Peeling Back the Layers of the Network Security with Security Onion Gary Smith, Pacific Northwest National Laboratory



Similar documents
Security Onion. Peel Back the Layers of Your Network in Minutes. Doug Burks

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Missing the Obvious: Network Security Monitoring for ICS

Network Security Monitoring

Network Security Monitoring

BEGINNER S GUIDE to. Open Source Intrusion Detection Tools.

NETWORK SECURITY. Scott Hand. Melanie Rich-Wittrig. Enrique Jimenez

The SIEM Evaluator s Guide

S N O R T I D S B L A S T C O U R S E

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Intrusion Detection in AlienVault

Intrusion Detection Systems

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

You Don t Know What You Can t See: Network Security Monitoring in ICS Rob Caldwell

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

USE HONEYPOTS TO KNOW YOUR ENEMIES

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Chapter 9 Firewalls and Intrusion Prevention Systems

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Introduction of Intrusion Detection Systems

What happens when you use nmap or a fuzzer on an ICS?

Taxonomy of Intrusion Detection System

Security Event Management. February 7, 2007 (Revision 5)

Dynamic Rule Based Traffic Analysis in NIDS

Network Security Forensics

Network Intrusion Analysis (Hands-on)

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

The principle of Network Security Monitoring[NSM]

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

The Importance of Cybersecurity Monitoring for Utilities

COUNTERSNIPE

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

INTRUSION DETECTION SYSTEMS and Network Security

A Proposed Architecture of Intrusion Detection Systems for Internet Banking

Our Security. History of IDS Cont d In 1983, Dr. Dorothy Denning and SRI International began working on a government project.

Role of Anomaly IDS in Network

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Network Monitoring for Cyber Security

Intrusion Detections Systems

CSCE 465 Computer & Network Security

Detecting Threats Via Network Anomalies. Paul Martini Cofounder and CEO iboss Cybersecurity

Presented by Evan Sylvester, CISSP

Network Security Monitoring Theory and Practice

Network Security Monitoring

Introducing IBM s Advanced Threat Protection Platform

Intrusion Detection Systems vs. Intrusion Prevention Systems. Sohkyoung (Michelle) Cho ACC 626

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Defending Against Data Beaches: Internal Controls for Cybersecurity

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

Network Based Intrusion Detection Using Honey pot Deception

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Intrusion Detection System (IDS)

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

SURVEY OF INTRUSION DETECTION SYSTEM

RAVEN, Network Security and Health for the Enterprise

Analyzing Intrusion Detection System Evasions Through Honeynets

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

How To Manage Security On A Networked Computer System

Berkley Packet Filters and Open Source Tools. a tranched approach to packet capture analysis at today s network speeds

Computer Security: Principles and Practice

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

SANS Top 20 Critical Controls for Effective Cyber Defense

Open Source Network Security Monitoring With Sguil

Intrusion Detection from Simple to Cloud

Marlicia J. Pollard East Carolina University ICTN 4040 SECTION 602 Mrs. Boahn Dr. Lunsford

Computer Security DD2395

Performance Evaluation of Intrusion Detection Systems

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

C. Universal Threat Management C.4. Defenses

Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS)

Solera Networks, A Blue Coat Company SOLERA NETWORKS BIG DATA SECURITY ANALYTICS

Edge Configuration Series Reporting Overview

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

On-Premises DDoS Mitigation for the Enterprise

Intruders and viruses. 8: Network Security 8-1

Passive Vulnerability Detection

Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila

IDS : Intrusion Detection System the Survey of Information Security

Integration Misuse and Anomaly Detection Techniques on Distributed Sensors

SOURCEFIRE RNA (REAL-TIME NETWORK AWARENESS)

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013

Security Intrusion & Detection. Intrusion Detection Systems (IDSs)

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

THE EVOLUTION OF SIEM

When Recognition Matters THE COMPARISON OF PROGRAMS FOR NETWORK MONITORING.

Enabling Security Operations with RSA envision. August, 2009

Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events

A Review on Network Intrusion Detection System Using Open Source Snort

Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment

場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR

Kingston University London

McAfee Network Security Platform Administration Course

When prevention FAILS: Extending IR and Digital Forensics to the corporate network. Ismael Valenzuela

Intrusion Detection Systems

Transcription:

Peeling Back the Layers of the Network Security with Security Onion Gary Smith, Pacific Northwest National Laboratory

A Little Context! The Five Golden Principles of Security! Know your system! Principle of Least Privilege! Defense in Depth! Protection is key but detection is a must.! Know your enemy. 2

What Is An IDS?! An IDS (Intrusion Detection System)! Is usually passive in nature.! Detects and alarms on suspected intrusions using signaturebased, statistical anomaly-based, or and/or stateful protocol analysis detection.! Has a reputation for false positives. 3

What If! Data breaches are occurring within the organization?! A breached mobile device or infected personal laptop brings outside threats inside the network which goes undetected by most IDS?! Any rogue or unauthorized device tries to access the network internally from behind the firewall? 4

Network Security Monitoring! NSM (Network Security Monitoring)! Requires capture and storage of large amount of data.! Is concerned with the process of reconstructing a network event! Intrusion such as a hack or a penetration! Network or infrastructure outage! Is based on live IP data captures! A new way of looking at trace analysis! Continues from where traditional network troubleshooting ends! Whether you re tracking an adversary or trying to keep malware at bay, NSM provides context, intelligence and situational awareness of your network. 5

How do you get NSM?! Many CIO s/ciso s believe NSM is a solution they can buy to fill a gap; purchase and deploy solution ABC from company XYZ and the problem is solved!! There are lots of companies that will sell you a solution but neglect the M in NSM.! While Artificial Intelligence and fancy interfaces can assist in the process of sorting through false positives and malicious indicators, there is no replacement for human intelligence and awareness.! Security Onion, create by Doug Burks, will provide visibility into your network traffic and context around alerts and anomalous events.! It requires a commitment from you the administrator or analyst to review alerts, monitor the network activity. 6

Security Onion Components! Security Onion seamlessly weaves together three core functions:! Full packet capture,! Network-based and host-based intrusion detection intrusion detection systems (NIDS and HIDS, respectively), and! Powerful analysis tools. 7

Full Packet Capture! Full packet capture is like a video camera for your network, but better because! Not only can it tell us who came and went, but also! Exactly where they went and what they brought or took with them! Exploit payloads! Phishing emails! File exfiltration! Full-packet capture is accomplished via netsniff-ng (http:// netsniff-ng.org/), the packet sniffing beast.! netsniff-ng captures all the traffic your Security Onion sensors see and stores as much of it as your storage solution will hold (Security Onion has a built-in mechanism to purge old data before your disks fill to capacity). 8

NIDS and HIDS! Network-based and Host-based Intrusion Detection Systems (IDS) analyze network traffic or host systems, respectively, and provide log and alert data for detected events and activity.! Security Onion provides multiple IDS options:! Rule-driven NIDS: For rule-driven network intrusion detection, Security Onion offers the choice of Snort (http://snort.org/) or Suricata (http://suricata-ids.org/).! Analysis-driven NIDS: For analysis-driven network intrusion detection, Security Onion offers The Bro Network Security Monitor, also known as Bro IDS (http://bro-ids.org/).! For host-based intrusion detection, Security Onion offers OSSEC (http://www.ossec.net/), a free, open source HIDS for Windows, Linux and Mac OS X. 9

Analysis Tools! With full packet capture, IDS logs and Bro data, there is a daunting amount of data available at the analyst s fingertips.! Security Onion integrates the tools to make the task easier:! Enterprise Log Search and Archive (ELSA https://code.google.com/p/enterprise-log-search-and-archive/). ELSA is a powerhouse search tool that allows you to effortlessly comb through most all of the data collected by Security Onion as well as any additional syslog sources that you forward to it.! Snorby (https://snorby.org/), created by Dustin Webber (@Mephux), is a web application interface to view, search and classify Snort and Suricata alerts and generate various types of reports. 10

Analysis Tools Cont.! Sguil (http://sguil.sourceforge.net/), created by Bamm Visscher (@bammv), provides a single GUI (written in tcl/tk) in which to view Snort or Suricata alerts, OSSEC alerts, Bro HTTP events, and Passive Real-Time Asset Detection System (PRADS) alerts.! Squert (http://www.squertproject.org/), created by Paul Halliday (@01110000), provides several visualization options for the data such as time series representations, weighted and logically grouped result sets and geo-ip mapping by interfacing to the Sguil database.! Snorby (https://snorby.org/), created by Dustin Webber (@Mephux), is a web application interface to view, search and classify Snort and Suricata alerts and generate various types of reports, such as most active IDS signatures, most active sensors, and top source and destination IP addresses. 11

Security Onion Installation! One would think that with so many packages as there in Security Onion, installation and configuration would be a nightmare.! Such is NOT the case!! In fact, installation and configuration of Security Onion is so easy, a Windows admin, with no knowledge of Linux, can have a working Network Security Monitoring system up in running in as little as 30 minutes.! This includes:! Downloading and burning the ISO image to a CD.! Installing Security Onion to a PC with 2 NICS.! Running the installation wizard and answering a few simple questions. 12

Security Onion System Requirements! 2 NICs! One for the management interface! One for packet capture! Memory is highly dependent on several variables:! The services that you enable! The kinds of traffic you're monitoring! The actual amount of traffic you're monitoring! The amount of packet loss that is "acceptable" to your organization! Storage! The more disk space you have, the more log retention you'll have for doing investigations after the fact.! Disks are dirt cheap! Cram all you can into the system. 13

Security Onion Deployment Scenarios! There are the three Security Onion deployment scenarios: 1. Standalone 2. Sensor/Server 3. Hybrid! The Security Onion setup script allows you to easily configure the best installation scenario to suit your needs. 14

Conclusion! With NSM, we have:! Full packet capture,! Snort or Suricata rule-driven intrusion detection,! Bro event-driven intrusion detection and! OSSEC host-based intrusion detection,! All running out of the box once you run Security Onion setup.! These disparate systems with various dependencies and complexities all run seamlessly together and would otherwise take days, weeks or months to assemble and integrate on their own.! What was once a seemingly impossible task is now as easy to install as Windows ;) 15

References! Bro IDS (http://bro-ids.org/)! Enterprise Log Search and Archive (ELSA https://code.google.com/p/enterprise-log-search-andarchive/)! Netsniff-ng (http://netsniff-ng.org/)! OSSEC (http://www.ossec.net/)! Security Onions (http://blog.securityonion.net/)! Sguil (http://sguil.sourceforge.net/)! Snorby (https://snorby.org/)! Snort (http://snort.org/)! Squert (http://www.squertproject.org/)! Suricata (http://suricata-ids.org/) 16

Questions? Gary Smith Information System Security Officer, Molecular Science Computing, Pacific Northwest National Laboratory Richland, WA gary.smith@pnnl.gov 17

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information