LEVERAGING OPEN SOURCE
THE ESSENTIAL DETECTIVE SECURITY CONTROLS
The Open and Collaborative Alternative
AGENDA
- The Case for Detective Security Controls
- Leveraging Open Source: The Essential Controls
- A Guided Tour/Demo:
  - Asset Discovery: Nmap & PRADS
  - Wireless IDS: Kismet
  - Unified Security Management: OSSIM (OSSEC, SNORT, Ntop, OpenVAS)
- Open Source Threat Sharing
  - MDL (Malware Domain List) & OTX (Open Threat Exchange)
- Q&A
2 Types of Security Controls
- Preventative Controls: used to implement C-I-A (crypto, firewall, antivirus, PKI, VPN, SSL, DLP, EIEIO). Prevent an incident.
- Detective Controls: provide visibility & response (asset discovery, VA, IDS/IPS, log management, analytics). Detect & respond to an incident.
IF WE ALREADY HAVE PREVENTATIVE CONTROLS… WHY SHOULD WE CARE ABOUT DETECTIVE CONTROLS?
PREVENTION HAS PROVEN TO BE ELUSIVE
Example: 2012 “Cost of Cybercrime Study”, Ponemon Institute. A detailed study of 56 “Large US firms”.
Results: 102 successful intrusions between them EVERY WEEK!
“There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.”
- James Routh, 2007, CISO, Depository Trust Clearing Corporation
Some pretty savvy recent victims
“How would you change your strategy if you knew for certain that you were going to be compromised?”
- Martin Roesch, 2013, Founder & CTO Sourcefire, Author of SNORT
GET GOOD AT DETECTION & RESPONSE
Prevent: The basics are in place. Beyond that, buyer beware! (“New prevention thingy 9.0 with advanced fuzzy logic. Stops 100% of all web-born threats at the perimeter!”)
Detect & Respond: New capabilities to develop.
GOOD NEWS! Many professional SOC’s are powered by open source. THERE’S AN APP FOR THAT!
PRADS, NFSen, P0F, OVALdi, MDL, OpenFPC, PADS
Challenge: How do we make sense of all these?
FIRST WE CATEGORIZE THEM!
The 5 essential capabilities for effective detection & response:
- Asset Discovery: What am I protecting & what is most valuable?
- Vulnerability Assessment: Where are my assets exposed?
- Threat Detection: How, when and where am I being attacked?
- Behavioral Monitoring: What is the state of my environment – anything strange?
- Intelligence & Analytics: Put it all together with external intelligence & determine a response!
CHALLENGE: NAME THAT TOOL! (Asset Discovery, Vulnerability Assessment, Threat Detection, Behavioral Monitoring, Analytics & Intelligence)
THE ESSENTIAL CONTROLS
Open source alternatives for each of the 5 categories (Asset Discovery, Vulnerability Assessment, Threat Detection, Behavioral Monitoring, Analytics & Intelligence): P0F, OpenFPC, NFSen, OVALdi, PRADS, PADS.
LET’S SEE THEM IN ACTION
- Asset Discovery with Nmap & PRADS
- Wireless IDS with Kismet
- Unified Security Management with OSSIM (includes OSSEC, Snort, ntop, OpenVAS)
NMAP & PRADS
Problem it solves: I need an inventory of assets on my network (Nmap) and I need to continuously keep it up to date as things change (PRADS).
Pros: Nmap is very mature, robust & feature rich. Both tools produce verbose output.
Cons: Both tools produce extremely verbose output. PRADS does not have a GUI.
Why we like it: These cover both active and passive asset discovery. PRADS is relatively new but it covers the same functionality as two older tools (PADS and p0f).
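As an added example (not code from the slides, nor from the Nmap or PRADS projects), the Python below does what the slide describes in practice: it builds the inventory from an Nmap -oX scan, folds in PRADS asset-log observations and reports the hosts and listeners the scan did not know about. The Nmap XML and the PRADS lines are constructed samples, and the PRADS column layout (asset,vlan,port,proto,service,[service-info],distance,discovered) is assumed from prads-asset.log.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output, trimmed to the elements the parser reads.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="down"/><address addr="10.0.0.4" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed prads-asset.log lines; column layout assumed from the PRADS asset log.
PRADS_LOG = """asset,vlan,port,proto,service,[service-info],distance,discovered
10.0.0.2,0,22,6,SERVER,[ssh:OpenSSH 5.3],0,1383000000
10.0.0.3,0,445,6,SERVER,[smb:Windows],0,1383000010
10.0.0.3,0,8080,6,SERVER,[http:Jetty],0,1383000020
10.0.0.9,0,0,0,ARP (Dell),[00:14:22:01:23:45],0,1383000030
"""

PROTO_NAMES = {"6": "tcp", "17": "udp"}  # IP protocol numbers as PRADS logs them


def parse_nmap(xml_text):
    """Inventory {ip: {(proto, port): service}} of hosts that were up."""
    inv = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts and entries without an IPv4 address
        services = inv.setdefault(addr.get("addr"), {})
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not services we run
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            services[(port.get("protocol"), int(port.get("portid")))] = name
    return inv


def parse_prads(log_text):
    """Same inventory shape, from what PRADS inferred by listening."""
    inv = {}
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("asset,"):
            continue  # blank line or the header row
        fields = line.split(",", 7)
        if len(fields) < 8:
            continue  # malformed row: skip rather than guess
        ip, port, proto, kind, info = fields[0], fields[2], fields[3], fields[4], fields[5]
        services = inv.setdefault(ip, {})
        if kind != "SERVER":
            continue  # ARP/CLIENT rows prove the host exists but are not a listener
        name = info.strip("[]").split(":", 1)[0] or "unknown"
        services[(PROTO_NAMES.get(proto, proto), int(port))] = name
    return inv


def diff_inventory(baseline, observed):
    """What the passive feed shows that the last active scan did not.
    Keyed on (proto, port) only: the tools name one service differently
    (Nmap 'microsoft-ds' vs PRADS 'smb' on tcp/445), and that is not a change.
    """
    new_hosts = sorted(ip for ip in observed if ip not in baseline)
    new_services = {}
    for ip, services in observed.items():
        if ip in baseline:
            added = [(p, port, name) for (p, port), name in services.items()
                     if (p, port) not in baseline[ip]]
            if added:
                new_services[ip] = sorted(added)
    return new_hosts, new_services


def merge_inventory(baseline, observed):
    """Scan inventory plus passive findings; the scan's service names win."""
    merged = {ip: dict(s) for ip, s in baseline.items()}
    for ip, services in observed.items():
        target = merged.setdefault(ip, {})
        for key, name in services.items():
            target.setdefault(key, name)
    return merged


if __name__ == "__main__":
    scan, passive = parse_nmap(NMAP_XML), parse_prads(PRADS_LOG)
    hosts, services = diff_inventory(scan, passive)
    print("new hosts since last scan:", hosts)        # ['10.0.0.9']
    print("new services on known hosts:", services)  # {'10.0.0.3': [('tcp', 8080, 'http')]}
    print("merged inventory:", merge_inventory(scan, passive))
```

A host that PRADS sees only via ARP (10.0.0.9 in the sample) is reported as new even though it has no listener yet, which is exactly the case a periodic scan alone would miss until its next run.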
KISMET
Problem it solves: I need to know how wireless networks are being accessed and whether anyone has set up a rogue access point in my facility.
Pros: Great command line interface. Outputs log events for WIDS events and a periodic XML report for observed networks.
Cons: The wireless adapter can’t transmit when in monitor mode, so a dedicated adapter is needed.
Why we like it: This tool is very versatile. There are plugins for DECT and Ubertooth devices.
OSSIM
Problem it solves: I need all the essential detective controls, but it takes too long to install them and I have way too many dashboards to look at when I am done.
Pros: USM: unifies management of these tools and offers correlation between event sources. Includes incident response templates & workflows.
Cons: Full intelligence feed, log management and management features require the commercial version.
Why we like it: The company I work for makes OSSIM, and it makes it easy to implement and manage all these tools (OSSEC, Snort, Ntop, OpenVAS & others) at once.
OPEN SOURCE IS NOT JUST FOR SOFTWARE ANYMORE…
Open Threat Sharing
OPEN SOURCE THREAT INTELLIGENCE
Expert Sourced
Crowd Sourced
MDL AND OTX
Problem it solves: My detective controls only show me what’s happening in my environment. What are the experts seeing (MDL), and what are my peers seeing (OTX)?
Pros: Allows me to collect threats from security researchers (MDL) and from peers (OTX). Allows me to share threats with my peers (OTX). These add an intelligence layer to traditional tools, like NIDS and SIEM.
Cons: Most feeds are a teaser to a commercial offering.
Why we like it: If we get this right and get everyone involved, the bad guys only get one “first attack” for the entire network – attack one and all will detect and respond.
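The “intelligence layer on top of NIDS” in practice means turning a feed into detection content. As an added example (not code from the slides, MDL or OTX), this Python converts a malware-domain list into Snort/Suricata DNS-query rules; the feed lines and their three-column layout are constructed, and the SID range is the usual local-rule convention.

```python
import re

# Constructed sample feed in an assumed 'date,domain,description' layout;
# a real MDL export has more columns, so change DOMAIN_COL/DESC_COL to match.
FEED = """# constructed sample feed, not real MDL data
2013/11/01,bad.example.com,exploit kit landing page
2013/11/02,update-check.example.net,trojan callback; see ticket "42"
2013/11/02,BAD.example.com,same domain in a different case
2013/11/03,,empty domain column that must be skipped
"""
DOMAIN_COL, DESC_COL = 1, 2
SID_BASE = 9000000  # locally written rules use SIDs of 1,000,000 and above
LABEL_RE = re.compile(r"^[a-z0-9-]{1,63}$")  # hostname labels only; rejects rule metacharacters


def dns_wire_content(domain):
    """Encode 'bad.example.com' as |03|bad|07|example|03|com|00|.

    A DNS query carries the name as length-prefixed labels ending in a zero
    byte, so the rule matches that wire form rather than the dotted string;
    nocase on the rule affects the ASCII labels only, not the length bytes.
    """
    labels = domain.strip(".").lower().split(".")
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValueError("unsafe or invalid DNS label in %r" % domain)
    return "".join("|%02x|%s" % (len(l), l) for l in labels) + "|00|"


def parse_feed(text):
    """Yield (domain, description) pairs, lowercased and de-duplicated."""
    seen = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split(",")
        if len(cols) <= max(DOMAIN_COL, DESC_COL):
            continue  # short row: not enough columns to trust
        domain = cols[DOMAIN_COL].strip().lower()
        if not domain or domain in seen:
            continue
        seen.add(domain)
        yield domain, cols[DESC_COL].strip()


def make_rule(domain, description, sid):
    """One Snort/Suricata rule alerting on a DNS query for the domain."""
    # Strip the characters that would end or escape a rule option inside msg.
    safe_desc = re.sub(r'[";|\\]', " ", description).strip()
    msg = "MALWARE DNS query for %s (%s)" % (domain, safe_desc)
    return ('alert udp $HOME_NET any -> any 53 (msg:"%s"; content:"%s"; '
            'nocase; classtype:trojan-activity; sid:%d; rev:1;)'
            % (msg, dns_wire_content(domain), sid))


def build_rules(feed_text, sid_base=SID_BASE):
    """Whole feed -> list of rule strings with sequential SIDs."""
    return [make_rule(domain, desc, sid_base + i)
            for i, (domain, desc) in enumerate(parse_feed(feed_text))]


if __name__ == "__main__":
    for rule in build_rules(FEED):
        print(rule)
```

Keep the SID-to-domain mapping stable between feed refreshes (for example by persisting it) so that alerts already in the SIEM keep pointing at the same indicator.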
THE PRACTITIONER’S GUIDE
Open Source Asset Discovery Tools
Nmap http://nmap.org
The de-facto standard utility for network mapping. Use to scan the network on a periodic basis to create and update an inventory of assets.
PADS http://passive.sourceforge.net
Passive Asset Detection System is a network sniffer that detects (infers) assets by monitoring traffic. Use to augment Nmap scans.
P0f http://lcamtuf.coredump.cx/p0f3/
Passive OS fingerprinting tool. Use to identify and profile assets on your network (including those of the attackers).
PRADS http://gamelinux.github.io/prads
Passive Real-Time Asset Detection. Alternative to PADS: listens to the network and gathers information on hosts and services.
Open Source Threat Detection Tools
Snort http://www.snort.org
The world’s most popular network IDS/IPS. Provides signature, protocol, and anomaly-based inspection. Use to identify attacks.
Suricata http://suricata-ids.org
“Next Generation” alternative (or not) to SNORT, funded by US DHS/DoD. Use to identify attacks and extract malware from network traffic.
Kismet http://www.kismetwireless.net
An 802.11 layer 2 wireless IDS. Use to identify and monitor (legitimate and rogue) networks by passively monitoring traffic.
OSSEC http://www.ossec.net
Host-based Intrusion Detection System. Use to perform log analysis, file integrity monitoring, policy monitoring and rootkit detection on endpoint assets.
Open Source Behavioral Monitoring Tools
Ntop http://www.ntop.org
A Unix tool that shows network usage, similar to what the popular top Unix command does. Use to determine what processes and services are running.
Nfsen http://nfsen.sourceforge.net
A web-based GUI for the nfdump netflow tools. Use to monitor netflows.
OpenFPC http://www.openfpc.org
A set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Use to monitor network traffic & flows.
Nagios http://www.nagios.org
Open source IT monitoring system. Use to monitor activity on servers.
Open Source Vulnerability Assessment Tools
OpenVAS http://openvas.org
Framework of services and tools for vulnerability scanning and vulnerability management. The open source fork of Nessus, which converted to closed source.
OVALdi http://www.decalage.info/en/ovaldi
An open source reference implementation of a vulnerability scanner based on the OVAL definition. Alternative to OpenVAS.
Open Source Intelligence and Analytics Tools
OSSIM http://www.alienvault.com/ossim
Unified security management & the world’s most popular SIEM. Use to combine the essential controls into a single unified system managed from a single pane of glass.
Logstash http://logstash.net/
A tool for managing events and logs. Use to collect logs, parse them, and store them for later use or analysis.
Open Threat Intelligence Feeds & Threat Sharing Communities
MDL http://www.malwaredomainlist.com
A continuously updated list of malware-related sites plus a discussion forum on new threats. Use to tune threat detection tools.
ETO http://www.emergingthreats.net
A platform-independent (SNORT & Suricata) ruleset for tuning IDS. Use to make your IDS more effective at identifying threats.
OTX http://www.alienvault.com/otx
The world’s largest collaborative threat sharing network. Use to share threat information in real time with others on the exchange. Several free risk-monitoring tools are also available.
Leveraging Open Source Security Tools: The Essential Guide

Contenu connexe

Plus de AlienVault

SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...AlienVault
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection RecommendationsAlienVault
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienVault
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideAlienVault
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmAlienVault
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuideAlienVault
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmAlienVault
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICAlienVault
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides finalAlienVault
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMAlienVault
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesAlienVault
 
How Malware Works
How Malware WorksHow Malware Works
How Malware WorksAlienVault
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverAlienVault
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than EverAlienVault
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAlienVault
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMAlienVault
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSAlienVault
 
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USMInsider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USMAlienVault
 
Alien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlienVault
 

Plus de AlienVault (20)

SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection Recommendations
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's Guide
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usm
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHIC
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation Directives
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDS
 
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USMInsider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
 
Alien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligenceAlien vault sans cyber threat intelligence
Alien vault sans cyber threat intelligence
 

Dernier

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 

Dernier (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Leveraging Open Source Security Tools: The Essential Guide

  • 1. LEVERAGING OPEN SOURCE THE ESSENTIAL DETECTIVE SECURITY CONTROLS The Open and Collaborative Alternative
  • 2. AGENDA  The Case for Detective Security Controls  Leveraging Open Source: The Essential Controls  A Guided Tour/Demo:  Asset Discovery: Nmap & PRADS  Wireless IDS: Kismet  Unified Security Management: OSSIM (OSSEC, SNORT, Ntop, OpenVAS)  Open Source Threat Sharing  MDL (Malware Domain List) & OTX (Open Threat Exchange)  Q&A
  • 3. Preventative Controls Used to Implement C-I-A Crypto, Firewall, Antivirus PKI, VPN, SSL, DLP, EIEIO Prevent an incident Detective Controls Provide visibility & response Asset Discovery, VA, IDS/IPS, Log Management, Analytics Detect & respond to an incident 2 Types of Security Controls
  • 4. IF WE ALREADY HAVE PREVENTATIVE CONTROLS… WHY SHOULD WE CARE ABOUT DETECTIVE CONTROLS?
  • 5. PREVENTION HAS PROVEN TO BE ELUSIVE Example: 2012 “Cost of Cybercrime Study”, Ponemon Institute A detailed study of 56 “Large US firms” Results: 102 successful intrusions between them EVERY WEEK !
  • 6. “There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.” - James Routh, 2007 CISO Depository Trust Clearing Corporation Some pretty savvy recent victims
  • 7. “How would you change your strategy if you knew for certain that you were going to be compromised?” - Martin Roesch, 2013 Founder & CTO Sourcefire, Author SNORT
  • 8. Prevent Detect & Respond GET GOOD AT DETECTION & RESPONSE The basics are in place. Beyond that, buyer beware! New prevention thingy 9.0 with advanced fuzzy logic. Stops 100% of all web-born threats at the perimeter! New capabilities to develop
  • 10. Many professional SOC’s are powered by open source THERE’S AN APP FOR THAT! PRADS NFSend P0F OVALdi MDL OpenFPC PADS Challenge: How do we make sense of all these?
  • 11. FIRST WE CATEGORIZE THEM! What is the state of my environment – anything strange? Put it all together with external intelligence & determine a response! The 5 essential capabilities for effective detection & response Vulnerability Assessment Threat Detection Behavioral Monitoring Intelligence & Analytics What am I protecting & what is most valuable? Asset Discovery How, when and where am I being attacked? Where are my assets exposed?
  • 12. CHALLENGE: NAME THAT TOOL! Vulnerability Assessment Threat Detection Behavioral Monitoring Analytics & Intelligence Asset Discovery
  • 13. THE ESSENTIAL CONTROLS Vulnerability Assessment Threat Detection Behavioral Monitoring Analytics & Intelligence Asset Discovery P0F OpenFPC NFSen OVALdi PRADS PADS open source alternatives for each of the 5 categories
  • 14. LETS SEE THEM IN ACTION Asset Discovery with Nmap & PRADS Wireless IDS with Kismet Unified Security Management with OSSIM includes (OSSEC, SNORT, ntop, opnVAS)
  • 15. NMAP & PRADS Problem it solves: I need an inventory of assets on my network (Nmap) and I need to continuously keep it up to date as things change (PRADS). Pros: Nmap is very mature, robust & feature rich. Both tools produce verbose output. Cons: Both tools produce extremely very verbose output. PRADS does not have a GUI Why we like it: These cover both active and passive asset discovery. PRADS is relatively new but it covers the same functionality as two older tools (PADS and p0f).
  • 16. KISMET Problem it solves: I need to know how are wireless networks being accessed and if anyone setup a rogue access point in my facility. Pros: Great command line interface. Outputs log events for WIDS events and a periodic XML report for observed networks. Cons: Wireless adapter can’t transmit when in monitor mode- need a dedicated adapter Why we like it: This tool is very versatile. There are plugins for DECT and Ubertooth devices.
  • 17. OSSIM
    • Problem it solves: I need all the essential detective controls, but it takes too long to install them and I have way too many dashboards to look at when I am done.
    • Pros: USM unifies management of these tools and offers correlation between event sources. Includes incident response templates & workflows.
    • Cons: Full intelligence feed, log management and management features require the commercial version.
    • Why we like it: The company I work for makes OSSIM, and it makes it easy to implement and manage all these tools at once (OSSEC, Snort, Ntop, OpenVAS & others).
  • 18. OPEN SOURCE IS NOT JUST FOR SOFTWARE ANYMORE… Open Threat Sharing
  • 19. OPEN SOURCE THREAT INTELLIGENCE
  • 20. OPEN SOURCE THREAT INTELLIGENCE: Expert Sourced vs. Crowd Sourced
  • 21. OPEN SOURCE THREAT INTELLIGENCE
  • 22. MDL AND OTX
    • Problem it solves: My detective controls only show me what’s happening in my environment. What are the experts seeing (MDL), and what are my peers seeing (OTX)?
    • Pros: Allows me to collect threats from security researchers (MDL) and from peers (OTX). Allows me to share threats with my peers (OTX). These add an intelligence layer to traditional tools, like NIDS and SIEM.
    • Cons: Most feeds are a teaser for a commercial offering.
    • Why we like it: If we get this right and everyone gets involved, the bad guys only get one “first attack” for the entire network – attack one and all will detect and respond.
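"Adding an intelligence layer to traditional tools" means two concrete things in practice: checking your own logs against the feed, and turning the feed into rules your NIDS can fire on. The following is an added example (not code from the slides, from MDL or from the Snort project) that does both: it matches proxy log hostnames against feed domains (exact, subdomain or direct-to-IP) and emits a Snort DNS-query rule per feed domain, with each label written as a length byte plus label the way it appears on the wire. The feed entries, the proxy log lines and the SID range are constructed, and the feed uses a simplified shape rather than MDL's real export format.

```python
"""Turning a malware-domain feed into detections.

Added example, not code from the slides, from MDL or from the Snort project.
The feed entries and proxy log lines below are constructed (the feed is a
simplified shape, not MDL's real export format); the SID range is invented.
"""
from urllib.parse import urlsplit

FEED = [  # constructed indicators
    {"domain": "update-check.example", "ip": "203.0.113.7",
     "description": "trojan downloader (constructed)"},
    {"domain": "cdn.bad-example.net", "ip": "198.51.100.21",
     "description": "exploit kit landing page (constructed)"},
]

# Constructed proxy log: timestamp, client, method, URL, status.
PROXY_LOG = """\
2013-05-01T10:00:01Z 10.0.0.5 GET http://www.example.org/index.html 200
2013-05-01T10:00:07Z 10.0.0.17 GET http://update-check.example/dl/a.exe 200
2013-05-01T10:00:09Z 10.0.0.17 GET http://198.51.100.21/gate.php 200
2013-05-01T10:00:11Z 10.0.0.23 GET http://sub.cdn.bad-example.net/land 302
2013-05-01T10:00:15Z 10.0.0.5 GET http://notupdate-check.example/ 200
"""


def build_index(feed):
    """Index indicators by domain and by IP so a hostname can be matched as an
    exact domain, as a subdomain, or as a direct-to-IP request."""
    by_domain = {e["domain"].lower(): e for e in feed}
    by_ip = {e["ip"]: e for e in feed if e.get("ip")}
    return by_domain, by_ip


def lookup(host, by_domain, by_ip):
    """Return the matching feed entry for a hostname, or None.  Suffix matching
    walks label boundaries so 'notupdate-check.example' does not match."""
    host = host.lower().rstrip(".")
    if host in by_ip:
        return by_ip[host]
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in by_domain:
            return by_domain[candidate]
    return None


def match_log(log_text, feed):
    """Return (client, host, description) for each log line that touched an indicator."""
    by_domain, by_ip = build_index(feed)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip rather than crash the batch
        host = urlsplit(parts[3]).hostname
        if not host:
            continue
        entry = lookup(host, by_domain, by_ip)
        if entry is not None:
            hits.append((parts[1], host, entry["description"]))
    return hits


def snort_dns_rule(domain, sid):
    """Build a Snort rule that alerts on a DNS query for the domain.  DNS
    encodes each label as a length byte followed by the label, so the content
    match is written with Snort's |hex| escapes around each label."""
    encoded = "".join("|%02x|%s" % (len(label), label)
                      for label in domain.split(".")) + "|00|"
    return ('alert udp $HOME_NET any -> any 53 (msg:"Feed domain lookup %s"; '
            'content:"%s"; nocase; sid:%d; rev:1;)' % (domain, encoded, sid))


def feed_to_rules(feed, base_sid=9000001):
    """One rule per feed domain.  base_sid is an invented local SID range."""
    return [snort_dns_rule(e["domain"], base_sid + i) for i, e in enumerate(feed)]


if __name__ == "__main__":
    for hit in match_log(PROXY_LOG, FEED):
        print("HIT", *hit)
    for rule in feed_to_rules(FEED):
        print(rule)
```

The label-boundary suffix walk is the detail worth keeping: a plain `endswith` check would also match `notupdate-check.example`, and that kind of false positive is what makes analysts stop trusting a feed. Regenerate the rules whenever the feed changes and keep the SIDs stable per domain so existing alert history stays attributable.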
  • 23. THE PRACTITIONER’S GUIDE
    Open Source Asset Discovery Tools
    • Nmap (http://nmap.org): The de-facto standard utility for network mapping. Use to scan the network on a periodic basis to create and update an inventory of assets.
    • PADS (http://passive.sourceforge.net): Passive Asset Detection System is a network sniffer that detects (infers) assets by monitoring traffic. Use to augment Nmap scans.
    • P0f (http://lcamtuf.coredump.cx/p0f3/): Passive OS fingerprinting tool. Use to identify and profile assets on your network (including those of attackers).
    • PRADS (http://gamelinux.github.io/prads): Passive Real-Time Asset Detection. Alternative to PADS: listens to the network and gathers information on hosts and services.
    Open Source Threat Detection Tools
    • Snort (http://www.snort.org): The world’s most popular network IDS/IPS. Provides signature, protocol, and anomaly-based inspection. Use to identify attacks.
    • Suricata (http://suricata-ids.org): “Next Generation” alternative (or not) to SNORT, funded by US DHS/DoD. Use to identify attacks and extract malware from network traffic.
    • Kismet (http://www.kismetwireless.net): An 802.11 layer 2 wireless IDS. Use to identify and monitor (legitimate and rogue) networks by passively monitoring traffic.
    • OSSEC (http://www.ossec.net): Host-based Intrusion Detection System. Use to perform log analysis, file integrity monitoring, policy monitoring and rootkit detection on endpoint assets.
  • 24. THE PRACTITIONER’S GUIDE
    Open Source Behavioral Monitoring Tools
    • Ntop (http://www.ntop.org): A Unix tool that shows network usage, similar to what the popular top Unix command does. Use to determine what processes and services are running.
    • Nfsen (http://nfsen.sourceforge.net): A web-based GUI for the nfdump netflow tools. Use to monitor netflows.
    • OpenFPC (http://www.openfpc.org): A set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Use to monitor network traffic & flows.
    • Nagios (http://www.nagios.org): Open source IT monitoring system. Use to monitor activity on servers.
    Open Source Vulnerability Assessment Tools
    • OpenVAS (http://openvas.org): Framework of services and tools for vulnerability scanning and vulnerability management. The open source fork of Nessus, which converted to closed source.
    • OVALdi (http://www.decalage.info/en/ovaldi): An open source reference implementation of a vulnerability scanner based on the OVAL definitions. Alternative to OpenVAS.
    Open Source Intelligence and Analytics Tools
    • OSSIM (http://www.alienvault.com/ossim): Unified security management & the world’s most popular SIEM. Use to combine the essential controls into a single unified system managed from a single pane of glass.
    • Logstash (http://logstash.net/): A tool for managing events and logs. Use to collect logs, parse them, and store them for later use or analysis.
  • 25. THE PRACTITIONER’S GUIDE
    Open Threat Intelligence Feeds & Threat Sharing Communities
    • MDL (http://www.malwaredomainlist.com): A continuously updated list of malware-related sites plus a discussion forum on new threats. Use to tune threat detection tools.
    • ETO (http://www.emergingthreats.net): A platform-independent (SNORT & Suricata) ruleset for tuning IDS. Use to make your IDS more effective at identifying threats.
    • OTX (http://www.alienvault.com/otx): The world’s largest collaborative threat sharing network. Use to share threat information in real time with others on the exchange. Several free risk-monitoring tools are also available.