2. The Environment
An e-Commerce company
Complex IT infrastructure
Increasing demand in security
By the management
By the business (compliance)
Security tools and procedures in place
(I hope ;-)
3. The Problem
How to improve the detection of suspicious activity?
How to reduce false positives?
Restricted and overloaded security team (if there is one!).
5. The Example
The e-Commerce company does business in Europe.
Implement security monitoring rules using
security convergence.
Example: detect sessions started from ... (*)
(*) Insert your favorite suspicious countries here.
No political engagement ;-)
6. OSSEC to the Rescue
OSSEC is “an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response”.
8. The Recipe
Configure OSSEC for your application log file (decoder and rule for the parser).
Create an “Active-Response” action that triggers when a denied access is detected.
The “Active-Response” script performs a geoIP lookup on the source IP address.
If the IP address belongs to another country, inject a new event into OSSEC.
OSSEC generates an alert based on this event.
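The recipe above, written out as an added example that is not code from the talk or from the OSSEC project. It is a hypothetical active-response script, geoip-check.py, that receives OSSEC's positional arguments (ACTION USER SRCIP ALERTID RULEID, the convention the stock host-deny.sh and firewall-drop.sh scripts rely on), classifies the source address, and appends a syslog-style event line to a file that OSSEC tails. The allowed-country set, the log path and the GeoIP table are assumptions: the table is a constructed stand-in built from RFC 5737 documentation ranges so the script runs offline; in production the lookup would go to a MaxMind database or the geoiplookup CLI. It also handles the cases the recipe does not mention: private addresses (no geoIP meaning), addresses missing from the database, and malformed input.

```python
#!/usr/bin/env python3
"""geoip-check.py: hypothetical OSSEC active-response script (added example).

OSSEC invokes active-response executables as:
    geoip-check.py ACTION USER SRCIP ALERTID RULEID
The script looks up the country of SRCIP and, when it is outside the countries
the business operates in, appends one line to EVENT_LOG. A decoder and rule
for that line (not shown here) turn it into the final OSSEC alert.
"""
import ipaddress
import sys
from datetime import datetime, timezone

# Assumption: the shop only does business in these countries (ISO 3166-1 alpha-2).
ALLOWED_COUNTRIES = frozenset({"BE", "DE", "FR", "LU", "NL"})

# Constructed stand-in for a GeoIP database, using RFC 5737 documentation ranges.
# Replace lookup_country() with a MaxMind GeoLite2 lookup or geoiplookup in production.
GEOIP_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "BE"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
]

# Ranges for which a geoIP lookup is meaningless (RFC 1918, loopback, link-local, ULA).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumption: declared in ossec.conf as a <localfile> with log_format syslog.
EVENT_LOG = "/var/ossec/logs/geoip-events.log"


def lookup_country(ip: str):
    """Return the ISO country code for ip, or None when the database has no match."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP_TABLE:
        if addr in net:
            return country
    return None


def classify(ip: str, allowed=ALLOWED_COUNTRIES):
    """Return (verdict, country): verdict is allowed, foreign, unknown, private or invalid.

    'unknown' (no GeoIP match) and 'invalid' (not an IP at all) are reported rather
    than swallowed: a silently failing lookup would hide exactly the traffic this
    check exists to surface.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid", None
    if any(addr in net for net in NON_ROUTABLE):
        return "private", None
    country = lookup_country(ip)
    if country is None:
        return "unknown", None
    if country in allowed:
        return "allowed", country
    return "foreign", country


def build_event(action, user, ip, rule_id, now=None):
    """Build the syslog-style line to inject, or None when nothing is worth raising."""
    if action != "add":  # OSSEC also calls scripts with 'delete' when a timeout expires
        return None
    verdict, country = classify(ip)
    if verdict in ("allowed", "private"):
        return None
    ts = (now or datetime.now(timezone.utc)).strftime("%b %d %H:%M:%S")
    return (f"{ts} localhost geoip-check: srcip={ip} country={country or '-'} "
            f"verdict={verdict} user={user} trigger_rule={rule_id}")


def main(argv=sys.argv):
    if len(argv) < 6:
        sys.stderr.write("usage: geoip-check.py ACTION USER SRCIP ALERTID RULEID\n")
        return 2
    action, user, ip, _alert_id, rule_id = argv[1:6]
    event = build_event(action, user, ip, rule_id)
    if event is not None:
        with open(EVENT_LOG, "a", encoding="utf-8") as fh:
            fh.write(event + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wiring it into OSSEC is three config pieces, all standard: a `<command>` block naming the executable with `<expect>srcip</expect>` (so OSSEC only fires it when the triggering alert carries a decoded source IP), an `<active-response>` block binding that command to the rule id of your denied-access rule with `<location>local</location>`, and a `<localfile>` entry for EVENT_LOG. A decoder with a `geoip-check: ` prematch that extracts `srcip=` into the srcip field, plus a rule matching `verdict=foreign` at whatever level you alert on, closes the loop. Injecting an event instead of alerting from the script is what makes the result composable: the new event can be correlated like any other (frequency rules, per-user grouping, level escalation) rather than being a one-off notification. The caveat a practitioner should keep in mind is that country-level geoIP data is approximate and the `unknown` verdict is where an out-of-date database shows up, so it should be watched rather than filtered out.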
9. The Results
Adds value to the collected events.
Increases visibility.
Reduces the number of alerts to process.
Better reaction time.
10. Interested?
This lightning talk idea came from a post on
my blog: http://blog.rootshell.be/
Contact: @Xme
More info? Maltego!
Thank You!