mcgyver's siem -- building the best free hud
DESCRIPTION
My Blackhat Webcast of October 21st 2010; the webcast is available on http://www.blackhat.com/html/webcast/webcast-home.html
TRANSCRIPT
![Page 1: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/1.jpg)
McGyver’s SIEM
Building the best free HUD
Wim Remes
Thursday 21 October 2010
![Page 2: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/2.jpg)
What we won’t need today ...
![Page 3: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/3.jpg)
The views and opinions expressed in this presentation are those of the presenter and do not reflect those of past, current or future employers, associates or clients.
![Page 4: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/4.jpg)
FOSS will never ever provide you with a complete SIEM solution. Implementing SIEM is hard work and requires dedication and vision. The premise of this talk is to enable you to build the skillset required to implement a SIEM solution, and to understand your own needs, using free and open source software. With that skillset you will then be able to make an informed choice, lower the actual implementation cost and improve ROI.
More importantly, it will teach your technical people how to interpret data, build use cases and apply a common-sensical methodology. Instead of making them button-clicking drones (again), here’s your chance to make your people the strongest link, not the weakest.
![Page 5: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/5.jpg)
Who am I ?
Wim Remes
Ernst & Young (Belgium)
infosecmentors.com
eurotrashsecurity.eu
![Page 6: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/6.jpg)
What is this about ?
1. What is SIEM ?
2. A common-sensical approach.
3. Let’s get it on !
4. Ask away ...
![Page 7: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/7.jpg)
1. What is SIEM ? (Definition)
![Page 8: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/8.jpg)
Security Information & Event Management
Software/Hardware that gathers, analyzes and presents information from multiple sources of security-relevant data. (thanks to wikipedia)
![Page 9: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/9.jpg)
Security Information & Event Management
SIEM
SEM / SIM / ESIM
Log Management
(+ everything your vendor wants it or its name to be)
![Page 10: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/10.jpg)
DATA INFORMATION
![Page 11: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/11.jpg)
Information
Knowledge
Understanding
Wisdom
![Page 12: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/12.jpg)
1. What is SIEM ? (Functionality we want)
![Page 13: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/13.jpg)
Collection
syslog
scp
ftp
![Page 14: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/14.jpg)
Normalization
FW_1 : I dropped a packet from x to z on port 80 at 13:22
FW_2 : rejected x:1234 to z:22 at 1:23pm
time : 13:22 / action : dropped / source : x / destination : z / port : 80
time : 13:23 / action : dropped / source : x / destination : z / port : 22
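The two raw lines above carry the same facts in two vendor vocabularies; this added Python example (not from the talk) parses each with a source-specific regex into the common schema the slide shows, converting the 12-hour time and folding the vendor action words onto one name. The action mapping and the extra reporter field are assumptions I added.

```python
import re
from datetime import time

# Raw lines from two firewalls, exactly as on the slide.
FW_1 = "I dropped a packet from x to z on port 80 at 13:22"
FW_2 = "rejected x:1234 to z:22 at 1:23pm"

# One parser per source; every parser feeds the same named groups.
PARSERS = {
    "FW_1": re.compile(r"^I (?P<action>\w+) a packet from (?P<src>\S+) to (?P<dst>\S+)"
                       r" on port (?P<port>\d+) at (?P<time>\d{1,2}:\d{2})$"),
    "FW_2": re.compile(r"^(?P<action>\w+) (?P<src>[^:\s]+):\d+ to (?P<dst>[^:\s]+):"
                       r"(?P<port>\d+) at (?P<time>\d{1,2}:\d{2}(?:am|pm)?)$"),
}
# Vendor vocabulary folded onto one set of action names (assumed mapping).
ACTIONS = {"dropped": "dropped", "rejected": "dropped", "denied": "dropped",
           "accepted": "allowed", "allowed": "allowed"}

def normalize_time(text):
    """'13:22' -> 13:22, '1:23pm' -> 13:23, '12:05am' -> 00:05 (24h clock)."""
    m = re.fullmatch(r"(\d{1,2}):(\d{2})(am|pm)?", text)
    hour, minute, suffix = int(m.group(1)), int(m.group(2)), m.group(3)
    if suffix == "pm" and hour != 12:
        hour += 12
    elif suffix == "am" and hour == 12:
        hour = 0
    return time(hour, minute)

def normalize(source, line):
    """Parse one raw line into the common schema. Returns None when the line
    does not fit the source's format; count those, a silent drop hides data."""
    m = PARSERS[source].match(line)
    if not m:
        return None
    f = m.groupdict()
    return {"time": normalize_time(f["time"]).strftime("%H:%M"),
            "action": ACTIONS.get(f["action"].lower(), f["action"].lower()),
            "source": f["src"], "destination": f["dst"], "port": int(f["port"]),
            "reporter": source}
```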
![Page 15: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/15.jpg)
Correlation
time : 04:22 / action : failed / src_ip : a.b.c.d / user : craig
time : 04:23 / action : failed / src_ip : a.b.c.d / user : craig
time : 04:24 / action : failed / src_ip : a.b.c.d / user : craig
time : 04:25 / action : success / src_ip : a.b.c.d / user : craig
Brute-force attack ? (look at this in the morning)
Brute-force attack ? (wake the f* up now !)
![Page 16: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/16.jpg)
3 base use cases
React Faster
Improve Efficiency
Automate Compliance
Securosis : Understanding and Selecting SIEM/Log Management
![Page 17: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/17.jpg)
![Page 18: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/18.jpg)
2. A common-sensical approach
![Page 19: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/19.jpg)
Architecture
FLAT
![Page 20: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/20.jpg)
Architecture
HIERARCHICAL
![Page 21: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/21.jpg)
Architecture
MESH
![Page 22: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/22.jpg)
Data Sources
Data Points
Use Cases
integrating SIEM
![Page 23: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/23.jpg)
3. Let’s get it on !
![Page 24: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/24.jpg)
Our arsenal
ossec : http://www.ossec.net
syslog-ng : http://www.balabit.com/network-security/syslog-ng
ossim : http://www.alienvault.com
davix : http://www.secviz.org
(+ some golden nuggets)
![Page 25: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/25.jpg)
OSSEC
Host Based Intrusion Detection/Prevention
- Log Monitoring
- Integrity Control & Host Checking
- Policy Monitoring
- Real-time alerting & Active Response
Running on : Windows, AIX, Solaris, HP-UX, MacOS & Linux
![Page 26: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/26.jpg)
OSSEC
Client : ossec-logcollector, agentd
Server : remoted, analysisd, maild, execd
![Page 27: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/27.jpg)
OSSEC
OSSEC agents -> OSSEC server -> SIEM (forwarded over syslog)
legend : = OSSEC agent
agentless !
* observation : none of the leading SIEM solutions support OSSEC as an event source out of the box, why ?
![Page 28: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/28.jpg)
OSSEC
pre-decoding
decoding
signatures
![Page 29: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/29.jpg)
OSSEC
thanks to Xavier Mertens (@xme)
Aug 26 13:56:07 192.168.0.5 1,2010/08/26 13:56:07,0003A100245,THREAT,\ vulnerability,8,2010/08/26 13:56:01,10.0.0.1,10.0.0.2,0.0.0.0,\ 0.0.0.0,rule2,domain\user,,netbios-ns,vsys1,TAP-ZONE,TAP-ZONE,ethernet1/1,\ ethernet1/1,Logger,2010/08/26 13:56:07,136674,3,137,137,0,0,0x8000,udp,\ alert,"",NetBIOS nbtstat query(31707),any,low,client-to-server
palo alto threat detection
![Page 30: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/30.jpg)
OSSEC : palo alto threat detection (decoder)

```xml
<!-- Custom decoder for PaloAlto Firewalls Threat Events -->
<decoder name="paloalto-threat">
  <prematch>^\d,\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d,\.+,THREAT,</prematch>
  <regex>(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),\d+.\d+.\d+.\d+,\d+.\d+.\d+.\d+,\.+,(\.*),(\.*),\.+,alert,\.+,(\.+),\.+$</regex>
  <order>srcip,dstip,srcuser,dstuser,extra_data</order>
</decoder>
```
thanks to Xavier Mertens (@xme)
![Page 31: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/31.jpg)
OSSEC : palo alto threat detection (rules)

```xml
<group name="syslog,paloalto-threat,">
  <rule id="150000" level="0">
    <decoded_as>paloalto-threat</decoded_as>
    <description>PaloAlto Firewalls Threat Events</description>
  </rule>

  <rule id="150001" level="10">
    <if_sid>150000</if_sid>
    <match>NetBIOs</match>
    <description>Possible NetBIOS attack detected!</description>
  </rule>

  <rule id="150002" level="10">
    <if_sid>150000</if_sid>
    <user>domain\administrator</user>
    <description>Possible attack detected against Administrator!</description>
  </rule>
</group>
```

thanks to Xavier Mertens (@xme)
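To check that the decoder above really extracts the five ordered fields from the sample Palo Alto line on the earlier slide, here is an added Python harness (not from the slides and not part of OSSEC) that translates OSSEC's regex dialect into Python's and runs the prematch and regex in that order. It assumes os_regex semantics for \d, \w, \s, \p and \. with a bare dot being literal, lazy quantifiers and case-insensitive matching; OSSEC's own engine is the authority, so a mismatch here is a reason to run the line through ossec-logtest.

```python
import re

# Translation table for the OSSEC os_regex dialect (assumed semantics, not
# stated on the slides): \d digit, \w word char, \s space, \p punctuation,
# \. any character; a bare '.' is a literal dot; matching is case-insensitive.
OSSEC_CLASSES = {"d": "[0-9]", "w": "[A-Za-z0-9@_-]", "s": " ", "t": "\t",
                 "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""", ".": "."}

def ossec_to_python(pattern):
    """Convert an OSSEC decoder regex into a Python regex. Quantifiers are
    made lazy so that '\\.+,' stops at the next comma instead of the last."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        if c in "+*":
            out.append(c + "?")
        elif c in "()^$|":
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)

# The paloalto-threat decoder from the slide, copied element by element.
PREMATCH = r"^\d,\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d,\.+,THREAT,"
REGEX = (r"(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),\d+.\d+.\d+.\d+,"
         r"\d+.\d+.\d+.\d+,\.+,(\.*),(\.*),\.+,alert,\.+,(\.+),\.+$")
ORDER = ["srcip", "dstip", "srcuser", "dstuser", "extra_data"]

def decode(syslog_line):
    """Run the decoder on one syslog line: pre-decode (drop the syslog header),
    require the prematch, then map the regex groups onto <order>. Returns None
    when the prematch does not fire, i.e. this decoder would not be applied."""
    log = syslog_line.split(" ", 4)[4]
    if not re.search(ossec_to_python(PREMATCH), log, re.IGNORECASE):
        return None
    m = re.search(ossec_to_python(REGEX), log, re.IGNORECASE)
    return dict(zip(ORDER, m.groups())) if m else None

# The sample event from the earlier slide, with its line continuations joined.
SAMPLE = ("Aug 26 13:56:07 192.168.0.5 1,2010/08/26 13:56:07,0003A100245,THREAT,"
          "vulnerability,8,2010/08/26 13:56:01,10.0.0.1,10.0.0.2,0.0.0.0,0.0.0.0,"
          "rule2,domain\\user,,netbios-ns,vsys1,TAP-ZONE,TAP-ZONE,ethernet1/1,"
          "ethernet1/1,Logger,2010/08/26 13:56:07,136674,3,137,137,0,0,0x8000,udp,"
          'alert,"",NetBIOS nbtstat query(31707),any,low,client-to-server')
```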
![Page 32: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/32.jpg)
OSSEC
rules
login
  success -> from unauthorized ip address !
  failed -> 100 times in the last 10 minutes -> on critical server -> wake the f* up !
![Page 33: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/33.jpg)
OSSEC
rules
login
  success -> from unauthorized ip address ! -> AR
  failed -> 100 times in the last 10 minutes -> on critical server -> AR
AR (active response) : don’t bother, everything is under control
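The correlation slide (three failures from a.b.c.d for craig, then a success) and the two OSSEC rule slides above (many failures in ten minutes, escalated on a critical server, handed to active response) describe the same stateful logic; this added Python correlator, not from the talk and not OSSEC code, implements it over already normalized events. The threshold, window and critical-server list are my assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold, window and critical asset list are assumptions for this example;
# the slide itself uses "100 times in the last 10 minutes".
FAILED_THRESHOLD = 3
WINDOW = timedelta(minutes=10)
CRITICAL_SERVERS = {"dc01"}

class LoginCorrelator:
    """Sliding window of failed logins per (src_ip, user). Repeated failures
    alone are a 'look at this in the morning' alert, failures followed by a
    success are a 'wake up now' alert, and a critical server always means now."""
    def __init__(self):
        self.failures = defaultdict(deque)      # (src_ip, user) -> failure times

    def feed(self, event):
        key = (event["src_ip"], event["user"])
        now = event["time"]
        window = self.failures[key]
        while window and now - window[0] > WINDOW:
            window.popleft()                    # forget failures outside the window
        if event["action"] == "failed":
            window.append(now)
            if len(window) >= FAILED_THRESHOLD:
                return self._alert(f"{len(window)} failed logins", "morning", event)
        elif event["action"] == "success" and window:
            count = len(window)
            window.clear()                      # the sequence is complete, start over
            return self._alert(f"success after {count} failures", "now", event)
        return None

    def _alert(self, what, urgency, event):
        if event.get("host") in CRITICAL_SERVERS:
            urgency = "now"                     # critical server: escalate regardless
        return {"alert": what, "urgency": urgency, "src_ip": event["src_ip"],
                "user": event["user"], "host": event.get("host")}

def replay(events):
    """Feed already normalized events through one correlator and return its alerts."""
    c = LoginCorrelator()
    return [a for a in (c.feed(e) for e in events) if a]

def _at(hhmm):
    return datetime(2010, 10, 21, int(hhmm[:2]), int(hhmm[3:]))

# Constructed sample following the slide: three failures, then a success.
SAMPLE = [{"time": _at(t), "action": a, "src_ip": "a.b.c.d", "user": "craig",
           "host": "web01"} for t, a in [("04:22", "failed"), ("04:23", "failed"),
                                         ("04:24", "failed"), ("04:25", "success")]]
```

The "now" alert is where an active response (for example OSSEC's firewall-drop) would be attached; the "morning" one belongs in the analyst queue.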
![Page 34: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/34.jpg)
OSSIM (includes OSSEC)
sensor, sensor, sensor : snort, nessus, Spade, p0f, Ntop, arpwatch, OSSEC, ...
server + DB : normalization, prioritization, collection, risk assessment, correlation, ...
frontend < you are here !
![Page 35: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/35.jpg)
OSSIM : risk maps
![Page 36: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/36.jpg)
OSSIM : compliance reporting
![Page 37: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/37.jpg)
OSSIM : event analysis
![Page 38: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/38.jpg)
OSSIM : incident response
![Page 39: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/39.jpg)
3. Let’s get it on !
a few words on data visualization (because it’s important !)
![Page 40: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/40.jpg)
Choosing the right chart !
http://ebiquity.umbc.edu/blogger/2009/01/25/how-to-choose-the-right-chart-for-your-data/
![Page 41: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/41.jpg)
DAVIX
Data visualization Live CD
- free data processing and visualization tools
- Bootable CD
- available from http://www.secviz.org
- part of “Applied Security Visualization” by Raffael Marty
![Page 42: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/42.jpg)
source : http://www.secviz.org
a firewall log treemap
![Page 43: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/43.jpg)
source : http://www.secviz.org
radial firewall visualization
![Page 44: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/44.jpg)
source : http://www.secviz.org
windows event log types
![Page 45: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/45.jpg)
source : http://www.secviz.org
1 day of firewall logs
![Page 48: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/48.jpg)
Recap
Focus on approach, not tools
Use open source to facilitate & learn
Integrate in architecture later
![Page 49: McGyver's SIEM -- Building the best free HUD](https://reader033.vdocuments.site/reader033/viewer/2022052504/5549cfc2b4c9051c778b4b52/html5/thumbnails/49.jpg)
Thank you !
interesting people to follow :
@andrewsmhay
@zrlram
@anton_chuvakin
@rockyd
@xme
podcast : LogChat (see Anton’s blog or iTunes)
websites :
http://www.securosis.com
http://www.secviz.org
http://www.ossec.net
http://www.alienvault.com
http://chuvakin.blogspot.com/
http://blog.rootshell.be
http://www.decurity.com
[email protected]
@wimremes