Nagios Conference 2013 - John Lowry - Using Nagios as a Security Monitoring Framework

•Télécharger en tant que ODP, PDF•

2 j'aime•1,244 vues

John Lowry's presentation on Using Nagios as a Security Monitoring Framework. The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna

Technologie Design

Using Nagios as a Security
Monitoring Framework
John Lowry
johnlowry@gmail.com

3
Frameworks > Out of the Box
OOTB is “one size fits all”

4
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure

5
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure
Frameworks require a lot more work upfront

6
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure
Frameworks require a lot more work upfront
Frameworks mean a steeper learning curve

7
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure
Frameworks require a lot more work upfront
Frameworks mean a steeper learning curve
Framework means it is infinitely configurable

8
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure
Frameworks require a lot more work upfront
Frameworks mean a steeper learning curve
Framework means it is infinitely configurable
Framework means it is as good as you want it
to be.

10
Why Nagios for security?
Alert framework is robust

11
Why Nagios for security?
Alert framework is robust
Escalations for duty rotation and making sure
SOMEONE gets the alert

12
Why Nagios for security?
Alert framework is robust
Escalations for duty rotation and making sure
SOMEONE gets the alert
It is built for anomaly detection.

13
Why Nagios for security?
Alert framework is robust
Escalations for duty rotation and making sure
SOMEONE gets the alert
It is built for anomaly detection. <--HUGE PART
OF SECURITY

14
Basic Strategies for Anomaly Detection

15
Anomaly Detection
Basic “Out of the box” Nagios is pretty good at
this

16
Anomaly Detection
Basic “Out of the box” Nagios is pretty good at
this
Tells you when a service or a host has
problems.

17
Anomaly Detection
Basic “Out of the box” Nagios is pretty good at
this
Tells you when a service or a host has
problems.
Security and sysadmins ask: Why is this HTTP
server throwing 500 messages? Why is this
SNMP trap getting generated?

18
Anomaly Detection
Basic “Out of the box” Nagios is pretty good at
this
Tells you when a service or a host has
problems.
Security and sysadmins ask: Why is this HTTP
server throwing 500 messages? Why is this
SNMP trap getting generated?
Nagios, when setup correctly, knows what is
“normal” and when something anomalous
happens you get an alert.

20
Noise versus Signal
Rabbits versus the Army
There is such a thing as too much information
False positives train one to ignore alerts

21
Triage every alert
If it is a valid alert, you are SUPPOSED to fix it.
Make a ticket, prioritize it, fix it, DO
SOMETHING, do not ignore it.

22
Regularly update your monitoring
If you are getting false positives, fix the check
Tune the frequency, do not be the source of the
problem
Active tuning, daily, weekly, monthly.

23
Integrating External Tools
AV
IDS/IPS, HIDS, FIC
Log monitoring
Host and service detection (nmap)
SNMP Traps
If you get email from a tool and it runs under
cron, consider using Nagios to manage it.

25
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event

26
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event
Status goes back to “NORMAL” on the next
host check.

27
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event
Status goes back to “NORMAL” on the next
host check.
So one alert, instead of multiple alerts.

28
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event
Status goes back to “NORMAL” on the next
host check.
So one alert, instead of multiple alerts.
Good for some forensics, not so good if
someone misses it.

29
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event
Status goes back to “NORMAL” on the next
host check.
So one alert, instead of multiple alerts.
Good for some forensics, not so good if
someone misses it.
But this happens anyway.

31
Example
Workstation Incident Response

32
Example
Workstation Incident Response
Palo Alto or ePO detects some activity, sends a
SNMP trap to NSTI

33
Example
Workstation Incident Response
Palo Alto or ePO detects some activity, sends a
SNMP trap to NSTI
Nagios then uses an event handler to grab 24
hours of pcap data. Use Bro to look for
interesting traffic, file a ticket, with attached files

34
Example
Workstation Incident Response
Palo Alto or ePO detects some activity, sends a
SNMP trap to NSTI
Nagios then uses an event handler to grab 24
hours of pcap data. Use Bro to look for
interesting traffic, file a ticket, with attached files
All while I am getting coffee

Contenu connexe

Plus de Nagios

Janice Singh - Writing Custom Nagios Plugins

Nagios

Dave Williams - Nagios Log Server - Practical Experience

Nagios

Mike Weber - Nagios and Group Deployment of Service Checks

Nagios

Mike Guthrie - Revamping Your 10 Year Old Nagios Installation

Nagios

Bryan Heden - Agile Networks - Using Nagios XI as the platform for Monitoring...

Nagios

Matt Bruzek - Monitor Public Cloud Use Nagios to monitor your public cloud. - No debian installer for Nagios 4? No problem! Deploy your public cloud with Juju and you can connect Nagios core services to your Ubuntu instances in the cloud. In this session, Matt will quickly go over the basic concepts of Juju and spend the rest of the time walking through examples of deploying Nagios monitoring solutions

Matt Bruzek - Monitoring Your Public Cloud With Nagios

Nagios

Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.

Nagios

Eric Loyd - Fractal Nagios

Nagios

Marcelo Perazolo, Lead Software Architect, IBM Corporation - Monitoring a Pow...

Nagios

Thomas Schmainda - Tracking Boeing Satellites With Nagios - Nagios World Conf...

Nagios

Nagios World Conference 2015 - Scott Wilkerson Opening

Nagios

NRPE - Nagios Remote Plugin Executor - NRPE enables users to remotely execute Nagios plugins on any Linux/Unix machine, allowing remote metrics monitoring. In addition, users can communicate with Windows agent add-ons, which executes scripts and metrics checks on remote Windows machines. ============ Version: 2.14, 2.15 Source: nrpe-2.1[4|5].tar.gz Platform: Centos 6.5 x64 (Nagios client) Compile1: ./configure --enable-ssl --with-nrpe-user=nagios --with-nrpe-group=nagios --with-nagios-user=nagios --with-nagios-group=nagios --libexecdir=/opt/nagios/libexec/ --bindir=/opt/nagios/bin/ --prefix=/opt/nagios Compile2: ./configure --enable-ssl --with-nrpe-user=nagios --with-nrpe-group=nagios --with-nagios-user=nagios --with-nagios-group=nagios --libexecdir=/opt/nagios/libexec/ --bindir=/opt/nagios/bin/ --prefix=/opt/nagios --with-cacert-file --with-privatekey-file

Nrpe - Nagios Remote Plugin Executor. NRPE plugin for Nagios Core

Nagios

Nagios Log Server greatly simplifies the process of searching your log data. Set up alerts to notify you when potential threats arise, or simply filter your data to quickly audit your system. With Log Server, you get all of your data in one location, with high availability and fail-over built right in. Quickly monitor your servers with configuration wizards and start monitoring your logs in minutes. Learn more here: https://www.nagios.com/products/nagios-log-server/ Free download (60 day trial): https://www.nagios.com/downloads/nagios-log-server/

Nagios Log Server - Features

Nagios

Nagios Network Analyzer - Features

Nagios

Nagios Conference 2014 - Dorance Martinez Cortes - Customizing Nagios

Nagios

Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options

Nagios

Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core

Nagios

Nagios Conference 2014 - Trevor McDonald - Monitoring The Physical World With...

Nagios

Nagios Conference 2014 - Andy Brist - Nagios XI Failover and HA Solutions

Nagios

Nagios Conference 2014 - Shamas Demoret - An Overview of Nagios Solutions

Nagios

Plus de Nagios (20)

Janice Singh - Writing Custom Nagios Plugins

Dave Williams - Nagios Log Server - Practical Experience

Mike Weber - Nagios and Group Deployment of Service Checks

Mike Guthrie - Revamping Your 10 Year Old Nagios Installation

Bryan Heden - Agile Networks - Using Nagios XI as the platform for Monitoring...

Matt Bruzek - Monitoring Your Public Cloud With Nagios

Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.

Eric Loyd - Fractal Nagios

Marcelo Perazolo, Lead Software Architect, IBM Corporation - Monitoring a Pow...

Thomas Schmainda - Tracking Boeing Satellites With Nagios - Nagios World Conf...

Nagios World Conference 2015 - Scott Wilkerson Opening

Nrpe - Nagios Remote Plugin Executor. NRPE plugin for Nagios Core

Nagios Log Server - Features

Nagios Network Analyzer - Features

Nagios Conference 2014 - Dorance Martinez Cortes - Customizing Nagios

Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options

Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core

Nagios Conference 2014 - Trevor McDonald - Monitoring The Physical World With...

Nagios Conference 2014 - Andy Brist - Nagios XI Failover and HA Solutions

Nagios Conference 2014 - Shamas Demoret - An Overview of Nagios Solutions

Dernier

Ever caught yourself nodding along when someone mentions "delivering value" in Agile, but secretly wondering what the heck they actually mean? You're not alone! Join us for an eye-opening session where we'll strip away the buzzwords and dive into the heart of Agile—value delivery. But what is "value"? Is it a mythical unicorn in the world of software development, or is there more to this overused term? This isn't going to be a sit-and-get lecture. We're talking about a face-to-face, interactive meetup where YOU play a crucial role. Come along to: Define It: What does "value" really mean? We’ll build a definition that’s not just words, but a compass for your Agile journey. Contextualise It: Discover what value means specifically to you, your team, your company, and your industry. Because one size does not fit all. Deliver It: Share strategies and gather new ones for uncovering and delivering true value—no more shooting in the dark!

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

David Michel

WSO2CONMay2024OpenSourceConferenceDebrief.pptx

Jennifer Lim

Extensible Python: Robustness through Addition - PyCon 2024

Patrick Viafore

Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf

FIDO Alliance

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “Enterprise Knowledge Graphs: The Importance of Semantics” on May 9, 2024, at the annual Data Summit in Boston. In her presentation, Hedden describes the components of an enterprise knowledge graph and provides further insight into the semantic layer – or knowledge model – component, which includes an ontology and controlled vocabularies, such as taxonomies, for controlled metadata. While data experts tend to focus on the graph database components (RDF triple store or a label property graph), Hedden emphasizes they should not overlook the importance of the semantic layer.

Enterprise Knowledge Graphs - Data Summit 2024

Enterprise Knowledge

Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...

FIDO Alliance

Designing inclusive products is not only a social responsibility but also a business imperative. This talk delves into the journey of creating accessible hardware products that cater to diverse user needs. Key Topics Covered: 1. Introduction to Inclusive Design - Importance of accessibility in product design - Overview of Comcast's commitment to making products accessible to a wide audience 2. Case Study: Xfinity Large Button Voice Remote - Initial challenges and the evolution of the product - User research and feedback that shaped the design - Key features of the final product and their benefits 3. Designing for Diverse Needs - Understanding human-centered design and its historical context - The impact of designing for people with disabilities on overall product quality - Examples from other industries, such as architecture and industrial design 4. Integrating Accessibility from the Beginning - The cost and efficiency benefits of designing for accessibility from the start - The process of embedding accessibility as a core trait rather than an optional feature 5. Real-World Impact and Continuous Improvement - Insights from in-home studies with users having assistive needs - How continuous feedback and iterative design lead to better products - The role of inclusive research and development practices

Designing for Hardware Accessibility at Comcast

UXDXConf

Where to Learn More About FDO _ Richard at FIDO Alliance.pdf

FIDO Alliance

The presentation underscores the strategic advantage of treating design systems not just as technical assets but as vital business components that require thoughtful management, robust planning, and strategic alignment with organizational goals. Key Points Covered: - Understanding Design Systems as Business Entities: Conceptualizing design systems as internal business entities can streamline their integration and evolution within a company. - Adoption and Expansion: Elaborating on the importance of tactical adoption across organizational structures, enhancing product suites to cater to user needs and broadening scope to mobile and content authoring solutions. - Data-Driven Development: Utilizing data insights for component development ensures that resources are allocated to create valuable, widely used features. - Financial Modeling for Design Systems: Developing sustainable funding models is crucial for long-term support and success of design systems. - Promoting Internal Buy-In: Stressing on strategies for promoting design systems within the organization to increase engagement and investment from internal stakeholders.

A Business-Centric Approach to Design System Strategy

UXDXConf

Webinar Recording: https://www.panagenda.com/webinars/easier-faster-and-more-powerful-notes-document-properties-reimagined/ Have you ever felt frustrated by the small properties dialog in Notes? Had to create an agent or button to quickly change a field? Searched endlessly for the field you wanted to compare each time you selected a new document? Wished you could just make the damned thing bigger? Luckily, there is a solution – and you probably already have it installed! With the free panagenda Document Properties (Pro) you get the properties dialog you always needed. Big, resizable, full-text searchable. View multiple documents at once or compare them with a diff viewer. Modify any field, and finally have an easy way to handle profile documents for all users. Join HCL Lifetime Ambassador Julian Robichaux to discover how Document Properties can simplify your work and assist you daily when using Domino applications – in the client or the designer. You will never look back! Key takeaways from this session - What Document Properties is, which editions there are, and how you can find it in Notes and Domino Designer - How you can search for and edit any field, compare documents, or CSV export all data - How to find, edit, and even delete profile documents - Which configuration settings are available to customize feature

Easier, Faster, and More Powerful – Notes Document Properties Reimagined

panagenda

What's New in Teams Calling, Meetings and Devices April 2024

Stephanie Beckett

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...

FIDO Alliance

Explore the core of Salesforce success in 'Salesforce Adoption – Metrics, Methods, and Motivation.' We will discuss essential metrics, effective methods to drive adoption, and the driving force behind user engagement and explore strategies for onboarding, training, and continuous support that empower users to navigate the platform seamlessly. By leveraging these tools, you can effectively measure adoption against your company’s goals and create an environment where users not only adopt Salesforce but actively contribute to its ongoing success.

Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom

CzechDreamin

Using IESVE for Room Loads Analysis - UK & Ireland

IES VE

WebAssembly is Key to Better LLM Performance

Samy Fodil

Screen flow is a powerful automation tool that is commonly designed for internal and external users. However, what about the guest users? We will dive into various methods of launching screen flows and understand how to make them publicly accessible, extending their usability to a broader audience. The presentation will also cover the implementation of security layers and highlight best practices for a smooth and protected user experience. Discover the potential of screen flows beyond conventional use and learn how to leverage them effectively.

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

CzechDreamin

We're living the AI revolution and Salesforce is adapting and bring new value to their customers. Einstein products are evolving rapidly and navigating their limitations, language support, and use cases can be challenging. Let's make review of what Einstein product are available currently, what are the capabilities and what can be used for in CEE region and how Rossie.ai can help to learn Salesforce speak Czech. We will explore the Einstein roadmap and I will make a short live demo (based on your vote) of some Einstein feature.

AI revolution and Salesforce, Jiří Karpíšek

CzechDreamin

Intrigued by why some of the world's largest companies (Netflix, Google, Cisco, Twitter, Uber etc) are using gRPC? In this demo based talk we delve into the world of gRPC in .Net, what it does and why we should use it. We compare the interface with both Rest and graphQL. We will show you how to implement grpc server-side in .net and in the web. Finally, I will show you how the tooling helps you deliver powerful interfaces and interact with them quickly and simply.

Demystifying gRPC in .Net by John Staveley

John Staveley

PLAI - Acceleration Program for Generative A.I. Startups

Stefano

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf

FIDO Alliance

Dernier (20)

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

WSO2CONMay2024OpenSourceConferenceDebrief.pptx

Extensible Python: Robustness through Addition - PyCon 2024

Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf

Enterprise Knowledge Graphs - Data Summit 2024

Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...

Designing for Hardware Accessibility at Comcast

Where to Learn More About FDO _ Richard at FIDO Alliance.pdf

A Business-Centric Approach to Design System Strategy

Easier, Faster, and More Powerful – Notes Document Properties Reimagined

What's New in Teams Calling, Meetings and Devices April 2024

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...

Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom

Using IESVE for Room Loads Analysis - UK & Ireland

WebAssembly is Key to Better LLM Performance

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

AI revolution and Salesforce, Jiří Karpíšek

Demystifying gRPC in .Net by John Staveley

PLAI - Acceleration Program for Generative A.I. Startups

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf

Nagios Conference 2013 - John Lowry - Using Nagios as a Security Monitoring Framework

1. Using Nagios as a Security Monitoring Framework John Lowry johnlowry@gmail.com

2. 2 Frameworks > Out of the Box

3. 3 Frameworks > Out of the Box OOTB is “one size fits all”

4. 4 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure

5. 5 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure Frameworks require a lot more work upfront

6. 6 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure Frameworks require a lot more work upfront Frameworks mean a steeper learning curve

7. 7 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure Frameworks require a lot more work upfront Frameworks mean a steeper learning curve Framework means it is infinitely configurable

8. 8 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure Frameworks require a lot more work upfront Frameworks mean a steeper learning curve Framework means it is infinitely configurable Framework means it is as good as you want it to be.

9. 9 Why Nagios for security?

10. 10 Why Nagios for security? Alert framework is robust

11. 11 Why Nagios for security? Alert framework is robust Escalations for duty rotation and making sure SOMEONE gets the alert

12. 12 Why Nagios for security? Alert framework is robust Escalations for duty rotation and making sure SOMEONE gets the alert It is built for anomaly detection.

13. 13 Why Nagios for security? Alert framework is robust Escalations for duty rotation and making sure SOMEONE gets the alert It is built for anomaly detection. <--HUGE PART OF SECURITY

14. 14 Basic Strategies for Anomaly Detection

15. 15 Anomaly Detection Basic “Out of the box” Nagios is pretty good at this

16. 16 Anomaly Detection Basic “Out of the box” Nagios is pretty good at this Tells you when a service or a host has problems.

17. 17 Anomaly Detection Basic “Out of the box” Nagios is pretty good at this Tells you when a service or a host has problems. Security and sysadmins ask: Why is this HTTP server throwing 500 messages? Why is this SNMP trap getting generated?

18. 18 Anomaly Detection Basic “Out of the box” Nagios is pretty good at this Tells you when a service or a host has problems. Security and sysadmins ask: Why is this HTTP server throwing 500 messages? Why is this SNMP trap getting generated? Nagios, when setup correctly, knows what is “normal” and when something anomalous happens you get an alert.

19. 20 Noise versus Signal Rabbits versus the Army There is such a thing as too much information False positives train one to ignore alerts

20. 21 Triage every alert If it is a valid alert, you are SUPPOSED to fix it. Make a ticket, prioritize it, fix it, DO SOMETHING, do not ignore it.

21. 22 Regularly update your monitoring If you are getting false positives, fix the check Tune the frequency, do not be the source of the problem Active tuning, daily, weekly, monthly.

22. 23 Integrating External Tools AV IDS/IPS, HIDS, FIC Log monitoring Host and service detection (nmap) SNMP Traps If you get email from a tool and it runs under cron, consider using Nagios to manage it.

23. 24 Passive check strategies

24. 25 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event

25. 26 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event Status goes back to “NORMAL” on the next host check.

26. 27 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event Status goes back to “NORMAL” on the next host check. So one alert, instead of multiple alerts.

27. 28 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event Status goes back to “NORMAL” on the next host check. So one alert, instead of multiple alerts. Good for some forensics, not so good if someone misses it.

28. 29 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event Status goes back to “NORMAL” on the next host check. So one alert, instead of multiple alerts. Good for some forensics, not so good if someone misses it. But this happens anyway.

29. 30 Some Automation

30. 31 Example Workstation Incident Response

31. 32 Example Workstation Incident Response Palo Alto or ePO detects some activity, sends a SNMP trap to NSTI

32. 33 Example Workstation Incident Response Palo Alto or ePO detects some activity, sends a SNMP trap to NSTI Nagios then uses an event handler to grab 24 hours of pcap data. Use Bro to look for interesting traffic, file a ticket, with attached files

33. 34 Example Workstation Incident Response Palo Alto or ePO detects some activity, sends a SNMP trap to NSTI Nagios then uses an event handler to grab 24 hours of pcap data. Use Bro to look for interesting traffic, file a ticket, with attached files All while I am getting coffee

34. 35 FIN Questions?

Nagios Conference 2013 - John Lowry - Using Nagios as a Security Monitoring Framework

Recommandé

Recommandé

Contenu connexe

Plus de Nagios

Plus de Nagios (20)

Dernier

Dernier (20)

Nagios Conference 2013 - John Lowry - Using Nagios as a Security Monitoring Framework