Published on March 13, 2014
LEVERAGING OPEN SOURCE THE ESSENTIAL DETECTIVE SECURITY CONTROLS The Open and Collaborative Alternative
AGENDA v The Case for Detective Security Controls v Leveraging Open Source: The Essential Controls v A Guided Tour/Demo: § Asset Discovery: Nmap & PRADS § Wireless IDS: Kismet § Unified Security Management: OSSIM (OSSEC, SNORT, Ntop, OpenVAS) v Open Source Threat Sharing § MDL (Malware Domain List) & OTX (Open Threat Exchange) v Q&A
Preventative Controls Used to Implement C-I-A Crypto, Firewall, Antivirus PKI, VPN, SSL, DLP, EIEIO Prevent an incident Detective Controls Provide visibility & response Asset Discovery, VA, IDS/IPS, Log Management, Analytics Detect & respond to an incident 2 Types of Security Controls
IF WE ALREADY HAVE PREVENTATIVE CONTROLS… WHY SHOULD WE CARE ABOUT DETECTIVE CONTROLS?
PREVENTION HAS PROVEN TO BE ELUSIVE Example: 2012 “Cost of Cybercrime Study”, Ponemon Institute A detailed study of 56 “Large US firms” Results: 102 successful intrusions between them EVERY WEEK !
“There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.” - James Routh, 2007 CISO Depository Trust Clearing Corporation Some pretty savvy recent victims
“How would you change your strategy if you knew for certain that you were going to be compromised?” - Martin Roesch, 2013 Founder & CTO Sourcefire, Author SNORT
Prevent Detect & Respond GET GOOD AT DETECTION & RESPONSE The basics are in place. Beyond that, buyer beware! New prevention thingy 9.0 with advanced fuzzy logic. Stops 100% of all web-born threats at the perimeter! New capabilities to develop
Many professional SOC’s are powered by open source THERE’S AN APP FOR THAT! PRADS NFSend P0F OVALdi MDL OpenFPC PADS Challenge: How do we make sense of all these?
FIRST WE CATEGORIZE THEM! What is the state of my environment – anything strange? Put it all together with external intelligence & determine a response! The 5 essential capabilities for effective detection & response Vulnerability Assessment Threat Detection Behavioral Monitoring Intelligence & Analytics What am I protecting & what is most valuable? Asset Discovery How, when and where am I being attacked? Where are my assets exposed?
CHALLENGE: NAME THAT TOOL! Vulnerability Assessment Threat Detection Behavioral Monitoring Analytics & Intelligence Asset Discovery
THE ESSENTIAL CONTROLS Vulnerability Assessment Threat Detection Behavioral Monitoring Analytics & Intelligence Asset Discovery P0F OpenFPC NFSen OVALdi PRADS PADS open source alternatives for each of the 5 categories
LETS SEE THEM IN ACTION " Asset Discovery with Nmap & PRADS " Wireless IDS with Kismet " Unified Security Management with OSSIM includes (OSSEC, SNORT, ntop, opnVAS)
NMAP & PRADS Problem it solves: I need an inventory of assets on my network (Nmap) and I need to continuously keep it up to date as things change (PRADS). Pros: Nmap is very mature, robust & feature rich. Both tools produce verbose output. Cons: Both tools produce extremely very verbose output. PRADS does not have a GUI Why we like it: These cover both active and passive asset discovery. PRADS is relatively new but it covers the same functionality as two older tools (PADS and p0f).
KISMET Problem it solves: I need to know how are wireless networks being accessed and if anyone setup a rogue access point in my facility. Pros: Great command line interface. Outputs log events for WIDS events and a periodic XML report for observed networks. Cons: Wireless adapter can’t transmit when in monitor mode- need a dedicated adapter Why we like it: This tool is very versatile. There are plugins for DECT and Ubertooth devices.
OSSIM Problem it solves: I need all the essential detective controls, but it takes too long to install them and I have way too many dashboards to look at when I am done. Pros: USM: Unifies management of these tools and offers correlation between event sources. Includes incident response templates & workflows Cons: Full intelligence feed, log management and management features requires commercial version Why we like it: The company I work for makes OSSIM J and It makes it easy to implement and manage all these tools at once. (OSSEC, Snort, Ntop, OpenVAS & others)
OPEN SOURCE IS NOT JUST FOR SOFTWARE ANYMORE…. Open Threat Sharing
OPEN SOURCE THREAT INTELLIGENCE
OPEN SOURCE THREAT INTELLIGENCE Expert Sourced Used to Implement C-I-A Crypto, Firewall, Antivirus PKI, VPN, SSL, DLP, EIEIO Prevent an incident Crowd Sourced Provide visibility & response Asset Discovery, VA, IDS/IPS, Log Management, Analytics Detect & respond to an incident
OPEN SOURCE THREAT INTELLIGENCE
MDL AND OTX Problem it solves: My detective controls only show me what’s happening in my environment. What are the experts seeing (MDL), what are my peers seeing (OTX)? Pros: Allows me to collect threats from security researchers (MDL) and from peers (OTX). Allows me to share threats with my peers (OTX). These add an intelligence layer to traditional tools, like NIDS and SIEM. Cons: Most feeds are a teaser to a commercial offering. Why we like it: If we get this right and everyone involved, the bad guys only get one “first attack” for the entire network – attack one and all will detect and respond.
THE PRACTITIONER’S GUIDE Open Source Asset Discovery Tools Nmap http://nmap.org The de-facto standard utility for network mapping. Use to scan network on a periodic basis to create and update inventory of assets. PADS http://passive.sourceforge.net Passive Asset detection system is a network sniffer that detects (infers) assets by monitoring traffic. Use to augment Nmap scans. P0f http://lcamtuf.coredump.cx/p0f3/ Passive OS fingerprinting tool. Use to identify and profile assets on your network (including that of the attackers). PRADS http://gamelinux.github.io/prads Passive Real-Time Asset Detection. Alternative to PADS - listens to network and gathers information on hosts and services. Open Source Threat Detection Tools Snort http://www.snort.org The world’s most popular network IDS/IPS. Provides signature, protocol, and anomaly-based inspection. Use to identify attacks. Suricata http://suricata-ids.org “Next Generation” alternative (or not) to SNORT funded by US DHS/DoD. Use to identify attacks and extract malware from network traffic. Kismet http://www.kismetwireless.net An 802.11 layer 2 wireless IDS. Use to identify and monitor (legitimate and rogue) networks via passively monitoring traffic. OSSEC http://www.ossec.net Host-based Intrusion Detection System. Use to perform log analysis, file integrity monitoring, policy monitoring and rootkit detection on endpoint assets.
THE PRACTITIONER’S GUIDE Open Source Behavioral Monitoring Tools Ntop http://www.ntop.org A Unix tool that shows the network usage, similar to what the popular top Unix command does Use to determine what processes and services are running. Nfsen http://nfsen.sourceforge.net A web-based GUI for the nfdump netflow tools. Use to monitor netfows. OpenFPC http://www.openfpc.org A set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Use to monitor network traffic & flows. Nagios http://www.nagios.org Open source IT monitoring system. Use to monitor activity on servers. Open Source Vulnerability Assessment Tools OpenVAS http://openvas.org Framework of services and tools for vulnerability scanning and vulnerability management. The open source fork of Nessus that converted to closed source. OVALdi http://www.decalage.info/en/ovaldi An open source reference implementation of a vulnerability scanner based on the OVAL definition. Alternative to OpenVAS. Open Source Intelligence and Analytics Tools OSSIM http://www.alienvault.com/ossim Unified security management & the world’s most popular SIEM. Use to combine essential controls into a single unified system managed from single pane of glass. Logstash http://http://logstash.net/ A tool for managing events and logs. Use to collect logs, parse them, and store for later use or analysis.
THE PRACTITIONER’S GUIDE Open Threat Intelligence Feeds & Threat Sharing Communities MDL http://www.malwaredomainlist.com A continuously updated list of malware-related sites plus a discussion forum on new threats. Use to tune threat detection tools. ETO http://www.emergingthreats.net A platform independent (SNORT & Suricata) ruleset for tuning IDS. Us to make your IDS more effective at identifying threats. OTX http://www.alienvault.com/otx The world’s largest collaborative threat sharing network. Use to share threat information in real-time with others on the exchange. Several free risk- monitoring tools also available.
AlienVault has unified the security products, ... (Open Source) OSSIM Overview; ... AlienVault unifies five essential security tools into one integrated
Get The New Guide More Resources . Open ... OSSIM, AlienVault’s Open Source Security Information and ... one unified platform with many of the essential ...
Mosaic Security is an independent online buyer’s guide for IT security ... AlienVault Open Source ... integrated tools, and the security ...
Learn how to use behavioral monitoring within OSSIM, AlienVault’s Open Source Security ... new guide on the modern botnet ... Leveraging proven open ...
Provides the essential... into the security of their ... alienvault. Integrated Tools in AlienVault ... AlienVault leveraging open source security tools ...
Compare AlienVault USM to alternative Security ... best of breed open source security tools and ... the essential security controls ...
... combines the essential security ... one of the most popular and effective open source HIDS tools. ... Sit down with AlienVault and open source ...