Nagios Conference 2013 - John Lowry - Using Nagios as a Security Monitoring Framework

•Transferir como ODP, PDF•

2 gostaram•1,244 visualizações

John Lowry's presentation on Using Nagios as a Security Monitoring Framework. The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna

Tecnologia Design

Using Nagios as a Security
Monitoring Framework
John Lowry
johnlowry@gmail.com

3
Frameworks > Out of the Box
OOTB is “one size fits all”

4
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure

5
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure
Frameworks require a lot more work upfront

6
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure
Frameworks require a lot more work upfront
Frameworks mean a steeper learning curve

7
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure
Frameworks require a lot more work upfront
Frameworks mean a steeper learning curve
Framework means it is infinitely configurable

8
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure
Frameworks require a lot more work upfront
Frameworks mean a steeper learning curve
Framework means it is infinitely configurable
Framework means it is as good as you want it
to be.

10
Why Nagios for security?
Alert framework is robust

11
Why Nagios for security?
Alert framework is robust
Escalations for duty rotation and making sure
SOMEONE gets the alert

12
Why Nagios for security?
Alert framework is robust
Escalations for duty rotation and making sure
SOMEONE gets the alert
It is built for anomaly detection.

13
Why Nagios for security?
Alert framework is robust
Escalations for duty rotation and making sure
SOMEONE gets the alert
It is built for anomaly detection. <--HUGE PART
OF SECURITY

14
Basic Strategies for Anomaly Detection

15
Anomaly Detection
Basic “Out of the box” Nagios is pretty good at
this

16
Anomaly Detection
Basic “Out of the box” Nagios is pretty good at
this
Tells you when a service or a host has
problems.

17
Anomaly Detection
Basic “Out of the box” Nagios is pretty good at
this
Tells you when a service or a host has
problems.
Security and sysadmins ask: Why is this HTTP
server throwing 500 messages? Why is this
SNMP trap getting generated?

18
Anomaly Detection
Basic “Out of the box” Nagios is pretty good at
this
Tells you when a service or a host has
problems.
Security and sysadmins ask: Why is this HTTP
server throwing 500 messages? Why is this
SNMP trap getting generated?
Nagios, when setup correctly, knows what is
“normal” and when something anomalous
happens you get an alert.

20
Noise versus Signal
Rabbits versus the Army
There is such a thing as too much information
False positives train one to ignore alerts

21
Triage every alert
If it is a valid alert, you are SUPPOSED to fix it.
Make a ticket, prioritize it, fix it, DO
SOMETHING, do not ignore it.

22
Regularly update your monitoring
If you are getting false positives, fix the check
Tune the frequency, do not be the source of the
problem
Active tuning, daily, weekly, monthly.

23
Integrating External Tools
AV
IDS/IPS, HIDS, FIC
Log monitoring
Host and service detection (nmap)
SNMP Traps
If you get email from a tool and it runs under
cron, consider using Nagios to manage it.

25
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event

26
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event
Status goes back to “NORMAL” on the next
host check.

27
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event
Status goes back to “NORMAL” on the next
host check.
So one alert, instead of multiple alerts.

28
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event
Status goes back to “NORMAL” on the next
host check.
So one alert, instead of multiple alerts.
Good for some forensics, not so good if
someone misses it.

29
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event
Status goes back to “NORMAL” on the next
host check.
So one alert, instead of multiple alerts.
Good for some forensics, not so good if
someone misses it.
But this happens anyway.

31
Example
Workstation Incident Response

32
Example
Workstation Incident Response
Palo Alto or ePO detects some activity, sends a
SNMP trap to NSTI

33
Example
Workstation Incident Response
Palo Alto or ePO detects some activity, sends a
SNMP trap to NSTI
Nagios then uses an event handler to grab 24
hours of pcap data. Use Bro to look for
interesting traffic, file a ticket, with attached files

34
Example
Workstation Incident Response
Palo Alto or ePO detects some activity, sends a
SNMP trap to NSTI
Nagios then uses an event handler to grab 24
hours of pcap data. Use Bro to look for
interesting traffic, file a ticket, with attached files
All while I am getting coffee

Mais conteúdo relacionado

Mais de Nagios

Janice Singh - Writing Custom Nagios Plugins

Nagios

Dave Williams - Nagios Log Server - Practical Experience

Nagios

Mike Weber - Nagios and Group Deployment of Service Checks

Nagios

Mike Guthrie - Revamping Your 10 Year Old Nagios Installation

Nagios

Bryan Heden - Agile Networks - Using Nagios XI as the platform for Monitoring...

Nagios

Matt Bruzek - Monitor Public Cloud Use Nagios to monitor your public cloud. - No debian installer for Nagios 4? No problem! Deploy your public cloud with Juju and you can connect Nagios core services to your Ubuntu instances in the cloud. In this session, Matt will quickly go over the basic concepts of Juju and spend the rest of the time walking through examples of deploying Nagios monitoring solutions

Matt Bruzek - Monitoring Your Public Cloud With Nagios

Nagios

Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.

Nagios

Eric Loyd - Fractal Nagios

Nagios

Marcelo Perazolo, Lead Software Architect, IBM Corporation - Monitoring a Pow...

Nagios

Thomas Schmainda - Tracking Boeing Satellites With Nagios - Nagios World Conf...

Nagios

Nagios World Conference 2015 - Scott Wilkerson Opening

Nagios

NRPE - Nagios Remote Plugin Executor - NRPE enables users to remotely execute Nagios plugins on any Linux/Unix machine, allowing remote metrics monitoring. In addition, users can communicate with Windows agent add-ons, which executes scripts and metrics checks on remote Windows machines. ============ Version: 2.14, 2.15 Source: nrpe-2.1[4|5].tar.gz Platform: Centos 6.5 x64 (Nagios client) Compile1: ./configure --enable-ssl --with-nrpe-user=nagios --with-nrpe-group=nagios --with-nagios-user=nagios --with-nagios-group=nagios --libexecdir=/opt/nagios/libexec/ --bindir=/opt/nagios/bin/ --prefix=/opt/nagios Compile2: ./configure --enable-ssl --with-nrpe-user=nagios --with-nrpe-group=nagios --with-nagios-user=nagios --with-nagios-group=nagios --libexecdir=/opt/nagios/libexec/ --bindir=/opt/nagios/bin/ --prefix=/opt/nagios --with-cacert-file --with-privatekey-file

Nrpe - Nagios Remote Plugin Executor. NRPE plugin for Nagios Core

Nagios

Nagios Log Server greatly simplifies the process of searching your log data. Set up alerts to notify you when potential threats arise, or simply filter your data to quickly audit your system. With Log Server, you get all of your data in one location, with high availability and fail-over built right in. Quickly monitor your servers with configuration wizards and start monitoring your logs in minutes. Learn more here: https://www.nagios.com/products/nagios-log-server/ Free download (60 day trial): https://www.nagios.com/downloads/nagios-log-server/

Nagios Log Server - Features

Nagios

Nagios Network Analyzer - Features

Nagios

Nagios Conference 2014 - Dorance Martinez Cortes - Customizing Nagios

Nagios

Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options

Nagios

Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core

Nagios

Nagios Conference 2014 - Trevor McDonald - Monitoring The Physical World With...

Nagios

Nagios Conference 2014 - Andy Brist - Nagios XI Failover and HA Solutions

Nagios

Nagios Conference 2014 - Shamas Demoret - An Overview of Nagios Solutions

Nagios

Mais de Nagios (20)

Janice Singh - Writing Custom Nagios Plugins

Dave Williams - Nagios Log Server - Practical Experience

Mike Weber - Nagios and Group Deployment of Service Checks

Mike Guthrie - Revamping Your 10 Year Old Nagios Installation

Bryan Heden - Agile Networks - Using Nagios XI as the platform for Monitoring...

Matt Bruzek - Monitoring Your Public Cloud With Nagios

Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.

Eric Loyd - Fractal Nagios

Marcelo Perazolo, Lead Software Architect, IBM Corporation - Monitoring a Pow...

Thomas Schmainda - Tracking Boeing Satellites With Nagios - Nagios World Conf...

Nagios World Conference 2015 - Scott Wilkerson Opening

Nrpe - Nagios Remote Plugin Executor. NRPE plugin for Nagios Core

Nagios Log Server - Features

Nagios Network Analyzer - Features

Nagios Conference 2014 - Dorance Martinez Cortes - Customizing Nagios

Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options

Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core

Nagios Conference 2014 - Trevor McDonald - Monitoring The Physical World With...

Nagios Conference 2014 - Andy Brist - Nagios XI Failover and HA Solutions

Nagios Conference 2014 - Shamas Demoret - An Overview of Nagios Solutions

Último

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Architecting Cloud Native Applications

WSO2

ICT role in 21st century education and its challenges

rafiqahmad00786416

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Scalable LLM APIs for AI and Generative AI Application Development Ettikan Karuppiah, Director/Technologist - NVIDIA Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...

apidays

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Navi Mumbai Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Navi Mumbai Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Navi Mumbai Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

A Beginners Guide to Building a RAG App Using Open Source Milvus

Zilliz

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Manulife - Insurer Transformation Award 2024

The Digital Insurer

Nagios Conference 2013 - John Lowry - Using Nagios as a Security Monitoring Framework

1. Using Nagios as a Security Monitoring Framework John Lowry johnlowry@gmail.com

2. 2 Frameworks > Out of the Box

3. 3 Frameworks > Out of the Box OOTB is “one size fits all”

4. 4 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure

5. 5 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure Frameworks require a lot more work upfront

6. 6 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure Frameworks require a lot more work upfront Frameworks mean a steeper learning curve

7. 7 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure Frameworks require a lot more work upfront Frameworks mean a steeper learning curve Framework means it is infinitely configurable

8. 8 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure Frameworks require a lot more work upfront Frameworks mean a steeper learning curve Framework means it is infinitely configurable Framework means it is as good as you want it to be.

9. 9 Why Nagios for security?

10. 10 Why Nagios for security? Alert framework is robust

11. 11 Why Nagios for security? Alert framework is robust Escalations for duty rotation and making sure SOMEONE gets the alert

12. 12 Why Nagios for security? Alert framework is robust Escalations for duty rotation and making sure SOMEONE gets the alert It is built for anomaly detection.

13. 13 Why Nagios for security? Alert framework is robust Escalations for duty rotation and making sure SOMEONE gets the alert It is built for anomaly detection. <--HUGE PART OF SECURITY

14. 14 Basic Strategies for Anomaly Detection

15. 15 Anomaly Detection Basic “Out of the box” Nagios is pretty good at this

16. 16 Anomaly Detection Basic “Out of the box” Nagios is pretty good at this Tells you when a service or a host has problems.

17. 17 Anomaly Detection Basic “Out of the box” Nagios is pretty good at this Tells you when a service or a host has problems. Security and sysadmins ask: Why is this HTTP server throwing 500 messages? Why is this SNMP trap getting generated?

18. 18 Anomaly Detection Basic “Out of the box” Nagios is pretty good at this Tells you when a service or a host has problems. Security and sysadmins ask: Why is this HTTP server throwing 500 messages? Why is this SNMP trap getting generated? Nagios, when setup correctly, knows what is “normal” and when something anomalous happens you get an alert.

19. 20 Noise versus Signal Rabbits versus the Army There is such a thing as too much information False positives train one to ignore alerts

20. 21 Triage every alert If it is a valid alert, you are SUPPOSED to fix it. Make a ticket, prioritize it, fix it, DO SOMETHING, do not ignore it.

21. 22 Regularly update your monitoring If you are getting false positives, fix the check Tune the frequency, do not be the source of the problem Active tuning, daily, weekly, monthly.

22. 23 Integrating External Tools AV IDS/IPS, HIDS, FIC Log monitoring Host and service detection (nmap) SNMP Traps If you get email from a tool and it runs under cron, consider using Nagios to manage it.

23. 24 Passive check strategies

24. 25 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event

25. 26 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event Status goes back to “NORMAL” on the next host check.

26. 27 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event Status goes back to “NORMAL” on the next host check. So one alert, instead of multiple alerts.

27. 28 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event Status goes back to “NORMAL” on the next host check. So one alert, instead of multiple alerts. Good for some forensics, not so good if someone misses it.

28. 29 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event Status goes back to “NORMAL” on the next host check. So one alert, instead of multiple alerts. Good for some forensics, not so good if someone misses it. But this happens anyway.

29. 30 Some Automation

30. 31 Example Workstation Incident Response

31. 32 Example Workstation Incident Response Palo Alto or ePO detects some activity, sends a SNMP trap to NSTI

32. 33 Example Workstation Incident Response Palo Alto or ePO detects some activity, sends a SNMP trap to NSTI Nagios then uses an event handler to grab 24 hours of pcap data. Use Bro to look for interesting traffic, file a ticket, with attached files

33. 34 Example Workstation Incident Response Palo Alto or ePO detects some activity, sends a SNMP trap to NSTI Nagios then uses an event handler to grab 24 hours of pcap data. Use Bro to look for interesting traffic, file a ticket, with attached files All while I am getting coffee

34. 35 FIN Questions?

Nagios Conference 2013 - John Lowry - Using Nagios as a Security Monitoring Framework

Recomendados

Recomendados

Mais conteúdo relacionado

Mais de Nagios

Mais de Nagios (20)

Último

Último (20)

Nagios Conference 2013 - John Lowry - Using Nagios as a Security Monitoring Framework