
Page 1: Security Intelligence: From What and Why to How

Copyright Justin C. Klein Keane <[email protected]> @madirish2600

Page 2: What is Security Intelligence?

- Business intelligence principles applied to security data
- Apply data to decision making
- More than just metrics
  – Soft data points included as well
- Security data abounds
  – Making useful decisions based on data is tough

Page 3: Sample Sources of Data

- Host based intrusion detection alerts
- Darknet data (network traffic)
- Port scans
- Honeypots (attempted logins, attack toolkits, etc.)
- Vulnerability scans
- Public vulnerability alerts and disclosures
- System event logs
- Incident response reports
- Etc.

Page 4: Why

- Anecdotal evidence often guides security
- "Best practice" is often indefensible
  – Change your password every 60 days - why???
- Security isn't really engineering, or science
  – No hard and fast rules (or laws)
- Analysis should guide decision making
- Security intelligence gathers data points to support analysis

Page 5: Security Intelligence vs. Vulnerability Remediation

- Traditional InfoSec relies on vulnerability scanning
- Ideally:
  – Find problems, fix them, find more, rinse, repeat
- In reality:
  – Scanner generates a report full of extraneous and incorrect details, no reliable severity or impact
  – Report ignored
  – Rinse, repeat

Page 6: Why Vuln Centric Security Fails

- Vulnerability scanning is "dumb"
- Asset owners don't request scans
- Defaults to an enforcement approach
- Vulnerability reports are massive and provide little guidance
- Ultimately reports get filed in the trash bin

Page 7: Security Intelligence Goals

- Add perspective and analysis to security recommendations
- Provide a good case for change requests
- Guide targeted campaigns to remediate vulnerabilities
- Show good ROI for efforts
- Maximize your limited staff resources
- Encourage compliance

Page 8: Use Case #1

- Vulnerability disclosed in a well known service
- Look for spikes in scanning for that service on darknet sensors
- Quickly identify all machines in the environment running that service
- Build a contact list and alert admins to patch
- Implement targeted vulnerability scanning to track remediation

Page 9: Use Case #2

- Attacker observed (malicious IP identified)
- Query all data sources for other evidence of activity from that IP
  – Darknet probes, honeypot data, IDS logs, etc.
- Look for attack profile from data sources
- Alert admins of machines that fit the particular profile
- Identify vulnerable machines
- Potentially uncover compromises
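Both use cases (Page 8 and Page 9) are queries over the same host-centric store, so here is one added example that runs them end to end. This is illustration code written for this page, not HECTOR's own code: the table and column names, the addresses, the support groups and every sensor record are constructed for the example and do not reflect HECTOR's real schema or any real data. It builds an in-memory SQLite database with hosts tied to support groups (each with a contact e-mail), plus darknet, honeypot and HIDS tables linked to hosts, then (use case 1) measures whether darknet probing of a port has spiked against a baseline and lists the hosts exposing that port with whom to notify, and (use case 2) pulls every source's records for one attacker address, derives the ports it targeted, maps those onto exposed hosts, and flags hosts whose HIDS already logged that address.

```python
# Added example, not HECTOR's own code: a minimal host-centric store of the
# kind the slides describe (hosts -> support groups -> contact e-mail, with
# sensor data linked to hosts) and the two use-case queries run against it.
# Table/column names, addresses and every record below are constructed for
# this illustration; they are not HECTOR's real schema or data.
import sqlite3
from datetime import date, timedelta

TODAY = date(2016, 1, 17)  # fixed "now" so the sample data is reproducible

SCHEMA = """
CREATE TABLE support_group (id INTEGER PRIMARY KEY, name TEXT, contact_email TEXT);
CREATE TABLE host (ip TEXT PRIMARY KEY, hostname TEXT, group_id INTEGER REFERENCES support_group(id));
CREATE TABLE host_port (ip TEXT REFERENCES host(ip), port INTEGER, service TEXT, scanned_on TEXT);
CREATE TABLE darknet_hit (src_ip TEXT, dst_port INTEGER, seen_on TEXT);
CREATE TABLE honeypot_login (src_ip TEXT, username TEXT, seen_on TEXT);
CREATE TABLE hids_alert (ip TEXT REFERENCES host(ip), src_ip TEXT, rule TEXT, seen_on TEXT);
"""


def build_sample_db():
    """Constructed data: two support groups, three hosts, a month of background
    darknet noise on port 22, a three-day surge of port-22 probing, and one
    address (203.0.113.7) that shows up in darknet, honeypot and HIDS data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO support_group VALUES (?,?,?)", [
        (1, "web-team", "web-admins@example.edu"),
        (2, "research-it", "research-it@example.edu")])
    conn.executemany("INSERT INTO host VALUES (?,?,?)", [
        ("192.0.2.10", "web1", 1), ("192.0.2.11", "web2", 1), ("192.0.2.50", "lab-box", 2)])
    conn.executemany("INSERT INTO host_port VALUES (?,?,?,?)", [
        ("192.0.2.10", 22, "ssh", "2016-01-16"), ("192.0.2.10", 443, "https", "2016-01-16"),
        ("192.0.2.11", 443, "https", "2016-01-16"), ("192.0.2.50", 22, "ssh", "2016-01-16")])
    hits = []
    for d in range(3, 31):            # baseline: two port-22 probes a day for 28 days
        day = (TODAY - timedelta(days=d)).isoformat()
        hits += [("198.51.100.%d" % (d + 1), 22, day), ("198.51.100.%d" % (d + 2), 22, day)]
    for n in range(30):               # surge: thirty port-22 probes in the last three days
        hits.append(("203.0.113.%d" % (n + 1), 22, (TODAY - timedelta(days=n % 3)).isoformat()))
    hits.append(("203.0.113.7", 3306, TODAY.isoformat()))
    conn.executemany("INSERT INTO darknet_hit VALUES (?,?,?)", hits)
    conn.executemany("INSERT INTO honeypot_login VALUES (?,?,?)", [
        ("203.0.113.7", "root", TODAY.isoformat()), ("203.0.113.7", "admin", TODAY.isoformat())])
    conn.executemany("INSERT INTO hids_alert VALUES (?,?,?,?)", [
        ("192.0.2.50", "203.0.113.7", "sshd: authentication failed", TODAY.isoformat())])
    return conn


def darknet_spike(conn, port, today=TODAY, window=3, baseline=28):
    """Use case 1, step 2: probes per day for `port` over the last `window` days
    versus the `baseline` days before them. Returns (recent_rate, baseline_rate)."""
    q = "SELECT COUNT(*) FROM darknet_hit WHERE dst_port=? AND seen_on BETWEEN ? AND ?"
    win_start = (today - timedelta(days=window - 1)).isoformat()
    base_start = (today - timedelta(days=window + baseline - 1)).isoformat()
    base_end = (today - timedelta(days=window)).isoformat()
    recent = conn.execute(q, (port, win_start, today.isoformat())).fetchone()[0]
    base = conn.execute(q, (port, base_start, base_end)).fetchone()[0]
    return recent / window, base / baseline


def hosts_exposing(conn, port):
    """Use case 1, steps 3-4: every host with `port` open in its latest profile,
    joined to the support group address that should be told to patch."""
    return conn.execute("""
        SELECT h.ip, h.hostname, g.contact_email
          FROM host_port p JOIN host h ON h.ip = p.ip
          JOIN support_group g ON g.id = h.group_id
         WHERE p.port = ? ORDER BY h.ip""", (port,)).fetchall()


def evidence_for_ip(conn, src_ip):
    """Use case 2: pull every source's records for one attacker address, derive
    its attack profile (ports it went after), map that onto hosts exposing those
    ports, and flag hosts whose HIDS already saw the address (possible compromise)."""
    darknet = conn.execute("SELECT dst_port FROM darknet_hit WHERE src_ip=?", (src_ip,)).fetchall()
    honeypot = conn.execute("SELECT username FROM honeypot_login WHERE src_ip=?", (src_ip,)).fetchall()
    hids = conn.execute("SELECT ip FROM hids_alert WHERE src_ip=?", (src_ip,)).fetchall()
    ports = {r[0] for r in darknet} | ({22} if honeypot else set())  # the honeypot is SSH
    notify = {}
    for port in sorted(ports):
        for ip, _hostname, email in hosts_exposing(conn, port):
            notify.setdefault(email, set()).add(ip)
    return {"darknet_probes": len(darknet), "honeypot_logins": len(honeypot),
            "targeted_ports": sorted(ports),
            "possible_compromise": sorted({r[0] for r in hids}),
            "notify": {email: sorted(ips) for email, ips in notify.items()}}
```

On the sample data `darknet_spike(conn, 22)` returns a recent rate of 10 probes/day against a 2/day baseline, `hosts_exposing(conn, 22)` yields the two SSH hosts with their group addresses, and `evidence_for_ip(conn, "203.0.113.7")` shows the address probing ports 22 and 3306, logging into the honeypot, and already appearing in lab-box's HIDS alerts. The point of the design is the join: none of these answers exists in any single sensor's data, which is why every record is keyed to a host and every host to a contact.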

Page 10: Issues with Security Intelligence

- Problems of big data will crop up quickly
- Scale complicates development, deployment and debugging
- Much of the effort of SI will be spent on middleware
- Interesting data only emerges when all data is aggregated
- Getting access to other folks' data will be challenging
- Deliberate initial planning pays off
  – Altering a table of 80 million rows is painful!

Page 11: Specific Implementation - HECTOR

HECTOR is our solution for security intelligence

Page 12: Open Source

- HECTOR is based entirely on open source technologies
- Runs best on a LAMP stack
- Uses PHP, Perl, Python, MySQL, iptables, Kojoney, OSSEC, NMAP, and more...
- More info and download at: https://sites.sas.upenn.edu/kleinkeane/software/hector

Page 13: Principles Guiding Development

- SAS has no access to network data for NIDS
- Over 15,000 internet addressable IPs
- Asset management was a huge challenge
- Vulnerability disclosure mitigation was ad-hoc
- Multiple different security data sources (darknet, honeypots, HIDS logs, etc.) were scattered over different systems
- Needed a way to query data across sources and guide intelligent security decision making

Page 14: Fundamentals

- No network span ports or taps required!
- HECTOR is designed to be an augmented asset management platform
- All data is tied to hosts
- Each host includes contact information for users as well as technical support
- HECTOR is designed to allow supplementary data to be linked with hosts, from port scans to incident histories to vulnerability reports

Page 15: How It Works (Basics)

- MySQL database aggregates data sources
- Web front end for querying and reporting
- Access control via CoSign (or fallback)
- Hosts are assigned to support groups, support groups assigned a contact e-mail address
- Nightly NMAP scans update host profiles
- Vulnerability scan data added to the database
- HECTOR is extensible – add your own scans
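The "nightly NMAP scans update host profiles" step is where the "simple NMAP scans are never simple" lesson from Page 26 bites, so here is an added example of that step. It is illustration code written for this page, not HECTOR's scan importer: the two `<nmaprun>` documents are constructed sample output in nmap's `-oX` format, and the hostnames and addresses are made up. It parses each scan into a per-host profile of open ports and diffs tonight's profile against last night's, treating only `state="open"` as a listening service and reporting a host that did not answer as unreachable rather than as having closed every port.

```python
# Added example, not HECTOR's own code: read nmap XML output (nmap -oX) into
# per-host port profiles and diff tonight's profile against last night's, so
# the nightly scan reports what changed instead of dumping everything again.
# The two <nmaprun> documents below are constructed sample output.
import xml.etree.ElementTree as ET

LAST_NIGHT = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX - 192.0.2.10-11">
<host><status state="up" reason="syn-ack"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <hostnames><hostname name="web1.example.edu" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="6.7p1"/></port>
    <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
  </ports>
</host>
<host><status state="up" reason="syn-ack"/>
  <address addr="192.0.2.11" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port></ports>
</host>
</nmaprun>"""

TONIGHT = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX - 192.0.2.10-11">
<host><status state="up" reason="syn-ack"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <hostnames><hostname name="web1.example.edu" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="6.7p1"/></port>
    <port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/><service name="smtp"/></port>
    <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
    <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
  </ports>
</host>
<host><status state="down" reason="no-response"/>
  <address addr="192.0.2.11" addrtype="ipv4"/>
</host>
</nmaprun>"""


def parse_profiles(xml_text):
    """{ip: {"hostname", "up", "ports": {(proto, port): service_name}}}.
    Only state="open" counts: "filtered" means something answered for the
    host (usually a firewall), not a listening service, and "closed" is noise."""
    profiles = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        status = host.find("status")
        hn = host.find("hostnames/hostname")
        ports = {}
        for p in host.iter("port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = p.find("service")
            ports[(p.get("protocol"), int(p.get("portid")))] = svc.get("name") if svc is not None else None
        profiles[addr.get("addr")] = {
            "hostname": hn.get("name") if hn is not None else None,
            "up": status is not None and status.get("state") == "up",
            "ports": ports}
    return profiles


def diff_profiles(old, new):
    """Per-host change record. A host that did not answer tonight is reported as
    unreachable, never as "closed every port": counting a down host (or a scan
    that got firewalled) as remediation is the classic simple-scan mistake."""
    changes = {}
    for ip in sorted(set(old) | set(new)):
        o, n = old.get(ip), new.get(ip)
        if n is None or not n["up"]:
            changes[ip] = {"unreachable": True}
            continue
        was = o["ports"] if o else {}
        changes[ip] = {"new_host": o is None,
                       "opened": sorted(set(n["ports"]) - set(was)),
                       "closed": sorted(set(was) - set(n["ports"]))}
    return changes
```

Run on the two samples, the diff reports one new listener on 192.0.2.10 (tcp/8080), ignores the filtered port 25, and marks 192.0.2.11 as unreachable instead of claiming its https service went away. Feeding only the `opened`/`closed`/`unreachable` records into the host table, rather than overwriting the profile wholesale, is what keeps remediation tracking honest when a scan is blocked or a host is simply off for the night.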

Page 16: Currently Supported Data Sources

- OSSEC host based intrusion detection logs
- Kojoney based SSH honeypots
- Iptables based darknet sensors
- NMAP port scans
- Vulnerability scans (Nikto, Nessus, etc.)
- Security news outlets (RSS feeds, vulnerability announcements, etc.)
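Of the sources above, the iptables darknet sensor is the one that produces raw kernel log lines rather than structured output, so here is an added example of turning those lines into records. This is illustration code written for this page, not HECTOR's darknet importer; the `iptables` LOG rule in the comment is an assumed sensor configuration (192.0.2.0/24 stands in for whatever unused, routed address space you point at the sensor), the `DARKNET` log prefix is the example's own choice, and the sample log lines are constructed in the layout rsyslog writes for kernel messages. It parses the `key=value` fields, tolerates the repeated `LEN`/`ID` fields of UDP and ICMP lines and the absence of a port on ICMP, drops lines that are not darknet records, and summarises each source address by how many distinct darknet addresses it touched, which separates a scanner from a stray misconfigured client.

```python
# Added example, not HECTOR's own code: parse the kernel LOG lines an iptables
# darknet sensor emits into records ready to load into a darknet table.
# Assumed sensor rule (192.0.2.0/24 stands in for your own unused address space):
#   iptables -A INPUT -d 192.0.2.0/24 -j LOG --log-prefix "DARKNET " --log-level info
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in the layout rsyslog writes for kernel messages
# (the MAC value is a placeholder); the last line is unrelated noise.
SAMPLE_LOG = """\
Jan 17 03:14:07 sensor kernel: [811234.118] DARKNET IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.23 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=54321 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 17 03:14:09 sensor kernel: [811236.402] DARKNET IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.24 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=54322 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 17 03:15:30 sensor kernel: [811317.771] DARKNET IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.23 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=40
Jan 17 03:16:01 sensor kernel: [811348.005] DARKNET IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.25 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=12 DF PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Jan 17 03:16:05 sensor sshd[1234]: Accepted publickey for ops from 192.0.2.1 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<prefix>\S+) (?P<fields>.*)$")


def parse_line(line, prefix="DARKNET"):
    """One LOG line -> dict, or None for anything that is not a darknet record."""
    m = LINE_RE.match(line)
    if not m or m.group("prefix") != prefix:
        return None
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)   # UDP/ICMP repeat LEN/ID for the inner header; keep the outer
        else:
            flags.add(tok)            # bare tokens: DF, SYN, ACK, ...
    try:
        src, dst = ip_address(fields["SRC"]), ip_address(fields["DST"])
    except (KeyError, ValueError):
        return None                   # truncated or mangled line: drop it, don't guess
    return {"ts": m.group("ts"), "src": str(src), "dst": str(dst),
            "proto": fields.get("PROTO"),
            "dport": int(fields["DPT"]) if "DPT" in fields else None,  # ICMP has no port
            "flags": sorted(flags)}


def parse_log(text, prefix="DARKNET"):
    """All darknet records in a chunk of syslog text, in order."""
    return [r for r in (parse_line(line, prefix) for line in text.splitlines()) if r]


def profile_sources(records):
    """Per source address: how many distinct darknet addresses it touched and
    which (proto, dport) pairs it probed. Many distinct targets from one source
    is the signature of a scanner rather than a single misdirected client."""
    targets, services = {}, {}
    for r in records:
        targets.setdefault(r["src"], set()).add(r["dst"])
        services.setdefault(r["src"], Counter())[(r["proto"], r["dport"])] += 1
    return {src: {"targets": len(targets[src]), "services": dict(services[src])}
            for src in targets}
```

On the sample, `parse_log(SAMPLE_LOG)` yields four records and skips the sshd line, and `profile_sources` shows 203.0.113.7 touching three darknet addresses with two SYNs to tcp/22 and one ICMP echo, which is exactly the row you would want to join against the host table's open ports in the use cases above. Parsing with `ipaddress` rather than a bare regex also rejects a half-written line at a log rotation instead of loading a garbage address.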

Page 17: Summary Screen

Page 18: Intrusion Detection Summary

Page 19: Alerts Summary

Page 20: Host Summary

Page 21: Search for Malicious IP

Page 22: Sample Report

Page 23: Scan Schedule

Page 24: Asset Management

Page 25: System Configuration

Page 26: Lessons Learned

- Internal software development takes a really long time
- Logistical considerations are always the most difficult challenge
- As soon as software enters a useful beta it tends to migrate rapidly to essential service
- Bug fixes tend to skew towards the features in use
- Simple NMAP scans are never simple
- Remediation tracking is as difficult as vulnerability identification
- Querying large data sets takes careful planning

Page 27: Thank You

[email protected] @madirish2600

http://www.MadIrish.net

Page 28: Links to Resources

- HECTOR download - https://sites.sas.upenn.edu/kleinkeane/software/hector
- NMAP - http://nmap.org/
- OSSEC - http://www.ossec.net/
- Kojoney - http://kojoney.sourceforge.net/
- Kippo - https://code.google.com/p/kippo/
- Rsyslog - http://www.rsyslog.com/