My Blackhat Webcast of October 21nd 2010, the webcast is available on http://www.blackhat.com/html/webcast/webcast-home.html

1. McGyver’s SIEM
Building the best free HUD
Wim Remes
Thursday 21 October 2010

2. What we won’t need today ...
Thursday 21 October 2010

3. The views and opinions expressed in this presentation are
those of the presenter and do not reflect those of past,
current or future employers, associates or clients.
Thursday 21 October 2010

4. FOSS will never ever provide you with a complete SIEM
solution. Implementing SIEM is hard work and requires
dedication and vision. The premise of this talk is to enable
you to build the skillset required to implement a SIEM solution and
for you to understand your needs using free and open source software.
With that skillset you will then be enabled to to make an informed choice, lower the
actual implementation cost and improve ROI.
More importantly, it will teach your technical people how to
interpret data, build use cases and apply a common-sensical methodology.
Instead of making them button-clicking drones (again),
here’s your chance to make your people the strongest link not the weakest.
Thursday 21 October 2010

5. Who am I ?
Wim Remes
Ernst & Young (Belgium)
infosecmentors.com
eurotrashsecurity.eu
Thursday 21 October 2010

6. What is this about ?
1. What is SIEM ?
2. A common-sensical approach.
3. Let’s get it on !
4. Ask away ...
Thursday 21 October 2010

7. 1
What is SIEM ?
(Definition)
Thursday 21 October 2010

8. Security Information & Event Management
Software/Hardware that gathers, analyzes and presents
information from multiple sources
of security-relevant data.
(thanks to wikipedia)
Thursday 21 October 2010

9. SIEM
Log Management
Security Information & Event Management
SEM SIM
ESIM
(+ everything your vendor wants it or it’s name to be)
Thursday 21 October 2010

10. DATA INFORMATION
Thursday 21 October 2010

11. Information
Knowledge
Understanding
Wisdom
Thursday 21 October 2010

12. 1
What is SIEM ?
(Functionality we want)
Thursday 21 October 2010

13. Collection
syslog
scp
ftp
Thursday 21 October 2010

14. Normalization
FW_1 I dropped a packet from x to z on port 80 at 13:22
time : 13:22
action : dropped
source: x
destination : z
port : 80
FW_2 rejected x:1234 to z:22 at 1:23pm
time : 13:23
action : dropped
source: x
destination : z
port : 22
Thursday 21 October 2010

15. Correlation
time : 04:22 time : 04:23 time : 04:24 time : 04:25
action : failed action : failed action : failed action : success
src_ip : a.b.c.d src_ip : a.b.c.d src_ip : a.b.c.d src_ip : a.b.c.d
user : craig user : craig user : craig user : craig
Brute-force
attack ? Brute-force
(look at this in the morning) attack ?
(wake the f* up now !)
Thursday 21 October 2010

16. 3 base use cases
React Faster
Improve Efficiency
Automate Compliance
Securosis : Understanding and Selecting SIEM/Log Management
Thursday 21 October 2010

17. Thursday 21 October 2010

18. 2
common-sensical approach
Thursday 21 October 2010

19. Architecture
FLAT
Thursday 21 October 2010

20. Architecture
HIERARCHICAL
Thursday 21 October 2010

21. Architecture
MESH
Thursday 21 October 2010

22. integrating SIEM
Data Sources
Data Points
Use Cases
Thursday 21 October 2010

23. 3
Let’s get it on !
Thursday 21 October 2010

24. Our arsenal
ossec
http://www.ossec.net ossim
http://www.alienvault.com
syslog-ng
http://www.balabit.com/network-security/syslog-ng
davix
http://www.secviz.org
(+ some golden nuggets)
Thursday 21 October 2010

25. OSSEC
Host Based Intrusion Detection/Prevention
- Log Monitoring
- Integrity Control & Host Checking
- Policy Monitoring
- Real-time alerting & Active Response
Running on :
Windows, AIX,Solaris,HP-UX,MacOS & Linux
Thursday 21 October 2010

26. OSSEC
ossec-logcollector
agentd remoted
analysisd
Client
maild execd
Server
Thursday 21 October 2010

27. OSSEC
SIEM
OSSEC OSSEC
agentless !
syslog
= OSSEC agent
* observation : none of the leading SIEM solutions support OSSEC as an event source out of the box, why ?
Thursday 21 October 2010

28. OSSEC
pre-decoding
decoding
signatures
Thursday 21 October 2010

29. OSSEC
palo alto threat detection
Aug 26 13:56:07 192.168.0.5 1,2010/08/26 13:56:07,0003A100245,THREAT,
vulnerability,8,2010/08/26 13:56:01,10.0.0.1,10.0.0.2,0.0.0.0,
0.0.0.0,rule2,domainuser,,netbios-ns,vsys1,TAP-ZONE,TAP-ZONE,ethernet1/1,
ethernet1/1,Logger,2010/08/26 13:56:07,136674,3,137,137,0,0,0x8000,udp,
alert,"",NetBIOS nbtstat query(31707),any,low,client-to-server
thanks to Xavier Mertens (@xme)
Thursday 21 October 2010

30. OSSEC
palo alto threat detection
(decoder)
<-- Custom decoder for PaloAlto Firewalls Threat Events -->
<decoder name="paloalto-threat">
<prematch>^d,dddd/dd/dd dd:dd:dd,.+,THREAT,</prematch>
<regex>(d+.d+.d+.d+),(d+.d+.d+.d+),d+.d+.d+.d+,d+.d+.d+.d+,.+,(.*),(.*),.+,alert,.+,(.+),.
+$</regex>
<order>srcip,dstip,srcuser,dstuser,extra_data</order>
</decoder>
thanks to Xavier Mertens (@xme)
Thursday 21 October 2010

31. OSSEC
palo alto threat detection
(rules)
<group name="syslog,paloalto-threat,">
<rule id="150000" level="0">
<decoded_as>paloalto-threat</decoded_as>
<description>PaloAlto Firewalls Threat Events</description>
</rule>
<rule id="150001" level="10">
<if_sid>150000</if_sid>
<match>NetBIOs</match>
<description>Possible NetBIOS attack detected!</description>
</rule>
<rule id="150002" level="10">
<if_sid>150000</if_sid>
<user>domainadministrator</user>
<description>Possible attack detected against Administrator!</description>
</rule>
</group>
thanks to Xavier Mertens (@xme)
Thursday 21 October 2010

32. OSSEC
rules
login
failed success
100 times in
from unauthorized
the last 10
ip address !
minutes
on critical
server wake the f* up !
Thursday 21 October 2010

33. OSSEC
rules
login
failed success
100 times in
from unauthorized
the last 10 AR ip address !
minutes
on critical
server
AR don’t bother, everything is
under control
Thursday 21 October 2010

34. OSSIM
(includes OSSEC)
front < you are here !
end
normalization, prioritization,
DB server collection, risk assessment,
correlation, ...
snort, nessus, Spade, p0f,
Ntop, arpwatch, OSSEC, ... sensor sensor sensor
Thursday 21 October 2010

35. OSSIM
risk maps
Thursday 21 October 2010

36. OSSIM
compliance reporting
Thursday 21 October 2010

37. OSSIM
event analysis
Thursday 21 October 2010

38. OSSIM
incident response
Thursday 21 October 2010

39. 3
Let’s get it on !
a few words on data visualization
(because it’s important !)
Thursday 21 October 2010

40. Choosing the right chart !
http://ebiquity.umbc.edu/blogger/2009/01/25/how-to-choose-the-right-chart-for-your-data/
Thursday 21 October 2010

41. DAVIX
Data visualization Live CD
- free data processing and visualization tools
- Bootable CD
- available from http://www.secviz.org
- part of “Applied Security Visualization” by
Raffael Marty
Thursday 21 October 2010

42. a firewall log treemap
source : http://www.secviz.org
Thursday 21 October 2010

43. radial firewall visualization
source : http://www.secviz.org
Thursday 21 October 2010

44. windows event log types
source : http://www.secviz.org
Thursday 21 October 2010

45. 1 day of firewall logs
source : http://www.secviz.org
Thursday 21 October 2010

46. gl-tail
http://www.fudgie.org/
Thursday 21 October 2010

47. gl-tail
http://www.fudgie.org/
Thursday 21 October 2010

48. Recap
Focus on approach, not tools
Use open source to facilitate & learn
Integrate in architecture later
Thursday 21 October 2010

49. Thank you !
interesting people to follow :
@andrewsmhay
@zrlram
@anton_chuvakin
@rockyd
@xme
podcast :
wremes@gmail.com LogChat (see Anton’s blog or iTunes)
@wimremes websites :
http://www.securosis.com
http://www.secviz.org
http://www.ossec.net
http://www.alienvault.com
http://chuvakin.blogspot.com/
http://blog.rootshell.be
http://www.decurity.com
Thursday 21 October 2010