Advanced OSSEC Training: Integration Strategies for Open Source Security

ADVANCED OSSEC TRAINING: INTEGRATION STRATEGIES FOR OPEN SOURCE SECURITY

Santiago Bassett, Director Professional Services, @santiagobassett

Description

During this technical one-hour session, Santiago Gonzalez, an OSSEC core team member (system integration, rules & SIEM) and AlienVault Director of Professional Services, will demonstrate how to integrate OSSEC with other third-party applications for greater security visibility and response. To learn more, check out the video: https://www.alienvault.com/resource-center/webcasts/advanced-ossec-training-integration-strategies-for-open-source-security

Transcript of Advanced OSSEC Training: Integration Strategies for Open Source Security

Page 1: Advanced OSSEC Training: Integration Strategies for Open Source Security

ADVANCED OSSEC TRAINING: INTEGRATION STRATEGIES FOR OPEN SOURCE SECURITY

Santiago Bassett, Director Professional Services

@santiagobassett

Page 2

AGENDA

Presentation contents (20 minutes)

Learning the basics

• OSSEC capabilities

• AlienVault capabilities

OSSEC and AlienVault integration

• Integration components

• OSSEC Collector anatomy

• OSSEC Correlation rules

• AlienVault Cross-correlation

• Management interface

Demo – See it in action (20 minutes)

Deploying OSSEC agents

• Automatic deployment for Windows

• Manual deployment for Linux

Agentless monitoring

Managing OSSEC

• Monitoring/Configuring agents

• Editing rules

Correlating OSSEC events (Brute-force)

OSSEC reports

Page 3

ABOUT ME

Developer, security engineer, researcher and consultant.

Member of AlienVault and OSSEC core teams.

Director of Professional Services at AlienVault.

Born in Spain and relocated to Silicon Valley in 2010. Excuse my accent.

Page 4

LEARNING THE BASICS…

OSSEC and AlienVault USM

Page 5

OSSEC CAPABILITIES

Log analysis based intrusion detection

File integrity checking

Registry keys integrity checking (Windows)

Signature based malware/rootkits detection

Real time alerting and active response

Page 6

OSSEC ARCHITECTURE

Agent components:

Logcollectord: Reads logs (syslog, WMI, flat files)

Syscheckd: File integrity checking

Rootcheckd: Malware and rootkit detection

Agentd: Forwards data to the server

Server components:

Remoted: Receives data from agents

Analysisd: Processes data (main process)

Monitord: Monitors agents

Page 7

ALIENVAULT USM CAPABILITIES

Provides threat detection capabilities

Monitors network assets

Centralizes Information and Management

Evaluates threat reliability and risk

Collaboratively learns about APT

Page 8

ALIENVAULT USM ARCHITECTURE

Embedded tools:

Asset discovery: Nmap, Prads

Behavioral monitoring: Netflow, Ntop, Nagios

Threat detection: Snort, Suricata, OSSEC

Vulnerability assessment: OpenVAS

External collectors:

Syslog, FTP, SCP, NFS

Samba, SNMP, WMI, LEA

SDEE, SQL, Unix Socket

Page 9

OSSEC INTEGRATION

OSSEC and AlienVault USM

Page 10

INTEGRATION COMPONENTS

Page 11

OSSEC COLLECTOR ANATOMY

Page 12

OSSEC CORRELATION RULES

Common web attack detected

XSS (Cross Site Scripting) attempt

SQL injection attempt detected

Windows authentication failure attempts

MySQL authentication attempt failed detected

PostgreSQL authentication attempt failed detected

SonicWall authentication attempt failed detected

Remote access authentication attempt failed detected

SSH service authentication attempts failed detected

Multiple authentication attempt failed detected

Login authentication failed detected

Page 13

OSSEC ALERTS RISK ASSESSMENT

AlienVault USM automatically calculates risk based on OSSEC alert priority, reliability and the assets involved.
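The two slides above (the correlation rules such as "Multiple authentication attempt failed detected", and the risk assessment derived from priority, reliability and asset value) describe behaviour without showing it. The following added example is not code from the deck or from the OSSEC/AlienVault projects: it emulates the semantics of an OSSEC composite rule (if_matched_sid + frequency + timeframe + same_source_ip) over constructed events, then scores the resulting alert with the OSSIM risk formula risk = asset value × priority × reliability / 25, which comes from OSSIM documentation rather than from these slides. Rule id 5716 is OSSEC's stock "SSHD authentication failed" rule; the composite rule id 100100, the thresholds, and the score inputs are assumptions for illustration.

```python
"""Added example: OSSEC-style brute-force correlation plus OSSIM-style risk scoring.

Not code from the presentation or from OSSEC/AlienVault. It mirrors the shape of an
OSSEC composite rule and the documented OSSIM risk formula on constructed input.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed values)
    rule_id: int   # OSSEC rule id that matched the log line
    src_ip: str
    level: int     # OSSEC rule level (0-15)


@dataclass(frozen=True)
class CompositeAlert:
    ts: int
    rule_id: int
    src_ip: str
    level: int
    count: int     # base events that contributed to this alert


# Constructed sample: seven SSH failures from 10.0.0.5 spaced 12 s apart,
# two sporadic failures from 10.0.0.9 (470 s apart), and one unrelated event.
# 5716 is OSSEC's stock "SSHD authentication failed" rule id.
SAMPLE_EVENTS = [Event(1000 + 12 * i, 5716, "10.0.0.5", 5) for i in range(7)] + [
    Event(1030, 5716, "10.0.0.9", 5),
    Event(1500, 5716, "10.0.0.9", 5),
    Event(1100, 5715, "10.0.0.5", 3),   # successful login, must not count
]


def correlate(events, *, if_matched_sid, frequency, timeframe, new_rule_id, level):
    """Emulate an OSSEC composite rule: raise `new_rule_id` once `frequency`
    events matching `if_matched_sid` arrive from the same source IP within
    `timeframe` seconds (same_source_ip semantics: one sliding window per IP).

    The window is reset after each fire so one alert is raised per burst; that
    is a design choice of this example, not a claim about analysisd internals.
    """
    windows = defaultdict(deque)   # src_ip -> timestamps of recent base matches
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.rule_id != if_matched_sid:
            continue
        win = windows[ev.src_ip]
        win.append(ev.ts)
        # Expire base matches that fell out of the timeframe.
        while win and ev.ts - win[0] > timeframe:
            win.popleft()
        if len(win) >= frequency:
            alerts.append(CompositeAlert(ev.ts, new_rule_id, ev.src_ip, level, len(win)))
            win.clear()
    return alerts


def ossim_risk(asset_value, priority, reliability):
    """OSSIM risk formula: asset_value (0-5) * priority (0-5) * reliability (0-10) / 25.

    The formula is from OSSIM documentation, not from this deck. The result is
    truncated to an integer in the 0-10 range here (an assumption of this example).
    """
    bounds = (("asset_value", asset_value, 5), ("priority", priority, 5),
              ("reliability", reliability, 10))
    for name, value, upper in bounds:
        if not 0 <= value <= upper:
            raise ValueError(f"{name} out of range 0-{upper}: {value}")
    return min(10, int(asset_value * priority * reliability / 25))


def run_demo():
    """Correlate the constructed events and score each composite alert.

    Thresholds (6 failures in 120 s) and the asset/priority/reliability inputs
    are assumptions chosen for illustration.
    """
    alerts = correlate(SAMPLE_EVENTS, if_matched_sid=5716, frequency=6,
                       timeframe=120, new_rule_id=100100, level=10)
    scored = [(a, ossim_risk(asset_value=4, priority=4, reliability=6)) for a in alerts]
    return scored


if __name__ == "__main__":
    for alert, risk in run_demo():
        print(f"{alert.src_ip}: rule {alert.rule_id} level {alert.level} "
              f"after {alert.count} failures at t={alert.ts}, risk={risk}")
```

With these inputs only 10.0.0.5 crosses the threshold (six failures within 60 seconds), while 10.0.0.9's two failures are 470 seconds apart and expire from the window, which is exactly the distinction a frequency/timeframe rule is meant to make before USM weights the alert by asset value.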

Page 14

ALIENVAULT CROSS-CORRELATION

AlienVault USM correlates events from multiple sources, crossing OSSEC alerts with information collected from embedded detectors and external sources.

Page 15

OSSEC MANAGEMENT INTERFACE

AlienVault USM provides a comprehensive GUI for OSSEC alerts management:

• Status monitor

• Events viewer

• Agents control manager

• Configuration manager

• Rules viewer/editor

• Logs viewer

• Server control manager

• Deployment manager

• PDF/HTML reports

Page 16

LET’S SEE IT IN ACTION!

OSSEC and AlienVault USM

Page 17

NOW FOR SOME Q&A…

Three Ways to Test Drive AlienVault

Download a Free 30-Day Trial

http://www.alienvault.com/free-trial

Try our Interactive Demo Site

http://www.alienvault.com/live-demo-site

Join our weekly LIVE Demo

http://www.alienvault.com/marketing/alienvault-usm-live-demo