SlideShare a Scribd company logo

InfoSecurity.be 2011

Xavier Mertens, profile picture
Xavier Mertens

1) Most organizations are unprepared to deal with security incidents effectively due to complex networks, outsourcing of resources, and reduced budgets and staffing. 2) Proper log collection, normalization, storage, search, and reporting is needed to gain visibility into security events and identify suspicious activity, but many organizations only utilize a small portion of expensive SIEM capabilities. 3) Free and open source tools like Syslog utilities, Simple Event Correlation, and OSSEC can be used to build an effective log management solution while avoiding high SIEM costs. These raw logs provide valuable information if properly analyzed and correlated.

Technology
1 of 36
Downloaded 22 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
All Your Security Events are Belong to ...You! InfoSecurity 2011 - Xavier Mertens
$ whoami • Xavier Mertens • Senior Security Consultant • CISSP, CISA, CeH • Security Blogger • Volunteer for security projects like:
$ cat disclaimer.txt “The opinions expressed in this presentation are those of the speaker and do not reflect those of past, present or future employers, partners or customers”
Today’s Situation
Are You Ready? • Most organizations are NOT prepared to deal with security incidents • If anything can go wrong, it will! (Murphy’s law) • Assigned internal resources?
Technical Issues • Networks are complex • Some components/knowledge are outsourced • Millions of daily events • Lot of console/tools • Lot of protocols/applications
Find the Differences Aug 27 14:33:01 macosx ipfw: 12190 Deny TCP 192.168.13.1:2060 192.168.13.104:5000 in via en1 %PIX-3-313001: Denied ICMP type=11, code=0 from 192.168.30.2 on interface 2
Economic Issues • “Time is money” • Real-time operations • Downtime has a huge financial impact • Reduced staff & budget • Happy shareholders
Legal Issues • Compliance requirements • Big names • Initiated by the group or business • Local laws • Due diligence & due care
Belgian Example: CBFA From a document published in April 2009: “Tout établissement qui connecte son infrastructure sur Internet dispose d’une politique de sécurité qui tient compte de: ... la création, l’archivage de fichier “historique d’évènements” techniques adaptés à leur analyse, leur suivi et leur reporting.”
Challenges • Creation & archiving of log files • Analyze (Normalization) • Follow-up • Reporting
Layer Approach Correlation Reporting Search Storage Normalization Log Collection
Raw Material • Your logs are belong to you • If not stored internally (cloud, outsourcing), claim access to them • All applications/devices generate events • Developers, you MUST generate GOOD events
3rd Party Sources • Vulnerabilities Databases • Blacklists (IP addresses, ASNs) • “Physical” Data • Geolocalization • Badge readers
The Recipe
Collection • Push or pull methods • Use a supported protocols • Ensure integrity • As close as the source
Normalization • Parse events • Fill in common fields • Date, Src, Dst, User, Device, Type, Port, ...
Storage • Index • Store • Archive • Ensure integrity (again)
Search • You know Google? • Investigations / Forensic • Looking for “smoke signals”
Reporting • Automated / On-demand • Reliable only if first steps are successfull
Correlation • Generation of new events based on the way other events occurred (based on their logic, their time or recurrence) • Correlation will be successful only of the other layers are properly working • Is a step to incident management
Build Your Toolbox
<warning> Please keep v€ndor$ away from the next slide ;-) </warning>
Let’s Kill Some Myths • Big players do not always provide the best solutions. A Formula-1 is touchy to drive! • Why pay $$$ and use <10% of the features? (the “Microsoft Office” effect) • But even free softwares have costs! • False sense of security
LM vs. SIEM • A LM (“Log Management”) addresses the lowest layers from the collection to reporting. • A SIEM (“Security Information & Event Management”) adds the correlation layer (and incidents management tools)
Grocery Shopping • Compliance • Suspicious activity • Web applications monitoring • Correlation • Supported devices • Buying a SIEM is a very specific project
Free Tools to the Rescue
Syslog Daemons • Syslog is well implemented • Lot of forked implementations • syslogd, rsyslogd, syslog-ng • Multiple sources • Supports TLS, TCP • Several tools exists to export to Syslog (ex: SNARE)
SEC • “Simple Event Correlation” • Performs correlation of logs based on Perl regex • Produces new events, triggers scripts, writes to files
OSSEC • HIDS • Log collection & parsing • Active-Response • Rootkit detection • File integrity checking • Agents (UNIX, Windows) • Log archiving
Miscellaneous • MySQL • iptables / ulogd • GoogleMaps API • Some Perl code • Cloud Services (don’t be afraid)
Personal Researches • Examples based on OSSEC! • MySQL integrity audit • USB stick detection in Windows environments • Detecting rogue access • Mapping data on Google Maps
Visibility! • LaaS (Loggly) • Splunk • Secviz.org
Example of Visualization
Conclusions • The raw material is already yours! • The amount of data cannot be reviewed manually. • Suspicious activity occurs below the radar. • Stick to your requirements! • It costs $$$ and HH:MM • Make your logs more valuable via external sources
Thank You! Q&A? http://blog.rootshell.be http://twitter.com/xme

More Related Content

PDF
All Your Security Events Are Belong to ... You!
Xavier Mertens
 
PPTX
Enterprise Forensics 101
Mona Arkhipova
 
PPTX
Incident response live demo slides final
AlienVault
 
PPTX
IDS for Security Analysts: How to Get Actionable Insights from your IDS
AlienVault
 
PDF
Positive Hack Days 7 - Ransomware forensiсs
Mona Arkhipova
 
PPTX
Risks vs real life
Mona Arkhipova
 
PPTX
Beginner's Guide to SIEM
AlienVault
 
PPTX
Practical Defense
Sean Whalen
 
All Your Security Events Are Belong to ... You!
Xavier Mertens
 
Enterprise Forensics 101
Mona Arkhipova
 
Incident response live demo slides final
AlienVault
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
AlienVault
 
Positive Hack Days 7 - Ransomware forensiсs
Mona Arkhipova
 
Risks vs real life
Mona Arkhipova
 
Beginner's Guide to SIEM
AlienVault
 
Practical Defense
Sean Whalen
 

What's hot (20)

PPTX
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
OWASP Russia
 
PPTX
QIWI SOC benchmarking: Blue Team story
Mona Arkhipova
 
PDF
Logz.io Jenkins Meetup
GrigoryAvsyuk
 
PPTX
SIEM - Activating Defense through Response by Ankur Vats
OWASP Delhi
 
PDF
CNIT 125 7. Security Assessment and Testing
Sam Bowne
 
PPTX
Cloud Security Zen: Principles to Meditate On
Samuel Reed
 
PDF
CNIT 121: 17 Remediation Introduction (Part 1)
Sam Bowne
 
PDF
CISSP Prep: Ch 8. Security Operations
Sam Bowne
 
PPTX
Hp arcsight services 2014 ewb
rty_ngtglobal
 
PPTX
SIEM
Napier University
 
PPTX
The Subversive Six: Hidden Risk Points in ICS
Tripwire
 
DOC
SIEM
vikasraina
 
PDF
Windows Threat Hunting
GIBIN JOHN
 
PDF
Wc4
Said Wali
 
PDF
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
Anton Goncharov
 
PDF
1. Security and Risk Management
Sam Bowne
 
PPTX
Security Information and Event Management (SIEM)
k33a
 
PPTX
Rethinking Security: The Cloud Infrastructure Effect
CloudPassage
 
PPTX
SIEM presentation final
Rizwan S
 
PPTX
encase enterprise
Damir Delija
 
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
OWASP Russia
 
QIWI SOC benchmarking: Blue Team story
Mona Arkhipova
 
Logz.io Jenkins Meetup
GrigoryAvsyuk
 
SIEM - Activating Defense through Response by Ankur Vats
OWASP Delhi
 
CNIT 125 7. Security Assessment and Testing
Sam Bowne
 
Cloud Security Zen: Principles to Meditate On
Samuel Reed
 
CNIT 121: 17 Remediation Introduction (Part 1)
Sam Bowne
 
CISSP Prep: Ch 8. Security Operations
Sam Bowne
 
Hp arcsight services 2014 ewb
rty_ngtglobal
 
SIEM
Napier University
 
The Subversive Six: Hidden Risk Points in ICS
Tripwire
 
SIEM
vikasraina
 
Windows Threat Hunting
GIBIN JOHN
 
Wc4
Said Wali
 
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
Anton Goncharov
 
1. Security and Risk Management
Sam Bowne
 
Security Information and Event Management (SIEM)
k33a
 
Rethinking Security: The Cloud Infrastructure Effect
CloudPassage
 
SIEM presentation final
Rizwan S
 
encase enterprise
Damir Delija
 
Ad

Viewers also liked (16)

PDF
$HOME Sweet $HOME
Xavier Mertens
 
PDF
Automatic MIME Attachments Triage
Xavier Mertens
 
PDF
ISSA Siem Fraud
Xavier Mertens
 
PDF
The BruCO"NSA" Network
Xavier Mertens
 
PDF
$HOME Sweet $HOME Devoxx 2015
Xavier Mertens
 
PDF
What Will You Investigate Today?
Xavier Mertens
 
PDF
Because we are just humans
Xavier Mertens
 
PDF
Building A Poor man’s Fir3Ey3 Mail Scanner
Xavier Mertens
 
PDF
$HOME Sweet $HOME SANSFIRE Edition
Xavier Mertens
 
PDF
ISACA Ethical Hacking Presentation 10/2011
Xavier Mertens
 
PDF
Secure Web Coding
Xavier Mertens
 
PDF
Developers are from Mars, Security guys are from Venus
Xavier Mertens
 
KEY
Unity makes strength
Xavier Mertens
 
PPT
Mobile Apps Security
Xavier Mertens
 
PDF
Mobile Security
Xavier Mertens
 
KEY
Social Networks - The Good and the Bad
Xavier Mertens
 
$HOME Sweet $HOME
Xavier Mertens
 
Automatic MIME Attachments Triage
Xavier Mertens
 
ISSA Siem Fraud
Xavier Mertens
 
The BruCO"NSA" Network
Xavier Mertens
 
$HOME Sweet $HOME Devoxx 2015
Xavier Mertens
 
What Will You Investigate Today?
Xavier Mertens
 
Because we are just humans
Xavier Mertens
 
Building A Poor man’s Fir3Ey3 Mail Scanner
Xavier Mertens
 
$HOME Sweet $HOME SANSFIRE Edition
Xavier Mertens
 
ISACA Ethical Hacking Presentation 10/2011
Xavier Mertens
 
Secure Web Coding
Xavier Mertens
 
Developers are from Mars, Security guys are from Venus
Xavier Mertens
 
Unity makes strength
Xavier Mertens
 
Mobile Apps Security
Xavier Mertens
 
Mobile Security
Xavier Mertens
 
Social Networks - The Good and the Bad
Xavier Mertens
 
Ad

Similar to InfoSecurity.be 2011 (20)

PDF
All your logs are belong to you!
Security BSides London
 
PPT
FIRST 2006 Full-day Tutorial on Logs for Incident Response
Anton Chuvakin
 
PPTX
Log management &amp; SIEM
BarakatAbweh
 
PDF
UNIT -III SIEM aur baato kaise hai aap log.pdf
hefagi6193
 
PPT
Making Logs Sexy Again: Can We Finally Lose The Regexes?
Anton Chuvakin
 
PPT
Belnet events management
Xavier Mertens
 
PPT
Events Management or How to Survive Security Incidents
guest6fd3c2f9
 
PPT
What Every Organization Should Log And Monitor
Anton Chuvakin
 
PPTX
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
Anton Chuvakin
 
PPTX
Security Information Event Management Security Information Event Management
karthikvcyber
 
PDF
Incident response before:after breach
Sumedt Jitpukdebodin
 
PPTX
Log Standards & Future Trends by Dr. Anton Chuvakin
Anton Chuvakin
 
PPTX
SIEM Primer:
Anton Chuvakin
 
PDF
Preventing The Next Data Breach Through Log Management
Novell
 
PPT
Logs for Information Assurance and Forensics @ USMA
Anton Chuvakin
 
PDF
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
AlienVault
 
PDF
SIEM for Beginners
BAKOTECH
 
PDF
Big security for big data
Giuliano Tavaroli
 
PPTX
Karunia Wijaya - Proactive Incident Handling
Indonesia Honeynet Chapter
 
PPTX
Introduction to SIEM.pptx
neoalt
 
All your logs are belong to you!
Security BSides London
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
Anton Chuvakin
 
Log management &amp; SIEM
BarakatAbweh
 
UNIT -III SIEM aur baato kaise hai aap log.pdf
hefagi6193
 
Making Logs Sexy Again: Can We Finally Lose The Regexes?
Anton Chuvakin
 
Belnet events management
Xavier Mertens
 
Events Management or How to Survive Security Incidents
guest6fd3c2f9
 
What Every Organization Should Log And Monitor
Anton Chuvakin
 
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
Anton Chuvakin
 
Security Information Event Management Security Information Event Management
karthikvcyber
 
Incident response before:after breach
Sumedt Jitpukdebodin
 
Log Standards & Future Trends by Dr. Anton Chuvakin
Anton Chuvakin
 
SIEM Primer:
Anton Chuvakin
 
Preventing The Next Data Breach Through Log Management
Novell
 
Logs for Information Assurance and Forensics @ USMA
Anton Chuvakin
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
AlienVault
 
SIEM for Beginners
BAKOTECH
 
Big security for big data
Giuliano Tavaroli
 
Karunia Wijaya - Proactive Incident Handling
Indonesia Honeynet Chapter
 
Introduction to SIEM.pptx
neoalt
 

More from Xavier Mertens (10)

PDF
FPC for the Masses (SANSFire Edition)
Xavier Mertens
 
PDF
FPC for the Masses - CoRIIN 2018
Xavier Mertens
 
PDF
HTTP For the Good or the Bad - FSEC Edition
Xavier Mertens
 
PDF
Unity Makes Strength
Xavier Mertens
 
PDF
HTTP For the Good or the Bad
Xavier Mertens
 
PDF
Malware Analysis Using Free Software
Xavier Mertens
 
PDF
You have a SIEM! And now?
Xavier Mertens
 
PDF
What are-you-investigate-today? (version 2.0)
Xavier Mertens
 
PDF
Unity Makes Strength SOURCE Dublin 2013
Xavier Mertens
 
PDF
BruCON 2010 Lightning Talk
Xavier Mertens
 
FPC for the Masses (SANSFire Edition)
Xavier Mertens
 
FPC for the Masses - CoRIIN 2018
Xavier Mertens
 
HTTP For the Good or the Bad - FSEC Edition
Xavier Mertens
 
Unity Makes Strength
Xavier Mertens
 
HTTP For the Good or the Bad
Xavier Mertens
 
Malware Analysis Using Free Software
Xavier Mertens
 
You have a SIEM! And now?
Xavier Mertens
 
What are-you-investigate-today? (version 2.0)
Xavier Mertens
 
Unity Makes Strength SOURCE Dublin 2013
Xavier Mertens
 
BruCON 2010 Lightning Talk
Xavier Mertens
 

Recently uploaded (20)

PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
KodekX | Application Modernization Development
KodekX
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Encapsulation theory and applications.pdf
gurumoop
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 

InfoSecurity.be 2011

  • 1. All Your Security Events are Belong to ...You! InfoSecurity 2011 - Xavier Mertens
  • 2. $ whoami • Xavier Mertens • Senior Security Consultant • CISSP, CISA, CeH • Security Blogger • Volunteer for security projects like:
  • 3. $ cat disclaimer.txt “The opinions expressed in this presentation are those of the speaker and do not reflect those of past, present or future employers, partners or customers”
  • 5. Are You Ready? • Most organizations are NOT prepared to deal with security incidents • If anything can go wrong, it will! (Murphy’s law) • Assigned internal resources?
  • 6. Technical Issues • Networks are complex • Some components/knowledge are outsourced • Millions of daily events • Lot of console/tools • Lot of protocols/applications
  • 7. Find the Differences Aug 27 14:33:01 macosx ipfw: 12190 Deny TCP 192.168.13.1:2060 192.168.13.104:5000 in via en1 %PIX-3-313001: Denied ICMP type=11, code=0 from 192.168.30.2 on interface 2
  • 8. Economic Issues • “Time is money” • Real-time operations • Downtime has a huge financial impact • Reduced staff & budget • Happy shareholders
  • 9. Legal Issues • Compliance requirements • Big names • Initiated by the group or business • Local laws • Due diligence & due care
  • 10. Belgian Example: CBFA From a document published in April 2009: “Tout établissement qui connecte son infrastructure sur Internet dispose d’une politique de sécurité qui tient compte de: ... la création, l’archivage de fichier “historique d’évènements” techniques adaptés à leur analyse, leur suivi et leur reporting.”
  • 11. Challenges • Creation & archiving of log files • Analyze (Normalization) • Follow-up • Reporting
  • 12. Layer Approach Correlation Reporting Search Storage Normalization Log Collection
  • 13. Raw Material • Your logs are belong to you • If not stored internally (cloud, outsourcing), claim access to them • All applications/devices generate events • Developers, you MUST generate GOOD events
  • 14. 3rd Party Sources • Vulnerabilities Databases • Blacklists (IP addresses, ASNs) • “Physical” Data • Geolocalization • Badge readers
  • 16. Collection • Push or pull methods • Use a supported protocols • Ensure integrity • As close as the source
  • 17. Normalization • Parse events • Fill in common fields • Date, Src, Dst, User, Device, Type, Port, ...
  • 18. Storage • Index • Store • Archive • Ensure integrity (again)
  • 19. Search • You know Google? • Investigations / Forensic • Looking for “smoke signals”
  • 20. Reporting • Automated / On-demand • Reliable only if first steps are successfull
  • 21. Correlation • Generation of new events based on the way other events occurred (based on their logic, their time or recurrence) • Correlation will be successful only of the other layers are properly working • Is a step to incident management
  • 23. <warning> Please keep v€ndor$ away from the next slide ;-) </warning>
  • 24. Let’s Kill Some Myths • Big players do not always provide the best solutions. A Formula-1 is touchy to drive! • Why pay $$$ and use <10% of the features? (the “Microsoft Office” effect) • But even free softwares have costs! • False sense of security
  • 25. LM vs. SIEM • A LM (“Log Management”) addresses the lowest layers from the collection to reporting. • A SIEM (“Security Information & Event Management”) adds the correlation layer (and incidents management tools)
  • 26. Grocery Shopping • Compliance • Suspicious activity • Web applications monitoring • Correlation • Supported devices • Buying a SIEM is a very specific project
  • 27. Free Tools to the Rescue
  • 28. Syslog Daemons • Syslog is well implemented • Lot of forked implementations • syslogd, rsyslogd, syslog-ng • Multiple sources • Supports TLS, TCP • Several tools exists to export to Syslog (ex: SNARE)
  • 29. SEC • “Simple Event Correlation” • Performs correlation of logs based on Perl regex • Produces new events, triggers scripts, writes to files
  • 30. OSSEC • HIDS • Log collection & parsing • Active-Response • Rootkit detection • File integrity checking • Agents (UNIX, Windows) • Log archiving
  • 31. Miscellaneous • MySQL • iptables / ulogd • GoogleMaps API • Some Perl code • Cloud Services (don’t be afraid)
  • 32. Personal Researches • Examples based on OSSEC! • MySQL integrity audit • USB stick detection in Windows environments • Detecting rogue access • Mapping data on Google Maps
  • 33. Visibility! • LaaS (Loggly) • Splunk • Secviz.org
  • 35. Conclusions • The raw material is already yours! • The amount of data cannot be reviewed manually. • Suspicious activity occurs below the radar. • Stick to your requirements! • It costs $$$ and HH:MM • Make your logs more valuable via external sources
  • 36. Thank You! Q&A? http://blog.rootshell.be http://twitter.com/xme