Document Sample
ISSA OSSIM Powered By Docstoc
					 Low Cost/High Return Security
Information Management (SIM)
Jason Drury – CISSP, GCIH, CEH
IT Security Officer
Schneider Electric
                     Old Way
• Have someone look at
  separate IDS and
  firewall consoles all day
  and try to make sense
  of the millions of events
  they generate

• Spend hours upon
  hours researching false
  New Way - SIM (Security Information
• Wikipedia - SIM is the industry-
  specific term in computer
  security referring to the collection
  of data into a central repository
  for trend analysis.

• Nutshell – collect a ton of logs,
  apply secret sauce to those logs,
  generate just a handful of alerts
  on just the critical events as a
  result of the correlation of all the

• Popular Commercial SIM Products
  – ArcSight, RSA enVision, Cisco
• Open Source Security Information Manager

• Plugins for many open source and commercial
  products (currently 2,395 available):

• If it a plugin is not available for your product, it can
  be written fairly easily (just need a little bit of regular
  expression knowledge)

• Full reporting capabilities with Jasper Reports
  (including PCI, SOX, HIPAA, FISMA reports)
• This is where the
  between OSSIM
  and commercial
  SIM products stop
                 OSSIM Advantages
• In addition to what
  commercial SIM products
  provide, it also includes the
  following tools:

    – Network Inventory - do
      you know what everything
      connected to your network

    – Client inventory via OCS-
      NG – complete hardware &
      software inventory of your
      clients with an easy to
      search interface
                           OSSIM Sensor
• OSSIM can also be run in Sensor mode and includes the
  following best of breed open source tools:
   – Snort – the IDS, also used for cross correlation with nessus.
   – Nessus – used for vulnerability assessment and for cross correlation
   – Ntop – which builds an impressive network information database from which we can
     identify aberrant behavior/anomaly detection.
   – Nagios – fed from the host asset database, it monitors host and service availability
   – OSSEC – HIDS (integrity file checking, rootkit detection, registry detection, and more)
   – Arpwatch – used for MAC anomaly detection.
   – P0f – used for passive OS detection and OS change analysis.
   – Pads – used for service anomaly detection.
   – Tcptrack – used for session data information which can prove useful for attack
   – OCS-NG – cross-platform inventory solution.

• All of this information is logged and correlated
                   OSSIM Sensor
• In addition, OSSIM can also
  be used as a Firewall or IPS
  – this is how their largest
  customer, Telefonica (with
  over 250,000 employees)
  uses it for – known as a
  UTM (Unified Threat
  Management) Firewall
  in the industry

• The commercial SIM
  products should be very
                 OSSIM Deployment
• OSSIM is a Linux based distribution (Debian) that installs the OS and
  OSSIM software all from one iso CD

• For small deployments, it is acceptable to have an all-in-one installation
   – Database
   – Sensor
   – Server
   – Web Console

• For large deployment you want to separate these (Database/Server/Web
  Console on one box, many sensors)

• Do not skimp on hardware with the Database/Server/Web Console
          OSSIM Deployment
• We currently have two sensors connected to
  some fairly busy networks (700 and 800 users)
  and the Mgt server is running on a 64bit VM
  (100GB + 2GB RAM)

• Mgt server is ok but we plan on moving to
  dedicated server hardware to prepare for the
  new vulnerability management console
     OSSIM Commerical Products
• The commercial company behind OSSIM, AlienVault, offers
  a commerical version of OSSIM for companies that require
  very high performance (lot of MySQL optimization)

• They also sell dedicated appliances tuned for OSSIM

• Commerical support & services

• Finally they have a paid plugin feed (similar to Snort) for
  custom signatures (you still get community Snort signatures
  and AlienVault signatures for free)
                    OSSIM Future
• I have met with the commerical company behind OSSIM,
  AlienVault, and some of the cool things they plan on adding
  this year:
    – Complete redesign of the Vulnerability Management
      engine – scheduled to be released Feb 14 – very very nice
    – Wireshark integration – when performing incident
      handling enable wireshark sniffer for certain ip’s to log all
      traffic + visualization
    – OVAL Integration (agent, WMI audit, reporting)
    – Honeypot Framework – deeper integration with honeypots
      along with Sandbox technology (reverse engineer malware
      on the fly to determine if it is malicious)
    – NAC – designing their own custom NAC solution
    – Multiclient – one client for HIDS, OVAL, NAC, inventory mgt
               OSSIM Resources
• AlienVault -
• Plugin list -
• Documentation -
• Install guide -
• FAQ -
• Forums -
• OVAL -
                 Demo Time
• Recorded a screencast
  since I am cursed when
  it comes to demos. If
  you have a question
  during the demo let me
  know and I will pause

• The version of OSSIM
  on the demo is about 6
  months old

Shared By: