Best Practices for Configuring Your OSSIM Installation

Because every network environment is different, OSSIM offers flexible configuration options to adapt to the needs of different environments. Whether you are just getting started with OSSIM or have been using it for years, thinking through the configuration options available will help you get the most out of your installation.
Join us for this customer training webcast where our OSSIM experts will walk through:
How to deploy & configure OSSEC agents
Best practices for configuring syslog and enabling plugins
Scanning your network for assets and vulnerabilities


  1. Title
  2. Introductions: Mark Allen, Technical Sales Engineer; Garrett Gross, Sr. Technical PMM.
  3. Resources for OSSIM Users
     AlienVault Forums: https://www.alienvault.com/forums/discussions/tagged/ossim
     LinkedIn Group: https://www.linkedin.com/groupInvitation?gid=3793
     USM & OSSIM On-Demand Training Archives: https://www.alienvault.com/product-training
     AlienVault Blog: analysis from the AlienVault Labs research team, practical tips to secure your environment, and industry trends.
  4. Agenda
     How to deploy & configure OSSEC agents
     Best practices for configuring syslog and enabling plugins
     Scanning your network for assets and vulnerabilities
  5. Let's get started!
  6. Host IDS Configuration
  7. OSSIM comes with OSSEC host-based IDS, which provides:
     • Log monitoring and collection
     • Rootkit detection
     • File integrity checking
     • Windows registry integrity checking
     • Active response
     OSSEC uses an authenticated server/agent architecture. (Diagram: the OSSEC agents on the monitored servers report to the OSSEC server running on the OSSIM sensor over UDP 1514; the sensor passes normalized events on to the OSSIM server.)
  8. Deploying HIDS
     1. Add an agent in OSSIM.
     2. Deploy the HIDS agent to the target system.
     3. Optionally change the configuration file on the agent.
     4. Verify HIDS operation.
  9. Add Agent in OSSIM (Environment > Detection > HIDS > Agents). Required for all operating systems. Add an agent, specify its name and IP address, and save the agent. Agents can also be added with the manage_agents script on the sensor.
  10. Deploy HIDS Agent to Target System. Automated deployment for Windows machines: specify the domain, username and password of the target system, or download a preconfigured agent for Windows. Manual installation for other operating systems; key extraction is required for manual installation. The extracted key is the shared secret that authenticates the agent to the server, so transfer it over a trusted channel and treat it like a password.
  11. Change Configuration File on Agent. OSSEC configuration is controlled by a text file (ossec.conf; /var/ossec/etc/ossec.conf on Unix-like agents). The agent needs to be restarted after configuration changes. The agent's log file (/var/ossec/logs/ossec.log) is available for troubleshooting.
  12. Verify HIDS Operations (Environment > Detection > HIDS > Overview). Displays an overview of OSSEC events and agent information. Agent status should be Active.
  13. Verify HIDS Operations (cont.) (Analysis > Security Events (SIEM) > SIEM). Verify that OSSEC events are displayed in the SIEM console; use the search filter to display only events from the OSSEC data source.
  14. Verify HIDS Operations (cont.) (Environment > Detection > HIDS > Agents > Agent Control). Verify file integrity, registry integrity and the presence of rootkits.
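The manual path in slides 8 to 14 (add the agent, extract its key, import it on the host, edit ossec.conf, restart, check the log) can be rehearsed offline with the script below. It is an added example, not AlienVault's or OSSEC's own code. It assumes the key export format of manage_agents (base64 of "ID NAME IP KEY", with a 64-hex-character secret), the stock agent paths /var/ossec/etc/ossec.conf and /var/ossec/logs/ossec.log, and a constructed sample key; the server address 10.0.0.5 and the log paths in the demo are placeholders.

```python
"""Check an OSSEC agent key exported from OSSIM and render the agent-side
configuration it belongs with.

Added example for the HIDS deployment slides; not AlienVault's or OSSEC's
code. Assumed: the export format of `manage_agents -e <id>` (base64 of
"ID NAME IP KEY", KEY being 64 hex characters) and the stock agent paths
/var/ossec/etc/ossec.conf and /var/ossec/logs/ossec.log.
"""
import base64
import binascii
import ipaddress
import re
import xml.etree.ElementTree as ET

# 64 hex chars: the pre-shared secret that authenticates and encrypts
# everything the agent sends to the server on UDP 1514. Treat it like a password.
SECRET_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample, not a real key: what the OSSIM "Extract key" button or
# `manage_agents -e 001` on the sensor would hand you.
SAMPLE_EXPORT = base64.b64encode(
    b"001 webserver 10.0.0.10 " + b"0123456789abcdef" * 4
).decode("ascii")


def decode_agent_key(exported: str) -> dict:
    """Decode one exported key and validate its four fields before pasting it
    into `manage_agents -i` on the agent."""
    try:
        raw = base64.b64decode(exported.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not a base64 agent key: %s" % exc) from exc
    fields = raw.split()
    if len(fields) != 4:
        raise ValueError("expected 'ID NAME IP KEY', got %d fields" % len(fields))
    agent_id, name, ip, secret = fields
    if not agent_id.isdigit():
        raise ValueError("agent id is not numeric: %r" % agent_id)
    if ip != "any":
        # OSSEC accepts a host address or a CIDR range in this field.
        ipaddress.ip_network(ip, strict=False)
    if not SECRET_RE.match(secret):
        raise ValueError("secret is not 64 hex characters")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}


def key_matches_host(info: dict, host_ip: str) -> bool:
    """The server drops traffic from an address outside the key's IP field,
    so check it before the restart instead of after a silent failure."""
    if info["ip"] == "any":
        return True
    return ipaddress.ip_address(host_ip) in ipaddress.ip_network(info["ip"], strict=False)


def render_agent_conf(server_ip: str, log_files=(),
                      watched_dirs=("/etc", "/usr/bin", "/usr/sbin", "/bin", "/sbin")) -> str:
    """Minimal ossec.conf for an agent: where to report, which directories to
    integrity-check, which rootkit signature lists to use, which logs to ship."""
    ipaddress.ip_address(server_ip)  # fail early on a typo
    root = ET.Element("ossec_config")
    client = ET.SubElement(root, "client")
    ET.SubElement(client, "server-ip").text = server_ip
    syscheck = ET.SubElement(root, "syscheck")
    ET.SubElement(syscheck, "frequency").text = "7200"  # seconds between scans
    ET.SubElement(syscheck, "directories", check_all="yes").text = ",".join(watched_dirs)
    rootcheck = ET.SubElement(root, "rootcheck")
    ET.SubElement(rootcheck, "rootkit_files").text = "/var/ossec/etc/shared/rootkit_files.txt"
    ET.SubElement(rootcheck, "rootkit_trojans").text = "/var/ossec/etc/shared/rootkit_trojans.txt"
    for path in log_files:
        localfile = ET.SubElement(root, "localfile")
        ET.SubElement(localfile, "log_format").text = "syslog"
        ET.SubElement(localfile, "location").text = path
    return ET.tostring(root, encoding="unicode")


def shipped_logs(conf_xml: str) -> list:
    """Read back the <localfile> locations from a rendered (or existing) ossec.conf."""
    root = ET.fromstring(conf_xml)
    return [lf.findtext("location") for lf in root.findall("localfile")]


if __name__ == "__main__":
    info = decode_agent_key(SAMPLE_EXPORT)
    print("agent %(id)s (%(name)s) is bound to %(ip)s" % info)
    print("host 10.0.0.10 covered by key:", key_matches_host(info, "10.0.0.10"))
    # 10.0.0.5 is a placeholder for the OSSIM sensor's address.
    print(render_agent_conf("10.0.0.5", ["/var/log/auth.log", "/var/log/syslog"]))
    # Then, on the agent, as root:
    #   /var/ossec/bin/manage_agents -i <exported key>
    #   /var/ossec/bin/ossec-control restart
    #   tail /var/ossec/logs/ossec.log     # check for errors from ossec-agentd
```

Run it once with the key OSSIM gave you (in place of SAMPLE_EXPORT) before touching the host: a key whose IP field does not cover the agent's actual source address is one common reason an agent never turns Active in the Overview.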
  15. Syslog & Plugins
  16. Syslog Forwarding. Syslog configuration will vary based on the source device/application but, usually, the necessary parameters are:
     • Destination IP (the OSSIM sensor)
     • Source IP (the address the sensor will see the logs arriving from; enable the plugin on the asset with that address)
     • Port (default is UDP 514)
     Plain UDP syslog is unauthenticated and can be dropped or spoofed, so restrict which hosts can reach the sensor's listener, and use TCP or TLS transport where both the device and the sensor support it.
  17. Enabling Plugins. Enable the plugin at the asset level (General > Plugins > Edit Plugins). A green light under "Receiving Data" confirms successful log collection.
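To confirm that a plugin's "Receiving Data" light turns green, it helps to send one known-good line and see what the sensor has to parse. The script below is an added example, not AlienVault's code: it builds an RFC 3164 syslog line, parses it the way a syslog-based plugin must, and can send it to the sensor over UDP 514. It assumes the sensor listens on UDP 514 as slide 16 states; the sensor address 10.0.0.5, the hostname fw01 and the sshd event are constructed placeholders.

```python
"""Build, parse and send RFC 3164 syslog lines to exercise an OSSIM plugin.

Added example for the syslog forwarding and plugin slides; not AlienVault
code. Assumed: the sensor listens on UDP 514. Sensor address, hostnames and
the sample event below are constructed placeholders.
"""
import re
import socket
import time

FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
            "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
            "local2": 18, "local3": 19, "local4": 20, "local5": 21,
            "local6": 22, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAME = {v: k for k, v in FACILITY.items()}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}

# <PRI>TIMESTAMP HOST TAG[PID]: MSG   (day of month is space padded: "Oct  5")
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ 1-3]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


def priority(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164, section 4.1.1)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_line(facility, severity, host, tag, msg, pid=None, timestamp=None) -> str:
    """Assemble one RFC 3164 line; timestamp defaults to local time now."""
    if timestamp is None:
        now = time.localtime()
        timestamp = (time.strftime("%b ", now) + "%2d " % now.tm_mday
                     + time.strftime("%H:%M:%S", now))
    tag_part = tag if pid is None else "%s[%d]" % (tag, pid)
    return "<%d>%s %s %s: %s" % (priority(facility, severity), timestamp, host, tag_part, msg)


def parse_line(line: str) -> dict:
    """What the sensor's parser will have to work with. A line that does not
    match this shape is unlikely to be normalized by a syslog-based plugin."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": FACILITY_NAME.get(pri // 8, str(pri // 8)),
        "severity": SEVERITY_NAME[pri % 8],
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


def send_test_line(line: str, sensor_ip: str, port: int = 514, source_ip=None) -> int:
    """Fire one datagram at the sensor and return the byte count sent. Bind to
    source_ip on a multi-homed host: the asset the sensor credits is the one
    whose address the datagram carries, not the hostname inside the message."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if source_ip:
            sock.bind((source_ip, 0))
        return sock.sendto(line.encode("utf-8"), (sensor_ip, port))


if __name__ == "__main__":
    # Constructed event, not a real capture.
    line = build_line("auth", "info", "fw01", "sshd",
                      "Accepted password for admin from 203.0.113.5 port 4242 ssh2",
                      pid=1234)
    print(line)
    print(parse_line(line))
    # send_test_line(line, "10.0.0.5")   # 10.0.0.5: placeholder sensor address
```

The slide lists Source IP as a parameter because the sensor sees the address the datagram comes from, not the hostname written inside the message: a relay in the path presents every forwarded event from its own address, and a host that can spoof UDP from a trusted address can inject events that the plugin will happily normalize.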
  18. Vulnerability Assessment
  19. Vulnerability Assessment. Uses a built-in OpenVAS scanner. Detects vulnerabilities in assets:
     • Vulnerabilities are correlated with events through cross-correlation rules
     • Useful for compliance reports and auditing
     Managed from the central SIEM console:
     • Running and scheduling vulnerability scans
     • Examining reports
     • Updating vulnerability signatures
  20. Advanced Options. Vulnerability assessment can be:
     • Authenticated (SSH and SMB)
     • Unauthenticated
     Predefined profiles can be selected:
     • Non-destructive full and slow scan
     • Non-destructive full and fast scan
     • Full and fast scan including destructive tests
     Custom profiles can be created. Destructive tests can crash or hang the services they probe, so run that profile only in an agreed maintenance window.
  21. Vulnerability Assessment Config
     1. (Optionally) tune global vulnerability assessment settings.
     2. (Optionally) create a set of credentials.
     3. (Optionally) create a scanning profile.
     4. Create a vulnerability scan job.
     5. Examine scanning results.
     6. Optionally create a vulnerability or compliance report.
  22. Tune Global Vulnerability Assessment Settings (Configuration > Administration > Main). The vulnerability assessment system opens a ticket for found vulnerabilities. Select the vulnerability ticket threshold and update the configuration. Start with a high threshold and fix important vulnerabilities first.
  23. Create Set of Credentials (Environment > Vulnerabilities > Overview). Used to log into a machine for an authenticated scan; supports the DOMAIN/USER username form. Click settings, specify the credential set name, select the authentication type and specify the login username. Use a dedicated scanning account with no more privilege than the checks need, since OSSIM stores these credentials and every scanned host accepts them.
  24. Create Scanning Profile (Environment > Vulnerabilities > Overview). Examine the three default profiles, edit them, or create a new profile, enabling or disabling plugin families as needed. Enable profiles that apply to the assets you are scanning.
  25. Create Vulnerability Scan Job (Environment > Vulnerabilities > Scan Jobs). Create a new scan job: specify the scan job name, select the schedule method, the profile, the server, the assets and, for an authenticated scan, the credential set, then save the job. An existing Nessus scan report can also be imported.
  26. Examine Vulnerabilities Results (Environment > Vulnerabilities > Overview). Examine vulnerability statistics, view the vulnerability report for all assets, and examine reports for all scan jobs.
  27. OSSIM vs. USM
  28. How is USM different?
     Correlation Directives: over 2,000 built-in correlation directives developed by the AlienVault Labs Threat Research Team, and updated weekly.
     Reporting: 150+ customizable reports, including compliance-specific reports.
     Log Management: robust log management, log search & long-term log retention.
     Professional Support via phone & email as well as customer support portal.
     And more: view the comparison chart here: https://www.alienvault.com/products/compare-ossim-to-alienvault-usm
     “I started out with OSSIM and I didn’t fully realize how much value I would get out of USM until I started using it. The reporting is awesome, it’s been a big benefit for me. And, having a fully supported solution means I can get answers to my questions much more quickly than before.” – Matthew Frederickson, Director of Information Technology, Council Rock School District
  29. USM + Free Installation Services: http://www.alienvault.com/marketing/smb-bundles
  30. Now for some Q&A
     Contact us: HELLO@ALIENVAULT.COM, 888.613.6023, ALIENVAULT.COM
     Resources for OSSIM Users
     OSSIM vs. USM Comparison Chart: https://www.alienvault.com/products/compare-ossim-to-alienvault-usm
     AlienVault Forum: https://www.alienvault.com/forums/discussions/tagged/ossim
     LinkedIn Group: https://www.linkedin.com/groupInvitation?gid=3793
     Subscribe to the AlienVault Blog: https://www.alienvault.com/blogs
     Hands-on 5-day Training Classes, in-person or “Live on-line”: https://www.alienvault.com/support/classroom-training
