all your security events are belong to ... you!
DESCRIPTION
These are the slides of my talk given at B-Sides London on 20/04/2011.
TRANSCRIPT
![Page 1: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/1.jpg)
All Your Security Events are Belong to ... You!
BSidesLondon 2011 - Xavier Mertens
![Page 2: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/2.jpg)
$ whoami
• Xavier Mertens (@xme)
• Security Consultant
• CISSP, CISA, CEH
• Security Blogger
• Volunteer for security projects:
![Page 3: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/3.jpg)
$ cat disclaimer.txt
“The opinions expressed in this presentation are those of the speaker and do not reflect those of past, present or future employers, partners or customers”
![Page 4: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/4.jpg)
Today’s Situation
![Page 5: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/5.jpg)
How is Your Log-Fu?
• Logs? Which logs?
• It’s BORING!
• Most organizations are NOT prepared to deal with security incidents
• If anything can go wrong, it will! (Murphy’s law)
• Enough internal resources?
![Page 6: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/6.jpg)
Need for Visibility!
• Computer: “programmable electronic machine that performs high-speed mathematical or logical operations or that assembles, stores, correlates, or otherwise processes information” Too cool!
• Integrating multiple sources increases the chance of detecting suspicious events.
• Detect activity below the radar.
![Page 7: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/7.jpg)
Technical Issues
• Networks are complex
• Some components/knowledge are outsourced
• Millions of daily events
• Lots of consoles/tools
• Lots of protocols/applications
![Page 8: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/8.jpg)
Find the Differences
Aug 27 14:33:01 macosx ipfw: 12190 Deny TCP 192.168.13.1:2060 192.168.13.104:5000 in via en1
%PIX-3-313001: Denied ICMP type=11, code=0 from 192.168.30.2 on interface 2
![Page 9: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/9.jpg)
Economic Issues
• “Time is money”
• Real-time operations
• Downtime has a huge financial impact
• Reduced staff & budget
• Happy shareholders
• Log management == Insurance (risk management)
![Page 10: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/10.jpg)
Legal Issues
• Compliance requirements
• Big names
• Initiated by the group or business
• Local laws
• Due diligence & due care
![Page 11: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/11.jpg)
Legal Requirements
• Internal
• You are not Big-Brother!
• Team-members must be aware of the procedures
• External
• Notify your users & visitors which information is logged, how and for which purposes
![Page 12: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/12.jpg)
Belgian Example: CBFA
From a document published in April 2009:
“Any institution that connects to the Internet must have a security policy which takes into account: ... the creation and archiving of event logs which permit analysis, follow-up and reporting.”
![Page 13: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/13.jpg)
Challenges
• Creation & archiving of log files
• Analysis (normalization)
• Follow-up
• Reporting
• (Correlation)
![Page 14: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/14.jpg)
Layer Approach
Log Collection
Normalization
Storage
Search
Reporting
Correlation
![Page 15: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/15.jpg)
Raw Material
• Your logs are belong to you!
• If not stored internally (cloud, outsourcing), claim access to them
• All applications/devices generate events
• Developers, you MUST generate GOOD events
![Page 16: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/16.jpg)
3rd Party Sources
• Vulnerabilities Databases
• Blacklists (IP addresses, ASNs)
• “Physical” Data
• Geolocation
• Badge readers
![Page 17: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/17.jpg)
Security Convergence
• Mix of logical control:
• Passwords, access-lists
• Blacklists (IP addresses, ASNs, domains)
• and physical control:
• Badge readers
• Geolocation
![Page 18: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/18.jpg)
The Recipe
![Page 19: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/19.jpg)
Collection
• Push or pull methods
• Use supported protocols
• Open vs. Proprietary
• Ensure integrity
• As close to the source as possible
![Page 20: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/20.jpg)
Normalization
• Parse events
• Fill in common fields
• Date, Src, Dst, User, Device, Type, Port, ...
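The two lines from the “Find the Differences” slide make the point: an ipfw deny and a PIX deny carry the same information in completely different shapes. Below is an added example (not code from the talk) of the normalization step: each raw line is parsed by a format-specific regex and mapped onto the common field set listed above. The two sample lines are the slide’s own; the “pix” device name for the PIX line is an assumption, since the raw message carries no hostname.

```python
import re

# Sample events: the two lines shown on the "Find the Differences" slide.
SAMPLE_LOGS = [
    "Aug 27 14:33:01 macosx ipfw: 12190 Deny TCP 192.168.13.1:2060 192.168.13.104:5000 in via en1",
    "%PIX-3-313001: Denied ICMP type=11, code=0 from 192.168.30.2 on interface 2",
]

# One parser per source format. Named groups carry the format's own vocabulary;
# normalize() translates them into the common vocabulary.
IPFW_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) ipfw: (?P<rule>\d+) "
    r"(?P<action>Deny|Accept) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$"
)
PIX_RE = re.compile(
    r"^%PIX-(?P<sev>\d)-(?P<msgid>\d+): (?P<action>Denied) (?P<proto>\w+) "
    r"type=(?P<icmp_type>\d+), code=(?P<icmp_code>\d+) from (?P<src>[\d.]+) "
    r"on interface (?P<iface>\S+)$"
)

COMMON_FIELDS = ("date", "src", "dst", "user", "device", "type", "port", "proto", "action")


def normalize(line):
    """Map one raw log line onto the common field set; unknown formats return None."""
    m = IPFW_RE.match(line)
    if m:
        g = m.groupdict()
        return {
            "date": g["date"],
            "src": g["src"],
            "dst": g["dst"],
            "user": None,                      # firewall events carry no user
            "device": g["device"],
            "type": "firewall",
            "port": int(g["dport"]),           # destination port is the interesting one
            "proto": g["proto"].upper(),
            "action": "deny" if g["action"] == "Deny" else "allow",
            "raw": line,
        }
    m = PIX_RE.match(line)
    if m:
        g = m.groupdict()
        return {
            "date": None,                      # PIX messages have no timestamp unless syslog adds one
            "src": g["src"],
            "dst": None,                       # ICMP denies on PIX do not report a destination
            "user": None,
            "device": "pix",                   # assumption: hostname is not in the raw message
            "type": "firewall",
            "port": None,
            "proto": g["proto"].upper(),
            "action": "deny",
            "raw": line,
        }
    return None


def normalize_all(lines):
    """Normalize a batch, dropping lines no parser understands (count them in real deployments)."""
    return [e for e in (normalize(l) for l in lines) if e is not None]


if __name__ == "__main__":
    for event in normalize_all(SAMPLE_LOGS):
        print({k: event[k] for k in COMMON_FIELDS})
```

Keeping the raw line alongside the normalized fields matters for forensics: the parser can be wrong, and the original must still be searchable.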
![Page 21: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/21.jpg)
Storage
• Index
• Store
• Archive
• Ensure integrity (again)
![Page 22: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/22.jpg)
Search
• CLI tools are still used (grep|awk|sort|tail|...)
• You know Google?
• Investigations / Forensic
• Looking for “smoke signals”
![Page 23: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/23.jpg)
Reporting
• Automated / On-demand
• Reliable only if first steps are successful
• Reports must address the audience (technical vs business)
![Page 24: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/24.jpg)
Correlation
• Generation of new events based on the way other events occurred (based on their logic, their time or recurrence)
• Correlation will be successful only if the other layers are working properly
• Is a step to incident management
![Page 25: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/25.jpg)
Build Your Toolbox
![Page 26: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/26.jpg)
<warning>Please keep v€ndor$
away from the next slide
</warning>
![Page 27: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/27.jpg)
Let’s Kill Some Myths
• Big players do not always provide the best solutions. A Formula-1 is touchy to drive!
• Why pay $$$ and use <10% of the features? (the “Microsoft Office” effect)
• But even free software has costs!
• False sense of security
![Page 28: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/28.jpg)
LM vs. SIEM
• An LM (“Log Management”) addresses the lower layers, from collection to reporting.
• A SIEM (“Security Information & Event Management”) adds the correlation layer (and often incident management tools)
![Page 29: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/29.jpg)
Grocery Shopping
• Compliance
• Suspicious activity
• Web applications monitoring
• Correlation
• Supported devices
• Buying a SIEM is a very specific project
![Page 30: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/30.jpg)
Free Tools to the Rescue
![Page 31: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/31.jpg)
Syslog Daemons
• Syslog is widely implemented
• Lots of forked implementations
• syslogd, rsyslogd, syslog-ng
• Multiple sources
• Supports TLS, TCP
• Several tools exist to export to Syslog (ex: SNARE)
• But a hell to parse
![Page 32: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/32.jpg)
SEC
• “Simple Event Correlator”
• Performs correlation of logs based on Perl regex
• Produces new events, triggers scripts, writes to files
• Example: track IOS device reloads
type=single
continue=takeNext
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SYS-5-RELOAD: (.*)
desc=(WARNING) reload requested for $1
action=pipe '%s details:$2' mail -s 'cisco event' [email protected]
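The SEC rule above is a “single” rule: one matching line, one new event. The correlation layer as defined earlier in the talk also covers events “based on their time or recurrence”. The following added example (my code, not SEC and not the talk’s) emulates both in a few lines of Python: the slide’s own regex fires a WARNING for every IOS reload, and a threshold rule fires one ALERT when the same source produces N failed SSH logins inside a sliding window. The sample stream, the year (2011, since syslog lines carry none), the threshold of 3 and the 60-second window are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog stream (timestamps have no year; 2011 is assumed below).
SAMPLE_STREAM = [
    "Aug 27 14:33:01 rtr1 42: %SYS-5-RELOAD: Reload requested by xme on vty0",
    "Aug 27 14:33:05 srv1 sshd[4242]: Failed password for root from 10.0.0.7 port 51022 ssh2",
    "Aug 27 14:33:06 srv1 sshd[4243]: Failed password for root from 10.0.0.7 port 51023 ssh2",
    "Aug 27 14:33:08 srv1 sshd[4244]: Failed password for admin from 10.0.0.7 port 51024 ssh2",
    "Aug 27 14:33:09 srv1 sshd[4245]: Failed password for root from 10.0.0.9 port 51025 ssh2",
    "Aug 27 14:35:30 srv1 sshd[4250]: Failed password for root from 10.0.0.9 port 51030 ssh2",
]

SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
# The pattern from the SEC rule on the slide: $1 = device, $2 = reload details.
RELOAD_RE = re.compile(r"\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SYS-5-RELOAD: (.*)")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from ([\d.]+) port \d+")


def parse_ts(line, year=2011):
    """Syslog timestamps have no year; the caller supplies one (assumption: 2011)."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError("no syslog timestamp: " + line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)


class Correlator:
    """Minimal SEC-style engine.

    - 'single' rule: every %SYS-5-RELOAD match produces a WARNING event.
    - threshold rule: `threshold` failed logins from one source inside `window`
      produce one ALERT for that source (it is not repeated for further hits).
    """

    def __init__(self, threshold=3, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)   # source IP -> timestamps of recent failures
        self.fired = set()               # sources that already raised an ALERT
        self.new_events = []             # (level, description, details)

    def feed(self, line):
        ts = parse_ts(line)
        m = RELOAD_RE.search(line)
        if m:
            self.new_events.append(("WARNING", "reload requested for " + m.group(1), m.group(2)))
        m = FAILED_RE.search(line)
        if m:
            src = m.group(2)
            q = self.hits[src]
            q.append(ts)
            while q and ts - q[0] > self.window:   # slide the window forward
                q.popleft()
            if len(q) >= self.threshold and src not in self.fired:
                self.fired.add(src)
                desc = "%d failed logins from %s within %ds" % (len(q), src, self.window.seconds)
                self.new_events.append(("ALERT", desc, line))
        return self.new_events


def run(lines):
    """Feed a whole stream and return the correlated events it produced."""
    c = Correlator()
    for line in lines:
        c.feed(line)
    return c.new_events


if __name__ == "__main__":
    for level, desc, details in run(SAMPLE_STREAM):
        print(level, "|", desc, "|", details)
```

In the sample, 10.0.0.7 trips the threshold on its third failure, while 10.0.0.9 does not: its two failures are more than 60 seconds apart, so the first one has already slid out of the window. That distinction is exactly what a single-line regex cannot express and why the correlation layer sits on top of the others.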
![Page 33: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/33.jpg)
OSSEC
• HIDS
• Log collection & parsing
• Active-Response
• Rootkit detection
• File integrity checking
• Agents (UNIX, Windows)
• Log archiving
![Page 34: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/34.jpg)
Protocols
• CEF - “Common Event Format” | ArcSight
• CEE - “Common Event Expression” | Mitre
• RELP - “Reliable Event Logging Protocol”
• SDEE - “Security Device Event Exchange” | Cisco
![Page 35: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/35.jpg)
Miscellaneous
• MySQL
• iptables / ulogd
• GoogleMaps API
• Some Perl code
• liblognorm
• Cloud Services (don’t be afraid)
![Page 36: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/36.jpg)
Some Recipes Using OSSEC
![Page 37: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/37.jpg)
USB Stick Detection
• Purpose:
• Protection against data leak
• Security policy enforcement
• Ingredients:
• OSSEC Windows Agents
• Windows Registry
![Page 38: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/38.jpg)
USB Stick Detection
• Each time a USB stick is inserted, Windows creates a new registry entry:
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB&Prod_Flash_Disk&Rev_0.00
• Create a new OSSEC rootcheck entry:
[USB Storage Detected] [any] [] r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR;
![Page 39: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/39.jpg)
MySQL Integrity Audit
• Purpose:
• Track changes on some MySQL tables.
• Ingredients:
• MySQL Triggers
• MySQL UDF (“User Defined Functions”)
• OSSEC parser + rules
![Page 40: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/40.jpg)
MySQL Integrity Audit
![Page 41: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/41.jpg)
Temporary Tables
• Purpose:
• To detect suspicious users & IP’s
• Ingredients:
• MySQL
• Patch ossec-analysisd
• External public sources
![Page 42: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/42.jpg)
Temporary Tables
![Page 43: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/43.jpg)
Using Google Maps
• Purpose: What’s the difference between:
195.75.200.200 (Netherlands)
195.76.200.200 (Spain)
• Ingredients:
• Google Maps API
• Perl scripting
• Geo-IP API (MaxMind GeoLite City)
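Both recipes above (the “Temporary Tables” of suspicious users and IPs fed from external public sources, and the Geo-IP lookup behind the map) are enrichment: the event is yours, the context comes from a third party. The following added example (mine, not the talk’s Perl or the patched ossec-analysisd) shows the lookups in Python over constructed tables so it runs offline: a blacklist with CIDR entries, and a longest-prefix country table standing in for a real Geo-IP database such as MaxMind GeoLite City. The two /16 country entries only mirror the slide’s two examples and are not real allocation data; the other addresses, the event list and the “home countries” list are assumptions made for this example.

```python
import ipaddress

# Constructed lookup tables. In a real deployment they are loaded from external sources
# (a published IP/CIDR blacklist, a Geo-IP database) into a table the analysis engine queries.
BLACKLIST = ["10.0.0.7", "198.51.100.0/24"]
GEO_PREFIXES = {                 # prefix -> country; constructed to mirror the slide's examples
    "195.75.0.0/16": "NL",
    "195.76.0.0/16": "ES",
    "192.168.0.0/16": "LAN",
}

# Constructed normalized events, as produced by the normalization layer.
EVENTS = [
    {"src": "195.75.200.200", "user": "xme", "action": "login"},
    {"src": "195.76.200.200", "user": "xme", "action": "login"},
    {"src": "10.0.0.7", "user": "root", "action": "login"},
    {"src": "198.51.100.23", "user": "admin", "action": "login"},
]

# Blacklist entries may be single hosts or CIDR blocks; ip_network() handles both.
BLACKLIST_NETS = [ipaddress.ip_network(e, strict=False) for e in BLACKLIST]

# Longest prefix must win when prefixes overlap, so sort by prefix length, longest first.
GEO_NETS = sorted(
    ((ipaddress.ip_network(p), country) for p, country in GEO_PREFIXES.items()),
    key=lambda pc: pc[0].prefixlen,
    reverse=True,
)


def geo_lookup(ip):
    """Country for an address, or None when no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_NETS:
        if addr in net:
            return country
    return None


def is_blacklisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLACKLIST_NETS)


def enrich(event):
    """Return a copy of the event with the third-party context attached."""
    out = dict(event)
    out["country"] = geo_lookup(event["src"])
    out["blacklisted"] = is_blacklisted(event["src"])
    return out


def suspicious(events, home_countries=("NL", "LAN")):
    """Flag events from blacklisted sources or from outside the countries the business expects."""
    return [e for e in map(enrich, events) if e["blacklisted"] or e["country"] not in home_countries]


if __name__ == "__main__":
    for e in suspicious(EVENTS):
        print(e["src"], e["user"], e["country"], "blacklisted" if e["blacklisted"] else "")
```

The same user logging in from the Netherlands and from Spain a few minutes apart is invisible in the raw sshd line; it only becomes an event once the country is a field the correlation layer can compare.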
![Page 44: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/44.jpg)
Using Google Maps
![Page 45: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/45.jpg)
OSSEC Dashboard
• Because one picture is worth a thousand words!
• Ingredients
• MySQL OSSEC support
• LAMP server
![Page 46: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/46.jpg)
OSSEC Dashboard
![Page 47: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/47.jpg)
More Visibility
• LaaS (“Logging as a Service”, e.g. Loggly)
• Splunk
• Secviz.org
![Page 48: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/48.jpg)
Conclusions
• The raw material is already yours!
• The amount of data cannot be reviewed manually.
• Suspicious activity occurs below the radar.
• Stick to your requirements!
• It costs $$$ and HH:MM
• Make your logs more valuable via external sources
![Page 49: All Your Security Events Are Belong to ... You!](https://reader034.vdocument.in/reader034/viewer/2022051816/54628c07b1af9f86228b50a8/html5/thumbnails/49.jpg)
Thank You! Q&A?
http://blog.rootshell.be
http://twitter.com/xme