MayDay-conf 2019-Oct Cluj – Open Source Security Tools
It’s all about Open Source.
Who am I – Ovidiu – Founder Cyscale
- Cloud Security enthusiast
- 10+ years in Cybersecurity (7 in DLP and Endpoint Protection)
- 2 products in Gartner Magic Quadrant (Enterprise DLP and IIoT)
- OWASP Chapter Leader for Cluj-Napoca
- Chief Information Security Officer as a Service – multiple companies
What should my Cybersecurity Platform contain? (Blue Team's perspective)
- Detection and Response: Endpoint Protection, Endpoint Detection and Response, DLP, SOAR, OpenC2
- Network Protection: Firewall, IDS, IPS, Traffic Analysis
- Malware Analysis: Sandboxes for file/email detonation and inspection
- Threat Intelligence: Collaborate, Collect, Evaluate, Analyze
- Cloud Security: Public, Private and Hybrid Cloud Security tools
- Centralized Logs & Management: Compliance, Policies, Logs, Analysis
Network Security – great OSS options

pfSense – Firewall
pfSense is one of the leading network firewalls with a commercial level of features.
Features:
• Great Firewall & Router
• High Performance
• Load Balancing
• IDS/IPS with Snort
• VPN
• Proxy & Content filtering

Zeek – Network Security Monitor
Powerful network analysis framework.
Features:
• Anomaly and Signature detections
• IDS / IPS API
• High Performance
• Automatic protocol detection
• Industry standard outputs
• MIME Type Statistics

Snort – IDS/IPS
IPS offered by Cisco. Capable of real-time traffic analysis and packet logging on IP networks.
Features:
• Most widely deployed IDS in the world
• 600,000+ Registered users
• Real-time traffic analysis
• Protocol analysis
• Content searching/matching

Other great tools:
Firewalls: NG Firewall (Untangle), Smoothwall (free), OPNsense, IPFire
WAF: ModSecurity (*and WAF-FLE UI)
IDS/IPS: Suricata, OSSEC, Samhain Labs
Wireshark – network traffic inspection
OSQuery – Endpoint Visibility
Incident Management & Response
TheHive – Security Incident Response Platform
Cyphon.io – Incident Response Platform
Offers:
• Collect & Store – SIEM, DLP, EPP, Firewall
• Elaborate – investigate cases
• Analyze/Investigate – collaborate & assign
• Respond – ticketing, process, contain incidents, API calls, automatic actions
Cybersecurity Threat Intelligence
OTX – Open Threat Exchange: AlienVault Open Threat Exchange
ThreatConnect Open - Access to 100+ open source intelligence feeds (OSINT)
https://threatfeeds.io – List of open-source threat feeds
github.com/hslatman/awesome-threat-intelligence
Cybersecurity Threat Intelligence
YETI – Your Everyday Threat Intelligence
Open, distributed, machine and analyst-friendly threat intelligence repository.
Malware Analysis
YARA - pattern matching swiss knife for malware researchers
Used in:
• Airbnb BinaryAlert (free)
• CrowdStrike
• FireEye
• Kaspersky
• Raytheon
• Websense
• Symantec
Malware Analysis
Cuckoo Sandbox – automated malware analysis system
Cloud Security
Github – AWS security tools
Forseti Security – GCP
Cloud Discovery – Twistlock – AWS, Azure and GCP
They offer:
• Inventory of VMs, Kubernetes, Container Registries, Serverless
• Security Scanning for weak settings and authentication
• Compliance (some)
Big Data Security Analytics Framework
OpenSOC & Apache Metron
Features:
• Monitor any telemetry source
• Anomaly detection and real-time rules-based alerts
• Hadoop-backed storage for telemetry stream
• Automated real-time indexing backed by Elasticsearch
Centralized Logs & Analysis
HELK – Hunting ELK
Features:
• ELK stack for log analysis
• ES-Hadoop + Spark -> interact with ELK Stack to analyze data
• GraphFrames – DataFrame-based Graphs for Spark
• Jupyter Notebooks – Team collaboration on ML and AI algorithms
Incoming features:
• OSQuery Data Ingestion
• MITRE ATT&CK mapping to logs or dashboards
• Terraform integration (AWS, Azure, GCP)
Open Source Security – Tools
Ovidiu Cical – [email protected]
Vulnerability Scanning
• OWASP Vulnerability Scanning Tools List
• OWASP Zed Attack Proxy (ZAP) – Free
• https://pentest-tools.com – Freemium
• Burp Suite
• Acunetix Free
• Qualys FreeScan
• SUCURI Free
• UpGuard Web Scan, Tenable, Rapid7 ...

IAM APIs
• OpenIAM – Community Edition
• Keycloak – Open Source
• Soffid – Open Source
• OneLogin, Okta
• Amazon AWS
• Google IAM
• Microsoft AD ...

Infrastructure/Cloud/Server Security
• Let’s Encrypt SSL Certificates – Free
• Qualys SSL Labs (server, browser tests) – Free
• CloudStack – Free
• Kali Linux
• Metasploit
• HPE ConvergedSystem
• ...

Threat detection/prevention
• AlienVault Open Source SIEM (OSSIM)
• Suricata Intrusion Detection/Prevention
• OSSEC
• OPSWAT
• Snort IPS
• Security Onion
• Fail2ban ...

Web Apps/Code Security
• OWASP – Follow Top 10 lists
• OWASP SonarQube – 20+ languages
• OWASP Orizon – Mostly Java
• Bandit – Python code analysis – Free
• w3af.org, Kali Linux + Nikto
• Contrast Security, Kiuwan, Puma Sec
• Fortify – HP ...

Container Security
• Peekr from Aqua Security
• Platform9
• Twistlock
• Red Hat Atomic Scan
• Clair from CoreOS
• Anchore