AlienVault leveraging open source security tools the essential guide


Published on March 13, 2014

Author: albertspijkers



AlienVault leveraging open source security tools the essential guide


AGENDA
- The Case for Detective Security Controls
- Leveraging Open Source: The Essential Controls
- A Guided Tour/Demo:
  - Asset Discovery: Nmap & PRADS
  - Wireless IDS: Kismet
  - Unified Security Management: OSSIM (OSSEC, Snort, Ntop, OpenVAS)
- Open Source Threat Sharing:
  - MDL (Malware Domain List) & OTX (Open Threat Exchange)
- Q&A

2 TYPES OF SECURITY CONTROLS
- Preventative Controls: used to implement C-I-A; they prevent an incident. Examples: Crypto, Firewall, Antivirus, PKI, VPN, SSL, DLP, EIEIO.
- Detective Controls: provide visibility & response; they detect & respond to an incident. Examples: Asset Discovery, VA, IDS/IPS, Log Management, Analytics.


PREVENTION HAS PROVEN TO BE ELUSIVE
Example: the 2012 “Cost of Cybercrime Study” by the Ponemon Institute, a detailed study of 56 “Large US firms”. Results: 102 successful intrusions between them EVERY WEEK!

“There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.” - James Routh, 2007, CISO, Depository Trust Clearing Corporation
Some pretty savvy recent victims

“How would you change your strategy if you knew for certain that you were going to be compromised?” - Martin Roesch, 2013, Founder & CTO, Sourcefire; author of SNORT

GET GOOD AT DETECTION & RESPONSE
- Prevent: the basics are in place. Beyond that, buyer beware! (“New prevention thingy 9.0 with advanced fuzzy logic. Stops 100% of all web-born threats at the perimeter!”)
- Detect & Respond: new capabilities to develop.


THERE’S AN APP FOR THAT!
Many professional SOCs are powered by open source: PRADS, NfSen, p0f, OVALdi, MDL, OpenFPC, PADS, ...
Challenge: How do we make sense of all these?

FIRST WE CATEGORIZE THEM!
The 5 essential capabilities for effective detection & response:
- Asset Discovery: What am I protecting & what is most valuable?
- Vulnerability Assessment: Where are my assets exposed?
- Threat Detection: How, when and where am I being attacked?
- Behavioral Monitoring: What is the state of my environment; anything strange?
- Intelligence & Analytics: Put it all together with external intelligence & determine a response!

CHALLENGE: NAME THAT TOOL!
(Vulnerability Assessment, Threat Detection, Behavioral Monitoring, Analytics & Intelligence, Asset Discovery)

THE ESSENTIAL CONTROLS
Open source alternatives exist for each of the 5 categories (Vulnerability Assessment, Threat Detection, Behavioral Monitoring, Analytics & Intelligence, Asset Discovery): p0f, OpenFPC, NfSen, OVALdi, PRADS, PADS, and more.

LET’S SEE THEM IN ACTION
- Asset Discovery with Nmap & PRADS
- Wireless IDS with Kismet
- Unified Security Management with OSSIM (includes OSSEC, Snort, ntop, OpenVAS)

NMAP & PRADS
Problem it solves: I need an inventory of assets on my network (Nmap) and I need to continuously keep it up to date as things change (PRADS).
Pros: Nmap is very mature, robust & feature rich. Both tools produce verbose output.
Cons: Both tools produce extremely verbose output. PRADS does not have a GUI.
Why we like it: These cover both active and passive asset discovery. PRADS is relatively new but it covers the same functionality as two older tools (PADS and p0f).
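As an added illustration of the active-plus-passive idea on this slide (not code from the talk or from either project), the following Python parses a constructed Nmap XML fragment as the scan baseline and constructed prads-asset.log lines as the passive view, then reports hosts and services PRADS saw that the last Nmap scan did not. The prads-asset.log column layout (asset,vlan,port,proto,service,[service-info],distance,discovered) is an assumption about the PRADS log format.

```python
import xml.etree.ElementTree as ET
# Constructed sample of Nmap XML output (the format nmap -oX writes); not a real scan.
NMAP_XML = """<nmaprun>
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port></ports></host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports></host>
</nmaprun>"""
# Constructed prads-asset.log lines; the column layout is an assumption about the PRADS log format.
PRADS_LOG = """asset,vlan,port,proto,service,[service-info],distance,discovered
10.0.0.5,0,22,6,SERVER,[ssh:OpenSSH 6.6],0,1394668800
10.0.0.5,0,3306,6,SERVER,[mysql:MySQL 5.5],0,1394669200
10.0.0.9,0,445,6,SERVER,[smb:Samba],0,1394668900
10.0.0.23,0,0,0,ARP,[00:11:22:33:44:55],0,1394669000
"""
PROTO_NAMES = {"6": "tcp", "17": "udp"}   # IP protocol numbers as PRADS logs them

def parse_nmap(xml_text):
    """Active baseline: {ip: {(proto, port, service)}} for hosts that are up, open ports only."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        services = set()
        for port in host.findall("ports/port"):
            if port.find("state").get("state") == "open":
                svc = port.find("service")
                services.add((port.get("protocol"), int(port.get("portid")), svc.get("name") if svc is not None else ""))
        inventory[host.find("address[@addrtype='ipv4']").get("addr")] = services
    return inventory

def parse_prads(log_text):
    """Passive view: {ip: {(proto, port, service)}}; ARP-only rows (port 0) register just the host."""
    inventory = {}
    for line in log_text.splitlines()[1:]:                        # skip the header row
        ip, _vlan, port, proto, _kind, info, _dist, _ts = line.split(",", 7)
        services = inventory.setdefault(ip, set())
        if port != "0":                                           # "[ssh:OpenSSH 6.6]" -> "ssh"
            services.add((PROTO_NAMES.get(proto, proto), int(port), info.strip("[]").split(":")[0]))
    return inventory

def reconcile(baseline, passive):
    """Return (hosts seen only passively, {ip: services seen passively but absent from the baseline})."""
    new_services = {}
    for ip in set(passive) & set(baseline):
        known = {(proto, port) for proto, port, _ in baseline[ip]}
        extra = {s for s in passive[ip] if (s[0], s[1]) not in known}
        if extra:
            new_services[ip] = extra
    return sorted(set(passive) - set(baseline)), new_services
```

Hosts or services that show up only on the passive side are the triggers for the next targeted Nmap scan, which is how the inventory stays current between periodic full scans.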

KISMET
Problem it solves: I need to know how wireless networks are being accessed and whether anyone has set up a rogue access point in my facility.
Pros: Great command line interface. Outputs log events for WIDS events and a periodic XML report for observed networks.
Cons: A wireless adapter can’t transmit while in monitor mode, so a dedicated adapter is needed.
Why we like it: This tool is very versatile. There are plugins for DECT and Ubertooth devices.

OSSIM
Problem it solves: I need all the essential detective controls, but it takes too long to install them and I have way too many dashboards to look at when I am done.
Pros: USM (Unified Security Management) unifies management of these tools and offers correlation between event sources. Includes incident response templates & workflows.
Cons: Full intelligence feed, log management and management features require the commercial version.
Why we like it: The company I work for makes OSSIM, and it makes it easy to implement and manage all these tools at once (OSSEC, Snort, Ntop, OpenVAS & others).



OPEN SOURCE THREAT INTELLIGENCE
- Expert Sourced
- Crowd Sourced


MDL AND OTX
Problem it solves: My detective controls only show me what’s happening in my environment. What are the experts seeing (MDL)? What are my peers seeing (OTX)?
Pros: Allows me to collect threats from security researchers (MDL) and from peers (OTX). Allows me to share threats with my peers (OTX). These add an intelligence layer to traditional tools, like NIDS and SIEM.
Cons: Most feeds are a teaser to a commercial offering.
Why we like it: If we get this right and get everyone involved, the bad guys only get one “first attack” for the entire network: attack one and all will detect and respond.

THE PRACTITIONER’S GUIDE
Open Source Asset Discovery Tools
- Nmap: The de-facto standard utility for network mapping. Use to scan the network on a periodic basis to create and update an inventory of assets.
- PADS: Passive Asset Detection System, a network sniffer that detects (infers) assets by monitoring traffic. Use to augment Nmap scans.
- p0f: Passive OS fingerprinting tool. Use to identify and profile assets on your network (including those of the attackers).
- PRADS: Passive Real-Time Asset Detection. Alternative to PADS; listens to the network and gathers information on hosts and services.
Open Source Threat Detection Tools
- Snort: The world’s most popular network IDS/IPS. Provides signature, protocol, and anomaly-based inspection. Use to identify attacks.
- Suricata: “Next Generation” alternative (or not) to Snort, funded by US DHS/DoD. Use to identify attacks and extract malware from network traffic.
- Kismet: An 802.11 layer 2 wireless IDS. Use to identify and monitor (legitimate and rogue) networks by passively monitoring traffic.
- OSSEC: Host-based Intrusion Detection System. Use to perform log analysis, file integrity monitoring, policy monitoring and rootkit detection on endpoint assets.

THE PRACTITIONER’S GUIDE
Open Source Behavioral Monitoring Tools
- Ntop: A Unix tool that shows network usage, similar to what the popular top Unix command does. Use to determine what processes and services are running.
- NfSen: A web-based GUI for the nfdump netflow tools. Use to monitor netflows.
- OpenFPC: A set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Use to monitor network traffic & flows.
- Nagios: Open source IT monitoring system. Use to monitor activity on servers.
Open Source Vulnerability Assessment Tools
- OpenVAS: Framework of services and tools for vulnerability scanning and vulnerability management. The open source fork of Nessus, which converted to closed source.
- OVALdi: An open source reference implementation of a vulnerability scanner based on the OVAL definition. Alternative to OpenVAS.
Open Source Intelligence and Analytics Tools
- OSSIM: Unified security management & the world’s most popular SIEM. Use to combine essential controls into a single unified system managed from a single pane of glass.
- Logstash http://: A tool for managing events and logs. Use to collect logs, parse them, and store them for later use or analysis.

THE PRACTITIONER’S GUIDE
Open Threat Intelligence Feeds & Threat Sharing Communities
- MDL: A continuously updated list of malware-related sites plus a discussion forum on new threats. Use to tune threat detection tools.
- ETO: A platform-independent (Snort & Suricata) ruleset for tuning IDS. Use to make your IDS more effective at identifying threats.
- OTX: The world’s largest collaborative threat sharing network. Use to share threat information in real-time with others on the exchange. Several free risk-monitoring tools are also available.
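As an added example of what “use MDL to tune threat detection tools” looks like in practice for both the MDL/OTX slide and this table (not code from the talk, from MDL or from Snort), the following Python loads a constructed domain feed, checks constructed resolver query logs against it with parent-domain matching, and turns a feed entry into a Snort/Suricata DNS rule. The feed layout (domain,description) is a simplification assumed here, not the real MDL export format.

```python
import re

# Constructed feed in a simplified "domain,description" layout; not the real MDL export format.
MDL_FEED = """# domain,description
bad.example,Trojan downloader
Dropper.Example.NET,Exploit kit landing page
"""
# Constructed BIND-style resolver query log lines; not from a real resolver.
DNS_LOG = """13-Mar-2014 10:01:02.123 client 10.0.0.23#51234: query: www.bad.example IN A + (10.0.0.53)
13-Mar-2014 10:01:05.456 client 10.0.0.5#51235: query: www.example.org IN A + (10.0.0.53)
13-Mar-2014 10:02:09.789 client 10.0.0.9#51236: query: dropper.example.net. IN A + (10.0.0.53)
"""
QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN ")

def load_feed(text):
    """Return {normalized_domain: description}, skipping comments; names lower-cased, no trailing dot."""
    feed = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            domain, desc = line.split(",", 1)
            feed[domain.strip().lower().rstrip(".")] = desc.strip()
    return feed

def matches(name, feed):
    """Return the feed entry covering `name` (exact match or any parent domain), else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None

def scan_dns_log(text, feed):
    """Return [(client_ip, queried_name, feed_domain, description)] for every query hitting the feed."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        hit = matches(m.group(2), feed) if m else None
        if hit:
            hits.append((m.group(1), m.group(2), hit, feed[hit]))
    return hits

def snort_dns_rule(domain, desc, sid):
    """Build a Snort/Suricata rule matching `domain` in DNS wire format (length-prefixed labels, NUL end).
    The label sequence also matches subdomains: www.bad.example contains |03|bad|07|example|00|."""
    content = "".join("|%02x|%s" % (len(label), label) for label in domain.split(".")) + "|00|"
    return ('alert udp $HOME_NET any -> any 53 (msg:"MDL %s - %s"; content:"%s"; '
            'classtype:trojan-activity; sid:%d; rev:1;)' % (domain, desc, content, sid))
```

Matching on the DNS label bytes rather than on a dotted string keeps the rule from being fooled by case or by the trailing-dot form of the same name.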
