TAKE YOUR OPEN SOURCE SECURITY STRATEGY TO THE NEXT LEVEL
The power of open source from a single, unified console
WWW.ALIENVAULT.COM/
May 19, 2015
MEET OSSIM
The World's Most Widely Used SIEM
OSSIM is trusted by 195,000+ security professionals in 175 countries... and counting
Established and launched by security engineers out of necessity
Users enjoy all of the features of a traditional SIEM – and more
EXAMPLE OF HOW THE TOOLS WORK TOGETHER
HOW IT WORKS
Tools Classification
TOOLS integrated with AlienVault OSSIM are classified by how the tool behaves on the network being monitored:
Active: they generate traffic in the network being monitored
Passive: they analyze network traffic without generating any traffic
Passive tools require port mirroring (SPAN) configured on the network equipment or virtual machines so that the traffic can be analyzed
ASSET DISCOVERY
Detecting Network Assets in AlienVault OSSIM
PRADS
What is it? Signature-based detection engine used to passively detect network assets
OSSIM allows for distributed PRADS monitoring, to help simplify:
- Inventory management
- Version changes on services
- Policy violations
- Inventory correlation
Passive Tool
Passive.sourceforge.net
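To make concrete what a signature-based passive asset detector does, the following is an added example written for this page (it is not PRADS' code nor AlienVault's). It matches constructed server banners seen on a mirrored port against a few hypothetical signature patterns, builds an asset inventory, and records a version change on a service, which is the inventory-management and version-change use case listed above. All IPs, banners and signature patterns are constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical banner signatures written for this example (PRADS ships its own
# signature files; these are not them). Each regex has one capture group for the
# version string and maps to a service name.
SIGNATURES = [
    ("ssh",  re.compile(r"^SSH-2\.0-OpenSSH_([\d.p]+)")),
    ("http", re.compile(r"^HTTP/1\.[01] \d{3} .*?\r\nServer: ([^\r\n]+)", re.S)),
    ("smtp", re.compile(r"^220 \S+ ESMTP (Postfix|Exim \S+)")),
]

@dataclass
class Asset:
    ip: str
    port: int
    service: str
    version: str
    first_seen: int
    last_seen: int

def fingerprint(banner):
    """Return (service, version) for a server banner, or None if no signature matches."""
    for service, pattern in SIGNATURES:
        m = pattern.search(banner)
        if m:
            return service, m.group(1)
    return None

def build_inventory(observations):
    """Passively build an asset inventory from banners seen on a mirrored (SPAN) port.

    observations: iterable of (timestamp, server_ip, server_port, banner_text)
    Returns (inventory, changes): inventory maps (ip, port) -> Asset, and changes lists
    (timestamp, ip, port, old_version, new_version) each time a known asset's
    advertised version changes, i.e. the "version changes on services" signal.
    """
    inventory = {}
    changes = []
    for ts, ip, port, banner in observations:
        fp = fingerprint(banner)
        if fp is None:
            continue                      # unidentified service: nothing to record
        service, version = fp
        asset = inventory.get((ip, port))
        if asset is None:
            inventory[(ip, port)] = Asset(ip, port, service, version, ts, ts)
            continue
        if asset.version != version:
            changes.append((ts, ip, port, asset.version, version))
            asset.version = version
        asset.last_seen = ts
    return inventory, changes

# Constructed observations (not captured traffic): the SSH host is upgraded between
# timestamps 1100 and 2000, and port 8080 carries a banner no signature recognises.
SAMPLE_OBSERVATIONS = [
    (1000, "10.0.0.5", 22,   "SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n"),
    (1005, "10.0.0.8", 80,   "HTTP/1.1 200 OK\r\nServer: nginx/1.6.2\r\nContent-Type: text/html\r\n\r\n"),
    (1010, "10.0.0.9", 25,   "220 mail.example.test ESMTP Postfix\r\n"),
    (1020, "10.0.0.9", 8080, "some proprietary banner\r\n"),
    (1100, "10.0.0.5", 22,   "SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n"),
    (2000, "10.0.0.5", 22,   "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4\r\n"),
]

if __name__ == "__main__":
    inventory, changes = build_inventory(SAMPLE_OBSERVATIONS)
    for asset in inventory.values():
        print(f"{asset.ip}:{asset.port} {asset.service} {asset.version} "
              f"(seen {asset.first_seen}-{asset.last_seen})")
    for ts, ip, port, old, new in changes:
        print(f"version change at {ts}: {ip}:{port} {old} -> {new}")
```

Because nothing is sent to the hosts, the inventory is only as complete as the traffic that crosses the SPAN port; a service that is never spoken to during the capture window stays unknown, which is why the deck pairs PRADS with an active scanner.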
Identifying Network Hosts & Services in AlienVault OSSIM
NMAP (NETWORK MAPPER)
What is it? Security scanner to discover hosts & services on the network
The product includes an interface for scheduling NMAP scans & an inventory system to manage results
The OSSIM user interface makes it easy to schedule NMAP scans and manage results.
Quickly find: network assets, open ports, service versions, operating systems and product versions
Active Tool
nmap.org
Inventorying IT Assets in AlienVault OSSIM
OCS INVENTORY NG
What is it? Lightweight agent; provides full enumeration of installed software
Collects information about hardware running the OCS agent
OSSIM simplifies OCS inventory installation and the management of:
- Hardware and software inventory
- Vulnerabilities
- Information on policy violations
Active Tool
ocsinventory.ng.org
VULNERABILITY ASSESSMENT
Vulnerability Assessment in AlienVault OSSIM
OPENVAS
What is it? Provides both authenticated and unauthenticated vulnerability detection
Actively scans the network for known vulnerabilities per your specifications
Daily feed of network vulnerability tests (over 33,000)
Allows for fine-tuning of scanning aggressiveness
OSSIM gives users the ability to schedule OpenVAS scans and reporting in concert with vulnerability information.
Active Tool
openvas.org
Web Vulnerability Scanning in AlienVault OSSIM
NIKTO
What is it? Performs comprehensive tests against web servers
NIKTO in OSSIM scans web servers for problems including:
- Server and software misconfigurations
- Default files and programs
- Insecure files and programs
- Outdated software
Active Tool
cirt.net/nikto2
THREAT DETECTION
Host-based Intrusion Detection in AlienVault OSSIM
OSSEC
What is it? Host-based intrusion detection system
How does it work? OSSIM provides a web interface for OSSEC to simplify management of distributed deployments
The AlienVault Sensor collects events from the OSSEC server
OSSIM can use Windows, UNIX and application logs, as well as registry and file integrity monitoring information
Active Tool
ossec.org
Network Intrusion Detection in AlienVault OSSIM
SNORT
What is it? Default IDS in the virtual appliance
Generates security events for the SIEM when analyzing network traffic
Combines signature, protocol and anomaly-based inspection
OSSIM makes it easy to manage distributed SNORT installations. Manage IDS rules to monitor for malware signatures and policy violations (P2P, unauthorized IM, games, etc.)
Passive Tool
snort.org
Intrusion Detection & Prevention in AlienVault OSSIM
SURICATA
What is it? Intrusion detection and intrusion prevention, based on threat signatures
Same IDS signatures as SNORT
Advanced processing of HTTP signatures
Multi-threaded processing
OSSIM makes it easy to manage distributed Suricata installations and manage IDS rules.
Passive Tool
Suricata.ids.org
Wireless Intrusion Detection System in AlienVault OSSIM
KISMET
What is it? OSSIM uses the Kismet package for wireless IDS
Works with any wireless card supporting raw monitoring (rfmon) mode
With appropriate hardware, such as a Raspberry Pi, it can sniff 802.11b, 802.11a, 802.11g & 802.11n traffic
OSSIM provides an interface for easy distributed deployments of Kismet.
- WiFi network security monitoring
- Rogue AP detection
- PCI compliance help
Passive Tool
kismetwireless.org
SECURITY INFORMATION & EVENT MANAGEMENT
Security Event & Information Management
ALIENVAULT OSSIM
OSSIM, the open source SIEM, is the most widely used SIEM in the world.
What can you do with it?
- Event collection, normalization and correlation
- Leverage a suite of pre-integrated, best-of-breed security tools for incident response
Passive Tool
www.alienvault.com/open-threat-exchange/projects
BEHAVIORAL ANALYSIS
System & Network Monitoring in AlienVault OSSIM
NAGIOS
What is it? Watches hosts & services and provides alerts
Configurable checking of assets
Can perform checks with an agent or remotely, without an agent
A wide variety of plugins for monitoring apps and devices is available
OSSIM provides a web interface for Nagios, making distributed installations easy with:
- Ongoing availability monitoring
- Availability monitoring during logical correlation (by request)
- Visibility into whether service ports are open or closed
Active Tool
nagios.org
Network Traffic Capture in AlienVault OSSIM
TCPDUMP
What is it? TCPDUMP is a command-line packet analyzer built on libpcap
libpcap itself is a portable C/C++ library for capturing network traffic
Active Tool
tcpdump.org
Generating Netflow Data in AlienVault OSSIM
FPROBE
What is it? Collects network traffic data and distributes it as netflow flows towards the specified collector
Libpcap-based tool
OSSIM provides an integrated console where you can view netflow information from FPROBE to assist with incident response
Passive Tool
fprobe.sourceforge.net/
Netflow Collector in AlienVault OSSIM
NFDUMP
What is it? Reads netflow data from the files stored by NFCAPD
NFDUMP filter syntax is similar to TCPDUMP's
OSSIM makes it easy to quickly implement NFDUMP for netflow analysis:
- Provides netflow data
- Creates customizable top-N statistics of flows, IP addresses, ports, etc.
- Saves time by eliminating the need for a "How To" tutorial
Passive Tool
Nfdump.sourceforge.net
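The two points above, a tcpdump-like filter syntax and customizable top-N statistics, are easier to grasp with a worked example. The block below is added for this page and is not nfdump's implementation: it mimics what `nfdump -s <key>/<order> -n <N> '<filter>'` reports, but over constructed in-memory flow records rather than nfcapd files, and it understands only a small hypothetical subset of filter terms (`proto`, `src ip`, `dst ip`, `src port`, `dst port`, joined by `and`).

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    """One flow record, as a collector would store it (constructed here, not read from nfcapd)."""
    ts: int        # flow start, epoch seconds
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    bytes: int

# Filter terms this toy grammar understands (a hypothetical subset, not nfdump's grammar):
# 'proto <tcp|udp>', 'src ip <a.b.c.d>', 'dst ip <a.b.c.d>', 'src port <n>', 'dst port <n>'
_FIELD = {("src", "ip"): "src", ("dst", "ip"): "dst",
          ("src", "port"): "sport", ("dst", "port"): "dport"}

def parse_filter(expr):
    """Compile a filter expression such as 'proto tcp and dst port 22' into a predicate over Flow."""
    preds = []
    for term in (t.strip() for t in expr.split(" and ")):
        parts = term.split()
        if len(parts) == 2 and parts[0] == "proto":
            preds.append(lambda f, p=parts[1]: f.proto == p)
        elif len(parts) == 3 and (parts[0], parts[1]) in _FIELD:
            attr = _FIELD[(parts[0], parts[1])]
            value = int(parts[2]) if parts[1] == "port" else parts[2]
            preds.append(lambda f, a=attr, v=value: getattr(f, a) == v)
        else:
            raise ValueError(f"unsupported filter term: {term!r}")
    return lambda f: all(p(f) for p in preds)

def top_n(flows, key="src", order="bytes", n=10, filter_expr=""):
    """Aggregate flows by `key` (src, dst, sport, dport or proto) and rank by `order`
    (bytes, packets or flows), mirroring nfdump -s <key>/<order> -n <n> '<filter>'.
    Returns a list of (key_value, total) pairs, largest first."""
    match = parse_filter(filter_expr) if filter_expr.strip() else (lambda f: True)
    totals = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for f in flows:
        if not match(f):
            continue
        bucket = totals[getattr(f, key)]
        bucket["flows"] += 1
        bucket["packets"] += f.packets
        bucket["bytes"] += f.bytes
    ranked = sorted(totals.items(), key=lambda kv: kv[1][order], reverse=True)
    return [(k, v[order]) for k, v in ranked[:n]]

# Constructed flow records (not real traffic): one internal host, 10.0.0.9, opens SSH
# sessions to three other internal hosts and moves far more data than anyone else.
SAMPLE_FLOWS = [
    Flow(100, "tcp", "10.0.0.5", 51000, "203.0.113.10",  443,  40,  52000),
    Flow(101, "tcp", "10.0.0.7", 51002, "203.0.113.10",  443,  12,   9000),
    Flow(102, "udp", "10.0.0.5",  5353, "224.0.0.251",  5353,   3,    400),
    Flow(103, "tcp", "10.0.0.9", 44000, "10.0.0.5",       22, 200, 150000),
    Flow(104, "tcp", "10.0.0.9", 44001, "10.0.0.8",       22, 180, 130000),
    Flow(105, "tcp", "10.0.0.9", 44002, "10.0.0.6",       22, 150, 120000),
    Flow(106, "tcp", "10.0.0.7", 51003, "198.51.100.20",  80,  20,  15000),
]

if __name__ == "__main__":
    print("top talkers by bytes:", top_n(SAMPLE_FLOWS, "src", "bytes", 3))
    print("busiest TCP ports by flow count:", top_n(SAMPLE_FLOWS, "dport", "flows", 3, "proto tcp"))
    print("SSH destinations of 10.0.0.9:",
          top_n(SAMPLE_FLOWS, "dst", "packets", 5, "proto tcp and dst port 22 and src ip 10.0.0.9"))
```

During incident response the same three questions (who talks the most, on which ports, and to whom from a given host) are what an analyst typically runs first against the collector, and the ranking by flow count rather than bytes is what surfaces many small connections such as a host fanning out over SSH.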
Collecting IP Traffic in AlienVault OSSIM
NFSEN
What is it? Web-based front end for NFDUMP
NFSEN is a network protocol developed by Cisco to run on IOS-enabled equipment and collect IP traffic information
It is supported by other platforms, such as Juniper, Linux, FreeBSD and OpenBSD
OSSIM aggregates NFSEN data and allows you to:
- Display netflow data
- Process netflow data within a specific time frame
- Create historic and continuous profiles
Passive Tool
nfsen.sourceforge.net
Network Use Monitoring in AlienVault OSSIM
NTOP
What is it? Network probe providing real-time & historical network usage
Uses the RRD Aberrant Behavior algorithm to draw predictions of future behavior
If the prediction differs from real traffic, an event is generated in OSSIM
In OSSIM, NTOP provides:
- Network usage statistics
- Asset information
- Time & activity matrices
- Real-time session monitoring
- Network abuse information
Passive Tool
ntop.org
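The "prediction differs from real traffic" mechanism above is the part worth seeing in code. The block below is an added, simplified reimplementation written for this page (it is not RRDtool's or ntop's code) of additive Holt-Winters forecasting with a smoothed deviation band and a violations-within-a-window failure rule, which is the shape of RRDtool's aberrant behaviour detection. It runs on a constructed periodic traffic series with an injected surge; the `min_dev` floor is an addition made here so that noise-free sample data does not alarm on rounding error, and is not an RRDtool feature.

```python
import math
from collections import deque

def holt_winters_detect(series, period, alpha=0.1, beta=0.0035, gamma=0.1,
                        delta=3.0, window=9, threshold=7, min_dev=0.0):
    """Simplified RRDtool-style aberrant behaviour detection (additive Holt-Winters).

    series:    observations sampled at a fixed interval (e.g. bytes/s per 5-minute bin)
    period:    samples per season (e.g. 288 for 5-minute bins over one day)
    alpha/beta/gamma: smoothing factors for level, trend, and seasonal/deviation terms
    delta:     width of the confidence band, in smoothed deviations
    window/threshold: signal a FAILURE when >= threshold of the last `window` samples violated
    min_dev:   floor on the deviation (added here so noise-free sample data does not alarm)

    Returns (predictions, violations, failures): the per-sample forecast, a per-sample
    True/False violation flag, and the sample indices at which a failure was signalled.
    The first two seasons are a learning period and are never flagged.
    """
    n = len(series)
    if n < 2 * period:
        raise ValueError("need at least two full seasons to initialise the model")
    season1 = series[:period]
    mean1 = sum(season1) / period
    level = mean1
    # initial trend: average per-sample change between season 1 and season 2
    trend = (sum(series[period:2 * period]) - sum(season1)) / (period * period)
    seasonal = [x - mean1 for x in season1]     # additive seasonal offsets per slot
    dev = [0.0] * period                         # smoothed absolute error per slot
    predictions, violations, failures = [], [], []
    recent = deque(maxlen=window)
    for t, obs in enumerate(series):
        s = t % period
        pred = level + trend + seasonal[s]       # one-step-ahead forecast
        err = obs - pred
        band = delta * max(dev[s], min_dev)
        violated = t >= 2 * period and abs(err) > band
        predictions.append(pred)
        violations.append(violated)
        recent.append(violated)
        if sum(recent) >= threshold:
            failures.append(t)
            recent.clear()                       # start a fresh window after signalling
        # Holt-Winters update rules (level, trend, seasonal) plus deviation smoothing
        new_level = alpha * (obs - seasonal[s]) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal[s] = gamma * (obs - new_level) + (1 - gamma) * seasonal[s]
        dev[s] = gamma * abs(err) + (1 - gamma) * dev[s]
        level = new_level
    return predictions, violations, failures

def build_sample_series(seasons=5, period=12, surge=(40, 48, 80.0)):
    """Constructed traffic series (not real data): a repeating daily-style pattern around
    100 units, with a surge of +80 injected on samples [40, 48)."""
    start, end, extra = surge
    series = []
    for t in range(seasons * period):
        base = 100.0 + 30.0 * math.sin(2 * math.pi * (t % period) / period)
        series.append(base + (extra if start <= t < end else 0.0))
    return series

if __name__ == "__main__":
    data = build_sample_series()
    preds, viol, fails = holt_winters_detect(data, period=12, min_dev=5.0)
    for t in range(36, 52):
        print(f"t={t:2d} obs={data[t]:7.1f} pred={preds[t]:7.1f} violation={viol[t]}")
    print("failures signalled at samples:", fails)
```

Two properties of the design show up when the block runs: a single odd sample produces a violation but no failure, because the window/threshold rule requires a sustained departure before an event is raised, and after the surge the model has partly adapted to it, so the forecast overshoots for a while once traffic returns to normal and further violations follow. Tuning alpha and the window length trades sensitivity against that adaptation lag.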
Play, share, enjoy!
START USING OSSIM TODAY
Download OSSIM
Join AlienVault OTX
Learn more about our commercial offering
Try AlienVault USM, free for 30 days
Join us for a LIVE Demo!