Leveraging Open Source to Manage Security Bob Salmans – Security Training Architect, Linux Academy bsalmans@integrityky.com robert.salmans@linuxacademy.com
Problem? What’s the problem we’re trying to solve? A. SIEMs are very expensive [more features = more $$$] add-ons! B. Current SIEM solution doesn’t meet our needs I. Lacking incident response (IR) capabilities II. Poor reporting functionality III. Better marketing than ability C. There’s more data out there to be analyzed D. Want to start threat hunting and being more proactive about defense
Solution? What’s the solution?
A. Use an existing open source SIEM solution? I. None met all of our needs B. Bolt apps onto existing open source SIEM? I. Tried with Security Onion and too many problems II. Looked at others (SIEMonster/Graylog) [we want it all!]
BUILD OUR OWN !!!
Tools? What tools will we bake in? A. NIDS – Snort/Eve B. Packet Capture & Analysis – BRO C. HIDS – Wazuh (OSSEC) D. Vulnerability Scanning – OpenVAS/Greenbone E. Threat Analysis – RITA (Real Intelligence Threat Analytics / AI) F. ARPwatch – ID new devices on networks G. SaltStack – Central management of all nodes H. Alerting – Sentinl (Kibana plugin) I. Reporting – Kibana J. ELK stack to rule ALLS the DATAS
AKA? What should we name it?
THIRSI Threat Hunting Incident Response SIem
THIRSI? Quench your thirst for data dominance !!! Threat Hunting – BRO / RITA / ELK Incident Response – ELK / NIDS / BRO / ARPwatch SIEM – Wazuh (NIDS/Syslog) / BRO / Osquery / OpenVAS / Elastalert …and a little SaltStack to tie it all together !!!
THIRSI? Threat Hunting What is Threat Hunting? A. Looking for abnormal activity. i. Patterns of communications (beacons?) ii. Abnormally long sessions or large data transfers (data exfil?) iii. Abnormal ports in use (rogue applications?)
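Added example, not code from the talk or from THIRSI/RITA: a minimal beacon-regularity score in Python over constructed Bro conn.log-style records, in the spirit of the timing analysis RITA performs on BRO output. The reduced field layout, the 5-connection minimum and the 0.9 threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (assumed layout): ts, id.orig_h, id.orig_p, id.resp_h,
# id.resp_p, tab separated like Bro's conn.log. First host talks to
# 203.0.113.7 about every 60 s; second host's traffic is irregular.
SAMPLE_CONN_LOG = """\
1500000000.0\t10.0.0.5\t49152\t203.0.113.7\t443
1500000060.2\t10.0.0.5\t49153\t203.0.113.7\t443
1500000119.9\t10.0.0.5\t49154\t203.0.113.7\t443
1500000180.1\t10.0.0.5\t49155\t203.0.113.7\t443
1500000240.0\t10.0.0.5\t49156\t203.0.113.7\t443
1500000012.0\t10.0.0.9\t50000\t198.51.100.2\t80
1500000045.0\t10.0.0.9\t50001\t198.51.100.2\t80
1500000310.0\t10.0.0.9\t50002\t198.51.100.2\t80
1500000500.0\t10.0.0.9\t50003\t198.51.100.2\t80
1500000521.0\t10.0.0.9\t50004\t198.51.100.2\t80
"""

def parse_conn_log(text):
    """Yield (ts, orig_h, resp_h, resp_p) from the sample format; skip comments."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        yield float(f[0]), f[1], f[3], int(f[4])

def beacon_scores(records, min_conns=5):
    """Score each (orig_h, resp_h, resp_p) pair by how regular its timing is.

    score = 1 - (stddev / mean) of the gaps between consecutive connections,
    clipped to [0, 1]. A score near 1 means a near-fixed check-in interval,
    the pattern a beaconing implant produces; jittered or human traffic scores low.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst, port)].append(ts)
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:      # too few samples to judge regularity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 1.0
        scores[pair] = round(max(0.0, 1.0 - cv), 3)
    return scores

def hunt_beacons(text, threshold=0.9):
    """Return the pairs whose regularity score reaches the threshold."""
    return {p: s for p, s in beacon_scores(parse_conn_log(text)).items() if s >= threshold}
```

The same records can feed the "long sessions / large transfers" check by grouping on conn.log's duration and orig_bytes fields instead of timestamps.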
THIRSI? Incident Response What is Incident Response? A. Responding to a possible infection or breach B. Need to be able to search for many data points (IPs, names, timestamps) C. Must have fast search capabilities; time is of the essence
THIRSI? What really is SIEM? Security Information & Event Management 1. Collects log events (Windows, Linux, Firewall, IDS, Cloud, etc.) 2. Analysis of all this data (what's going on?) 3. Reporting of what's going on (failed logins, account creations, group changes, sudo commands, IDS alerts, etc.) 4. Alerting (The sky is falling)
ARCHITECTURE? What does THIRSI look like? * Distributed Deployment – Single SOC server w/remote sensors [Diagram: SOC Server <-- VPN or SSH tunnel --> Remote Sensor]
Success Story !!! So you built it, but does it work? Initial deployment: A. Client needed SOC compliance B. We worked with the client to overhaul their security posture, which included the deployment of THIRSI C. THIRSI was accepted by the SOC auditors as meeting SOC regulatory requirements
Success Story !!! So you built it, but does it work? Other uses: A. Received a call from an organization who: i. Experienced a breach & had their IT firm clean it up ii. Wanted an outside 3rd party to validate cleanup of the breach B. THIRSI was deployed in a threat hunting role and found: i. Ongoing malicious activity remained ii. Client needed additional security controls in place iii. Client's IT provider was using public DNS on internal hosts
Lessons learned A. THIRSI is a success !!! i. One year of development and lots of failures along the way “I have not failed. I’ve just found 1,000 ways that won’t work” - Thomas Edison B. Auditors are accepting of open source solutions i. Open Source is proven technology
Open Source for the win! Questions?