Contents
- Practical Monitoring with OSSIM
- Asset and Data Source Identification
- OSSIM Platform
- OSSIM Architecture
- Minimum Requirements
- Create OTX Account
- Factors to Consider
- Demo Environment
- OSSIM Installation
- Basic Configuration
- Adding Assets & Configuring VA
- IDS in OSSIM
- Setting up HIDS
- Setting up NIDS
- Adding Devices and Enabling Plugins
- Plugins for CheckPoint Firewall
- Availability Monitoring
Practical Monitoring with OSSIM
- Cyber security is a challenge.
- 24 x 7 monitoring of critical networks.
- OSSIM is an open source product.
- People, Process, Technology.
- Strengths and weaknesses of the OSSIM tool.
Asset and Data Source Identification
- Asset: any device with an IP address.
- Data Source: an asset capable of creating and sending logs.
- OSSIM supports logs from databases, syslog, WMI, etc.
OSSIM Platform
- Asset Discovery
  - Active network scanning
  - Passive network scanning
  - Asset inventory
- Vulnerability Assessment
  - Continuous vulnerability monitoring
  - Authenticated / unauthenticated active scan
- Threat Detection
  - Network IDS
  - Host IDS
  - File integrity monitoring
- Behavioral Monitoring
  - NetFlow analysis
  - Service availability monitoring
- Security Intelligence
  - Log collection
  - Event correlation
  - Incident response
OSSIM Architecture
- Sensor
  - Asset discovery
  - Vulnerability scanning
  - Event collection
- Server
  - Policy
  - Risk assessment
  - Correlation
  - SQL storage
  - Forwarding
- Logger
  - Log storage for OSSIM
  - Digitally signed long-term storage
Minimum Requirements
- Hardware requirements
  - 8 CPU cores
  - 16 GB RAM
  - 1 TB of HDD
  - 3 network interfaces
- Additional requirements
  - VMware or Hyper-V
  - OSSIM ISO file
  - OTX key (I'll guide you on how to get it)
Create OTX Account
Factors to Consider
Before implementing OSSIM it is necessary to check the following areas:
- EPS (events per second)
- Number of assets
- Bandwidth
- Geographical locations
- Network boundaries
- Time zones
- Storage
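Measuring EPS before sizing the deployment, as an added example that is not part of the slide deck: the script parses a constructed syslog sample, computes average and peak events per second (overall and per host) and turns a rate into a storage estimate. The index-overhead and headroom multipliers are assumptions, not OSSIM figures.

```python
"""Measure events per second (EPS) from a syslog sample and estimate storage.

Added example, not part of the slide deck. SAMPLE_LOG is constructed; the
index-overhead and headroom multipliers are assumptions, not OSSIM figures.
"""
import re
from collections import Counter
from datetime import datetime

# RFC 3164 style header: "Mmm dd hh:mm:ss host tag: message"
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample: two hosts, three consecutive seconds, 10 events.
SAMPLE_LOG = """\
Mar 10 12:00:01 fw01 kernel: accept src=10.0.0.5 dst=10.0.1.7 proto=tcp dport=443
Mar 10 12:00:01 fw01 kernel: drop src=10.0.0.9 dst=10.0.1.7 proto=tcp dport=22
Mar 10 12:00:01 srv01 sshd[812]: Failed password for root from 10.0.0.9 port 51122 ssh2
Mar 10 12:00:02 fw01 kernel: accept src=10.0.0.5 dst=10.0.1.8 proto=udp dport=53
Mar 10 12:00:02 srv01 sshd[812]: Failed password for root from 10.0.0.9 port 51123 ssh2
Mar 10 12:00:02 srv01 sshd[812]: Failed password for root from 10.0.0.9 port 51124 ssh2
Mar 10 12:00:02 srv01 sshd[812]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2
Mar 10 12:00:03 fw01 kernel: drop src=10.0.0.9 dst=10.0.1.7 proto=tcp dport=3389
Mar 10 12:00:03 fw01 kernel: drop src=10.0.0.9 dst=10.0.1.7 proto=tcp dport=445
Mar 10 12:00:03 srv01 CRON[900]: (root) CMD (/usr/bin/backup.sh)
"""


def parse_sample(text, year=2024):
    """Yield (timestamp, host, raw_line) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # a real tool should count malformed lines separately
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("host"), line


def eps_stats(text):
    """Average EPS, peak EPS (busiest second) and per-host EPS over the sample window."""
    per_second, per_host = Counter(), Counter()
    total_bytes, count = 0, 0
    first = last = None
    for ts, host, line in parse_sample(text):
        per_second[ts] += 1
        per_host[host] += 1
        total_bytes += len(line.encode()) + 1  # +1 for the newline on disk
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        count += 1
    if count == 0:
        return {"events": 0, "window_s": 0, "avg_eps": 0.0, "peak_eps": 0,
                "per_host_eps": {}, "avg_bytes": 0.0}
    window_s = (last - first).total_seconds() + 1  # count the last second too
    return {
        "events": count,
        "window_s": window_s,
        "avg_eps": count / window_s,
        "peak_eps": max(per_second.values()),
        "per_host_eps": {h: n / window_s for h, n in sorted(per_host.items())},
        "avg_bytes": total_bytes / count,
    }


def storage_estimate_gb(eps, avg_bytes, retention_days,
                        index_overhead=1.5, headroom=1.3):
    """Disk needed for the retention period. The multipliers are assumptions:
    index_overhead covers database/index space, headroom covers growth."""
    raw = eps * avg_bytes * 86400 * retention_days
    return raw * index_overhead * headroom / 1e9


if __name__ == "__main__":
    s = eps_stats(SAMPLE_LOG)
    print(f"{s['events']} events over {s['window_s']:.0f} s: "
          f"avg {s['avg_eps']:.2f} EPS, peak {s['peak_eps']} EPS")
    # Size at the peak rather than the average so bursts do not fill the disk.
    print(f"90-day estimate at peak rate: "
          f"{storage_estimate_gb(s['peak_eps'], s['avg_bytes'], 90):.1f} GB")
```

Run it against a day or more of real logs from each source rather than a ten-line sample; the peak-to-average ratio is what decides whether the sensor and the logger disk keep up.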
Demo Environment
OSSIM Installation
Getting Started Wizard – Network Interfaces
Basic Configuration
- Setting up the correct time zone
- Configuring the hostname
- Setting up the correct time zone for the user
- Configuring the password for the configuration backup
Adding Assets & Configuring VA
- Any device with an IP address is an asset.
- Examples:
  - Firewalls
  - Servers
  - IP cameras
  - Mobile devices
  - Network printers
IDS in OSSIM
- HIDS – host-based intrusion detection system
- NIDS – network-based intrusion detection system
(Diagram: IDS branches into HIDS and NIDS.)
Setting up HIDS
- What is HIDS?
A host-based intrusion detection system means installing an agent on the device, pulling the device's logs into OSSIM, doing the correlation inside OSSIM and generating the alarms. Agents that can be used:
- OSSEC
- NXLog
- Filebeat
Setting up NIDS
A network-based intrusion detection system analyses the inbound and outbound network traffic in the environment and the behaviour of the traffic generated. OSSIM does this part without an agent, which is why it is called NIDS.
Adding Devices and Enabling Plugins
Next we are going to integrate devices that send syslog. First, ask your network admin to forward syslog to UDP port 514 of the OSSIM log collector IP.
DEMO
Create Plugins
Plugins for CheckPoint Firewall
- What is a plugin?
- OSSIM has nearly 1000 plugins for different devices.
- For example, "Fw1.alt" is the plugin for CheckPoint.
Fw1.alt Plugin
Creating a plugin
- Regular Expressions
- Regular Expressions – Combinations
- Regular Expressions – Occurrence Matches
- Regular Expressions – Complex Matches
- Regular Expressions – Special Characters
Regular Expressions

Operator   Meaning
c          A non-special character matches itself
\c         Toggles the special meaning of the character c; \$ matches a literal $
^          The position at the beginning of the line
$          The position at the end of the line
.          Any single character
[...]      Any one of the characters ...; accepts ranges such as a-z, 0-9, A-Z
[^...]     Any character other than ...; accepts ranges such as a-z, 0-9, A-Z
Regular Expressions – Combinations

Regular expression   Matches
a.b                  axb aab abb aSb a#b ...
a..b                 axxb aaab abbb a4$b ...
[abc]                a b c (one-character strings)
[aA]                 a A (one-character strings)
[aA][bB]             ab aB Ab AB (two-character strings)
[0123456789]         0 1 2 3 4 5 6 7 8 9
[0-9]                0 1 2 3 4 5 6 7 8 9
[A-Za-z]             A B C ... Z a b c ... z
[0-9][0-9][0-9]      000 001 .. 009 010 .. 019 100 .. 999
Regular Expressions – Occurrence Matches

Operator   Meaning
r*         0 or more occurrences of r
r+         1 or more occurrences of r
r?         0 or 1 occurrence of r, and no more
r{n}       exactly n occurrences of r
r{,m}      0 up to at most m occurrences of r
r{n,m}     n or more occurrences of r, but at most m
r1|r2      r1 or r2
Regular Expressions – Special Characters

Regular expression   Matches                                Equals
\d                   Any decimal digit                      [0-9]
\D                   Any non-digit character                [^0-9]
\s                   Any whitespace character               [ \t\n\r\f\v]
\S                   Any non-whitespace character           [^ \t\n\r\f\v]
\w                   Any alphanumeric character and "_"     [a-zA-Z0-9_]
\W                   Any non-alphanumeric character         [^a-zA-Z0-9_]
\Z                   End of line
Regular Expressions – Complex Matches

Regular expression   Matches
[0-9]+               0 1 9 00 99 123 456 999 9999 99999 99999999 ...
[0-9]?               empty_string 0 1 2 .. 9
(ab)*                empty_string ab ababab abababababab
([0-9]+ab)*          empty_string 1234ab 9ab9ab9ab 9876543210ab 99ab99ab ...
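How the syslog feed on UDP 514 and the plugin regexes fit together, as an added example that is not the deck's or OSSIM's code: it splits an RFC 3164 line into PRI, timestamp, host and message, then applies plugin-style rules built from the operators in the tables above. The log lines, rule names and plugin_sid values are constructed, and the field mapping is an assumption rather than the Fw1.alt plugin's definition.

```python
"""Parse a syslog line as received on UDP 514 and normalise it plugin-style.

Added example, not the deck's or OSSIM's own code. The log lines, rule names
and plugin_sid values are constructed; the field mapping is an assumption.
"""
import re

# RFC 3164: "<PRI>Mmm dd hh:mm:ss host tag: message", PRI = facility*8 + severity
SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"                       # \d with a bounded count
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s"
    r"(?P<host>\S+)\s"                           # \S = anything but whitespace
    r"(?P<msg>.*)\Z"                             # \Z anchors the end
)

IP = r"\d{1,3}(?:\.\d{1,3}){3}"                  # dotted quad, loosely

# "Plugin rules": one regex per event type plus the fields it normalises.
RULES = [
    {   # constructed firewall line: 'fw: drop src=... dst=... proto=tcp dport=22'
        "name": "fw-traffic",
        "regexp": re.compile(
            rf"^fw: (?P<action>accept|drop|reject) src=(?P<src>{IP}) "
            rf"dst=(?P<dst>{IP}) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
        ),
        "sid": {"accept": 1, "drop": 2, "reject": 3},   # constructed plugin_sid values
    },
    {   # sshd failed password
        "name": "ssh-auth-fail",
        "regexp": re.compile(
            rf"^sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\w+) "
            rf"from (?P<src>{IP}) port (?P<sport>\d+) ssh2$"
        ),
        "sid": 100,
    },
]


def parse_syslog(line):
    """Split the header; return None for a line with no valid RFC 3164 header."""
    m = SYSLOG.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "ts": m.group("ts"),
            "host": m.group("host"), "msg": m.group("msg")}


def normalise(line):
    """Fields of the first matching rule, or None when no rule matches (the agent drops it)."""
    hdr = parse_syslog(line)
    if hdr is None:
        return None
    for rule in RULES:
        m = rule["regexp"].match(hdr["msg"])
        if not m:
            continue
        fields = m.groupdict()
        sid = rule["sid"]
        if isinstance(sid, dict):                # sid depends on the action captured
            sid = sid[fields["action"]]
        return {"plugin_rule": rule["name"], "plugin_sid": sid, "device": hdr["host"],
                "severity": hdr["severity"], **fields}
    return None


# Constructed input: a drop, a failed login, a line no rule covers, and junk.
SAMPLE = [
    "<134>Mar 10 12:00:01 fw01 fw: drop src=10.0.0.9 dst=10.0.1.7 proto=tcp dport=22",
    "<38>Mar 10 12:00:02 srv01 sshd[812]: Failed password for root from 10.0.0.9 port 51122 ssh2",
    "<13>Mar 10 12:00:03 srv01 CRON[900]: (root) CMD (/usr/bin/backup.sh)",
    "garbage without a syslog header",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(normalise(raw))
```

Lines that hit no rule are the ones to look at when a device is "connected" but produces no events in OSSIM: the plugin is enabled, but its regexes do not match the device's actual format.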
Create a Simple Correlation
- Logical correlation uses correlation directives to detect attacks.
- By default, OSSIM includes almost 80 built-in directives.
- Users can customize existing directives or create custom ones.
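A minimal model of a logical correlation directive, added here and not OSSIM's engine: a constructed SSH brute-force directive whose levels chain on occurrence counts and time windows, with the alarm decision using the risk formula OSSIM documents (asset value x priority x reliability / 25). The event stream and level parameters are constructed.

```python
"""A minimal model of an OSSIM-style logical correlation directive.

Added example, not OSSIM's correlation engine. The directive and the event
stream are constructed; the risk formula (asset * priority * reliability / 25)
is the one OSSIM documents, everything else is a simplification.
"""

# Constructed directive: level 1 opens on one failed SSH login from a source;
# level 2 needs 5 more failures from the same source within 60 s and raises
# reliability; level 3 needs one successful login from that source within 300 s.
DIRECTIVE = {
    "name": "SSH brute force followed by a successful login",
    "priority": 4,                       # 0..5, how serious the directive is
    "levels": [
        {"sid": "ssh-fail", "occurrence": 1, "timeout": None, "reliability": 1},
        {"sid": "ssh-fail", "occurrence": 5, "timeout": 60,   "reliability": 4},
        {"sid": "ssh-ok",   "occurrence": 1, "timeout": 300,  "reliability": 9},
    ],
}


def risk(asset_value, priority, reliability):
    """OSSIM risk: asset value (0..5) * priority (0..5) * reliability (0..10) / 25."""
    return asset_value * priority * reliability / 25


class Correlator:
    def __init__(self, directive, asset_value=3, alarm_threshold=1.0):
        self.d = directive
        self.asset_value = asset_value
        self.threshold = alarm_threshold
        self.state = {}   # src -> {"level": reached, "count": hits toward next, "since": ts}
        self.alarms = []

    def feed(self, ev):
        """ev = {"ts": seconds, "sid": event type, "src": source IP}; returns an alarm or None."""
        levels = self.d["levels"]
        src = ev["src"]
        st = self.state.get(src)
        if st is None:
            if ev["sid"] == levels[0]["sid"]:      # level 1 opens the directive
                self.state[src] = {"level": 1, "count": 0, "since": ev["ts"]}
            return None
        if st["level"] >= len(levels):             # directive already completed
            return None
        nxt = levels[st["level"]]
        if nxt["timeout"] is not None and ev["ts"] - st["since"] > nxt["timeout"]:
            del self.state[src]                    # window expired: drop the partial match
            return None
        if ev["sid"] != nxt["sid"]:
            return None
        st["count"] += 1
        if st["count"] < nxt["occurrence"]:
            return None
        st.update(level=st["level"] + 1, count=0, since=ev["ts"])
        r = risk(self.asset_value, self.d["priority"], nxt["reliability"])
        if r < self.threshold:
            return None                            # stays an event, no alarm
        alarm = {"directive": self.d["name"], "src": src, "level": st["level"], "risk": r}
        self.alarms.append(alarm)
        return alarm


def run(directive, events, **kwargs):
    """Feed events in order and return the alarms raised."""
    c = Correlator(directive, **kwargs)
    return [a for a in (c.feed(e) for e in events) if a is not None]


# Constructed stream: 6 failures in 25 s, then a successful login 15 s later.
EVENTS = [{"ts": t, "sid": "ssh-fail", "src": "10.0.0.9"} for t in (0, 5, 10, 15, 20, 25)]
EVENTS.append({"ts": 40, "sid": "ssh-ok", "src": "10.0.0.9"})

if __name__ == "__main__":
    for a in run(DIRECTIVE, EVENTS):
        print(a)
```

With an asset value of 3 the first level never alarms (risk 0.48), the fifth repeated failure does (1.92), and the following login raises it to 4.32; lowering the asset value or the directive priority is how a noisy directive is tuned without rewriting its rules.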
Availability Monitoring
The last option to enable in OSSIM is availability monitoring. As the name says, it simply checks whether a resource or service is available or not.
- Service availability monitoring
- Device availability monitoring
Understanding the Dashboard
THANK YOU
FOLLOW US ON /econIntconference @econ_int @int.econ

Continuous monitoring with OSSIM

  • 1.
  • 2.
  • 4. Contents  Practical Monitoring with OSSIM  Asset and Data Source Identification  OSSIM Platform  OSSIM Architecture  Minimum Requirements  Create OTX Account  Factors to Consider  Demo Environment  OSSIM Installation  Basic Configuration  AddingAssets & ConfiguringVA  IDS in OSSIM  Setting up HIDS  Setting up NIDS  Adding Devices Enabling Plugins  Plugins for CheckPoint Firewall  Availability Monitoring
  • 5. Practical Monitoring with OSSIM  Cyber security is a challenge.  24 x 7 monitoring of critical networks.  OSSIM is a open source product.  PEOPLE PROCESSTECHNOLOGY  Strengths and weaknesses of OSSIM tool.
  • 6. Asset and data source Identification  Asset –any device with an IP address.  Data Source – Assets Capable of creating and sending logs.  OSSIM support logs from databases, syslogs andWMI etc.
  • 7. OSSIM Platform  Asset Discovery  Active Network Scanning  Passive Network Scanning  Asset Inventory  VulnerabilityAssessment  ContinuousVulnerability Monitoring  Authenticated Unauthenticated Active Scan  Threat Detection  Network IDS  Host IDS  File Integrity Monitoring  Behavioral Monitoring  NetFlow Analysis  Service Availability Monitoring  Security Intelligence  Log Collection  Event Correlation  Incident Response
  • 8. OSSIM Architecture  Sensor  Asset Discovery  Vulnerability Scanning  Event Collection  Server  Policy  RiskAssessment  Correlation  SQL Storage  Forwarding  Logger  Log Storage for OSSIM  Digitally Signed long term Storage
  • 9. Minimum Requirements  Hardware requirement  8 CPU cores  16 Gb RAM  1TB of HDD  3 Network Interfaces  Additional requirement  VMware or Hyper-V  OSSIM ISO file  OTX key (I’ll guide you on how to get it)
  • 11. Factors to Consider Before the implementation of OSSIM it is necessary to check on the following areas.  EPS (Events Per Seconds)  Numbers of Assets  Bandwidth  Geographical locations  Network Boundaries  Time zones  Storage
  • 14. Getting Started Wizard – Network Interfaces
  • 15. Basic Configuration  Setting up the correct time zone  Configuring hostname  Setting up the correct time zone for the user  Configuring password for the configuration backup
  • 16. Adding Assets & Configuring VA  Any device with an IP address is an asset.  Examples :-  Firewalls  servers  IP cameras  mobile device  network printers
  • 17. IDS in OSSIM  HIDS – Host base intrusion detection system  NIDS – network base intrusion detection system IDS HIDS NIDS
  • 18. Setting up HIDS  What is HIDS? Host base intrusion detection system means put the agent to the device and pull the device logs to the OSSIM and do the Correlations part inside the OSSIM and generate the alarms.  Ossec  Nxlog  File beat
  • 19. Setting up NIDS Network base intrusion detections means it’s analyzed in and out network traffic in the environment and analyzed the behavior of the traffic generated. OSSIM is doing those part with out agent that’s why it called NIDS.
  • 20. Adding devices and Enabling Plugins Next we’re going to integrate devices that send syslogs. So first ask your network admin to forward syslogs towards UDP port 514 of the log collector IP of OSSIM
  • 21. DEMO
  • 23. Plugins for CheckPoint firewall  What is a plugin?  OSSIM has nearly 1000 plugins for different devices  For Example “Fw1.alt” is the plugin for CheckPoint
  • 25. Creating a plugin  Regular Expressions  Regular Expressions – Combinations  Regular Expressions — Occurrence Matches  Regular Expressions — Complex Matches  Regular Expressions — Special Characters
  • 26. Regular Expressions
    Operator   Meaning
    c          A non-special character matches itself
    \c         Adds the special meaning of the character c; \$ matches with $
    ^          Indicates the position at the beginning of the line
    $          Indicates the position at the end of the line
    .          Any individual character
    […]        One or any of the characters …; accepts intervals of the type a-z, 0-9, A-Z
    [^…]       A character different from …; accepts intervals of the type a-z, 0-9, A-Z
  • 27. Regular Expressions - Combinations
    Regular expression   Matches with
    a.b                  axb aab abb aSb a#b ...
    a..b                 axxb aaab abbb a4$b ...
    [abc]                a b c (one-character strings)
    [aA]                 a (one-character strings)
    [aA][bB]             ab aB AB (two-character strings)
    [0123456789]         0 1 2 3 4 5 6 7 8 9
    [0-9]                0 1 2 3 4 5 6 7 8 9
    [A-Za-z]             A B C ... Z a b c ... z
    [0-9][0-9][0-9]      000 001 .. 009 010 .. 019 100 .. 999
  • 28. Regular Expressions — Occurrence Matches
    Operator   Meaning
    r*         0 or more occurrences of r
    r+         1 or more occurrences of r
    r?         0 or 1 occurrence of r, and no more
    r{n}       n occurrences of r
    r{,m}      0 or at most m occurrences of r
    r{n,m}     n or more occurrences of r, but at most m
    r1|r2      r1 or r2
  • 29. Regular Expressions — Special Characters
    Regular expression   Matches with                              Equals
    \d                   Any decimal character                     [0-9]
    \D                   Any non-decimal character                 [^0-9]
    \s                   Any space character                       [ \t\n\r\f\v]
    \S                   Any non-space character                   [^ \t\n\r\f\v]
    \w                   Any alphanumeric character and "_"        [a-zA-Z0-9_]
    \W                   Any non-alphanumeric character            [^a-zA-Z0-9_]
    \Z                   End of line
  • 30. Regular Expressions — Complex Matches
    Regular expression   Matches with
    [0-9]+               0 1 9 00 99 123 456 999 9999 99999 99999999 ...
    [0-9]?               empty_string 0 1 2 .. 9
    (ab)*                empty_string ab ababab abababababab
    ([0-9]+ab)*          empty_string 1234ab 9ab9ab9ab 9876543210ab 99ab99ab ...
  • 31. Create a Simple Correlation  Logical correlation uses correlation directives to detect attacks.  By default, OSSIM includes almost 80 built-in directives.  Users can customize existing directives or create custom ones.
  • 32. Availability Monitoring  The last option to enable in OSSIM is availability monitoring. As the name suggests, it simply checks whether the resource/service is available or not.  Service Availability Monitoring  Device Availability Monitoring
  • 35. FOLLOW US ON /econIntconference @econ_int @int.econ
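The following is an added example, not code from the slides or from OSSIM itself, tying together slide 20 (syslog arriving on UDP port 514) and the regex slides 25 to 30: it parses a log line the way an OSSIM plugin's regex rules would, using the operators from the tables (\d, \w, \s, {n,m}, bracket classes, alternation, + and ?), and it checks a few rows of the tables with re.fullmatch. The sample line is constructed; it imitates an RFC 3164 syslog header followed by a key=value firewall body and is not the real Check Point format. The listen() helper binds the collector port so you can confirm that the network admin's forwarding actually arrives.

```python
"""Plugin-style log parsing built from the slides' regex tables (added example).
The sample log line is CONSTRUCTED; it is not the real Check Point format and
none of this is the page's or OSSIM's own plugin code."""
import re
import socket
from typing import Dict, Optional

# Constructed sample (assumption): "<PRI>TIMESTAMP HOST" header, key=value body.
SAMPLE = ("<134>Mar 14 10:22:07 fw-edge-01 fw: action=drop src=203.0.113.45 "
          "dst=192.0.2.10 proto=tcp service=22 rule=17")

# Header: \d with {n,m}, \w, \s, a bracket class and '.*' from the tables.
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"                              # 1-3 digits in <...>
    r"(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"     # "Mar 14 10:22:07"
    r"(?P<host>[\w.-]+)\s"                              # hostname characters
    r"(?P<msg>.*)$"                                     # rest of the line
)

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"   # grouping + {n}; '\.' is a literal dot

# Body: alternation (r1|r2), '+' (one or more) and '?' (optional group).
FW_BODY = re.compile(
    r"action=(?P<action>accept|drop|reject)\s"
    r"src=(?P<src>" + IPV4 + r")\s"
    r"dst=(?P<dst>" + IPV4 + r")\s"
    r"proto=(?P<proto>\w+)\s"
    r"service=(?P<service>\d+)"
    r"(?:\srule=(?P<rule>\d+))?"     # "rule=" may be absent
)


def decode_pri(pri: int):
    """Split the syslog PRI into (facility, severity): PRI = facility * 8 + severity."""
    return divmod(pri, 8)


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Return the normalised fields a plugin would hand to the OSSIM agent, or None."""
    head = SYSLOG_HEADER.match(line)
    if head is None:
        return None
    body = FW_BODY.search(head.group("msg"))
    if body is None:
        return None
    facility, severity = decode_pri(int(head.group("pri")))
    event: Dict[str, object] = {
        "facility": facility, "severity": severity,
        "timestamp": head.group("ts"), "host": head.group("host"),
    }
    # groups that did not participate (e.g. a missing rule=) are left out
    event.update({k: v for k, v in body.groupdict().items() if v is not None})
    event["service"] = int(body.group("service"))
    return event


def parse_datagram(data: bytes) -> Optional[Dict[str, object]]:
    """Decode one UDP datagram as received on the collector port and parse it."""
    return parse_event(data.decode("utf-8", errors="replace").rstrip("\r\n"))


def listen(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Receive syslog on UDP/514 (binding it needs privileges) and print parsed events."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            print(src, parse_datagram(data))


def check_table_claims() -> bool:
    """Confirm rows of the slides' tables with re.fullmatch: (pattern, matches, non-matches)."""
    claims = [
        (r"a.b", ["axb", "aab", "a#b"], ["ab", "axxb"]),
        (r"[0-9][0-9][0-9]", ["000", "999"], ["99", "9999"]),
        (r"(ab)*", ["", "ab", "ababab"], ["aba"]),
        (r"([0-9]+ab)*", ["", "1234ab", "9ab9ab9ab"], ["ab"]),
        (r"\w+", ["abc_123"], ["abc-123"]),
        (r"\s", [" ", "\t", "\n"], ["x"]),
        (r"r{2,3}", ["rr", "rrr"], ["r", "rrrr"]),
    ]
    return all(
        all(re.fullmatch(p, s) is not None for s in yes)
        and all(re.fullmatch(p, s) is None for s in no)
        for p, yes, no in claims
    )


if __name__ == "__main__":
    print(parse_event(SAMPLE))
    print("table claims hold:", check_table_claims())
```

Run it as-is to see the parsed fields of the constructed line; call listen() on the collector (as root, or with a port above 1024 and a matching forwarding rule) to watch real datagrams arrive. Lines that fail either regex return None, which is exactly the "unparsed event" case you will chase when writing your own plugin.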
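To make slide 31 concrete, here is an added example of what a logical correlation directive does, written as a small Python model; it is not OSSIM's directive XML or its correlation engine, and the directive, events and asset values are constructed. The only thing taken from OSSIM is its documented risk formula, risk = (asset value x priority x reliability) / 25, with asset value and priority on 0 to 5 and reliability on 0 to 10, so that an alarm is raised when the risk reaches 1.

```python
"""Toy logical-correlation engine (added example, constructed model; not OSSIM code).
A directive is a chain of levels; each level waits for `occurrence` matching events
inside `time_out` seconds and, once complete, scores the instance with the OSSIM
risk formula. Matching continues to the next level until the chain is exhausted."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since epoch
    src_ip: str
    dst_ip: str
    name: str      # normalised event name as a plugin would emit it


@dataclass(frozen=True)
class Level:
    match: Callable[[Event], bool]   # condition an event must satisfy
    occurrence: int                  # matching events needed to complete the level
    time_out: float                  # seconds, window measured from the level's first match
    reliability: int                 # 0..10, confidence once this level is reached


@dataclass(frozen=True)
class Directive:
    name: str
    priority: int                    # 0..5, how bad a confirmed match is
    levels: List[Level]


def ossim_risk(asset_value: int, priority: int, reliability: int) -> float:
    """OSSIM risk formula: asset value (0-5) * priority (0-5) * reliability (0-10) / 25."""
    return (asset_value * priority * reliability) / 25


class Correlator:
    """Runs one directive, keeping one instance of it per source IP."""

    def __init__(self, directive: Directive, asset_values: Dict[str, int],
                 default_asset: int = 2, alarm_threshold: float = 1.0):
        self.directive = directive
        self.asset_values = asset_values        # dst_ip -> asset value (constructed)
        self.default_asset = default_asset
        self.alarm_threshold = alarm_threshold
        self._state: Dict[str, dict] = {}       # src_ip -> {level, count, window_start}

    def feed(self, ev: Event) -> Optional[dict]:
        """Consume one event; return an alarm dict when a level completes with risk >= threshold."""
        st = self._state.setdefault(ev.src_ip, {"level": 0, "count": 0, "window_start": ev.ts})
        level = self.directive.levels[st["level"]]
        if not level.match(ev):
            return None
        # (re)start the count on the level's first match or when the window has expired
        if st["count"] == 0 or ev.ts - st["window_start"] > level.time_out:
            st["count"], st["window_start"] = 0, ev.ts
        st["count"] += 1
        if st["count"] < level.occurrence:
            return None
        # level complete: score it, then advance or finish the instance
        reached = st["level"]
        asset = self.asset_values.get(ev.dst_ip, self.default_asset)
        risk = ossim_risk(asset, self.directive.priority, level.reliability)
        if reached + 1 < len(self.directive.levels):
            st.update(level=reached + 1, count=0)
        else:
            del self._state[ev.src_ip]
        if risk < self.alarm_threshold:
            return None
        return {"directive": self.directive.name, "src_ip": ev.src_ip, "dst_ip": ev.dst_ip,
                "level": reached, "reliability": level.reliability, "risk": risk, "ts": ev.ts}


def brute_force_directive() -> Directive:
    """Constructed directive: repeated SSH failures, then a success from the same source."""
    failed = lambda e: e.name == "ssh_login_failed"
    success = lambda e: e.name == "ssh_login_success"
    return Directive("SSH brute force followed by success", priority=4, levels=[
        Level(failed, occurrence=1, time_out=0, reliability=1),     # first failure seen
        Level(failed, occurrence=5, time_out=60, reliability=3),    # five more within a minute
        Level(success, occurrence=1, time_out=300, reliability=8),  # then a login succeeds
    ])


def run_demo() -> List[dict]:
    """Feed constructed events through the correlator and return the alarms raised."""
    corr = Correlator(brute_force_directive(), asset_values={"192.0.2.10": 4})
    events = [Event(1000.0 + 5 * i, "203.0.113.45", "192.0.2.10", "ssh_login_failed")
              for i in range(6)]
    events.append(Event(1040.0, "203.0.113.45", "192.0.2.10", "ssh_login_success"))
    # a success from another source never matched level 0, so it raises nothing
    events.append(Event(1041.0, "198.51.100.7", "192.0.2.10", "ssh_login_success"))
    return [a for a in (corr.feed(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm)
```

With an asset value of 4 and priority 4, the first failure scores 0.64 and stays silent, the fifth follow-up failure scores 1.92 and raises the first alarm, and the success scores 5.12. The same events spread more than 60 seconds apart never complete level 2, which is the tuning knob (occurrence and time_out) you adjust when a custom directive is too noisy or too quiet.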

Editor's Notes

  1. I have been working as a SOC analyst in the past year and did
  2. Cyber security is the key challenge for any kind or any size of company, because of the rapid development of new technology. There are multiple solutions to overcome this challenge. But when considering the effectiveness of these solutions, the Security Operation Center, or as we simply call it, SOC, leads the industry with its continuous monitoring capability. You know, when it comes to SOC, people believe it is an expensive solution. But to overcome this, anyone can go for an open solution. So let me introduce you to a world-recognized open source tool with many useful features. Cyber security is a challenge for many organizations today. Rapid changes in the threat landscape force many organizations to adopt expensive security solutions even when the organization is not ready for such a solution. Establishing an organization-wide security operation center (SOC) is perceived as a solution to meet the challenges of cyber security by introducing 24 x 7 monitoring of critical networks. OSSIM is an open source product with many useful features that will allow you to take the first steps towards establishing a SOC. It will also allow you to adopt the PEOPLE PROCESS TECHNOLOGY approach for your cyber security solution. It is important to understand the strengths and weaknesses of the OSSIM tool.
  3. Anything that has an IP address can be declared as an asset. If those assets are capable of creating and sending any type of logs to a SIEM, then it is a data source. OSSIM supports logs from databases, syslog, WMI etc. In addition to that, we also forward a copy of the network traffic (SPAN) towards OSSIM. I've seen some antivirus engines that do not support syslog, but dump their events into a local database. In such cases we configure OSSIM to manually log in to those databases and fetch the logs at regular intervals.
  6. To perform the basic OSSIM functionality, these are the requirements.
  11. Anybody know what a plugin is?
  12. Let's move to the simple correlation.
  13. I'll show a simple dashboard and let's try to understand it.