owasp-philly-april2012-hector
Download
Report
Transcript owasp-philly-april2012-hector
HECTOR
Security Intelligence Platform
Copyright 2012 Justin C. Klein Keane
<[email protected]>
About Me
Justin C. Klein Keane
Information security (and application
development) for University of Pennsylvania,
School of Arts & Sciences
@madirish2600
http://www.MadIrish.net
Copyright 2012 Justin C. Klein Keane
<[email protected]>
About this Presentation
Covers internally developed SEIM and security
intelligence platform (HECTOR)
Lessons learned likely apply to any such
platform, open or closed source, internally or
externally developed
Feedback appreciated
Designed to provide food for thought in advance
of the open source availability of HECTOR
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Why HECTOR
Challenge of identifying 15,000 hosts across
SAS
Proactive vulnerability identification
Asset management
Vulnerability disclosure mitigation
Aggregation of intrusion detection logs
Centralize honeypot and darknet data
Development of security intelligence platform
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Fundamentals
No network span ports or taps required!
HECTOR is designed to be an augmented
asset management platform
All data is tied to hosts
Each host includes contact information for users
as well as technical support
HECTOR designed to allow supplementary data
to be linked with hosts, from port scans to
incident histories to vulnerability reports
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Initial Challenges
Lots of hosts means lots of data
Once you aggregate data how do you develop
meaningful (and timely reports)?
Once issues are identified, what next?
Remediation tracking to keep reports topical
Initial configuration and data population
Keep noise to a minimum and utility to a
maximum
Copyright 2012 Justin C. Klein Keane
<[email protected]>
HECTOR Building Blocks
PHP web front end
MySQL database back end
OSSEC intrusion detection system
NMAP scanning engine
Kojoney (or Kippo) based honeypot
Iptables based darknet sensors
Assignments (internal asset inventory)
Some Perl and Python for good measure
Copyright 2012 Justin C. Klein Keane
<[email protected]>
How it Works
Scheduled lightweight NMAP port scans that
save profiles and alert on changes
Querying interface to provide insight into what
assets offer what ports (and services)
Database contains many different tables but
ultimately based around a single host table that
is tied to IP addresses (“host” defined via
network accessibility)
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Users and Groups
Internal, or CoSign, based auth
Users are assigned to groups of hosts
User queries and reports are restricted to hosts
assigned to groups for which the user is granted
access
Users are e-mailed alerts based on port profile
changes for machines in groups they're
assigned
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Scripting Support
PHP based scripts perform scans and report in
XML which is migrated to the database
Extensible design so that Nikto, Nessus, and
other scanning engines can produce reports
Scripts designed to be pluggable so new scripts
can easily be added based on need.
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Intrusion Detection ++
Integrate intrusion detection to support
workflow:
Attacker observed (malicious IP identified)
Query other hosts that might have been
attacked to identify a historical pattern
Query database to find other hosts with
services the attacker is looking for or profiles
similar to victim
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Darknet Reporting
Darknet shows trends in attacker port probes
New trends can be cross referenced with
reports on the machines offering services
sought by attackers
Mitigation can be deployed to defend these
hosts
Alternatively honeypots can be deployed to
gather additional data
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Vulnerability Management
Vulnerability identified in a popular service
HECTOR allows organizations to quickly
identify assets that could be vulnerable
Custom scripts can quickly be deployed for fine
grained reporting
Alerts can be sent to contacts for each host
Follow up reports can be used to track
remediation
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Lessons Learned
Internal software development takes a really long time
Logistical considerations are always the most difficult
challenge
As soon as software enters a useful beta it tends to
migrate rapidly to essential service
Bug fixes tend to weight towards feature use
Simple NMAP scans are never simple
Remediation tracking is as difficult as vulnerability
identification
Querying large data sets takes careful planning
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Summary Screen
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Port Query Screen
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Asset Summary
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Asset Management Screen
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Alerts Summary
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Sample Report
Copyright 2012 Justin C. Klein Keane
<[email protected]>
System Configuration
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Scan Schedule
Copyright 2012 Justin C. Klein Keane
<[email protected]>
Questions, Comments?
Copyright 2012 Justin C. Klein Keane
<[email protected]>