BruCON 2010 Lightning Talk
Transcript of BruCON 2010 Lightning Talk
Detecting Fraudulent Activity Using OSSEC...
... A Recipe!
BruCON / Sep 2010
The Environment
• An e-Commerce company
• Complex IT infrastructure
• Increasing demand in security
  • By the management
  • By the business (compliance)
• Security tools and procedures in place (I hope ;-)
The Problem
• How to improve the detection of suspicious activity?
• How to reduce false positives?
• Restricted and overloaded security team (if there is one!)
Security Convergence!
• Logical Security
  • Passwords
  • IP access lists
• Physical Security
  • Access badges
  • GeoIP
• Let's mix them!
The Example
• The eCommerce company makes business in Europe.
• Implement security monitoring rules using security convergence.
• Example: detect sessions started from ... (*)
(*) Insert your favorite suspicious countries here. No political engagement ;-)
OSSEC to the Rescue
• OSSEC is "an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response".
The Ingredients
Application Log -> OSSEC Parser -> Active-Response -> OSSEC Parser -> Fraud Alert!
The Recipe
• Configure OSSEC for your application log file (parser)
• Create an "Active-Response" action to trigger when a denied access is detected
• The "Active-Response" script will perform a GeoIP lookup using the source IP address
• If the IP address belongs to another country, inject a new event into OSSEC
• OSSEC generates an alert based on this event.
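The recipe above, worked through as a small Python sketch. This is an added example, not code from the talk or from the OSSEC project. It assumes: a constructed application log format ("access denied for user=... src=..."), a constructed in-memory GeoIP table built from RFC 5737 documentation ranges standing in for a real GeoIP database, a short list of "expected" European country codes standing in for wherever the company does business, the argument order OSSEC uses for its bundled active-response scripts (action, user, source IP, ...), and a list as the event sink in place of the log file OSSEC would monitor in production.

```python
"""Sketch of the GeoIP "Active-Response" step described in the talk.

Flow: application log line -> parser -> active-response (GeoIP lookup)
      -> synthetic event handed back to OSSEC -> alert.
"""
import ipaddress
import re
from typing import Optional

# Assumption: the talk only says "Europe"; this short list is a stand-in
# for the countries the e-commerce company really serves.
EXPECTED_COUNTRIES = {"BE", "NL", "FR", "DE", "LU"}

# Constructed stand-in for a real GeoIP database: RFC 5737 documentation
# ranges with made-up country codes, so the example runs offline.
GEOIP_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "BE"),
    (ipaddress.ip_network("198.51.100.0/24"), "FR"),
    (ipaddress.ip_network("203.0.113.0/24"), "XX"),  # "somewhere else"
]

# Constructed application log format; a real deployment would match
# whatever the OSSEC decoder for that application extracts.
DENIED_RE = re.compile(
    r"access denied for user=(?P<user>\S+) src=(?P<srcip>\d+\.\d+\.\d+\.\d+)"
)


def parse_denied_access(line: str) -> Optional[dict]:
    """Return {'user', 'srcip'} for a denied-access line, else None."""
    m = DENIED_RE.search(line)
    return m.groupdict() if m else None


def lookup_country(srcip: str) -> Optional[str]:
    """Map a source IP to a country code using the stand-in GeoIP table."""
    addr = ipaddress.ip_address(srcip)
    for net, country in GEOIP_TABLE:
        if addr in net:
            return country
    return None  # private, unrouted, or simply not in the database


def active_response(action: str, user: str, srcip: str) -> Optional[str]:
    """Body of the Active-Response script.

    OSSEC invokes its bundled active-response scripts with
    (action, user, source IP, alert id, rule id, ...); only the first three
    are needed here. Returns the event line to inject into OSSEC, or None
    when the denied access came from an expected country (no new alert).
    """
    if action != "add":  # "delete" is the timeout/undo call: nothing to do
        return None
    country = lookup_country(srcip)
    if country in EXPECTED_COUNTRIES:
        return None
    # Fixed prefix so a dedicated OSSEC decoder/rule can match this event.
    return (f"ossec-geoip: denied access from outside expected countries "
            f"user={user} srcip={srcip} country={country or 'unknown'}")


def inject_event(event: str, sink: list) -> None:
    """Hand the event back to OSSEC.

    In production this would append the line to a log file OSSEC monitors
    (deployment-specific path); here `sink` is a plain list so the whole
    flow can be exercised offline.
    """
    sink.append(event)


def run_pipeline(log_lines, sink: list) -> int:
    """Parser -> Active-Response -> injected event for a batch of lines.

    Returns the number of fraud events produced, i.e. how many of the
    denied accesses survive the GeoIP filter and become alerts.
    """
    produced = 0
    for line in log_lines:
        rec = parse_denied_access(line)
        if rec is None:
            continue
        event = active_response("add", rec["user"], rec["srcip"])
        if event:
            inject_event(event, sink)
            produced += 1
    return produced


# Constructed sample log: three denied accesses, only one from "elsewhere".
SAMPLE_LOG = [
    "2010-09-24 10:15:02 shop[4242]: access denied for user=jdoe src=192.0.2.17",
    "2010-09-24 10:15:09 shop[4242]: login ok user=asmith src=198.51.100.8",
    "2010-09-24 10:16:41 shop[4242]: access denied for user=asmith src=198.51.100.8",
    "2010-09-24 10:17:03 shop[4242]: access denied for user=admin src=203.0.113.45",
]

if __name__ == "__main__":
    events = []
    count = run_pipeline(SAMPLE_LOG, events)
    print(f"{count} fraud event(s) injected out of 3 denied accesses")
    for e in events:
        print(e)
```

The point the sketch makes is the one on the "Results" slide: the parser sees three denied accesses, but only the one whose source IP geolocates outside the expected countries is fed back into OSSEC, so the analyst gets one enriched alert instead of three raw ones. The injected line needs its own OSSEC decoder and rule (matching the "ossec-geoip:" prefix) for the final alert to fire; that XML is not shown here.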
The Results
• Adds value to the collected events.
• Increases visibility.
• Reduces the amount of alerts to process.
• Better reaction time.
Interested?
• This lightning talk idea came from a post on my blog: http://blog.rootshell.be/
• Contact: @Xme
• More info? Maltego!
Thank You!