John Lowry's presentation on Using Nagios as a Security Monitoring Framework.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
Frameworks > Out of the Box
Out of the box (OOTB) is "one size fits all"
OOTB assumes things about your infrastructure
Frameworks require a lot more work upfront
Frameworks mean a steeper learning curve
Framework means it is infinitely configurable
Framework means it is as good as you want it to be.
Why Nagios for security?
Alert framework is robust
Escalations for duty rotation and making sure SOMEONE gets the alert
It is built for anomaly detection. <-- HUGE PART OF SECURITY
Anomaly Detection
Basic "out of the box" Nagios is pretty good at this
Tells you when a service or a host has problems.
Security and sysadmins ask: Why is this HTTP server throwing 500 messages? Why is this SNMP trap getting generated?
Nagios, when set up correctly, knows what is "normal", and when something anomalous happens you get an alert.
Noise versus Signal
Rabbits versus the Army
There is such a thing as too much information
False positives train one to ignore alerts
Triage every alert
If it is a valid alert, you are SUPPOSED to fix it.
Make a ticket, prioritize it, fix it, DO SOMETHING, do not ignore it.
Regularly update your monitoring
If you are getting false positives, fix the check
Tune the check frequency; do not be the source of the problem
Active tuning: daily, weekly, monthly.
Integrating External Tools
AV
IDS/IPS, HIDS, FIC (file integrity checking)
Log monitoring
Host and service detection (nmap)
SNMP traps
If you get email from a tool and it runs under cron, consider using Nagios to manage it.
Passive check strategies
Results of a passive check are written to the external command file (nagios.cmd) and picked up by the check result reaper (check_result_reaper_frequency in nagios.cfg).
Status goes back to OK on the next active check (if active checks are left enabled for the service).
So one alert, instead of multiple alerts.
Good for some forensics, not so good if someone misses it.
But this happens anyway.
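An added example of the passive-result path, not code from the talk. It writes a PROCESS_SERVICE_CHECK_RESULT line to the command file, and flattens the tool's output first, because a newline in that text would let a second external command ride in on the same write. The command file path, the host and service names, and the service definition in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not code from the talk): submit a passive service check result
# through the external command file. Nagios Core's line format is
#   [<unix time>] PROCESS_SERVICE_CHECK_RESULT;<host>;<service>;<rc>;<plugin output>
#
# For a service that is only fed passively, the matching definition (assumed)
# keeps the state until a passive OK arrives instead of flipping back to OK on
# the next active check, and complains when the feed goes quiet:
#   define service {
#     host_name              ws01
#     service_description    EDR Alerts
#     active_checks_enabled  0
#     passive_checks_enabled 1
#     check_freshness        1
#     freshness_threshold    3600
#     check_command          check_dummy!3!"no result from EDR in the last hour"
#     ...
#   }

CMD_FILE=${CMD_FILE:-/usr/local/nagios/var/rw/nagios.cmd}   # assumed default path

# submit_passive_result <cmd_file> <host> <service> <rc> <plugin output>
# rc: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN. Returns 0 when the line was written.
submit_passive_result() {
    cmdfile=$1 host=$2 svc=$3 rc=$4 output=$5
    case "$rc" in
        0|1|2|3) ;;
        *) echo "submit_passive_result: bad return code '$rc'" >&2; return 1 ;;
    esac
    # The text usually comes from another tool and may carry attacker-chosen
    # strings (a file name, a URL, a log line). A newline ends this command and
    # would let the remainder be parsed as a second external command, e.g.
    # DISABLE_NOTIFICATIONS, so flatten it to one line. ';' is the field
    # separator in the command file, so replace it as well.
    output=$(printf '%s' "$output" | tr '\n;' '  ')
    printf '[%s] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%s;%s\n' \
        "$(date +%s)" "$host" "$svc" "$rc" "$output" >> "$cmdfile"
}

# Stand-alone use: ./submit_passive.sh <host> <service> <rc> <output>
if [ $# -eq 4 ]; then
    submit_passive_result "$CMD_FILE" "$@"
    exit $?
fi
```

The write goes to a named pipe, so only the Nagios user (and whatever group you give the rw directory) should be able to open it; any process that can append there can inject arbitrary external commands.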
Example
Workstation Incident Response
Palo Alto or ePO detects some activity and sends an SNMP trap to NSTI
Nagios then uses an event handler to grab 24 hours of pcap data, use Bro to look for interesting traffic, and file a ticket with the files attached
All while I am getting coffee
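The event handler in this flow, as an added example rather than the presenter's script. It shows the part that matters on the Nagios side: gating on the HARD CRITICAL transition so one trap yields one collection, then creating a case directory, pulling and analysing the capture, and writing the ticket body. The capture store layout, mergecap and tcpdump being on the path, Bro's "local" policy, the evidence path and the ticket step are all assumptions.

```shell
#!/bin/sh
# Added example (not code from the talk): skeleton of the incident-response
# event handler. Nagios runs an event handler on every state change (SOFT
# retries, the HARD transition, and the recovery), so the handler has to
# decide for itself when to collect. The ticket step is a stand-in that writes
# the ticket body next to the evidence; a real deployment would hand that to
# the ticket system's mail or API intake.
#
# Assumed wiring:
#   define command {
#     command_name  ir_collect
#     command_line  $USER1$/ir_collect.sh $SERVICESTATE$ $SERVICESTATETYPE$ $SERVICEATTEMPT$ $ARG1$
#   }
#   define service {
#     service_description  EDR Trap
#     event_handler        ir_collect!$HOSTADDRESS$
#     ...
#   }

PCAP_STORE=${PCAP_STORE:-/var/pcap}             # rolling hourly captures (assumed)
EVIDENCE_ROOT=${EVIDENCE_ROOT:-/var/ir/cases}   # one directory per case (assumed)

# Act only on the transition into a HARD CRITICAL state. Without this gate a
# single incident would trigger the 24h pcap pull on every retry and once more
# on recovery. Passive service results (the NSTI trap) are already HARD.
should_collect() {
    [ "$1" = "CRITICAL" ] && [ "$2" = "HARD" ]
}

# Pull the last 24 hours of traffic for host $1 into the pcap file $2
# (assumes capture file names without spaces).
pull_pcap() {
    host=$1 out=$2
    files=$(find "$PCAP_STORE" -name '*.pcap' -mmin -1440 | sort)
    if [ -z "$files" ]; then
        echo "no captures in $PCAP_STORE for the last 24h" >&2
        return 1
    fi
    mergecap -w - $files | tcpdump -r - -w "$out" host "$host"
}

# Run Bro over the capture so conn.log / notice.log are waiting for the analyst.
analyze_pcap() {
    ( cd "$1" && bro -r capture.pcap local )
}

# Stand-in for "file a ticket": write the ticket body and the attachment list.
file_ticket() {
    casedir=$1 host=$2
    {
        echo "Subject: [IR] EDR alert on $host"
        echo "Evidence directory: $casedir"
        echo "Attachments:"
        find "$casedir" -type f ! -name ticket.txt
    } > "$casedir/ticket.txt"
}

# Entry point: ir_collect <state> <statetype> <attempt> <host>
# Prints the case directory when it acted; prints nothing otherwise.
ir_collect() {
    state=$1 statetype=$2 attempt=$3 host=$4
    should_collect "$state" "$statetype" || return 0
    casedir="$EVIDENCE_ROOT/$(date -u +%Y%m%dT%H%M%SZ)-$host"
    mkdir -p "$casedir" || return 1
    printf 'host=%s\nstate=%s/%s attempt=%s\ncollected=%s\n' \
        "$host" "$state" "$statetype" "$attempt" "$(date -u)" > "$casedir/manifest.txt"
    pull_pcap "$host" "$casedir/capture.pcap" && analyze_pcap "$casedir"
    file_ticket "$casedir" "$host"
    echo "$casedir"
}

if [ $# -eq 4 ]; then
    ir_collect "$@"
fi
```

The handler runs as the Nagios user under event_handler_timeout, so a 24-hour merge plus a Bro pass will not finish in time on a busy sensor; in practice the handler should kick the heavy work off into the background (or a job queue) and return, leaving the manifest as the record that collection started.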