network storage system.
10:1 Compression to save Disk Space
Logger – Secure Reliable Storage
48
The AlienVault database runs on a MySQL server SIEM Events, configurations, and inventory
information are stored in the Database Database is a required component in any
AlienVault deployment, even if no Logger is being used
Database
49
Detection The process of identifying behavior that leads to
the generation of an event Multiple elements that can be used by SIEM to
provide detection capabilities:• Snort, Ntop, Arpwatch… (Example Data Sources included in
AlienVault)• Existing corporate applications/tools• Tools that have been deployed prior to SIEM installation
(Firewalls, Antivirus…)
50
The task that determines which events shall be collected into the Server
Collection is done by the Sensors Server can collect events using multiple methods:
• Some require configuring the Data Source to send events to the Sensor (E.g.: Syslog, FTP...)
• Other require the Sensor gathers the events from the application or device (WMI, SQL, SCP...)
Collection
51
End Device/App
The process of translating the events generated by different tools into a unique and normalized format Normalization is done in the Sensor Log information is normalized using regular expressions by
AlienVault Sensors
Raw EventNormalized Event
SIEM Server
Sensor
Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root
event type="detector" date="2008-03-22 20:40:15" sensor="192.168.1.109" interface="eth0“plugin_id="4005" plugin_sid="2" src_ip="192.168.1.109" dst_ip="192.168.1.109" username="root"log="Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root"
Normalization
52
A Data Source is any application or device that generates logs, events and information
AlienVault can collect events from any Data Source by using a Data Source Connector (Plugin)
Data Source
53
The Data Source ID (Formerly known as Plugin_id) is a unique number used by AlienVault to identify each of the Data Source types that send events to AlienVault This number is used in correlation rules and when defining Policy
Rules
Data Source ID
54
The Event Type (Formerly known as Plugin_sid) is a unique number (Within each Data Source) that identifies the different events a Data Source is able to generate. The Event Type always has to be associated to a Data Source ID,
since multiple Data Source ID can share common Event Types.
• (E.g.: 404 Event Type in Apache and IIS)
Event Type
55
An Asset is any device available on a network that is being monitored by SIEM Assets in AlienVault have a value (0-5). Each Asset will have a
different value depending on their task within the network Assets in AlienVault:
Assets
56
Every Asset in AlienVault has an Asset Value (0-5) Assets not defined within the AlienVault Inventory have a default
Asset Value of 2 Assets will have different values depending on their role within the
monitored network E.g.: A printing company
• Printers will be a very high asset value
E.g.: A company offering Web hosting
• Web servers and database servers will be a valuable asset while printers on the other hand won’t be so important.
Asset Value
57
Defining an Asset in OSSIM
58
Priority is the importance of the event itself It is a measure which tries to determine the relative impact
an event could have in our network. Priority is a value between 0 and 5
• 0 No importance• 1 Very Low• 2 Low• 3 Average• 4 Important• 5 Very Important
Event Priority
59
Reliability determines the probability of an attack being real or not. E.g.: A single authentication failure.
• Would you be able to determine if it is a real attack (Brute Force attack) using a single event?
Reliability can be a value between 0 and 10
• 0 False Positive• 1 – 10% chance of being an attack• 2 – 20% chance of being an attack• …• 10 Real attack
Event Reliability
60
The SIEM calculates a risk for each event processed in the SIEM The Event Risk is a numeric value (0-10)
Event Risk
61
Any event with a risk value greater than or equal to 1 will become an alarm. An alarm is a special type of event since it can have more
than one event originating it. Correlation doesn’t generate alarms (done by server
during R.A), it will generate new events that may or may not become alarms.
Alarm
62
Correlation is the process of transforming various input data into a new output data element
Using correlation we can transform two or more input events into a more reliable output event
Through correlation of various events from disparate data sources a SIEM delivers greater Security Intelligence
Correlation
63
Apart from calculating a risk value for each event, the AlienVault SIEM also maintains an Aggregated risk indicator for each asset of the network This aggregated risk is stored in two properties of each asset
within AlienVault
• Compromise: Compromise means a network element is generating lots of events as source, this is, it’s behaving like if it’s been compromised
• Attack: Attack is a value that measures the level of attack an element has received in our network, that is, how much it has been attacked
Aggregated Risk
64
Compromise value is increased by taking into account the risk of the event calculated using the Asset Value of the source (The Asset value of the destination is ignored even if it is higher) This value increases the compromise value of the host, the
compromise value of the host groups, networks and network groups the host belongs to, as well as the global compromise
Compromise Value
65
Attack value is increased by taking into account the risk of the event calculated using the Asset Value of the destination (The Asset value of the source is ignored even if it is higher) This value increases the attack value of the host, the attack
value of the host groups, networks and network groups the host belongs to, as well as the global attack value
Attack Value
66
From Alarm to Ticket Alarms can be ignored or can be converted to tickets Tickets can be assigned to IS or IT officers The ticket life cycle is the Security Event
handling/management
67
Security Event Management
68
Conclusions
OSSIM provides SIEM capabilities to small and medium sized organizations
OSSIM leverages best of breed open source tools and combines them into integrated SIEM to manage security events
OSSIM can be setup quickly – time is money
69
Thank You !